[svlug] using reverse-proxy and firewall...

George Georgalis georgw at galis.org
Wed Jan 8 09:11:22 PST 2003


Hi,

I'm setting up a reverse proxy, a setup I thought would be simple:

1) use iptables to redirect ip:80 to ip:3130 on the firewall
2) run the webserver on a local subnet, port 80
3) run squid on firewall
4) use djbdns conditionals to give the firewall ip answers for internet queries
5) use djbdns conditionals to give the webserver ip answers for local queries

so access from the internet would get to the firewall, have its port
changed to squid port, squid would look up the domain, discover the
local ip, query the webserver, and reply to the internet client.

okay so what's wrong with that scenario? squid gets the request on port
3130 and queries the webserver on that port too, bummer.

I can think of several different ways to fix this, but which is the
best? I want to avoid the obvious, have squid listen on port 80, because
the firewall function is already quite complex and that would make it
really confusing (if you saw how it's put together). The next thought
would be to run the webserver on 3130 :) but that seems funny.

I'm hoping there is a line I can adjust in the squid.conf to fix it, but
didn't see anything on my first pass. Is there a fix in there? Is there
a better way to do this?

// George

Some links:
http://www.squid-cache.org
proxy / reverse proxy
http://www.squidguard.org/
an acl / blacklist plugin for squid
http://en.tldp.org/HOWTO/mini/TransparentProxy.html
Transparent Proxy with Linux and Squid mini-HOWTO
http://www.ists.dartmouth.edu/IRIA/projects/d_jeanne.htm
some white paper I haven't read...


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
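As an added example, not part of George's post and not code from the squid, djbdns or iptables projects, the following script prints the three configuration fragments that the five-step plan above needs: the iptables redirect, the squid reverse-proxy stanza, and the tinydns split-horizon data. Everything concrete in it is assumed for illustration: the firewall's public address 203.0.113.10, the webserver's LAN address 10.0.0.5, the 10.0.0 subnet, the site name www.example.com, and eth0 as the outside interface. It also assumes the squid 2.6-or-later `http_port ... accel` / `cache_peer ... originserver` syntax rather than the `httpd_accel_*` directives of the squid 2.5 that a 2003 post would have used. The `cache_peer` line is the part that addresses the problem in the post: `originserver` with an explicit `parent 80` makes squid talk to the backend on port 80 regardless of the port the request arrived on.

```shell
#!/bin/sh
# Added example: generates the config fragments for an iptables + squid +
# tinydns reverse-proxy setup. All addresses and names below are assumed.
FW_PUBLIC_IP=203.0.113.10   # firewall's Internet-facing address (assumed)
WEB_LAN_IP=10.0.0.5         # webserver on the local subnet (assumed)
LAN_PREFIX=10.0.0           # local subnet, as a tinydns %location prefix (assumed)
OUTSIDE_IF=eth0             # firewall's outside interface (assumed)
SITE=www.example.com        # the accelerated site (assumed)
SQUID_PORT=3130

# Step 1: on the firewall, send Internet traffic for ip:80 to squid's port.
# REDIRECT only rewrites the destination port; the client keeps seeing ip:80.
iptables_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $OUTSIDE_IF -p tcp -d $FW_PUBLIC_IP --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $OUTSIDE_IF -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# Step 3: squid.conf fragment. "accel" makes squid a reverse proxy on 3130;
# "cache_peer ... parent 80 ... originserver" pins the backend to port 80, so
# squid no longer forwards to the webserver on the port it received the
# request on. The ACL keeps the accelerator from becoming an open proxy.
squid_conf() {
  cat <<EOF
http_port $SQUID_PORT accel defaultsite=$SITE vhost
cache_peer $WEB_LAN_IP parent 80 0 no-query originserver name=web
acl site dstdomain $SITE
http_access allow site
http_access deny all
cache_peer_access web allow site
cache_peer_access web deny all
EOF
}

# Steps 4 and 5: tinydns data. %lo matches clients whose address starts with
# the LAN prefix; %ex with an empty prefix matches everyone else (tinydns
# picks the longest matching prefix). LAN clients get the webserver's address,
# Internet clients get the firewall's.
tinydns_data() {
  cat <<EOF
%lo:$LAN_PREFIX
%ex
+$SITE:$WEB_LAN_IP:86400::lo
+$SITE:$FW_PUBLIC_IP:86400::ex
EOF
}

# Run stand-alone: print all three fragments for review before installing them.
printf '# --- iptables (firewall) ---\n'; iptables_rules
printf '\n# --- squid.conf (firewall) ---\n'; squid_conf
printf '\n# --- tinydns data (firewall''s nameserver) ---\n'; tinydns_data
printf '\n# check from outside, after "make" in the tinydns data dir and a squid reload:\n'
printf '# curl -sv -H "Host: %s" http://%s/ 2>&1 | grep -i "^< "\n' "$SITE" "$FW_PUBLIC_IP"
```

The script only prints; nothing is applied until the fragments are pasted into the firewall's iptables script, squid.conf and the tinydns data file. A sensible check after installing them is the `curl` line it prints: from an outside host it should return the webserver's headers via the firewall's public address on port 80, and `squid -k parse` should accept the squid.conf fragment before the reload.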