Jason Haar <jason@oit.co.uk> wrote:
>We have a situation where there's a Web server within our firewall (i.e.
>no direct access) that we want to make available to the Internet. Instead
>of physically moving the box into our DMZ or hooking up some
>proxy-redirector, I wondered if I could use Squid to achieve the same
>effect.
>
>I see that Squid supports virtual interfaces when they're on the squid
>host only - is there a (complicated no doubt ;-) reason for this?
If you're talking about proxying requests through to the internal
server, you would be well advised to seriously consider the security
ramifications of doing this. Consider:
* I was easily able to, based on information in security alert
bulletins, write a tool that allowed me to execute any command on a
misconfigured NCSA or Apache web server, including starting an
xterm with a shell back on my system; a great effect when wanting
to impress others with the importance of proper server
configuration. Various NT web servers have had similar holes. If
the server's inside a firewall, I presumably couldn't get an xterm
back to me, but I could still wreak all sorts of havoc. Going
through a proxy wouldn't protect from this particular attack; I
implemented it through one. See:
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
* The CIA web server that was recently hacked was (reportedly)
located outside their firewall where it was directly exposed to the
internet (with _stupid_ security holes unplugged, allegedly). If
it had been inside their firewall, its compromise could easily have
been a stepping stone to bigger prizes inside. (See
http://www.skeeve.net/cia/ for a mirror of the content placed on
the CIA server by Swedish hackers. Warning: it's slow.)
Perhaps you should consider some sort of automatic mirroring software
to copy your internal server's contents to an external server, if live
content or DB access is not involved. Otherwise, consider how you
could firewall the internal server on the internal LAN to minimize the
impact of its compromise on the rest of your internal security.
That said, a technical how-to question deserves a technical answer...
If you have the capability of allowing a TCP connection from an
externally available Squid proxy to the internal Web server, you can
configure Squid to connect to the internal server for URLs that
reference it. You don't mention the type of firewall you're using. If
it's a filtering router, you'll need to open up a hole for that
specific connection. If it's a proxy firewall, you'll need to
configure a TCP gateway (a la plug_gw) for the connection and tell Squid
to use the firewall as a proxy.
I've not done it with squid, but I did exactly this with the Harvest
cache some time ago:
cache_host fwall parent 80 7
cache_host_domain fwall www.foo.com
Fwall had a plugboard proxy to cross-connect connections to its port 80
from the cache to port 80 on www.foo.com. I presume that this or
something quite similar would work with Squid.
-- KH
Received on Tue Sep 24 1996 - 07:36:41 MDT
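As an added example (not part of KH's message, and not taken from the Squid project's own documentation), the Harvest cross-connect above expressed in current Squid syntax, where cache_host became cache_peer and cache_host_domain became cache_peer_access. The published name www.foo.com is the one used in the post; the internal server address 10.1.2.3, the peer name internal_www and the port are placeholders. The ACLs are what turns a plain parent-peer setup into something that only answers for the one published site, so the proxy cannot be used as an open forward proxy into the LAN, which is the concern raised earlier in the message.

```squid
# Added example configuration for the externally reachable Squid host
# (Squid 3.x or later syntax). Placeholders: 10.1.2.3, internal_www.
# If the firewall is a filtering router, the only hole needed is TCP from
# this host to 10.1.2.3 port 80; nothing else is opened.

# Accelerator (reverse-proxy) listener for the published site only.
# no-vhost: the client's Host header is not used to pick a destination,
# so it cannot steer a request at some other internal name.
http_port 80 accel defaultsite=www.foo.com no-vhost

# The internal web server, declared as an origin server rather than a
# sibling cache (originserver), with ICP disabled (no-query). This is the
# equivalent of "cache_host fwall parent 80 7" in the Harvest example.
cache_peer 10.1.2.3 parent 80 0 no-query originserver name=internal_www

# Equivalent of "cache_host_domain fwall www.foo.com": only requests for
# the published site may be routed to that peer.
acl published_site dstdomain www.foo.com
cache_peer_access internal_www allow published_site
cache_peer_access internal_www deny all

# Never let Squid resolve and contact origin hosts on its own; every
# request must go through a declared peer or be refused.
never_direct allow all

# Only ordinary methods for the published site are served. Everything
# else (other hosts, CONNECT, PURGE, proxy-style absolute URLs for
# internal names) is denied, so the box is not an open proxy.
acl published_methods method GET HEAD POST
http_access allow published_site published_methods
http_access deny all
```

After loading this, a quick check from outside is a request for http://www.foo.com/ (served) followed by one for any other name, for example a proxy-style request for an internal host; the second must come back with a Squid access-denied page, never with content from the LAN. If it does not, the ACL order above has been changed and the proxy is open.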
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:03 MST