Posted to users@httpd.apache.org by David Vaughan <da...@satemail.com> on 2009/03/23 09:42:37 UTC

[users@httpd] Locking down a proxy server

I have a number of networks (think of them as being in local offices),
each of which is connected to the internet via a NAT'ed firewall.  Users
on these networks access the internet via an Apache server acting as a
forwarding proxy. These local office proxies are then chained to a
single central forwarding proxy (think of it as being at head office)
from where the internet is accessed.

Users log on to the local office networks and the central office network has
no knowledge of the user accounts.

The local office proxies are locked down to only accept requests from
their local 192.168 network. My problem is how to lock down the head
office proxy such that it only handles requests from the local office
proxies. I can't filter on the basis of the IP address as the local
offices have dynamic addresses.

In the prototype solution local office proxies add an X-header into the
request and the head office proxy rejects all requests not containing
this header. Whilst this prevents open abuse of the proxy, the solution
does feel a little bodged.

I was wondering whether it is possible to configure the local office
proxies to act as a client to use digest authentication. I know Apache
supports server side authentication but I'm struggling to see how it can
act as the client.

Any suggestions as to how I lock down my head office proxy gratefully
received.

Many thanks

Dave


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
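
The prototype described above (child proxy adds a header, head-office proxy
rejects requests without it), as an added illustration in Apache 2.2 syntax
of the time; this is not the poster's configuration, and the hostnames, ports,
header name and token value are assumptions.

```apache
## Head-office (parent) forward proxy -- assumed to listen on 8080
Listen 8080
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so

ProxyRequests On

# Flag requests whose header carries the expected (assumed) token value.
SetEnvIf X-Office-Token "^example-shared-token$" office_proxy=1

<Proxy *>
    # Deny everything, then allow only flagged requests. No address rule
    # is possible here because the local offices have dynamic addresses.
    Order Deny,Allow
    Deny from all
    Allow from env=office_proxy
</Proxy>

# Strip the token before the request goes on to internet origin servers.
RequestHeader unset X-Office-Token

## Local-office (child) forward proxy -- assumed to listen on 3128
Listen 3128
ProxyRequests On

# Chain every request to the head-office parent (assumed hostname).
ProxyRemote * http://proxy.headoffice.example:8080

# Add the header the parent checks.
RequestHeader set X-Office-Token "example-shared-token"

<Proxy *>
    # Only the local 192.168 network may use this proxy, as in the post.
    Order Deny,Allow
    Deny from all
    Allow from 192.168
</Proxy>
```

The static token travels in clear text on every request, which is why this check only limits open abuse of the parent rather than authenticating the child.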


Re: [users@httpd] Locking down a proxy server

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Mar 23, 2009 at 10:28 AM, David Vaughan
<da...@satemail.com> wrote:

> As the local offices are international I was reluctant to employ SSL
> technology because of the associated import/export restrictions.  Also,
> I'm not sure why you emphasise not to use Apache.

While Apache can be used as a general web proxy it is not the best
suited program for this.

I'd look into squid. You can install squid on all your local offices,
and configure it to use the central office as a "parent" cache. Squid
has several options for authentication, and it is possible to have
your "child" proxies authenticate themselves when accessing the
"parent" proxy.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



RE: [users@httpd] Locking down a proxy server

Posted by David Vaughan <da...@satemail.com>.
> From: Krist van Besien [mailto:krist.vanbesien@gmail.com]
> While Apache can be used as a general web proxy it is not the best
> suited program for this.
> 
> I'd look into squid. You can install squid on all your local offices,
> and configure it to use the central office as a "parent" cache. Squid
> has several options for authentication, and it is possible to have
> your "child" proxies authenticate themselves when accessing the
> "parent" proxy.

Yes, I did look at Squid for the "child" proxies, but decided on 
Apache because:
-  Relatively low throughput of the local office networks offers
   limited caching benefits.  However, I have observed disk_cache 
   generating warnings when it attempts to refresh cached headers.
-  I wanted the program to act as a web server for a small intranet;
-  I need to extend the server to interact with other Windows services
   for the purposes of validating user status and recording detailed
   accounting interactions. Apache seems far more open to this.


So far my best offer is validation based on a known type C address
together with an X-header containing verifiable data.


Dave



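
One way to give the X-header "verifiable data" rather than a fixed value, as
an added sketch that is not code from the thread: the child signs the office
id, a timestamp and the request line with a key shared with the parent, and
the parent recomputes the MAC inside a freshness window. The header name, key
and window are assumptions, and where the check would run on the head-office
Apache (a module, or the external validation service the poster plans) is
left open.

```python
"""Added sketch: per-request token for an X-header between chained proxies.

Header name, shared key and freshness window are assumptions. A copied
token is bound to one request line and expires after MAX_SKEW seconds.
"""
import hashlib
import hmac
import time

HEADER = "X-Office-Token"              # assumed header name
SHARED_KEY = b"example-key-rotate-me"  # constructed sample key
MAX_SKEW = 300                         # assumed validity window (seconds)


def _mac(key: bytes, office: str, ts: int, method: str, url: str) -> str:
    # Bind the token to one request line so it cannot be reused elsewhere.
    msg = f"{office}|{ts}|{method}|{url}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(key: bytes, office: str, method: str, url: str, now=None) -> str:
    """Child side: header value for one outgoing request."""
    ts = int(time.time() if now is None else now)
    return f"{office}:{ts}:{_mac(key, office, ts, method, url)}"


def verify_token(key: bytes, token, method: str, url: str,
                 now=None, max_skew: int = MAX_SKEW):
    """Parent side: return the office id for a fresh, valid token, else None."""
    try:
        office, ts_str, mac = token.split(":", 2)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return None                    # header missing or malformed
    if abs(int(time.time() if now is None else now) - ts) > max_skew:
        return None                    # stale token (replay outside window)
    if not hmac.compare_digest(mac, _mac(key, office, ts, method, url)):
        return None                    # wrong key or altered request line
    return office


if __name__ == "__main__":
    # Constructed sample: office-7 fetches a page through the parent.
    tok = make_token(SHARED_KEY, "office-7", "GET", "http://www.example.com/", now=1000)
    print(HEADER + ": " + tok)
    print(verify_token(SHARED_KEY, tok, "GET", "http://www.example.com/", now=1100))
```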


RE: [users@httpd] Locking down a proxy server

Posted by David Vaughan <da...@satemail.com>.
Davide Bianchi wrote:
> Use your local firewall to implement a transparent proxy, configure each
> local proxy to forward its request to the main proxy on a special port,
> filter on the main proxy with that port only and implement certificate
> authentication between the local and the central proxy. See the
> documentation of the proxy server. DO NOT USE Apache for this.
>
> An alternative is to implement a VPN between the local offices and the
> central one and have the proxy only talk over the VPN.

Yes, the local firewall is a transparent proxy using a special port
which is filtered at head office.

As the local offices are international I was reluctant to employ SSL
technology because of the associated import/export restrictions.  Also,
I'm not sure why you emphasise not to use Apache.

A VPN would be nice, but some of the connectivity will be via limited
bandwidth satellite connections, so I do not see this as a way forward.

Dave





Re: [users@httpd] Locking down a proxy server

Posted by Davide Bianchi <da...@walterisookeensufferukker.nl>.
David Vaughan wrote:
> I have a number of networks (think of them as being in local offices),
> each of which is connected to the internet via a NAT'ed firewall.  Users
> on these networks access the internet via an Apache server acting as a
> forwarding proxy. These local office proxies are then chained to a
> single central forwarding proxy (think of it as being at head office)
> from where the internet is accessed.
> 
> The local office proxies are locked down to only accept requests from
> their local 192.168 network. My problem is how to lock down the head
> office proxy such that it only handles requests from the local office
> proxies. 

Use your local firewall to implement a transparent proxy, configure each
local proxy to forward its request to the main proxy on a special port,
filter on the main proxy with that port only and implement certificate
authentication between the local and the central proxy. See the
documentation of the proxy server. DO NOT USE Apache for this.

An alternative is to implement a VPN between the local offices and the
central one and have the proxy only talk over the VPN.

Davide

-- 
Have you ever noticed that at trade shows Microsoft is always the
one giving away stress balls...
   -- From a Slashdot.org post
