Re: [squid-users] Transparent Vs Non-transparent proxy

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 09 Dec 2009 13:38:54 -0900

Asim Ahmed @ Folio3 wrote:
> Hi,
>
> I need an expert opinion on best suitable setup for my requirement. I
> am running shorewall 4.4 on RHEL 5 for NATTING/FIREWALLING. I've
> installed SQUID-3.0STABLE20-1 on that same machine as well. Shorewall
> is REDIRECT-ing port 80 traffic to squid. Currently Squid was running
> in transparent mode until I found that almost all users were having
> very frequent breaks in internet. I configured client browsers with
> squid-server address as http proxy with port squid was running on.
> This worked and internet problem solved.
> My question is: is that a common problem with squid running in
> transparent mode with shorewall?

I have no data and can provide no answer to this question.

> When I've configured client browsers with http proxy address, now it
> is no more a transparent proxy, is it?

To be pedantic, it was never a transparent proxy, but an intercepting
proxy. That should make the answer to this question more obvious.
Since the clients are knowingly sending their data to the proxy and the
traffic is no longer being intercepted, it is no longer an intercepting
proxy.

> So should I change it to non-transparent mode?

Yes. You should not use the same port for intercepted and
non-intercepted traffic.

> What is the main advantage / drawback of running squid in
> transparent/non-transparent mode?

A short list off the top of my head...

Advantages of interception mode:
* No client configuration required.
* May continue to work even if the proxy fails (if the interception
device monitors the proxy).
Drawbacks for interception mode:
* Difficulty in intercepting only HTTP traffic or intercepting HTTP
traffic destined to ports other than 80.
* Violates the RFCs (see RFC 3143 section 2.2)
* It's the definition of a man-in-the-middle attack.

Advantages of non-interception:
* All HTTP traffic (and only HTTP traffic) can be sent to the proxy.
* RFC compliance.
Disadvantages of non-interception:
* May require client configuration (though WPAD makes this less of an issue)
* If the proxy fails, traffic is unlikely to flow (proxy.pac can
overcome this)

>
> Any insight here or through any article on the internet is well appreciated!
>

Chris
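Added example, not part of the original thread, of what the "separate ports" advice above looks like in configuration. It assumes Squid 3.0 (where the http_port option is spelled `transparent`; Squid 3.1 and later call it `intercept`), a Shorewall LAN zone named `loc`, and a placeholder firewall address of 192.0.2.1:

```conf
# --- squid.conf (Squid 3.0 syntax) ---
# Port for browsers explicitly configured to use the proxy (by hand or
# via WPAD/proxy.pac). Ordinary forward-proxy request semantics.
http_port 3128

# Separate port that receives only the traffic Shorewall redirects.
# "transparent" tells Squid to recover the original destination from the
# kernel NAT table instead of trusting a proxy-style request line, so
# intercepted and explicit clients never share a listener.
# Squid 3.1+ spells this option "intercept".
http_port 3129 transparent

# --- /etc/shorewall/rules (Shorewall 4.4 column layout) ---
#ACTION   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
#                             PORT(S)  PORT(S)  DEST
# Redirect LAN port-80 traffic to the intercept port only. The ORIGINAL
# DEST exclusion keeps requests addressed to the firewall itself
# (placeholder address 192.0.2.1) from being looped through the proxy.
REDIRECT  loc     3129  tcp    80       -        !192.0.2.1
```

Port 3128 is then reached only by clients that chose the proxy, and port 3129 only through the REDIRECT rule, which is the split the reply recommends.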
Received on Wed Dec 09 2009 - 22:39:03 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 10 2009 - 12:00:01 MST