Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: Gavin McCullagh <gavin.mccullagh_at_gcd.ie>
Date: Mon, 4 May 2009 22:35:53 +0100

Hi,

On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:

> On 29.04.09 04:58, nyoman karna wrote:

> > you probably may use PAC (as Amos suggested)
> > but IMO it ruins the basic idea of using transparent proxy
> > (which is user does not need to put any setting in their browser)
>
> the whole idea of intercepting proxy (also called transparent) is sick.

Would you care to substantiate that in a bit more detail?

> WPAD is the way to go - browser will autodetect the proxy, so user can log there
> and all problems caused by intercepting connections will be gone.

I've been down this road. We (a 3rd level college) have hundreds of users
walking on and off a campus with their laptops, mobile phones, netbooks,
PDAs, etc. We used to have posters, docs, everything set up to tell people
how to use the proxy. We had a proxy.pac. The support load was massive.
The number of people coming into our office for help setting it up was
huge. The number of applications that use HTTP but don't support proxy.pac
files is surprisingly large. The users leave the campus and have to undo
the proxy settings, then redo them when next on campus.

It was imperative for us to be able to give completely transparent web
access. It's also a big requirement to have caching to reduce our
bandwidth and give us some kind of logging. So we have transparent
proxying of http traffic and we simply allow https traffic out.

This policy has been hugely successful. You might argue that we should
just allow all http and https traffic out but that is more expensive,
slower and harder for us to keep track of (I'm not that keen on logging but
it's necessary for a host of reasons).

As it is now, the web just works for everyone. People are far happier and
so are we.

Gavin
Received on Mon May 04 2009 - 21:36:05 MDT
