I am using Squid to create a proxy server for framework related to an application. My users sit on a private network in 191.xx.xx.xx space and my proxy sits in a different private network in 188.xx.xx.xx space. There will be a NAT in place to allow bidirectional communications but is there an issue with the users accessing the proxy through a translated ip????
I appreciate all the help, this is a first time for me!
No more than without the proxy server. You may lose some identity information if the NAT assigns addresses and ports from a pool. The obvious place to put a proxy is on the firewall network boundary, that is to say, within the local no-NAT domain, so you get the identity right, and let the proxy have access, perhaps bypassing NAT/that-firewall. Of course, if you serve many such behind-NAT spaces, you need a NIC or tunnel so they can all locally connect to the proxy, or many proxy servers. If the power/resources are right, a proxy on a firewall with a local DNS server on the firewall is not a bad model -- just a different way through the same firewall. The proxy server is a very heavy DNS user, so a local DNS cache can be a nice idea. There is a wonderful feeling when you prevent a packet from needing to go out on a network!
DG Thank You, was very educational about proxy servers, do you ever have to deal with ACL's? I need to allow a large scope of 7,700 IPs and block everything else?
Many firewalls allow you to drop in a subroutine of your own. I would put the 8K IPs into a hash map for quick testing, with a hash designed for the form (ascii is slower, bulkier). 8K rules might be a bit bulky. Of course, I imagine they are in specific nets. RWHashTable
Thanks DG I am looking for constant expressions in the url, instead of doing by IP. Instead of allowing by 7000+ IPs there is some consistency in the context of the url patterns.
Be careful, there should not be a back door by using an IP.