Hi,

On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:

> On 29.04.09 04:58, nyoman karna wrote:
> > you probably may use PAC (as Amos suggested)
> > but IMO it ruins the basic idea of using transparent proxy
> > (which is user does not need to put any setting in their browser)
>
> the whole idea of intercepting proxy (also called transparent) is sick.

Would you care to substantiate that in a bit more detail?

> WPAD is way to go - browser will autodetect the proxy, so user can log there
> and all problems caused by intercepting connections will be gone.

I've been down this road. We (a 3rd level college) have hundreds of users walking on and off a campus with their laptops, mobile phones, netbooks, PDAs, etc. We used to have posters, docs, everything set up to tell people how to use the proxy. We had a proxy.pac. The support load was massive. The number of people coming into our office for help setting it up was huge. The number of applications that use HTTP but don't support proxy.pac files is surprisingly large. The users leave the campus and have to undo the proxy settings, then redo them when next on campus.

It was imperative for us to be able to give completely transparent web access. It's also a big requirement to have caching to reduce our bandwidth and give us some kind of logging. So we have transparent proxying of http traffic and we simply allow https traffic out.

This policy has been hugely successful. You might argue that we should just allow all http and https traffic out but that is more expensive, slower and harder for us to keep track of (I'm not that keen on logging but it's necessary for a host of reasons).

As it is now, the web just works for everyone. People are far happier and so are we.

Gavin