Re: [squid-users] How does squid work between a firewall and a web server in the transparent proxy mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Feb 2010 00:42:27 +1300

yjyj wrote:
> Yes, I know that the reverse proxy mode can solve the problem.
> However, if that, I need to change DNS. And the more important is

DNS is a minor issue compared to the troubles and extra work you
introduce by using NAT.

> that if there is any problem with the squid server, clients can't
> visit the website.

Transparent mode does not solve that problem. When Squid dies the NAT
firewall will send connection errors to the client. Same as if they were
connecting to Squid directly.

The best way to make a website always available with Squid is to use
multiple reverse proxies all in the DNS. That way if one goes down
others still handle the traffic. Meanwhile they are all sharing the load
to reduce the chance of any one overloading.

The current squid releases since 2.6 are all built to stay running and
if they die unexpectedly restart automatically with only a short downtime.

> With the transparent mode, I don't need to change
> anything.

Wrong. With transparent proxy you have to set up NAT and the firewall.
You are only adding these problems on top:

 * you have to specially configure NAT and the firewall
 * you increase the load on your kernel networking I/O tracking NAT
 * if NAT fails the website becomes unavailable
 * you have extra complicated configuration to make Squid secure
 * secure authentication is unavailable
 * you need to trust your visitors are not going to try and hack you
through CVE-2009-0801 loopholes
 * you are limited to a single squid per web server. zero scalability.
 * you double the load on your DNS servers

The reverse proxy mode was created based on transparent mode, to solve
these problems which transparent mode creates for your required setup.

Amos

>
> 2010/2/2 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On Tue, 2 Feb 2010 11:25:21 +0800, yjyj <yangjing001001_at_gmail.com> wrote:
>>> Hi,
>>>
>>> I want to use the squid as a transparent bridge proxy, which is put
>>> behind a firewall and in front of a web server. The web server works
>>> in a local net with a different port from that clients visits, so the
>>> firewall need to do nat and port mapping.
>> What you are trying to do is called reverse-proxy.
>>
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>>
>> Amos

-- 
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16
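For the setup discussed in this thread (firewall forwards port 80 to Squid, origin web server on a different internal port), the reverse-proxy alternative Amos recommends looks like the squid.conf fragment below. This is an added example, not from the original message or from the wiki page linked above; the origin address 192.0.2.10, its port 8080 and www.example.com are placeholders for the real values.

```conf
# Reverse-proxy (accelerator) mode, Squid 2.7 / 3.x syntax.
# Squid listens where the firewall delivers client traffic; no NAT
# redirection or port mapping is needed, so the kernel does no
# connection tracking on Squid's behalf.
http_port 80 accel defaultsite=www.example.com vhost

# The origin server: internal address and port (placeholders).
# Addressing it by IP means Squid never does a DNS lookup per request,
# which removes the doubled DNS load mentioned for transparent mode.
cache_peer 192.0.2.10 parent 8080 0 no-query originserver name=origin

# Only requests for our own site names are accepted. This is the
# "secure configuration" part: without it Squid would relay requests
# for arbitrary Host headers to the origin (or anywhere else), which
# is the class of misuse transparent mode cannot easily guard against.
acl our_sites dstdomain www.example.com example.com
http_access allow our_sites
http_access deny all

# Bind the origin peer to those same names and nothing else.
cache_peer_access origin allow our_sites
cache_peer_access origin deny all

# For availability, run this identical configuration on each of
# several reverse proxies and list all of them as A records for
# www.example.com; if one proxy fails the others keep serving.
```

Test from a client with `curl -H 'Host: www.example.com' http://<proxy>/`, then repeat with a foreign Host value and confirm Squid answers with an access-denied page instead of relaying the request.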
Received on Tue Feb 02 2010 - 11:42:37 MST