From: "David Vaughan"
Date: Mon, 23 Mar 2009 09:28:39 -0000
Subject: RE: [users@httpd] Locking down a proxy server

Davide Bianchi wrote:
>Use your local firewall to implement a transparent proxy, configure each
>local proxy to forward his request to the main proxy on a special port,
>filter on the main proxy with that port only and implement certificate
>authentication between the local and the central proxy. See the
>documentation of the proxy server. DO NOT USE apache for this.
>
>An alternative is to implement a VPN between the local offices and the
>central one and have the proxy only talk over the VPN.

Yes, the local firewall is a transparent proxy using a special port which is
filtered at head office.

As the local offices are international I was reluctant to employ SSL technology
because of the associated import/export restrictions. Also, I'm not sure why you
emphasise not to use Apache.

A VPN would be nice, but some of the connectivity will be via limited bandwidth
satellite connections, so I do not see this as a way forward.

Dave