Amos Jeffries
Mon, 08 Feb 2010 19:54:38 -0800
Jeff Peng wrote:
On Mon, 2010-02-08 at 22:14 -0300, Alejandro Facultad wrote:
Dear all, I have a webmail which must be accessed by users from another network. The content of the webmail is not static obviously, so the content caching is not an advantage here. Also the webmail is just one server, so load balancing is not important here. So is there any security advantage of using a Squid as a reverse proxy in front of my webmail ??? Because I can't see any security benefit...

DDoS reduction? Squid raises your server traffic threshold for DDoS attack before it falls over by several orders of magnitude.
Then there is the source security controls Jeff points out below.
At some points you can consider Squid as an application firewall, and set up some rules like:

    acl badip src 192.168.0.100
    http_access deny badip

    acl badsite referer_regex -i qq.com
    http_access deny badsite

    acl badconn maxconn 20
    http_access deny badconn

    acl badbrow browser -i Sosospider
    http_access deny badbrow

Those may help improve some security, but it depends... Squid is just a cache, if you don't need the cache feature, you may not want to use it.
"just a cache" ha! It's a general-use HTTP proxy. Doing load balancing, full set of CDN features for HTTP-as-service, HTTP flow redirection/reflection, bandwidth shaping, caching, HTTP security, and protocol conversion.
I'm sure I've left off a bunch of things too.

But yes, I see the point, Squid might not be _that_ beneficial for a single load-critical non-cachable app.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16
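
The rules from Jeff's message placed in a complete reverse-proxy (accelerator) configuration, as an added example that is not from any participant in the thread. The hostname webmail.example.com and the origin address 192.0.2.10 are placeholders. http_access lines are checked top to bottom and the first match wins, so the deny rules sit above the allow, and the closing deny makes the default explicit instead of leaving it as the opposite of the last rule.

```squidconf
# Added example. webmail.example.com and 192.0.2.10 are placeholders.

# Listen as an accelerator (reverse proxy) for a single site.
http_port 80 accel defaultsite=webmail.example.com

# The one webmail origin server behind Squid.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=webmail

# Squid 2.7 needs this definition; 3.0 and later predefine "all".
# acl all src all

# Source controls from the thread.
acl badip   src 192.168.0.100
acl badsite referer_regex -i qq.com
# Matches once a client IP has more than 20 open TCP connections
# (relies on client_db being on, which is the default).
acl badconn maxconn 20
acl badbrow browser -i Sosospider

# The only site this proxy should ever serve.
acl webmail_site dstdomain webmail.example.com

# Deny rules first, then allow the published site, then deny the rest.
# With deny lines only, anything unmatched would be allowed.
http_access deny badip
http_access deny badsite
http_access deny badconn
http_access deny badbrow
http_access allow webmail_site
http_access deny all

# Send only requests for the published site to the origin.
cache_peer_access webmail allow webmail_site
cache_peer_access webmail deny all

# The webmail content is dynamic, so store nothing.
cache deny all
```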