Re: squid replacement
Sean Kamath writes:

> Just which hosts and ports? No caching?

Sorry, I should have given a better description ...

We proxy http, https, and rsync. squid functions as a simple L7 relay for those protocols. The purpose of the proxy is to restrict 1) which internal hosts can establish outbound connections in the first place, and 2) which hosts they can connect to. E.g., our admin hosts that handle billing can only connect to our payment processor's services. The server that front-ends the internal help desk can only connect to hubscout. Etc.

Pretty simple, we just don't want to make it easy for people to exfiltrate data if they do manage to get a foothold inside.

There's also the issue of most of our internal infrastructure servers running in 1918 address space. We don't NAT at the border, so the proxy is their only way out (again, by design).

> Kinda sounds like a pf.conf solution. . . Maybe with relay to relay everything through a firewall?

That's how we used to do it. The problem is upstream services change their IP addresses on a surprisingly frequent basis, and they don't always let people know this is happening. By using the proxy, I no longer have to hardwire and keep track of IP addresses. The squid ACLs serve as the L7 "firewall", and we have a single rule on the border firewall that allows the proxy host unfettered access to ports 80, 443, and 873.

--lyndon
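As an added example (not posted by anyone in this thread), here is a squid.conf that implements the setup Lyndon describes: no caching, clients restricted by source address, each client group allowed only to a named set of upstream services, and only ports 80, 443 and 873 served. Every network, host address and vendor domain below is a constructed placeholder; `.openbsd.org` stands in for whichever mirror host is actually used, and the log path is the OpenBSD package default and may need adjusting.

```squid
# Added example, not from the thread: an L7 egress relay with no caching.
# All addresses and domain names here are constructed placeholders.

# Listen only on the proxy's internal interface (constructed address)
http_port 10.0.0.5:3128

# --- which internal (RFC 1918) hosts may talk to the proxy at all ---
acl billing_admins  src 10.10.1.0/24     # constructed: billing admin hosts
acl helpdesk_front  src 10.10.2.10/32    # constructed: help desk front-end
acl mirror_host     src 10.10.3.20/32    # constructed: OpenBSD mirror box

# --- where each group may go, by name rather than IP, so upstream
#     address changes never require editing this file ---
acl payment_api     dstdomain .payments.example          # constructed
acl helpdesk_saas   dstdomain .helpdesk-vendor.example   # constructed
acl openbsd_mirrors dstdomain .openbsd.org               # placeholder mirror

# --- protocols relayed: http (80), https (443 via CONNECT), rsync (873 via CONNECT) ---
acl Safe_ports port 80 443 873
acl SSL_ports  port 443 873        # CONNECT tunnels are permitted only to these
acl CONNECT    method CONNECT

# Hard limits first: unknown ports, and CONNECT to anything but a tunnel port
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Pairwise policy: both the client group AND the destination must match a line.
# http_access is evaluated top to bottom; the first matching line wins.
http_access allow billing_admins payment_api
http_access allow helpdesk_front helpdesk_saas
http_access allow mirror_host    openbsd_mirrors

# Anything else, including any internal host not listed above, is refused
http_access deny all

# Pure pass-through: no cache_dir is declared and nothing is stored in memory
cache deny all

# The access log is the egress audit trail for the hosts above
# (path is the OpenBSD package default; adjust to your install)
access_log /var/squid/logs/access.log squid
```

Check the file with `squid -k parse` before reloading. Because `dstdomain` matches the hostname in the request line (for https and rsync, the CONNECT target), the proxy keeps enforcing the policy when a vendor moves to new addresses; the only address that has to appear in the border pf rule set is the proxy itself, allowed out to 80, 443 and 873, as described in the message above. Adding 873 to `SSL_ports` is what lets an rsync client pointed at the proxy via `RSYNC_PROXY` tunnel through, while still being refused any other CONNECT target.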
Re: squid replacement
On 2023-10-20, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:

> We've been running squid on OpenBSD for years, but it seems these days that any time it tries to proxy a file > 1MB, it just dies. This makes it impossible to do things like mirror the OpenBSD distributions.
>
> Does anyone know of another HTTP proxy that supports squid-style ACLs? That's a big part of why we chose it in the first place. We restrict which hosts can connect to the proxy, and further restrict which hosts they can connect to upstream. We don't need (or want) caching -- just connection pass through.
>
> I've been looking for a while but haven't found anything with equivalent ACL support. Anybody out there have suggestions for a likely candidate?

Perhaps Apache httpd with mod_proxy can do what you want.

No problems with Squid with >1MB files here though...
Re: squid replacement
> On Oct 20, 2023, at 11:35, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
>
> Does anyone know of another HTTP proxy that supports squid-style ACLs? That's a big part of why we chose it in the first place. We restrict which hosts can connect to the proxy, and further restrict which hosts they can connect to upstream. We don't need (or want) caching -- just connection pass through.

Just which hosts and ports? No caching?

Kinda sounds like a pf.conf solution. . . Maybe with relay to relay everything through a firewall?

Sean
squid replacement
We've been running squid on OpenBSD for years, but it seems these days that any time it tries to proxy a file > 1MB, it just dies. This makes it impossible to do things like mirror the OpenBSD distributions.

Does anyone know of another HTTP proxy that supports squid-style ACLs? That's a big part of why we chose it in the first place. We restrict which hosts can connect to the proxy, and further restrict which hosts they can connect to upstream. We don't need (or want) caching -- just connection pass through.

I've been looking for a while but haven't found anything with equivalent ACL support. Anybody out there have suggestions for a likely candidate?

Thanks,

--lyndon