Heya Steve,
> >
> > If you get REALLY stuck, grab a 486 / low end pentium, and simply run
> > junk buster on that - that way you can get away with stuff all in expenses,
> > and all you have to do is redirect requests to the junkbuster/486, and only
> > allow access to squid from the jb/486 machine ? considering all it will be
> > doing is acting as a data pump, you could quite easily get away with it -
> > worst case is that you'll have to get a p100 or something =]
>
> I've taken the advice from Bug Hunter in a previous mail and modified
> the configuration of Squid to only accept requests from localhost. So,
> that little problem is out of the way.
no problemo - probably a lil easier than doing it my way =]
> Thanks for the 486 idea though! We've got a pile of them sitting in the
> corner just WAITING for a use... Linux might be their salvation. Maybe
> a nice closet cluster? :)
depends on your task - if you've got the time and patience - read up on the
Beowulf project =]
or again, stick an OS on them, and give them to a smaller school etc, and
let them play with them - hell you might even get a tax write off =]
Zak
> > > > What if you made squid run on a different port? i.e. you could
> > > > have it so that it's set for 58347 (etc) and junkbuster talks to that -
> > > > alternatively - add a line to /etc/hosts.deny, denying all access to
> > > > port 3128, except for local host?
> > >
> > > The problem with the first solution is that there's still port
> > > <whatever> available for a wily user to attach to and get unfiltered
> > > access to the 'net. Making it a different port doesn't do much except
> > > stop a person from reading Squid docs to find out where it listens
> > > normally.
> > >
> > > The problem with the second idea is that Squid doesn't run through
> > > tcp_wrappers, so it ignores /etc/hosts.*. Running it through
> > > tcp_wrappers is NOT an option -- the performance hit would be horrible,
> > > I'd imagine...
> > >
> > > Thanks for the ideas, though. I _think_ I remember seeing a
> > > configuration option in squid.conf to limit who it listens to. Since
> > > all accesses should be from localhost, I think I can deny cache use to
> > > anything else. I'll give it a try and send my results to the list.
> > >
> > > --
> > > Steve Philp
> > >
> > >
> > > > ----- Original Message -----
> > > > From: Steve Philp <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Thursday, August 05, 1999 8:13 AM
> > > > Subject: [expert] Configuring Squid
> > > >
> > > > > Hello all!
> > > > >
> > > > > I'm having a problem that maybe someone here can help me with...
> > > > >
> > > > > I've set up a proxy server running Junkbuster and Squid for Internet
> > > > > access from our corporate network.
> > > > >
> > > > > Direct Internet access is forbidden by the router, allowing only traffic
> > > > > which comes from the proxy server. Clients are expected to talk to the
> > > > > Junkbuster proxy in order to reach the Internet (this allows us to
> > > > > filter and block extremely easily). The Junkbuster proxy talks to the
> > > > > Squid proxy to cache all requests.
> > > > >
> > > > > All of this is working fine, and I'm extremely happy with the "useless
> > > > > box in the closet" as it was known prior to its new Linux life.
> > > > >
> > > > > Our problem comes here:
> > > > >
> > > > > _IF_ our clients leave the proxy configured as we set it, they talk to
> > > > > Junkbuster and get filtered access to the net. However, they _could_
> > > > > change the port from 8000 to 3128 and talk to Squid instead, yielding
> > > > > unfiltered access.
> > > > >
> > > > > Does anyone know of a way to limit Squid so that it will only talk to
> > > > > Junkbuster? I'd like to simply throw an error page if someone tries to
> > > > > talk to Squid directly.
> > > > >
> > > > > Any hints would be extremely appreciated!
> > > > >
> > > > > --
> > > > > Steve Philp
> > > > > Network Administrator
> > > > > Advance Packaging Corporation
> > > > > [EMAIL PROTECTED]
> > > > >
> > >
>
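
The localhost-only restriction discussed in this thread, as an added example that is not part of the original messages: two constructed squid.conf fragments (one that admits LAN clients, one that admits only loopback) and a small evaluator for Squid's `acl ... src` and `http_access` lines that checks which clients each would admit. It assumes Junkbuster runs on the same host and forwards to Squid via 127.0.0.1; the fragments, addresses and function names are illustrative.

```python
import ipaddress

# Constructed squid.conf fragments (assumptions, not Steve's actual config).
LAN_OPEN = """
acl lan src 192.168.0.0/16
http_access allow lan
http_access deny all
"""
LOCAL_ONLY = """
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Collect 'acl NAME src ...' networks and ordered http_access rules."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # 'all' treated as predefined
    rules = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1] == "allow", tok[2:]))
    return acls, rules

def matches(acls, name, ip):
    """True if ip is in the named src ACL; a leading '!' negates."""
    hit = any(ip in net for net in acls.get(name.lstrip("!"), []))
    return hit != name.startswith("!")

def allowed(conf, client_ip):
    """First matching http_access line wins and all ACLs on it must match.
    With no match the result is the opposite of the last line; with no
    http_access lines at all, access is denied."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for allow, names in rules:
        if all(matches(acls, n, ip) for n in names):
            return allow
    return (not rules[-1][0]) if rules else False

if __name__ == "__main__":
    for label, conf in (("LAN_OPEN", LAN_OPEN), ("LOCAL_ONLY", LOCAL_ONLY)):
        for client in ("127.0.0.1", "192.168.1.50"):
            print(label, client, "allowed" if allowed(conf, client) else "denied")
```

Because of the fall-through rule, a rule set that ends in a narrow deny (for example only `http_access deny lan`) admits every client that no line matched, so the explicit final `http_access deny all` is what keeps direct connections to port 3128 out.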