From: Mats L. <mat...@bo...> - 2004-04-26 18:22:03
>I've always considered the "usual reason" for having a proxy is to
>improve performance and reduce bandwidth usage by providing a large
>centralized cache for all internet users. Plus some people also use
>squid to limit internet access to certain users and/or restrict access
>to certain sites. That is the basis of my previous statements.
>
>I've never heard of someone using squid _only_ to increase security.
>That doesn't mean you're wrong, but browser vulnerabilities seem to be
>rare these days, and you increase the security of browsers at the risk
>of future potential squid exploits.
>
>I was looking at squid's web site, seeing what they had to say about
>increasing security. I didn't find anything (only a quick look) about
>browser security, but I did find something relating to your original
>problem/question.
>
>It appears that you CAN'T run squid without modifying the default
>config. See: http://www.squid-cache.org/Doc/FAQ/FAQ-25.html
>
>Quoting from the above URL:
>
>"Squid's default configuration file denies all client requests. It is
>the administrator's responsibility to configure Squid to allow access
>only to trusted hosts and/or users.
>
>If your proxy allows access from untrusted hosts or users, you can be
>sure that people will find and abuse your service. ...."
>
>Plus, if your main concern is security, you shouldn't accept anyone's
>defaults for any internet service.
>
> - BS
>

Maybe I'm overdoing things then, there might be no reason for having Squid only for security. And no, I did not intend to use default configuration when using it for real, it was just to get going.

What's left is then DNS cache and packet filtering. I guess the named service in DL can do the DNS cache thing, using ramdisk for storage. Is that assumption correct?

/Mats