Re: [squid-users] advice for proxy architecture

2005-01-18 Thread lderuaz
Thanks for this advice.

I've thought that it was better to have dedicated proxies (internal for
authentication and intranet access, external for internet access) to distribute
functions and cache capacities.

But I am going to consider your opinion. However, if I only use internal
proxies, is there any risk (such as hijacking) in having some direct
communication from my LAN server to the Internet?

Security is for me (as for everyone) a big constraint in our context.


 On 14.01 11:49, [EMAIL PROTECTED] wrote:
  Here is my squid architecture :
  I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0.
  I've got two internal proxies on which are performed the NTLM
  authentication of the users. They are configured to forward requests to
  some remote proxies (in other sites of the company), or to two redundant
  external proxies used for internet access.
 
  I am studying how to optimise my proxy architecture, and am looking for
  advice.
 
  Based on your own experience, is it better to keep the architecture 1 :
 
  Client -- internal proxies -- FW -- External proxies -- Internet
 
  or the architecture 2
 
  Client -- internal proxies -- FW --  Internet

 the second one is easier and you won't get any benefit of the external
 proxy.

  Do you find some particular advantages to have additional external proxies
  (in terms of performance, security, ..)

 no.

  or do you think that having only two internal proxies for all traffic
  (remote site, internet traffic) is sufficient and not risky ?

 yes.

 --
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Christian Science Programming: Let God Debug It!.



--


Re: [squid-users] advice for proxy architecture

2005-01-17 Thread Matus UHLAR - fantomas
On 14.01 11:49, [EMAIL PROTECTED] wrote:
 Here is my squid architecture :
 I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0.
 I've got two internal proxies on which are performed the NTLM
 authentication of the users. They are configured to forward requests to
 some remote proxies (in other sites of the company), or to two redundant
 external proxies used for internet access.
 
 I am studying how to optimise my proxy architecture, and am looking for
 advice.
 
 Based on your own experience, is it better to keep the architecture 1 :
 
 Client -- internal proxies -- FW -- External proxies -- Internet
 
 or the architecture 2
 
 Client -- internal proxies -- FW --  Internet

the second one is easier and you won't get any benefit of the external
proxy.

 Do you find some particular advantages to have additional external proxies
 (in terms of performance, security, ..)

no.

 or do you think that having only two internal proxies for all traffic (remote
 site, internet traffic) is sufficient and not risky ?

yes.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: Let God Debug It!.


RE: [squid-users] advice for proxy architecture

2005-01-14 Thread Chris Robertson
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 14, 2005 1:50 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] advice for proxy architecture
 
 
 Hello to all,
 
 Here is my squid architecture :
 I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0.
 I've got two internal proxies on which are performed the NTLM authentication of
 the users. They are configured to forward requests to some remote proxies (in
 other sites of the company), or to two redundant external proxies used for
 internet access.
 
 I am studying how to optimise my proxy architecture, and am looking for advice.
 
 Based on your own experience, is it better to keep the architecture 1 :
 
 Client -- internal proxies -- FW -- External proxies -- Internet
 
 or the architecture 2
 
 Client -- internal proxies -- FW --  Internet
 
 
 Do you find some particular advantages to have additional external proxies
 (in terms of performance, security, ..)
 
 or do you think that having only two internal proxies for all traffic (remote
 site, internet traffic) is sufficient and not risky ?
 
 Thanks in advance for your help.
 
 Lionel

From my experience, parent proxies give diminishing returns.  The customer
premise proxies are achieving ~50% hit rates (both byte and request), but
the central parent proxies struggle to achieve 15% hit and almost never rise
above 5% byte.  OTOH, the central servers would not be hurt (and would
likely be greatly helped) by increasing their cache space.  YMMV.

As for security, the more boxes you have, the more targets you have for
attack, and dependent on your firewall setup, putting boxes outside the
firewall just makes them more vulnerable.

Without knowing the exact details of your situation, I would advise keeping
it simple (go with architecture 2).

Chris
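
The two architectures discussed in this thread, expressed as a squid.conf fragment for an internal proxy. This is an added example, not configuration posted by anyone in the thread; the host names, the remote-site domain and port 3128 are assumptions.

```squid
# Constructed example for Squid 2.5. All host names and domains are placeholders.

# "all" is already defined in the stock Squid 2.5 squid.conf; shown here
# so the fragment is readable on its own.
acl all src 0.0.0.0/0.0.0.0

# Destinations served by another company site (hypothetical domain).
acl remote_site dstdomain .site-b.example.com

# Parent proxy at the remote site, used only for that site's destinations.
cache_peer proxy.site-b.example.com parent 3128 0 no-query
cache_peer_access proxy.site-b.example.com allow remote_site
cache_peer_access proxy.site-b.example.com deny all

# ---- Architecture 1: Internet traffic is relayed by two external parents ----
# cache_peer ext-proxy1.example.com parent 3128 0 no-query round-robin
# cache_peer ext-proxy2.example.com parent 3128 0 no-query round-robin
# cache_peer_access ext-proxy1.example.com deny remote_site
# cache_peer_access ext-proxy2.example.com deny remote_site
# never_direct allow all          # every request must leave through a parent

# ---- Architecture 2: internal proxies fetch Internet content themselves ----
# Remote-site requests still go through the remote parent only.
never_direct allow remote_site
# Everything else is fetched directly by this proxy through the firewall.
always_direct allow !remote_site
```

With architecture 2 the firewall only has to permit outbound web traffic from the two internal proxies, assuming clients are not allowed to bypass them.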