Re: transparent proxying

From: Henrik Nordstrom <>
Date: Thu, 10 Sep 1998 01:40:31 +0200

Ghilde@Arizona.EDU wrote:

> I noticed the Squid Caching Update link. In the Stan Barber's Notes
> section there was mention of Squid being able to do transparent
> proxy. This was in the Q & A area.
> I would like to know if anyone has implemented this, how reliable it
> is, and how was it done.

Squid has been able to do transparent caching for a long time. It relies
on external components to rewrite/process TCP in such a way that it
arrives to Squid, and it is in this area that most technical problems
with transparent proxying lies.

There are two widely used TCP hacking implementations that are in use by
people running transparent proxies:

1) Linux 2.0 ipfwadm support (fully supported by Squid).
2) The ip-filter package for many other platforms (partially supported
by Squid).

For full HTTP functionality together with ip-filter redirection a
external daemon is required that interfaces to the address translation
tables maintaned by ipfilter (transproxyd). I have a preleminary patch
that adds the ip-filter lookup functionality to Squid but I have not yet
received a single report wether this patch works or not (I can't test it
myself due to limited resources.. have no machine where ipfilter runs).

It is hard to tell which redirection mechanism that is the best one of
the two. Linux ipfwadm is fast but it has some MTU related problems
(does not work well together with MTU path discovery Squid->client). I
do not know much of the ip-filter implementation, but I would guess that
it shares the same problem at most locations.

Henrik Nordström
Sparetime Squid Hacker
Received on Thu Sep 10 1998 - 03:09:53 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:41:55 MST