Tomasz Chmielewski wrote:
Amos Jeffries wrote:
Why should I use all directives for configuring a reverse proxy, if
it works with the setup explained above?
Or, am I missing something important here?
Yes. Transparent/intercept only works in the presence of NAT.
It also is not possible to perform any form of authentication, HTTPS,
or request modification without causing major problems to anyone who
visits the site.
All the old problems squid 2.5 has with virtual hosted domains, broken
client software, DNS loops, and request forwarding loops can be
tracked back to the reverse-accelerator mode using the transparent
intercept mode like you describe.
Does this also mean that using Squid as a reverse proxy with the website's
DNS entry pointed at the Squid machine is the only way to reliably cache web
traffic to the webserver?
No, any mode except offline mode will cache just as well. The problems
are all about request retrieval or HTTP transfer requirements.
I imagined I can have an accelerating/caching proxy for a webserver in
at least two different setups:
1) point webserver's DNS entry at Squid's IP; Squid will do all
caching/proxying when working in reverse (more reliable) or transparent
(less reliable) mode
2) don't change anything in DNS, but instead, make sure routing to the
webserver goes through the Squid machine, i.e.:
client -> Squid (public IP) -> webserver (public IP)
Here, we perhaps have to use transparent/intercept mode.
Still use reverse mode settings in Squid. How the packets are routed
there is of no consequence.
3) are there any other modes than 1) and 2) which could be used for
caching/accelerating traffic from a webserver?
How reliable would it be to use 2), provided I use anything newer than
Squid 2.5? Your reply seems to suggest that problems with
transparent/intercept mode used for reverse proxying apply to Squid 2.5,
but it doesn't mention if newer Squid versions will work better in such
scenarios.
2.5 had major problems because its reverse mode was really transparent
mode in disguise. Newer Squid versions work fine and faster with their real
reverse mode. If you force transparent mode to act like reverse it
breaks the same stuff no matter the version.
Oh, I forgot this too:
http://fr.securityvibes.com/vulnerabilite-CVE-2009-0801.html
It's a general transparent proxy issue, but Squid is still vulnerable as
a vector. The fix is likely to scupper your plans.
Let's put it this way:
3x NAT traversals
2x DNS resolves
4x TCP links
3x request copies
3x reply copies
vs:
1x DNS resolve
2x TCP links
1x request copy
1x reply copy
which is going to be faster with less breakage points?
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6
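Added illustration, not part of the thread above: a minimal squid.conf contrasting the transparent/intercept port Amos warns against with the accelerator (reverse-mode) settings he recommends, which apply whether traffic reaches the box via DNS or via routing. The site name www.example.com, the origin address 203.0.113.10 and port 3128 are placeholders.

```conf
# --- Transparent/intercept port: NOT how to build a reverse proxy ---
# (Squid 2.x/3.0 spelling; Squid 3.1 renames the option to "intercept".)
# Needs NAT redirection, cannot authenticate or handle HTTPS cleanly,
# and is exposed to the transparent-proxy issue linked in the thread
# (CVE-2009-0801). Left commented out on purpose.
# http_port 3128 transparent

# --- Reverse (accelerator) mode: use these settings regardless of how
# --- packets arrive (DNS pointed at this host, or routed through it).
# Placeholder hostname; replace with the site being accelerated.
http_port 80 accel defaultsite=www.example.com vhost

# The origin web server Squid fetches from (placeholder address).
cache_peer 203.0.113.10 parent 80 0 no-query originserver name=origin

# Only accelerate hostnames we actually serve, and refuse everything
# else so the box cannot be abused as an open forward proxy.
acl our_sites dstdomain www.example.com
cache_peer_access origin allow our_sites
cache_peer_access origin deny all
http_access allow our_sites
http_access deny all
```

With this layout a client request makes one DNS resolve, two TCP links and one copy of request and reply, matching the second column of Amos's comparison.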