RE: [squid-users] Transparent proxy - some pages show up blank

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 11 Mar 2004 09:28:15 +0100 (CET)

On Wed, 10 Mar 2004, Ted Kaczmarek wrote:

> Transparent is fool proof(assuming you do your homework)

Fact: Only about 1% of the people deploying transparent proxying do the
homework on what this actually involve at the protocol level, and at least
95% does so in an environment where it can not be done correctly.

> but implicit is definitely more robust. In Fail over situation
> transparent really starts to shine. It is very simple to originate a
> default route through a L4 redirect, with implicit the only good option
> is dns timeout.

It is not complex to add a load balancer infront of a farm of proxies. In
addition PAC scripts provide very easy paths.

> If you really a crackpot you can redirect both for fail over. Service
> and health checks are a sweet thing.

These are ortogonal to the transparent vs configured proxy question.

> I opted for transparent because the administration is fool proof and
> auth is not required.
> Just works.......

Transparent mode does not "just works".

Transparent mode does most often work for the majority, but there is a big
can of worms which will bite sooner or later.

Some of the most noticeable include:

 - Path MTU discovery issues, seen if any client as a Path MTU smaller
than the normal, such as a dialup tuned for interactive use or a VPN
client.
 - Authentication not possible as you already mentioned
 - Browsers not expecting a proxy and therefore not sending the same
information as when using a proxy (Reload button not working etc..)

But when it works it "feels great".

Regards
Henrik
Received on Thu Mar 11 2004 - 01:28:19 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:02 MST