David Vaughan wrote: > I have a number of networks (think of them as being in local offices), > each of which is connected to the internet via a NAT'ed firewall. Users > on these networks access the internet via an Apache server acting as a > forwarding proxy. These local office proxies are then chained to a > single central forwarding proxy (think of it as being at head office) > from where the internet is accessed. > > The local office proxies are locked down to only accept requests from > their local 192.168 network. My problem is how to lock down the head > office proxy such that it only handles requests from the local office > proxies.
Use your local firewall to implement a transparent proxy, configure each local proxy to forward his request to the main proxy on a special port, filter on the main proxy with that port only and implement certificate authentication between the local and the central proxy. See the documentation of the proxy server. DO NOT USE apache for this. An alternative is to implement a VPN between the local offices and the central one and have the proxy only talks over the VPN. Davide -- Have you ever noticed that at trade shows Microsoft is always the one giving away stress balls... -- From a Slashdot.org post --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
