On mån, 2008-04-28 at 23:45 +0200, F. wrote: > I am thinking about make a [transparent proxy + http accelerator + > server] on the same machine. > But I do not know if it is secure this configuration. > ->Lan to Internet: Transparent proxy using acl LAN, redirected port 80 > to squid port in firewall. Destination all. > ->Intenet to Server. http accelerator. 80 to 3128 redirected on > firewall. Destination only server domain names.
It's fine in 2.6 and later, but you need two different http_port for this kind of setup. One for the proxy port, and one for the accelerator port. It's a little tricky to get the access controls right, but not too hard if you are careful. And even if you do get things slightly wrong Squid will not allow you to do very bad things unless you tell it that you know what you are doing... The configuration you suggested looks fine to me, but I would probably switch the order somewhat to have the accelerated domains before your local lan. When the configuration is as simple as you are doing now it doesn't matter very much, but the day you start doing authentication for your LAN clients etc things gets quite different... Regards Henrik