[squid-users] Re: Re: transparently proxying ICQ and other messengers

From: Adam Aube <aaube01@dont-contact.us>
Date: Tue, 04 Jan 2005 17:11:45 -0500

Kinkie wrote:

>> It's no less secure than CONNECT tunneling, and from Squid's standpoint
>> it may be more secure - fewer ports on which CONNECT is allowed.

> This is the only solution in this case I think, since Squid only
> understands HTTP and not the various IM protocols.

Yes - the only way to get IM to work through Squid is to explicitly
configure the application to use a proxy (because it will then tunnel its
protocol over HTTP via the proxy). Transparent proxying will not work.

> The only downside to it is that since DNS is never taken in the equation
> (except maybe at the time the chains are built) it is slightly more
> expensive to maintain than - say a CONNECT + dstdomain + port ACL.

In a transparent proxy environment, the clients are already doing their own
DNS lookups, so nothing changes here.

However, transparent proxying itself is a bad idea. It's a violation of the
HTTP standard, and can sometimes break unexpectedly in very strange ways
(just look at all the reports of Hotmail issues over the last week).

A more robust setup is to use proxy autoconfiguration scripts to pass proxy
settings to the clients. This also makes it easy to load balance and allow
automatic failover (using round-robin DNS).

Adam
Received on Tue Jan 04 2005 - 15:13:27 MST
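The proxy autoconfiguration approach Adam recommends, as an added example that is not part of the original thread: a PAC script that hands each client a load-balanced, failover-capable proxy list so that HTTP and CONNECT-tunnelled IM traffic alike always goes through Squid. The proxy hostnames and the `.example.internal` domain are placeholders; browsers supply `isPlainHostName`/`dnsDomainIs` themselves, and the stand-ins below exist only so the file also runs under Node.

```javascript
// Added example, not from the squid-users thread. Placeholder proxy pool;
// replace with the real Squid hosts (these would normally be the names that
// round-robin DNS resolves to).
var PROXIES = ["proxy1.example.internal:3128", "proxy2.example.internal:3128"];

// Minimal stand-ins for two PAC built-ins so this file also runs outside a
// browser; in a real PAC file the browser already provides them.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Stable hash of the host name, so a given destination always gets the same
// primary proxy (spreads load across the pool, keeps per-host affinity).
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Build "PROXY a; PROXY b; ..." starting at the chosen primary and rotating
// through the rest: the client tries the next entry if the first is down.
function proxyChain(startIndex) {
  var parts = [];
  for (var i = 0; i < PROXIES.length; i++) {
    parts.push("PROXY " + PROXIES[(startIndex + i) % PROXIES.length]);
  }
  return parts.join("; ");
}

function FindProxyForURL(url, host) {
  // Intranet names and the local domain bypass the proxy entirely.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Everything else (plain HTTP and IM clients tunnelling over CONNECT) goes
  // via the pool. No trailing DIRECT: a proxy outage must not bypass policy.
  return proxyChain(hashHost(host) % PROXIES.length);
}
```

Clients fetch this file from a web server (or via WPAD) instead of being transparently intercepted, so Squid sees proper proxy requests and its CONNECT/dstdomain/port ACLs apply normally.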