On Fri, 2008-03-21 at 02:29 -0700, Raemaekers Mark wrote:
> I have a last question concerning this topic:
>
> Suppose I would tell you: "In front of my internet
> server I have a WC in transparent mode and it works.
> The Internet DNS points the URL to the TP-WC and the
> TP-WC caches the content of the server. Since there is
> only one webserver (apart from DOS attacks, and
> operating system security) I do not need a Firewall to
> divert traffic.

That's a bad configuration for many reasons.

- Your Squid thinks it's meant to be used as an Internet proxy, which means that unless you are very careful with your http_access rules you easily create an open proxy.
- You can't support obsolete clients not sending Host headers in such a configuration.
- You can't use authentication at the proxy in this mode to restrict access.
- It's also somewhat more demanding on the host than a properly configured accelerator mode Squid, as it constantly needs to query the local firewall to get details about the supposedly transparently intercepted/diverted connection.

The accelerator mode is what does what you describe. It's the mode meant to be used for the job. The only reason why the transparent mode also seems to work somewhat in that configuration is because the request formats seen by the proxy are very similar, but the intended use is very different.

The only drawbacks you will get from reconfiguring your Squid in accelerator mode is that you will get much better control over how your Squid operates and forwards requests to your web server(s).

The configuration is very simple and can be found in the Squid FAQ chapter on reverse proxying.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik
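
A minimal accelerator-mode squid.conf fragment matching the points in the reply above, added here as an illustration and not part of the original message. The host name www.example.com, the origin address 192.0.2.10 and the peer name "origin" are placeholders.

```conf
# Constructed squid.conf fragment; www.example.com and 192.0.2.10 are placeholders.

# Interception setup as described in the question, shown commented out for contrast.
# Combined with a broad http_access rule, this listener relays requests for any
# destination, which is the open-proxy risk mentioned in the reply:
#   http_port 80 transparent
#   http_access allow all

# Accelerator (reverse proxy) listener.
# defaultsite= supplies the host name for requests that arrive without a Host header.
http_port 80 accel defaultsite=www.example.com

# The origin web server is declared explicitly as the only place requests can go.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin

# Accept and forward only requests for the published site; refuse everything else.
acl published_site dstdomain www.example.com
http_access allow published_site
http_access deny all
cache_peer_access origin allow published_site
cache_peer_access origin deny all
```

With the final `http_access deny all` and `cache_peer_access origin deny all` in place, a request naming any other destination is refused at the proxy instead of being relayed.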