httpd-users mailing list archives

From Davide Bianchi <dav...@walterisookeensufferukker.nl>
Subject Re: [users@httpd] Locking down a proxy server
Date Mon, 23 Mar 2009 08:56:35 GMT
David Vaughan wrote:
> I have a number of networks (think of them as being in local offices),
> each of which is connected to the internet via a NAT'ed firewall.  Users
> on these networks access the internet via an Apache server acting as a
> forwarding proxy. These local office proxies are then chained to a
> single central forwarding proxy (think of it as being at head office)
> from where the internet is accessed.
> 
> The local office proxies are locked down to only accept requests from
> their local 192.168 network. My problem is how to lock down the head
> office proxy such that it only handles requests from the local office
> proxies. 

Use your local firewall to implement a transparent proxy, configure each
local proxy to forward its requests to the main proxy on a special port,
filter on the main proxy with that port only and implement certificate
authentication between the local and the central proxy. See the
documentation of the proxy server. DO NOT USE Apache for this.

An alternative is to implement a VPN between the local offices and the
central one and have the proxy only talk over the VPN.

Davide

-- 
Have you ever noticed that at trade shows Microsoft is always the
one giving away stress balls...
   -- From a Slashdot.org post
