> > BTW. Is your squid transparent?
>
> No.
>
> > BTW#2. Why do you proxy https traffic at all?
> > What are you trying to achieve?
>
> Security. From what I learned, it is to deny direct TCP connections to the
> internet. I can go direct in this case but that is an exception.
> Besides, it's easy to implement squid's ACLs.

Give me an example of some security measure which you can accomplish with
squid but not with masquerading using iptables. If you can't, maybe you need
to think first about what exactly you are trying to accomplish. I hope you
aren't thinking "I do not exactly know why, but folks said it is more
secure"? ;)

If you do need some filtering via squid, at least make it transparent and
unavoidable for your users. Now you have to set up each user's IE to use
squid, right? Nothing prevents them from re-enabling direct access to Inet.

> > IE DoSes your server. In this case inadvertently but still,
> > you have to take measures.
> > You probably should configure squid/Domino to limit the number
> > of TCP connections from one IP, the total number of open
> > connections and/or limit max connection lifetime.
>
> I know you are very kind and are trying to help me, thx very much for
> this. But this cannot be a solution. There is something fundamentally
> wrong. I can take down one server with just one client -easily-.

Exactly. Right now, you triggered a DoS with an IE bug (or maybe it's a
squid bug? we are not 100% sure). But any user can do the same with very
simple tools like netcat and/or stunnel. You have to make it impossible if
you want a rock stable system. And I gave you a few ideas how to do that.
Why "this cannot be a solution"?
--
vda
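The measures vda lists above (interception mode so the proxy cannot be bypassed, a per-client connection cap, a ceiling on total connections, and a bound on connection lifetime) map onto a handful of squid.conf directives. The fragment below is an added example written for this page; it is not configuration from either poster. The directive names are the ones Squid 2.x and 3.x document; the numeric limits, the listen port, the interface name in the iptables comment and the `max_filedescriptors` line (Squid 3.x) are assumptions to adapt to the site.

```conf
# Added example (not from the thread): squid.conf fragment implementing the
# limits suggested in the reply. Check your version's squid.conf.documented
# before relying on a directive; names below are from Squid 2.x/3.x.

# Interception ("transparent") listener. Squid 2.x spells the option
# "transparent"; Squid 3.1 and later use "intercept" on the same line.
http_port 3128 transparent

# Per-client cap: a request is denied when its source IP already has more
# than 20 TCP connections established to squid. One runaway client (the IE
# case in the thread) can no longer consume every slot on the box.
acl too_many_conns maxconn 20
http_access deny too_many_conns

# Upper bound on the life of any single client connection (default is 1 day).
client_lifetime 30 minutes

# Idle persistent (keep-alive) connections are closed after this long.
pconn_timeout 1 minute

# Total-capacity ceiling (Squid 3.x name; assumption for older releases):
# squid needs one descriptor per open connection, so this bounds the number
# of simultaneous connections. The process ulimit must allow at least this.
max_filedescriptors 4096

# To make the proxy unavoidable, pair this with a NAT redirect on the gateway
# so port-80 traffic reaches squid whether or not IE is configured for it
# (interface name is an assumption):
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```

Note that the redirect covers port 80 only. A forwarding proxy of this generation cannot intercept TLS connections, so HTTPS either keeps an explicit proxy setting in the browser or is dropped outright at the gateway; it is the combination of the redirect and a default-deny forwarding policy, not the proxy on its own, that removes the "direct access to Inet" escape hatch vda describes.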
