Netgate Discussion Forum
    Separate Transparent HTTP Proxy for PCI DSS

    Category: Cache/Proxy
    6 Posts, 4 Posters, 760 Views
    labasus:

      Hello,

      We need a PCI DSS audit, so "one server for all" does not meet the requirements (PCI DSS Requirement 2.2.1: "Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)").

      Maybe somebody knows or can suggest how to implement a separate transparent proxy server to meet these requirements?

      Thanks.

      labasus (replying to labasus):

        Anybody?

        The auditor sent me something like this:
        [attached image from the auditor, not reproduced here]

        In this case, is it not possible to run a transparent proxy, or to redirect to another server where Squid will run in transparent mode?

        Suggestions?

        johnpoz (LAYER 8 Global Moderator):

          What does running your different services on different boxes have to do with a proxy? Confused as to where your proxy comes into play in your requirement.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          KOM:

            I believe he wants a transparent proxy but isn't allowed to run it on his pfSense box, so he's asking how to implement a transparent proxy by itself.

            > Suggestions?

            Use an explicit proxy instead of transparent. Use WPAD for proxy auto-discovery.

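A worked WPAD auto-config file (wpad.dat) for the explicit-proxy approach KOM suggests. This is an added example, not code from the thread, from pfSense or from the Squid project, and its addresses are assumptions: the proxy is at 10.10.10.5 in a DMZ listening on Squid's default explicit port 3128, clients sit on 192.168.1.0/24, and the internal DNS zone is "corp.example". Browsers fetch the file as http://wpad.corp.example/wpad.dat (served with Content-Type application/x-ns-proxy-autoconfig), locating it through the "wpad" DNS name or DHCP option 252. Two caveats a PCI auditor will care about: the PAC deliberately has no "; DIRECT" fallback, so clients fail closed if the proxy is down instead of silently bypassing it, and an explicit proxy is only enforced if the firewall also blocks direct outbound 80/443 from the client LAN for everything except the proxy. Because whoever answers the wpad name controls all client web traffic, the name must be defined in internal DNS and served from a host you control.

```javascript
// Added example (not from the thread): wpad.dat for KOM's explicit-proxy suggestion.
// Assumptions: proxy 10.10.10.5:3128 in a DMZ, clients on 192.168.1.0/24,
// internal DNS zone "corp.example".

var PROXY_HOST = "10.10.10.5";
var PROXY = "PROXY " + PROXY_HOST + ":3128";
var INTERNAL_SUFFIX = ".corp.example";

// Networks that must never be sent through the proxy: RFC1918 (covers the
// client LAN, the firewall and the proxy's DMZ) and loopback.
var DIRECT_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"]
];

// Small local helpers instead of the PAC builtins isInNet/dnsDomainIs, so the
// same file runs unchanged outside a browser (e.g. under Node for testing).
// Unlike the builtin isInNet, inNet() does not resolve names; it only
// classifies literal IPv4 addresses, which is all this ruleset needs.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.slice(s.length - suffix.length) === suffix;
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and the internal zone stay inside; never loop them via the proxy.
  if (host.indexOf(".") === -1 || endsWith(host, INTERNAL_SUFFIX)) return "DIRECT";
  // Literal private addresses (the proxy and firewall included) also go direct.
  for (var i = 0; i < DIRECT_NETS.length; i++) {
    if (inNet(host, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
  }
  // Everything else, http and https alike, goes through the proxy. No "; DIRECT"
  // fallback: if the proxy is down, clients fail closed rather than bypassing it.
  return PROXY;
}
```

Pair this with a LAN firewall rule that permits TCP 80/443 out only from the proxy's address; without it, a user who clears the proxy setting walks straight past the proxy and its logs.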
            johnpoz:

              If your switching environment supports WCCP you could use that to have a transparent proxy... But yeah, the best bet to run the proxy where it's not the actual edge device like pfSense would be to just set the proxy via some discovery protocol, or even manually.

              jimp (Rebel Alliance Developer, Netgate):

                If the proxy is in a DMZ separate from the clients then it's easy to do with NAT.

                Port forward in on LAN, for a destination of any, port 80, sent to a target of the proxy on the proxy port.
                Repeat for 443 if you're doing SSL.

                Maybe exclude the firewall from that, and local things, but that's the general gist. That's all the squid package does internally; it just forwards to 127.0.0.1 instead of another box.

                If the proxy is in the same subnet as the clients then it's trickier since you'd have to exclude the proxy box as a source in that rule, and work around other issues to mask the source, so don't do that.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

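The port forward jimp describes, written out as pf rules in pf.conf syntax (a pfSense NAT port-forward entry is turned into an equivalent rdr rule underneath). This is an added example, not from the thread or from pfSense; interface names, addresses and ports are assumptions: em1 is the LAN (192.168.1.0/24, firewall at 192.168.1.1), the proxy sits in a DMZ at 10.10.10.5, and Squid on that box listens in intercept mode on 3128 for HTTP and 3129 for HTTPS. The exclusion table is the "exclude the firewall, and local things" part: without it, requests to the firewall's own web GUI and to internal servers would be bounced through the proxy.

```pf
# Added example, not from the thread: pf rules for jimp's "port forward to a
# proxy in a separate DMZ". Interfaces, addresses and ports are assumptions.
lan_if  = "em1"               # client LAN interface
lan_net = "192.168.1.0/24"
proxy   = "10.10.10.5"        # Squid box in the DMZ, a different subnet

# Destinations that must not be redirected: the firewall itself, the proxy,
# and RFC1918 space (local services, the DMZ, management hosts).
table <no_proxy> const { 192.168.1.1, 10.10.10.5, \
                         10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# "Port forward in on LAN, destination any, port 80 -> proxy on the proxy port"
rdr on $lan_if inet proto tcp from $lan_net to ! <no_proxy> port 80  -> $proxy port 3128
# "Repeat for 443 if you're doing SSL"
rdr on $lan_if inet proto tcp from $lan_net to ! <no_proxy> port 443 -> $proxy port 3129

# rdr only rewrites the destination; the filter still has to pass the
# translated connection (LAN client -> proxy:3128/3129).
pass in quick on $lan_if inet proto tcp from $lan_net to $proxy port { 3128, 3129 } keep state
```

Two checks before going live. First, Squid must be listening in intercept mode on those ports (squid.conf `http_port 3128 intercept`, and for 443 `https_port 3129 intercept ssl-bump ...` with the rest of the SSL-bump setup); redirecting to a plain `http_port` does not work, because intercepted traffic arrives as origin-style requests rather than proxy requests. Second, intercepting 443 means Squid terminates TLS, so clients must trust its signing CA and the auditor will want that CA's key handling documented; if you are not prepared to do that, skip the 443 rule. The reason the DMZ placement is "easy" is visible in the rules: the proxy's own outbound connections leave on the DMZ interface, where no rdr applies, so there is no loop and nothing to exclude by source, which is exactly the complication jimp warns about for a proxy on the same subnet as the clients.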
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.