[plug] Slightly OT? cascading proxies

Steve Grasso steveg at calm.wa.gov.au
Wed Oct 4 16:43:24 WST 2000


On Wed, 04 Oct 2000, Denis Brown wrote:
[snip]
> What I'd like to be able to achieve is to give my users who are at the 
> "remote" site (= foreign subnet) access to the local resources.  There is 
> no chance of holes being punched in firewalls (already explored this 
> avenue) and the owners of the local subnet resources cannot / will not 
> allow for additional subnets to be part of the list of "friendly" subnets.
>
> I had thought that it might be possible to cascade proxies in such a way 
> that my remote users would authenticate through their site proxy, then link 
> to a proxy set up on the local subnet, after which they would be "seen" as 
> a friend rather than a foe.  I have a Linux box (uptime 392 days and 
> counting) on the local subnet which I'd be happy to configure to provide a 
> local proxy.  My reading of the Squid documentation suggests that 
> parent-child relationships are possible HOWEVER it seems that control would 
> need to be exercised over the remote site proxy to get it to make a local 
> Squid (or other) proxy its child.  I don't have the authority to manipulate 
> the remote site proxy and I suspect that requests to do so would be met 
> with a resounding negative!  I do have complete control over my local Linux 
> box however and am hoping that it might become part of the solution.
> 
[snip]

Configuring Squid on your local Linux box to peer with each of the proxies in
the other subnets you're interested in may do the trick -- but I'm no Squid
expert. My experience is limited to cascading the other way (local Squid
through an external parent proxy, which works fine, but yes, you do need to
configure local (in your case, remote) Squid to do that AFAIK).

Is your local Linux box visible to the Internet, or does it have connectivity
with a box that is and which you have write access to? Is the data you want to
grant access to accessible via HTTP/FTP? If yes to both, and the info is not
overly sensitive, it wouldn't be too difficult to mirror the info on the
Internet-visible machine, authenticating external access to the mirror
document tree via htaccess (and served from an SSL server with a self-signed
certificate if you want encryption on the cheap).

Back to you,
Steve
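
The htaccess-protected mirror suggested in the reply above, sketched as Apache configuration (an added example, not part of the original post; the host name mirror.example.org, the user name and all paths are hypothetical). Basic authentication only base64-encodes the password, so the example shows the HTTP-tolerant form beside one that refuses any request not made over SSL.

```apache
# Constructed example; mirror.example.org and all paths are hypothetical.
#
# One-time setup, run as root on the Internet-visible machine:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -keyout /etc/apache2/ssl/mirror.key -out /etc/apache2/ssl/mirror.crt
#   htpasswd -c /etc/apache2/mirror.htpasswd remoteuser
# Keep the password file outside the document tree so it can never be served.

# --- Server configuration (httpd.conf or a vhost file) ---
<VirtualHost *:443>
    ServerName mirror.example.org
    DocumentRoot /var/www/mirror

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/mirror.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mirror.key

    <Directory /var/www/mirror>
        # Let .htaccess set authentication directives and nothing else.
        AllowOverride AuthConfig
        # Do not generate directory listings for the mirror tree.
        Options -Indexes
    </Directory>
</VirtualHost>

# --- /var/www/mirror/.htaccess ---
# Weak form: also answers over plain HTTP if the tree is reachable there,
# so the password crosses the network base64-encoded and readable by
# anyone on the path.
#   AuthType Basic
#   AuthName "Mirror"
#   AuthUserFile /etc/apache2/mirror.htpasswd
#   Require valid-user

# Corrected form: same authentication, but a request that did not arrive
# over SSL is refused with 403 Forbidden instead of a password prompt.
SSLRequireSSL
AuthType Basic
AuthName "Mirror"
AuthUserFile /etc/apache2/mirror.htpasswd
Require valid-user
```

With a self-signed certificate the browser cannot verify the server on its own, so give remote users the output of `openssl x509 -noout -fingerprint -sha256 -in mirror.crt` by some other channel to compare against the warning dialog.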


