Hi, On Wed, 06 May 2009, Matus UHLAR - fantomas wrote: > On 04.05.09 22:35, Gavin McCullagh wrote: > > Would you care to substantiate that in a bit more detail? > > Making clients think they connect to the destination server when they do > not, breaks many things. It disables authentication, causes some TCP > problems (pmtu discovery?)... Many thanks for the extra info. Disabling authentication is unfortunate, but anyone managing a network and proxy server who decides to use transparent proxying necessarily makes the decision not to use authentication. PMTU discovery is not something I had thought about I must say. At a guess the main issue is that if a router between client and proxy sends a "datagram too big" to the proxy, it'll have the IP of the upstream host on it and will not get to the proxy. In our case (where the MTU is consistent across the whole path), that won't be an issue but I can see how it could be. I guess you could turn off PMTU disovery on the proxy to solve this, though that's a bit of a sledgehammer. There would also be an ambiguous MTU for the client (ie that of the client<->proxy and the client<->server) which would depend on what port the client was connecting on (eg it could mix http and https). I'd guess, perhaps wrongly (and assuming the icmps are not blocked) the client should just end up with the minimum MTU for both paths? > That's bad, luckily many browsers can turn on autodetection and use it when > available. You mean the browser downloading http://wpad.<domain>/wpad.dat? This has been pretty flakey in our experience. In most cases you seem to have to turn it on explicitly which is a huge pain as students don't know how. > Well, I always call intercepting a thing you should do in "last resort" and > all troubles caused by the interception should be pointed as client errors. Fair enough. > Yes, if you need, keep that there, but I hope you didn't stop providing WPAD > for anyone who supports it. We still provide it alright, though I don't think it gets used much. One of our networks, where we require authentication still use it all the time. Gavin
