Here's a simple, common network problem.

You've got a network, and you would like to have a caching proxy server. You realize that Squid is a very good choice. You decide to set it up.

But wait! Squid is a large, complex program. You don't want to run it on an exposed machine. You've read Cheswick and Bellovin, and you know that keeping your cache logs on the perimeter machine is just plain stupid. So you put Tinyproxy on the bastion machine, and get it running. Great, you've now got a simple, hopefully reasonably secure proxy setup.

But wouldn't that cache still be nice?

Yes, of course it would. You put it on an internal server. Here's how you tell it to use Tinyproxy as an upstream server.

You need these lines in your squid.conf:

never_direct allow all
cache_peer <tinyproxy server name or IP address> parent <tinyproxy port number> 0 no-query no-digest default

never_direct tells Squid never to contact origin servers directly. This is good, because the whole point of this howto is to get you running Squid behind the firewall. no-query tells Squid not to send ICP requests to Tinyproxy. This is good, because Tinyproxy doesn't support ICP. no-digest tells Squid not to bother downloading a cache digest from Tinyproxy. Since Tinyproxy is a non-caching server, it doesn't keep a digest, and so this is also good. I put 0 here for the ICP port; squid.conf tells me to put 7, and to set up my bastion server's inetd.conf in a particular way. This seems not to matter with no-query enabled.
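The settings above can be checked mechanically before you restart Squid. The following is an added example, not part of the original howto: a small Python audit of squid.conf text that confirms never_direct allow all is present and that every parent cache_peer carries no-query and no-digest. The sample host names and port are constructed placeholders, and the always_direct check goes one step beyond what the howto covers.

```python
# Constructed sample configs; host names and ports are placeholders.
GOOD = """\
# internal cache, forwards everything to the bastion
never_direct allow all
cache_peer bastion.example.internal parent 8888 0 no-query no-digest default
"""
BAD = """\
cache_peer bastion.example.internal parent 8888 7 no-digest
cache_peer other.example.internal sibling 3128 3130
"""

def directives(text):
    """Yield (name, args) for each non-blank, non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield parts[0], parts[1:]

def audit(text):
    """Return a list of findings; an empty list means the setup holds."""
    findings, parents, never_direct_all = [], 0, False
    for name, args in directives(text):
        if name == "never_direct" and args == ["allow", "all"]:
            never_direct_all = True
        elif name == "always_direct" and args[:1] == ["allow"]:
            # Addition beyond the howto: this directive permits direct fetches.
            findings.append("always_direct allow lets matching requests go direct")
        elif name == "cache_peer":
            # Syntax: cache_peer host type http-port icp-port [options]
            if len(args) < 4:
                findings.append("cache_peer line is incomplete")
                continue
            host, kind, opts = args[0], args[1], args[4:]
            if kind != "parent":
                continue
            parents += 1
            for opt in ("no-query", "no-digest"):
                if opt not in opts:
                    findings.append(f"{host}: missing {opt}")
    if not never_direct_all:
        findings.append("never_direct allow all is missing")
    if parents == 0:
        findings.append("no cache_peer parent defined")
    return findings

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(conf) or "ok")
```
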

There you go. That's it. Setting up Tinyproxy is easy, and there are many howtos on Squid configuration and tuning. Email me if you have any questions, but be patient: I get a lot of email. :)
