yjyj wrote:
> Yes, I know that the reverse proxy mode can solve the problem.
> However, if that, I need to change DNS. And the more important is

DNS is a minor issue compared to the troubles and extra work you introduce by using NAT.

> that if there is any problem with the squid server, clients can't
> visit the website.

transparent mode does not solve that problem. When Squid dies the NAT firewall will send connection errors to the client. Same as if they were connecting to Squid directly.

The best way to make a website always available with Squid is to use multiple reverse proxies all in the DNS. That way if one goes down others still handle the traffic. Meanwhile they are all sharing the load to reduce the chance of any one overloading.

The current squid releases since 2.6 are all built to stay running and if they die unexpectedly restart automatically with only a short downtime.

> With the transparent mode, I don't need to change
> anything.

Wrong. With transparent proxy you have to set up NAT and the firewall.

You are only adding these problems on top:

 * you have to specially configure NAT and the firewall
 * you increase the load on your kernel networking I/O tracking NAT
 * if NAT fails the website becomes unavailable
 * you have extra complicated configuration to make Squid secure
 * secure authentication is unavailable
 * you need to trust your visitors are not going to try and hack you through CVE-2009-0801 loopholes
 * you are limited to a single squid per web server. zero scalability.
 * you double the load on your DNS servers

The reverse proxy mode was created based on transparent mode, to solve these problems which transparent mode creates for your required setup.

Amos

>
> 2010/2/2 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> On Tue, 2 Feb 2010 11:25:21 +0800, yjyj <yangjing001001@xxxxxxxxx> wrote:
>>> Hi,
>>>
>>> I want to use the squid as a transparent bridge proxy, which is put
>>> behind a firewall and in front of a web server. The web server works
>>> in a local net with a different port from that clients visits, so the
>>> firewall need to do nat and port mapping.
>> What you are trying to do is called reverse-proxy.
>>
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>>
>> Amos
>>
>>
>
>

--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16
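
The reverse-proxy setup recommended in this thread, sketched as a squid.conf fragment. This is an added example, not part of the original messages or the Squid project's own configuration; the hostname `www.example.com`, the origin address `192.0.2.10`, the origin port `8080` and the peer name `webserver` are constructed placeholders.

```conf
# squid.conf fragment: reverse proxy (accelerator) in front of one origin server.
# Hostname, address, port and peer name are constructed placeholders.

# Listen on the public HTTP port in accelerator mode. Clients reach Squid at
# the address published in DNS for the site, so Squid does not depend on a
# NAT interception rule to receive the traffic.
http_port 80 accel defaultsite=www.example.com

# The origin web server on the local net, listening on its own port.
# "originserver" makes Squid treat the peer as a web server, not another proxy.
cache_peer 192.0.2.10 parent 8080 0 no-query originserver name=webserver

# Accept only requests for the site this proxy fronts and route them
# to the origin peer.
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access webserver allow our_site
cache_peer_access webserver deny all

# Refuse everything else so the listener cannot be used as an open proxy.
http_access deny all
```

For the multi-proxy arrangement described above, the same fragment goes on each Squid host and each host's address is published in DNS for the site name.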