Re: Transparent Vs Non-transparent proxy

Asim Ahmed @ Folio3 wrote:
Hi,

I need an expert opinion on the best suitable setup for my requirement. I am running shorewall 4.4 on RHEL 5 for NATTING/FIREWALLING. I've installed SQUID-3.0STABLE20-1 on that same machine as well. Shorewall is REDIRECT-ing port 80 traffic to squid. Currently Squid was running in transparent mode until I found that almost all users were having very frequent breaks in internet. I configured client browsers with the squid-server address as http proxy with the port squid was running on. This worked and the internet problem was solved. My question is: is that a common problem with squid running in transparent mode with shorewall?

I have no data and can provide no answer to this question.

When I've configured client browsers with http proxy address, now it is no more a transparent proxy, is it?

To be pedantic, it was never a transparent proxy, but an intercepting proxy. That should make the answer to this question more obvious. Since the clients are knowingly sending their data to the proxy and the traffic is no longer being intercepted, it is no longer an intercepting proxy.

So should I change it to non-transparent mode?

Yes. You should not use the same port for intercepted and non-intercepted traffic.

What is the main advantage / drawback of running squid in transparent/non-transparent mode?

A short list off the top of my head...

Advantages of interception mode:
* No client configuration required.
* May continue to work even if the proxy fails (if the interception device monitors the proxy).
Drawbacks for interception mode:
* Difficulty in intercepting only HTTP traffic or intercepting HTTP traffic destined to ports other than 80.
* Violates the RFCs (see RFC 3143 section 2.2)
* It's the definition of a man-in-the-middle attack.

Advantages of non-interception:
* All HTTP traffic (and only HTTP traffic) can be sent to the proxy.
* RFC compliance.
Disadvantages of non-interception:
* May require client configuration (though WPAD makes this less of an issue)
* If the proxy fails, traffic is unlikely to flow (proxy.pac can overcome this)


Any insight here or through any article on the internet is well appreciated!


Chris
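
The proxy.pac fallback mentioned in the reply above, as an added example that is not part of the original message: a PAC file that sends only plain HTTP to the proxy and lets the browser go direct if the proxy cannot be reached. The proxy host name, port 3128 and the `isLocalName` helper are assumptions made for illustration.

```javascript
// Added example: a proxy.pac for the non-intercepting setup.
// PROXY_HOST and PROXY_PORT are assumed placeholders, not values from the thread.
var PROXY_HOST = "proxy.example.internal"; // assumption: name of the Squid machine
var PROXY_PORT = 3128;                     // assumption: Squid's non-intercepting http_port

// Hypothetical helper: unqualified names (intranet hosts, "localhost")
// and the IPv4 loopback address never need the proxy.
function isLocalName(host) {
  return host.indexOf(".") === -1 || host === "127.0.0.1";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalName(host)) {
    return "DIRECT";
  }
  // Only plain HTTP is handed to Squid; every other scheme bypasses it.
  if (url.substring(0, 5).toLowerCase() === "http:") {
    // Entries are tried left to right: DIRECT is used only when the
    // proxy does not answer. This is fail-open; remove "; DIRECT" to
    // fail closed, so that an unreachable proxy blocks HTTP instead.
    return "PROXY " + PROXY_HOST + ":" + PROXY_PORT + "; DIRECT";
  }
  return "DIRECT";
}
```

The DIRECT fallback only helps if the firewall lets clients reach port 80 themselves, and while it is in use requests skip the proxy's access controls and logs.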

