[plug] Slightly OT? cascading proxies
Denis Brown
dsbrown at cyllene.uwa.edu.au
Wed Oct 4 14:22:50 WST 2000
Dear Plug members,

I'm faced with a geographically distributed environment involving machines
on several different subnets. Users at a "remote" site authenticate to
their site's proxy server for net access and as such are "seen" to be
associated with a particular subnet. For all other intents and purposes
they are rigidly behind a firewall and this is appropriate for their site
circumstances, a large Government department dealing with sensitive
data. On the "local" subnet certain resources are set up to refuse
connections from "foreign" subnets, thus protecting copyright materials,
etc. Again this is fair enough for the circumstances.

What I'd like to be able to achieve is to give my users who are at the
"remote" site (= foreign subnet) access to the local resources. There is
no chance of holes being punched in firewalls (already explored this
avenue) and the owners of the local subnet resources cannot / will not
allow for additional subnets to be part of the list of "friendly" subnets.

I had thought that it might be possible to cascade proxies in such a way
that my remote users would authenticate through their site proxy, then link
to a proxy set up on the local subnet, after which they would be "seen" as
a friend rather than a foe. I have a Linux box (uptime 392 days and
counting) on the local subnet which I'd be happy to configure to provide a
local proxy. My reading of the Squid documentation suggests that
parent-child relationships are possible HOWEVER it seems that control would
need to be exercised over the remote site proxy to get it to make a local
Squid (or other) proxy its child. I don't have the authority to manipulate
the remote site proxy and I suspect that requests to do so would be met
with a resounding negative! I do have complete control over my local Linux
box however and am hoping that it might become part of the solution.

Any thoughts on this would be appreciated. Especially if they had a
Linux-solution flavour :-) Replies off-list might be appropriate given the
OT nature of the query and I'm happy to post a summary if others are
interested in the topic.

TIA,
Denis