Re: [squid-users] what is the difference between transparent and reverse proxy?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 18 Mar 2009 00:06:30 +1300

Tomasz Chmielewski wrote:
> Amos Jeffries wrote:
>
>>> Why should I use all directives for configuring a reverse proxy, if
>>> it works with the setup explained above?
>>> Or, am I missing something important here?
>>>
>>
>> Yes. Transparent/intercept only works in the presence of NAT.
>> It also is not possible to perform any form of authentication, HTTPS,
>> or request modification without causing major problems to anyone who
>> visits the site.
>>
>> All the old problems squid 2.5 has with virtual hosted domains, broken
>> client software, DNS loops, and request forwarding loops can be
>> tracked back to the reverse-accelerator mode using the transparent
>> intercept mode like you describe.
>
> Does this also mean that using Squid as a reverse proxy with the website's
> DNS entry pointed at the Squid machine is the only way to reliably cache web
> traffic to the webserver?

No, any mode except offline mode will cache just as well. The problems
are all about request retrieval or HTTP transfer requirements.

>
> I imagined I can have an accelerating/caching proxy for a webserver in
> at least two different setups:
>
> 1) point webserver's DNS entry at Squid's IP; Squid will do all
> caching/proxying when working in reverse (more reliable) or transparent
> (less reliable) mode
>
>
> 2) don't change anything in DNS, but instead, make sure routing to the
> webserver goes through the Squid machine, i.e.:
>
> client -> Squid (public IP) -> webserver (public IP)
>
> Here, we perhaps have to use transparent/intercept mode.

Still use reverse mode settings in Squid. How the packets are routed
there is of no consequence.

>
> 3) are there any other modes than 1) and 2) which could be used for
> caching/accelerating traffic from a webserver?
>
>
> How reliable would it be to use 2), provided I use anything newer than
> Squid 2.5? Your reply seems to suggest that problems with
> transparent/intercept mode used for reverse proxying apply to Squid 2.5,
> but it doesn't mention if newer Squid versions will work better in such
> scenarios.

2.5 had major problems because its reverse mode was really transparent
mode in disguise. Newer Squid versions work fine, and faster, with their
real reverse mode. If you force transparent mode to act like reverse it
breaks the same stuff no matter the version.

Oh, I forgot this too:
http://fr.securityvibes.com/vulnerabilite-CVE-2009-0801.html
It's a general transparent proxy issue, but Squid is still vulnerable as
a vector. The fix is likely to scupper your plans.

Let's put it this way:
   3x NAT traversals
   2x DNS resolves
   4x TCP links
   3x request copies
   3x reply copies

vs:
   1x DNS resolve
   2x TCP links
   1x request copy
   1x reply copy

which is going to be faster with less breakage points?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
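The "reverse mode settings" the reply keeps pointing at, as an added squid.conf fragment that is not part of the original thread. It shows the accelerator (reverse proxy) listener and a fixed originserver peer beside the intercept listener the thread warns against; the site name www.example.com and the origin address 10.0.0.5 are assumptions chosen for illustration, and the directives are those of Squid 2.7/3.0, the stable releases named in the signature.

```conf
# Added example (not from the thread): Squid 2.7/3.0 reverse-proxy setup.
# Assumed values: the public site is www.example.com and the real webserver
# listens on 10.0.0.5:80 behind Squid. Routing or DNS tricks that deliver the
# packets to Squid do not change anything below.

# Listen as an accelerator, not an interceptor. 'vhost' lets one listener
# front several virtual-hosted domains; 'defaultsite' supplies a Host for
# HTTP/1.0 clients that send none.
http_port 80 accel defaultsite=www.example.com vhost

# The origin is a fixed, configured parent. Squid forwards to it regardless
# of how the request arrived, so neither NAT state nor the client's Host
# header chooses the upstream server.
cache_peer 10.0.0.5 parent 80 0 no-query originserver name=origin

# Only accept requests for domains this proxy actually fronts; put these
# lines before the distribution's default http_access rules.
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all

# And only send those requests to the origin peer.
cache_peer_access origin allow our_sites
cache_peer_access origin deny all

# The setup the thread argues against for accelerating your own webserver:
# an intercept listener (spelled 'intercept' from Squid 3.1 on) and no
# originserver peer. Squid then has to work out the destination from the
# NAT table and the client's headers, which is the transparent-proxy
# behaviour the linked advisory concerns and what breaks HTTPS and auth.
# http_port 80 transparent
```

With this in place the only moving parts per request are the client's DNS lookup, one TCP connection to Squid and one to the origin, which is the shorter of the two tallies in the reply. Whether the client reaches port 80 via a DNS entry (setup 1) or via routing through the Squid box (setup 2) makes no difference to the configuration.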
Received on Tue Mar 17 2009 - 11:05:52 MDT

This archive was generated by hypermail 2.2.0 : Tue Mar 17 2009 - 12:00:03 MDT