Re: [squid-users] Help getting squid configured

From: <ChrisHoover@dont-contact.us>
Date: Fri, 23 Aug 2002 15:30:13 -0400

Ok, the site is http://chem.sis.nlm.nih.gov/chemidplus. The problem is
that if you search for a chemical (accessing the site through the proxy
server) you don't always get the correct chemical. It is very hit and
miss. However, if you go directly to the site (bypassing the squid
proxy), the site works 100% of the time. There is no authentication
required for this site. So I don't think the two problems listed apply.

While I have a work-around (opening a hole in our firewall for this site),
I would really like to understand why it does not work through squid.

(some chemicals to try are:
    Registry numbers: 5137-55-3, 61789-87-5, 71-43-2
    Name: benzene, propane, methane)

Joe Cooper <joe@swelltech.com>
08/23/2002 03:21 PM

 
        To: zoilo@xs4all.nl
        cc: ChrisHoover@safety-kleen.com, squid-users@squid-cache.org
        Subject: Re: [squid-users] Help getting squid configured

Zoilo wrote:
> On Friday 23 August 2002 20:55, Joe Cooper wrote:
>
>>You say, "I know this is true", and then proceed to say that you want a
>>magical solution anyway.
>>
>>Again, Squid is operating at the application layer. You /cannot/ do
>>what you're asking within Squid--you /can/ do what you're asking by
>>allowing clients (or causing clients) to bypass Squid for that one site.
>> I'm sorry you need to access a site that won't allow proxied
>>connections--if you need to proxy all connections, and access this site,
>>you'll need to take it up with maintainers of the problem site. Squid
>>cannot accept the connection, and then not be a proxy--when Squid
>>accepts that connection the proxy is already in the path, and all Squid
>>could ever do would be to close the connection or make the request on
>>behalf of the client. Closing the connection will cause an error,
>>making the request means the request is proxied.
>
>
> OK, OK.....
>
> But back to the real problem: why would squid mess up this site??

I don't think Squid is messing the site up. I think the site is messed
up, and Squid is getting the blame for it.

> Shouldn't that be the right level to fix this problem?

Maybe, but probably not.

> If a direct browser connection can handle things properly, then why
> wouldn't squid be able to do so?

Probably because the site willfully prevents a proxied connection from
working.

The following are the most common reasons a site won't work, and the
reasons why it is bad for a website to use them:

o IP based authentication. This is just silly, and everyone except
those three website maintainers hanging onto IP based auth know it. IPs
are easily spoofed, frequently change for dialup or DSL/cable users, and
are an all-around silly way to identify someone. A proxy can never work
well with such a scheme.

o NTLM authentication. This protocol cannot be proxied, not even by
Microsoft's proxy product. It will not work through proxies.

Anyway, Squid is extremely compatible these days. Very very few sites
have problems with Squid, and the ones that I know of that do have one
of the two reasons above as the cause of the trouble.

If this site is not using some technique that cannot be proxied, and
Squid still doesn't work with it, then yes, it should be fixed. But I'd
be shocked if it is a compatibility problem in Squid rather than a
brokenness on the origin server.

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Fri Aug 23 2002 - 13:38:01 MDT
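
The first bullet in the reply above (state or identity tied to the client IP breaks behind a proxy), as an added illustration that is not part of the original messages and is not a diagnosis of the site discussed. Both origin classes, the addresses and the two-user scenario are constructed; the search terms are borrowed from the thread.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

PROXY_IP = "192.0.2.10"  # constructed address for the shared proxy

@dataclass
class Request:
    source_ip: str                # peer address the origin sees on the connection
    query: Optional[str] = None   # search term, when this request is a search
    token: Optional[str] = None   # per-client session token (e.g. a cookie value)

class IpKeyedOrigin:
    """Hypothetical origin that files per-user state under the peer IP."""
    def __init__(self):
        self.state = {}

    def search(self, req):
        # No token is issued: the peer address is the only identity.
        self.state[req.source_ip] = req.query

    def result(self, req):
        return self.state.get(req.source_ip)

class TokenKeyedOrigin:
    """Same origin, but state is filed under a random token given to the client."""
    def __init__(self):
        self.state = {}

    def search(self, req):
        token = secrets.token_hex(16)
        self.state[token] = req.query
        return token

    def result(self, req):
        return self.state.get(req.token)

def via_proxy(req):
    # The proxy makes the request itself, so the origin sees the proxy's address.
    return Request(PROXY_IP, req.query, req.token)

def run(origin, proxied):
    """Two users search, then each fetches their result; returns (alice, bob)."""
    hop = via_proxy if proxied else (lambda r: r)
    a_ip, b_ip = "198.51.100.7", "198.51.100.8"  # constructed client addresses
    a_tok = origin.search(hop(Request(a_ip, query="benzene")))
    b_tok = origin.search(hop(Request(b_ip, query="propane")))
    return (origin.result(hop(Request(a_ip, token=a_tok))),
            origin.result(hop(Request(b_ip, token=b_tok))))
```

With IP keying, `run(IpKeyedOrigin(), proxied=True)` hands the first user the second user's result, while the direct case and the token-keyed case return each user's own.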
