18 September 2008

IPCOP's Transparent Proxy Problem.

IPCOP's Transparent Proxy is a well-known troublemaker. It'd be best to stay away from it.

The issue lies in what a transparent proxy is: it intercepts port 80 requests and forces them through the proxy as if the browser had made the connection itself. This is a kludge at best, and it causes all sorts of horrible issues because it breaks browser behavior. It also prevents other traffic, such as FTP and SSL requests, from being routed via the proxy. There has been ongoing (heated) debate about it on the Squid mailing lists for years.

When a browser knows it is being proxied, it changes its behavior - it has to - to make some kinds of transaction work properly via a proxy. There are settings for this in most browsers. Even SSL can be tunneled over Squid quite happily, provided the browser is aware that the proxy is there.
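What that change in behavior looks like on the wire, as an added example that is not part of the original post: a proxy-aware client sends the full URL or a CONNECT request, while an unaware client sends only a path and a Host header. The function name `classify_request` and the sample request heads are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "ftp": 21}

def classify_request(head: bytes) -> dict:
    """Classify a request head by the form of its request target."""
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for raw in lines[1:]:
        if not raw:          # blank line ends the header block
            break
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # authority-form: a proxy-aware client asks for an opaque tunnel,
        # which is how SSL passes through the proxy.
        host, _, port = target.rpartition(":")
        return {"mode": "explicit-tunnel", "scheme": None,
                "host": host, "port": int(port)}
    if target.startswith("/"):
        # origin-form: the client believes it is talking to the web server.
        # An intercepting proxy sees only this and must rebuild the URL
        # from the Host header.
        return {"mode": "unaware-client", "scheme": "http",
                "host": headers.get("host"), "port": 80}
    # absolute-form: a proxy-aware client sends the full URL, scheme included,
    # so non-HTTP schemes such as ftp:// can be requested through the proxy.
    url = urlsplit(target)
    return {"mode": "explicit", "scheme": url.scheme, "host": url.hostname,
            "port": url.port or DEFAULT_PORTS.get(url.scheme)}

# Constructed sample request heads (not captured traffic).
UNAWARE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
AWARE = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
AWARE_FTP = b"GET ftp://ftp.example.com/pub/README HTTP/1.1\r\nHost: ftp.example.com\r\n\r\n"
AWARE_SSL = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("unaware", UNAWARE), ("aware", AWARE),
                        ("aware ftp", AWARE_FTP), ("aware ssl", AWARE_SSL)]:
        print(f"{label:10} {classify_request(head)}")
```

Only the last three forms carry a scheme or a tunnel request, which is why FTP and SSL reach the proxy only when the browser is configured to use it.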

As a network admin, I'd imagine that you want your browsers to use the proxy for everything, including SSL, and you want your browsers to work properly through the proxy, so using transparent proxying is a Very Bad Idea. Many sites will work, many others will not - it's just down to how the network admin has configured their web server/appserver/load balancer.

I'd strongly recommend that you move away from the horrible kludge that is "transparent proxy" and use the proxy as it is intended to be used - as part of an open conversation with the client (browser). Hence my recommendation to use BOT if you must control your outbound traffic.
