Re: linux netfilter transparency

From: Gianni Tedesco <gianni@dont-contact.us>
Date: 06 Mar 2003 12:14:01 +0000

On Thu, 2003-03-06 at 11:27, Henrik Nordstrom wrote:
> Yes, certainly a feasible task.

:)

> I do not really see any major problems in implementation, except that
> for maintenance reasons this should be done based on Squid-HEAD if
> possible (what will become Squid-3.0).. the current networking code is
> substantially different from the earlier Squid-2.5 code..

My problem with that is that this is for enhancement of an existing
product based on squid-2.5; what I will do is add the code for 2.5, then
duplicate the work for 3.0 on the basis of giving us a "clear upgrade
path"(tm).

> You have already mentioned persistent connections. As you say server
> side persistent connections should be disabled in such a setup until Squid
> has connection pinning (ability to make client and server side
> connections related to each other). Connection pinning would solve this
> issue and would make the proxy much more transparent, including also
> allowing for Microsoft NTLM/Negotiate authentication to be transparently
> proxied.

Yeah, I had already thought of doing something like this to keep
persistent conns.

> Another thing you might want to look into at the same time is making
> Squid use the original destination IP address instead of the host name.
> This has some minor complications in cache consistency, but if the cache
> key is changed to include the IP address in addition to the host name on
> such requests it should not be a problem. Today the IP address is only
> used if there is no Host header in the request. This is because the
> information is used when reconstructing the requested URL, not for
> forwarding the request.

Aaah right sure.

I agree that both of those changes sound like they would be better off
in squid 3.0 (both are something we would be interested in doing). Let
me look into it :)

Thanks.

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

Received on Thu Mar 06 2003 - 05:13:34 MST
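
The cache-key change Henrik describes in the quoted text, as an added example that is not part of the original mail and is not Squid code: it compares a key built from the reconstructed URL alone with one that also carries the original destination IP. The struct and function names are hypothetical, and the addresses are constructed documentation-range values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request record for this example; not a Squid structure. */
struct icpt_request {
    const char *method;
    const char *host;        /* Host header value, NULL if absent */
    const char *orig_dst_ip; /* original destination of the intercepted connection */
    unsigned short port;
    const char *path;
};

/* URL reconstruction as described in the mail: Host header first,
 * original destination IP only when there is no Host header. */
static int build_url(const struct icpt_request *r, char *out, size_t n)
{
    const char *auth = (r->host && *r->host) ? r->host : r->orig_dst_ip;
    if (!auth) return -1;
    int len = snprintf(out, n, "http://%s:%u%s", auth, (unsigned)r->port, r->path);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* include_dst = 0: key on method + URL only; 1: also append the original
 * destination IP (the proposed change). Returns -1 if the key is truncated. */
int build_cache_key(const struct icpt_request *r, int include_dst, char *out, size_t n)
{
    char url[512];
    int len;
    if (build_url(r, url, sizeof url) != 0) return -1;
    if (include_dst && r->orig_dst_ip)
        len = snprintf(out, n, "%s %s @%s", r->method, url, r->orig_dst_ip);
    else
        len = snprintf(out, n, "%s %s", r->method, url);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* 1 if both requests map to the same cache entry, 0 if not, -1 on error. */
int same_key(const struct icpt_request *a, const struct icpt_request *b, int include_dst)
{
    char ka[600], kb[600];
    if (build_cache_key(a, include_dst, ka, sizeof ka) != 0 ||
        build_cache_key(b, include_dst, kb, sizeof kb) != 0) return -1;
    return strcmp(ka, kb) == 0;
}

int main(void)
{   /* Constructed sample requests: same Host header, different destinations. */
    struct icpt_request a = {"GET", "www.example.com", "192.0.2.10", 80, "/"};
    struct icpt_request b = {"GET", "www.example.com", "198.51.100.7", 80, "/"};
    printf("shared without IP: %d, with IP: %d\n", same_key(&a, &b, 0), same_key(&a, &b, 1));
    return 0;
}
```

With the host-only key, both requests land on one cache entry even though they were addressed to different servers; adding the destination IP keeps them apart.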
