On Fri, 2008-03-21 at 02:29 -0700, Raemaekers Mark wrote:
> I have a last question concerning this topic :
>
> Suppose I would tell you : "In front of my internet
> server I have a WC in transparant mode and it works.
> the Internet DNS points the URL to the TP-WC and the
> TP-WC caches the content of the server. Since there is
> only one webserver (apart from DOS attacks, and
> operating system security) I do not need a Firewall to
> divert traffic.
Thats a bad configuration for many reasons.
- Your Squid thinks it's meant to be used as a Internet proxy, which
means that unless you are very carefull with your http_access rules you
easily create an open proxy.
- You can't support obsolete clients not sending Host headers in such
configuration.
- You can't use authentication at the proxy in this mode to restrict
access.
- It's also somewhat more demanding on the host than a properly
configured accelerator mode Squid as it constantly needs to query the
local firewall to get details about the supposedly transparently
intercepted/diverted connection.
The accelerator mode is what does what you describe. It's the mode meant
to be used for the job.
The only reason why the transparent mode also seems to work somewhat in
that configuration is because the request formats seen by the proxy is
very similar, but the intended use is very different.
The only drawbacks you will get from reconfiguring your Squid in
accelerator mode is that you will get much better control over how your
Squid operates and forwards requests to your web server(s). The
configuration is very simple and can be found in the Squid FAQ chapter
on reverse proxying.
http://wiki.squid-cache.org/SquidFaq/ReverseProxy
Regards
Henrik
Received on Fri Mar 21 2008 - 15:24:28 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT