Re: Proxying PHP Pages

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 13 Dec 1998 15:03:35 +0100

Mike Sage wrote:

> We are considering setting up a transparent proxy. How does this mess
> with TCP/IP?

You get two hosts with the same IP address at different locations, and
it is very hard to determine which ICMP packets should go to which
host, and TCP/IP relies partially on ICMP. It also makes a big mess of
any backup or secondary routes you have (if you have one, transparent
proxying won't work properly).

> Other than not doing it, are there certain guidelines or squid.conf options
> that can help minimize problems?

Well, only some basic configuration. The problem is at the IP protocol
level and there is not much an application can do.

# Transparent proxy support
httpd_accel_host virtual
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

# My recommended squid.conf settings for any Squid
quick_abort_min 0
half_closed_clients off
persistent_client_posts off

# If your clients are doing a lot of reloads
reload_into_ims on

and DON'T use any refresh patterns with a min age other than 0 unless
you really know what you are doing (see previous discussion about PHP).

> Any ideas or pointers to further research would be appreciated.

If you are to set up transparent proxying then you MUST look into the
following areas prior to implementing it:

* Routing selection. All traffic from the end user must always reach the
transparent proxy. There can't be any backup or secondary routes
bypassing the proxy.
* ICMP integration. It is important that ICMP packets are handled
properly both by the transparent proxy and the redirector (router or
switch). This affects primarily path MTU discovery but may have effects
on other parts of TCP/IP as well.

If you do what some others have done and block port 80 traffic with a
message that they must configure their browser to use a proxy (and
preferably instructions on how to do so) then you do not need to bother
with any of these TCP/IP problems, and you would probably get about the
same amount of support calls if the page is designed properly.

---
Henrik Nordstrom
Spare time Squid hacker
Received on Sun Dec 13 1998 - 07:12:22 MST
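
Added example (not part of the original message): a small Python check that a squid.conf carries the three general settings recommended in the message and that no refresh_pattern has a min age other than 0. The function names and the sample configuration are constructed for illustration.

```python
# Values taken from the message above; everything else here is an assumption
# made for this example (function names, sample text, report wording).
RECOMMENDED = {
    "quick_abort_min": "0",
    "half_closed_clients": "off",
    "persistent_client_posts": "off",
}

# Constructed sample, not a configuration from the original message.
SAMPLE = r"""# constructed sample
httpd_accel_host virtual
quick_abort_min 0
half_closed_clients on
refresh_pattern -i \.php$ 60 20% 4320
refresh_pattern . 0 20% 4320
"""

def parse(conf_text):
    """Yield (line_no, directive, args) for each non-blank, non-comment line."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if tokens:
            yield no, tokens[0], tokens[1:]

def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, seen = [], {}
    for no, name, args in parse(conf_text):
        if name == "refresh_pattern":
            # Syntax: refresh_pattern [-i] regex min percent max
            if args and args[0] == "-i":
                args = args[1:]
            if len(args) < 4:
                findings.append(f"line {no}: malformed refresh_pattern")
            elif args[1] != "0":
                findings.append(
                    f"line {no}: refresh_pattern {args[0]} has min age {args[1]}, not 0")
        elif name in RECOMMENDED:
            seen[name] = (no, args[0] if args else "")
    for name, want in RECOMMENDED.items():
        if name not in seen:
            findings.append(f"{name} not set (recommended: {want})")
        elif seen[name][1] != want:
            findings.append(
                f"line {seen[name][0]}: {name} is {seen[name][1]} (recommended: {want})")
    return findings
```

Calling audit(SAMPLE) reports the non-zero min age on the \.php$ pattern, the half_closed_clients value and the missing persistent_client_posts line.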
