Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Wed, 6 May 2009 10:26:27 +0200

> > On 29.04.09 04:58, nyoman karna wrote:
> > > you probably may use PAC (as Amos suggested)
> > > but IMO it ruins the basic idea of using a transparent proxy
> > > (which is that the user does not need to put any setting in their browser)

> On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:
> > the whole idea of an intercepting proxy (also called transparent) is sick.

On 04.05.09 22:35, Gavin McCullagh wrote:
> Would you care to substantiate that in a bit more detail?

Making clients think they connect to the destination server when they do
not, breaks many things. It disables authentication, causes some TCP
problems (pmtu discovery?)...

> > WPAD is the way to go - the browser will autodetect the proxy, so the user can log there
> > and all problems caused by intercepting connections will be gone.
>
> I've been down this road. We (a 3rd level college) have hundreds of users
> walking on and off a campus with their laptops, mobile phones, netbooks,
> pdas, etc. We used to have posters, docs, everything set up to tell people
> how to use the proxy. We had a proxy.pac. The support load was massive.
> The number of people coming into our office for help setting it up was
> huge. The number of applications that use HTTP but don't support proxy.pac
> files is surprisingly large.

That's bad, luckily many browsers can turn on autodetection and use it when
available.

> The users leave the campus and have to undo
> the proxy settings, then redo them when next on campus.

Well, I always call intercepting a thing you should do as a "last resort" and
all troubles caused by the interception should be pointed out as client errors.

Yes, if you need to, keep that there, but I hope you didn't stop providing WPAD
for anyone who supports it.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool. 
Received on Wed May 06 2009 - 08:26:33 MDT
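
The WPAD/PAC approach argued for above, written out as a proxy.pac body (an added example, not from the thread or the Squid project; the campus range 10.20.0.0/16, the proxy name proxy.campus.example:3128 and the helpers chooseProxy, inNet and ipToInt are assumptions). It sends on-campus HTTP and HTTPS through the proxy and lets a laptop that has left campus go direct:

```javascript
// Added example: a proxy.pac / wpad.dat body. All addresses and names are assumed.
var CAMPUS_NET = "10.20.0.0", CAMPUS_MASK = "255.255.0.0";  // assumed campus range
var PROXY = "PROXY proxy.campus.example:3128";               // assumed Squid listener

// Dotted-quad to unsigned 32-bit integer; null for anything that is not an IPv4 literal.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Pure-JS subnet test on IP literals (the browser's isInNet() also resolves names).
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Decision logic, kept separate from FindProxyForURL so it can be tested outside a browser.
function chooseProxy(url, host, clientIp) {
  host = String(host).toLowerCase();
  // Roaming client that still has this script cached: do not point it at an unreachable proxy.
  if (!inNet(clientIp, CAMPUS_NET, CAMPUS_MASK)) return "DIRECT";
  // Local names and campus addresses never need the proxy.
  if (host.indexOf(".") === -1 || inNet(host, CAMPUS_NET, CAMPUS_MASK)) return "DIRECT";
  // http: is proxied normally; https: is sent as CONNECT host:443, so TLS stays
  // end to end and the proxy can still answer 407 to authenticate the user.
  // No "; DIRECT" fallback: if the proxy is down the request fails instead of
  // silently bypassing it.
  if (/^https?:/i.test(url)) return PROXY;
  return "DIRECT";
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC environment.
function FindProxyForURL(url, host) {
  return chooseProxy(url, host, myIpAddress());
}
```

On multihomed clients myIpAddress() can return a loopback or wrong-interface address, in which case this script falls through to DIRECT.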