Date: Sat, 1 Oct 1994 15:12:12 +0100
Message-Id: <199410011410.PAA13576@gammix.tunix.kun.nl>
From: "Jeroen Vanheste" <jeroen@tunix.kun.nl>
To: Multiple recipients of list <www-proxy@www0.cern.ch>
Subject: Re: security questions about proxy configuration

Hello,

>> -I am able to associate a Protect template with certain URL's, for instance:
>>
>> Protection PROTNAME {
>> GetMask ...
>> }
>>
>> Protect http:* PROTNAME
>>
>> The GetMask defines the hosts that the server will proxy for. However,
>> I want to be able to limit the *destination* hosts: for instance, I do
>> not want proxy operation when the *destination* is X, Y, or Z. Am I right
>> that the CERN server cannot be configured in this way?
>> If so, I consider this to be a major shortcoming.
>
>No - this is possible. You have to use the `no_proxy' environment
>variable when you start up the proxy client. Here you can specify
>destinations where the proxy should not be consulted. More information
>at
>
> http://info.cern.ch/hypertext/WWW/Daemon/User/Proxies/ProxyClients.html
>

In fact, this is not what I meant. I should make my point more clear.
What I meant was that I want *the server* to be able to decide that he will
not be proxy-server for certain client-destinations combinations.

Let me explain this. We have set up a proxy-server in the network of
a large corporation, consisting of many subnetworks. Of course, the
proxy-server is meant for protecting the corporate network against the
Internet and for caching. However, there is a side-effect we don't like:
before, communication between different subnetworks of this corporation
was only possible in a limited way. For example:

        Firewall
            |
        --------
        |      |
     subnet1 subnet2

Communication between subnet1 and subnet2 might not be allowed, but
communication between either subnet1 or subnet2 and the firewall is allowed.
Now, using the proxy-server, subnet1 might pass a URL ftp://host.subnet2.com
and succeed in this! The proxy-server should pass ftp URL's to the Internet,
but ftp URL's to the subnet2 should not be passed.

Hence my question: can proxy-operation be configured *on the server*
on the basis of the *destination*?

Of course I looked at the manual, and I think maybe I could try something
like

    Protect ftp://*.subnet2.com/*

but this is not enough: I want as much generality as possible, for example:
machine A on subnet1 is allowed to communicate with B on subnet2, but C
on subnet1 is not allowed to communicate with B on subnet2, and so on.
In general, I do not want that the existence of the proxy-server lowers
the level of internal corporate security we had before.

I am very interested in your comments on this. Maybe it is the case that
the proxy-server is not designed for this kind of problems - i.e. that it
is designed just for internet-external communications?

Kind regards, Jeroen.
________________________________________________________________________________
Jeroen Vanheste Tel: +31 80 528819 jeroen@tunix.kun.nl
TUNIX Open System Consultants P.O. Box 31070 6503 CB Nijmegen, The Netherlands
________________________________________________________________________________
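
The per-client, per-destination decision asked for in the message above, as an added example that is not part of the original message and is not CERN httpd configuration or code. The addressing plan, the host table standing in for DNS, the rule list and the function names are all constructed for illustration; the check is made on the resolved destination address rather than on the name in the URL.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed addressing plan (assumption): two internal subnets behind the firewall.
SUBNET1 = ipaddress.ip_network("10.1.0.0/16")
SUBNET2 = ipaddress.ip_network("10.2.0.0/16")
INTERNAL = [SUBNET1, SUBNET2]

# Constructed name-to-address table standing in for DNS so the example runs offline.
HOSTS = {
    "b.subnet2.com": "10.2.0.20",
    "host.subnet2.com": "10.2.0.30",
    "ftp.example.org": "192.0.2.10",
}

# Ordered rules (client network, destination network, allow). First match wins.
RULES = [
    # Machine A on subnet1 may reach machine B on subnet2.
    (ipaddress.ip_network("10.1.0.5/32"), ipaddress.ip_network("10.2.0.20/32"), True),
    # Everything else between the two subnets stays closed, as before the proxy.
    (SUBNET1, SUBNET2, False),
    (SUBNET2, SUBNET1, False),
]

def resolve(host):
    """Return the destination address, or None if the name is unknown."""
    try:
        return ipaddress.ip_address(host)  # URL already carries an address literal
    except ValueError:
        return ipaddress.ip_address(HOSTS[host]) if host in HOSTS else None

def may_proxy(client_ip, url):
    """Decide on the server whether to proxy this client/destination pair."""
    client = ipaddress.ip_address(client_ip)
    host = urlsplit(url).hostname
    dest = resolve(host) if host else None
    if dest is None:
        return False  # no usable destination: refuse rather than guess
    for src_net, dst_net, allow in RULES:
        if client in src_net and dest in dst_net:
            return allow
    # No rule matched: internal destinations stay closed, Internet ones are proxied.
    return not any(dest in net for net in INTERNAL)
```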