
How To Setup Squid Proxy Server to use outgoing IP address

Squid is a powerful, fast object cache server. It proxies FTP and WWW sessions, which makes it relatively safe: Squid would be very hard to use to actually compromise the system, and it runs as a non-root user (typically 'nobody'), so that is generally not much to worry about. Your main worry with Squid should be improper configuration. For example, if Squid is connected both to your internal network (as is usually the case) and to the Internet (again, very common), it could be used to reach internal hosts, even ones using non-routed IP addresses. Proper configuration of Squid is therefore very important.

The simplest way to make sure this doesn't happen is to use Squid's own configuration to bind it only to the internal interface(s), so the outside world cannot even attempt to use it as a proxy into your internal LAN. In addition, firewalling it is a good idea. Fortunately Squid has very good ACLs (Access Control Lists) built into the squid.conf file, allowing you to lock down access by name, IP, network, time of day, and day of the week. Remember, however, that the more complicated an ACL is, the slower Squid will be to respond to requests.

Example: requests from 10.0.0.0/24 are forwarded with source address 10.1.0.1, requests from 10.0.2.0/24 with source address 10.1.0.2, and everything else with source address 10.1.0.3.

# client ranges (an acl line needs its type, here 'src', before the address)
acl abc src 10.0.0.0/24
acl xyz src 10.0.2.0/24

# first matching line wins; the last line has no ACL, so it catches everything else
tcp_outgoing_address 10.1.0.1 abc
tcp_outgoing_address 10.1.0.2 xyz
tcp_outgoing_address 10.1.0.3

Combined with binding Squid to the internal interface and the access ACLs described above, this configuration will prevent anyone from using Squid to probe your internal network.
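The following squid.conf fragment, added here as an example and not taken from the original post, puts the three pieces the post describes together: binding the listener to the internal interface, ACLs that say who may use the proxy and which destinations it must never forward to, and the per-client-range tcp_outgoing_address lines from the post. The addresses 10.0.0.1 (Squid's internal-facing interface) and the private destination ranges are assumptions for illustration; the 10.0.0.0/24, 10.0.2.0/24 and 10.1.0.x addresses are the post's own.

```squid
# Added example configuration (not from the original post). Assumed addresses:
# 10.0.0.1 is Squid's internal-facing interface; 10.0.0.0/24 and 10.0.2.0/24
# are the LAN client ranges from the post; 10.1.0.x are the outgoing addresses.

# 1. Listen only on the internal interface, never on the Internet-facing one.
http_port 10.0.0.1:3128

# 2. Define who may use the proxy (client source ranges) ...
acl localnet src 10.0.0.0/24
acl localnet src 10.0.2.0/24

# ... and what they must not reach through it: the private ranges themselves,
# so the proxy cannot be turned into a bridge to internal hosts.
acl to_internal dst 10.0.0.0/8
acl to_internal dst 172.16.0.0/12
acl to_internal dst 192.168.0.0/16

http_access deny to_internal
http_access allow localnet
http_access deny all

# 3. Choose the outgoing source address per client range. Squid uses the first
# tcp_outgoing_address line whose ACLs match; a line with no ACL matches
# everyone, so it must come last.
acl abc src 10.0.0.0/24
acl xyz src 10.0.2.0/24

tcp_outgoing_address 10.1.0.1 abc
tcp_outgoing_address 10.1.0.2 xyz
tcp_outgoing_address 10.1.0.3
```

Run `squid -k parse` after editing to catch syntax mistakes such as an acl line missing its type, then `squid -k reconfigure` to load the new file. Order matters in both the http_access and tcp_outgoing_address sections: Squid stops at the first matching line, so the catch-all entries belong at the end.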
