Netgate Discussion Forum

Separate Transparent HTTP Proxy for PCI DSS

6 Posts 4 Posters 769 Views
labasus (Oct 24, 2018, 10:35 AM)

    Hello,

We need a PCI DSS audit, so "one server for all" does not meet the requirements (PCI Requirement 2.2.12.2.1: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. For example, web servers, database servers, and DNS should be implemented on separate servers.)

Maybe somebody knows or can suggest how to implement a separate transparent proxy server to meet this requirement?

Thanks.

labasus @labasus (Oct 25, 2018, 10:39 AM)

      Anybody?

The auditor sent me something like this.
[attached image: the auditor's message]

In this case, is it not possible to make a transparent proxy, or redirect to another server where Squid will be in transparent mode?

      Suggestions?

johnpoz, LAYER 8 Global Moderator (Oct 25, 2018, 10:49 AM)

What does running your different services on different boxes have to do with a proxy? Confused as to where your proxy comes into play in your requirement.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

KOM (Oct 25, 2018, 1:34 PM)

          I believe he wants a transparent proxy but isn't allowed to run it on his pfSense box, so he's asking how to implement a transparent proxy by itself.

          Suggestions?

          Use an explicit proxy instead of transparent. Use WPAD for proxy auto-discovery.

johnpoz, LAYER 8 Global Moderator (Oct 25, 2018, 1:43 PM)

If your switching environment supports WCCP you could use that to have a transparent proxy... But yeah, the best bet to run a proxy where it's not the actual edge device like pfSense would be to just set the proxy by some discovery protocol, or even manually.


jimp, Rebel Alliance Developer Netgate (Oct 25, 2018, 6:00 PM)

              If the proxy is in a DMZ separate from the clients then it's easy to do with NAT.

Port forward in on LAN for a destination of any, port 80, sent to a target of the proxy on the proxy port.
Repeat for 443 if you're doing SSL.

              Maybe exclude the firewall from that, and local things, but that's the general gist. That's all the squid package does internally, just forwards to 127.0.0.1 instead of another box.

              If the proxy is in the same subnet as the clients then it's trickier since you'd have to exclude the proxy box as a source in that rule, and work around other issues to mask the source, so don't do that.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

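The DMZ-proxy layout jimp describes, written out as pf NAT rules of the kind pfSense generates, as an added example that is not from the thread or from Netgate. Interface names, addresses and the proxy port are assumed: em1 is LAN with clients in 192.0.2.0/24 and the firewall at 192.0.2.1, the proxy sits in the DMZ at 198.51.100.10, and Squid listens in intercept mode on 3128 (3129 for TLS only if it is actually set up for SSL interception).

```pf
# Added example (assumed topology, not from the forum thread).
#   em1          = LAN interface, clients in 192.0.2.0/24, firewall 192.0.2.1
#   198.51.100.10 = proxy in a separate DMZ, Squid intercept port 3128
#   3129         = Squid TLS intercept port, only meaningful with SSL bumping

# Hosts whose own outbound HTTP must never be intercepted: the firewall
# (package/update fetches) and the proxy (its upstream fetches would loop).
table <proxy_bypass> { 192.0.2.1, 198.51.100.10 }

# Destinations left untouched: private and local ranges (internal web apps,
# the firewall GUI), so only Internet-bound HTTP is sent to the proxy.
table <local_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                     192.0.2.0/24, 198.51.100.0/24 }

# "no rdr" is evaluated first and exempts the bypass hosts from every
# redirect below.
no rdr on em1 inet proto tcp from <proxy_bypass> to any port { 80 443 }

# Port forward on LAN: any destination, port 80 -> proxy:3128.
rdr on em1 inet proto tcp from em1:network to ! <local_nets> port 80 \
    -> 198.51.100.10 port 3128

# Repeat for 443 only if Squid is doing SSL interception; redirecting 443
# to a plain HTTP intercept port just breaks every TLS session.
rdr on em1 inet proto tcp from em1:network to ! <local_nets> port 443 \
    -> 198.51.100.10 port 3129

# Filter rules see the translated destination, so allow LAN -> proxy ports.
pass in quick on em1 inet proto tcp from em1:network to 198.51.100.10 \
    port { 3128 3129 } keep state
```

Because the NAT state lives on the firewall and not on the proxy box, Squid cannot look up the original destination address locally and recovers it from the Host header (or the TLS SNI); keeping the proxy on its own DMZ interface is what makes the reply path flow back through the firewall's NAT, which is why jimp warns against placing it in the client subnet.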