Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
I have a last question concerning this topic:

Suppose I would tell you: In front of my internet server I have a WC in transparent mode and it works. The Internet DNS points the URL to the TP-WC and the TP-WC caches the content of the server. Since there is only one webserver (apart from DOS attacks, and operating system security) I do not need a Firewall to divert traffic.

Is there any reason why I should change the transparent WC into an accelerator mode WC and why? What benefit would an accelerator WC give me above the transparent one?

--- Henrik Nordstrom [EMAIL PROTECTED] wrote:

> On Thu, 2008-03-20 at 05:31 -0700, Raemaekers Mark wrote:
>
> > What mode of WC (so transparent or accelerator) will give me the best performance and why? Or is there no difference with respect to performance?
>
> The different modes are not about performance but different use cases.
>
> accelerator or reverse proxy - Squid sits in front of your own web server (or one you host), offloading traffic from the web server. The DNS is registered so that Internet users visiting your site contact the Squid server.
>
> transparent interception - Squid sits in the path of your LAN users' outgoing web traffic and port 80 traffic is transparently diverted to the proxy by firewall rules. This is a workaround to make all LAN client HTTP traffic go via the proxy even if they haven't configured the proxy settings correctly.
>
> normal proxy - The clients are configured to use the proxy, either manually or via automatic means such as WPAD.
>
> accelerator mode is Internet users - your web server.
>
> transparent interception and normal mode is your local LAN users going out to random web servers out on the Internet.
>
> Regards
> Henrik
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
Raemaekers Mark wrote:

> I have a last question concerning this topic:
>
> Suppose I would tell you: In front of my internet server I have a WC in transparent mode and it works. The Internet DNS points the URL to the TP-WC and the TP-WC caches the content of the server. Since there is only one webserver (apart from DOS attacks, and operating system security) I do not need a Firewall to divert traffic.
>
> Is there any reason why I should change the transparent WC into an accelerator mode WC and why? What benefit would an accelerator WC give me above the transparent one?

In squid specifically:

http_port 80 vhost
 + Host: header de-referencing for better www simulation
 + full WWW-Authentication (not just Proxy-Authentication)
 + Support for IE reload bugs.
 + PMTU discovery
 + in-transit port alteration (vport)

http_port 80 transparent
 -- disabled all authentication
 + performs NAT lookup every request
 -- disables PMTU discovery
 - may simulate the client IP (tproxy)

Amos

> --- Henrik Nordstrom [EMAIL PROTECTED] wrote:
>
> > On Thu, 2008-03-20 at 05:31 -0700, Raemaekers Mark wrote:
> >
> > > What mode of WC (so transparent or accelerator) will give me the best performance and why? Or is there no difference with respect to performance?
> >
> > The different modes are not about performance but different use cases.
> >
> > accelerator or reverse proxy - Squid sits in front of your own web server (or one you host), offloading traffic from the web server. The DNS is registered so that Internet users visiting your site contact the Squid server.
> >
> > transparent interception - Squid sits in the path of your LAN users' outgoing web traffic and port 80 traffic is transparently diverted to the proxy by firewall rules. This is a workaround to make all LAN client HTTP traffic go via the proxy even if they haven't configured the proxy settings correctly.
> >
> > normal proxy - The clients are configured to use the proxy, either manually or via automatic means such as WPAD.
> >
> > accelerator mode is Internet users - your web server.
> >
> > transparent interception and normal mode is your local LAN users going out to random web servers out on the Internet.
> >
> > Regards
> > Henrik

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
On Fri, 2008-03-21 at 02:29 -0700, Raemaekers Mark wrote:

> I have a last question concerning this topic:
>
> Suppose I would tell you: In front of my internet server I have a WC in transparent mode and it works. The Internet DNS points the URL to the TP-WC and the TP-WC caches the content of the server. Since there is only one webserver (apart from DOS attacks, and operating system security) I do not need a Firewall to divert traffic.

That's a bad configuration for many reasons.

- Your Squid thinks it's meant to be used as an Internet proxy, which means that unless you are very careful with your http_access rules you easily create an open proxy.

- You can't support obsolete clients not sending Host headers in such a configuration.

- You can't use authentication at the proxy in this mode to restrict access.

- It's also somewhat more demanding on the host than a properly configured accelerator mode Squid as it constantly needs to query the local firewall to get details about the supposedly transparently intercepted/diverted connection.

The accelerator mode is what does what you describe. It's the mode meant to be used for the job. The only reason why the transparent mode also seems to work somewhat in that configuration is because the request formats seen by the proxy are very similar, but the intended use is very different.

The only drawback you will get from reconfiguring your Squid in accelerator mode is that you will get much better control over how your Squid operates and forwards requests to your web server(s).

The configuration is very simple and can be found in the Squid FAQ chapter on reverse proxying.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik
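The points raised in the message above, as an added example that is not part of the original thread or of Squid itself: a small checker that flags an interception-style squid.conf placed in front of a single web server and accepts an accelerator layout. Both configurations are constructed samples in Squid 2.6 syntax; the hostname `www.example.com`, the origin address `192.0.2.10`, the names `origin` and `our_site`, and the finding codes are assumptions made for illustration.

```python
# Constructed sample: the thread's setup, an interception port answering Internet clients.
WEAK_CONF = """\
http_port 80 transparent
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

# Constructed sample: accelerator layout (Squid 2.6 syntax); hostname and origin IP are placeholders.
ACCEL_CONF = """\
http_port 80 accel defaultsite=www.example.com vhost
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin
acl all src 0.0.0.0/0.0.0.0
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site
cache_peer_access origin deny all
"""

def directives(conf):
    """Return each squid.conf directive as a token list, comments and blanks dropped."""
    rows = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [r for r in rows if r]

def audit(conf):
    """Return finding codes (hypothetical names) for a Squid meant to front one web server."""
    rows = directives(conf)
    ports = [r[2:] for r in rows if r[0] == "http_port"]
    access = [r[1:] for r in rows if r[0] == "http_access"]
    peers = [r for r in rows if r[0] == "cache_peer"]
    findings = []
    if any("transparent" in o or "tproxy" in o for o in ports):
        findings.append("intercept-port")   # no proxy auth, NAT lookup on every request
    if not any("accel" in o or "vhost" in o for o in ports):
        findings.append("no-accel-port")    # Squid acts as a general Internet proxy
    if ["allow", "all"] in access:
        findings.append("open-proxy")       # any client may request any URL
    if not access or access[-1] != ["deny", "all"]:
        findings.append("no-final-deny")    # rule list does not end in an explicit deny
    if not any("originserver" in p for p in peers):
        findings.append("no-originserver")  # forwarding is not pinned to the web server
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("accel", ACCEL_CONF)):
        print(name, audit(conf))
```

The checker only inspects directive tokens; it does not evaluate ACL logic, so a clean result is a starting point for review of the http_access rules, not proof that the proxy is closed.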
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
On Fri, 2008-03-21 at 18:32 +1300, Amos Jeffries wrote:

> > the HTTP defines transparent proxy as any proxy that does not modify the data. Please, don't create new definition of transparency in proxying.
>
> Not altering the request and not being configured would be part of that 'neither can detect' I mentioned, yes?

The HTTP meaning of transparent is purely semantically transparent, not network transparent.

The industry has settled for not using the word transparent alone any more, but instead semantically transparent for the HTTP meaning and transparent interception for the more commonly used meaning of transparent.

The ability to spoof the proxied connection using the original client ip would be fully transparent interception I guess. But it was not an option when these terms were discussed some (several) years ago.

Regards
Henrik
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
Thank you Amos,

Suppose that I have to put a WC in front of ONLY ONE HTTP server and both WC and web server are behind a load balancer, so the clients will never see whether traffic comes from a WC or from the server, anyway.

What mode of WC (so transparent or accelerator) will give me the best performance and why? Or is there no difference with respect to performance?

you mention: reverse-proxy (or accelerator) - software that performs many of the service duties of a 'true' web-server

What web duties can an accelerator WC do, that a transparent WC cannot do?

Thanks in advance,
Mark.

--- Amos Jeffries [EMAIL PROTECTED] wrote:

> Raemaekers Mark wrote:
>
> > For me it is not clear why an accelerator mode WC is faster than a Transparent Mode webcache. This is how I understand both modes after googling for about half a day on this topic:
> >
> > WC IN TRANSPARENT MODE (WCTM): When an http request hits the WCTM for the second time, then the WC will send its cached contents back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCTM.
> >
> > WC IN ACCELERATOR MODE (WCAM): when an http request hits the WCAM for the second time, the WC will look if this request is in its cache and send the cached response of this request back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCAM.
> >
> > In both cases (from the second request onwards) the real web server is not contacted. So, what exactly makes an accelerator mode WC go faster then?
>
> Nothing. Neither name accurately reflects the operation of the cache. What's the confusion?
>
> proxy - software that sits between a web server and a web-client with purpose of resource saving or improving web service to the clients.
>
> intercepting proxy - software that performs as a proxy, but additionally can handle traffic redirected to it by a FW without the web-client's knowledge. Usually typed 'transparent' by those who confuse client-hidden with totally-invisible.
>
> transparent proxy - software that performs all duties of proxy and additionally spoofs/hides its IP from both parties such that neither can detect its existence.
>
> reverse-proxy - software that performs many of the service duties of a web-server. Redirecting all requests it can't handle to a separate 'true' web-server or more authoritative source.
>
> accelerator - nickname for reverse-proxy.
>
> Amos
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
On 20.03.08 12:14, Amos Jeffries wrote:

> proxy - software that sits between a web server and a web-client with purpose of resource saving or improving web service to the clients.
>
> intercepting proxy - software that performs as a proxy, but additionally can handle traffic redirected to it by a FW without the web-client's knowledge. Usually typed 'transparent' by those who confuse client-hidden with totally-invisible.
>
> transparent proxy - software that performs all duties of proxy and additionally spoofs/hides its IP from both parties such that neither can detect its existence.

many people assume transparent proxy the same as intercepting, maybe often with the meaning of not explicitly configured proxy.

the HTTP defines transparent proxy as any proxy that does not modify the data. Please, don't create new definition of transparency in proxying.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows found: (R)emove, (E)rase, (D)elete
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
On Thu, 2008-03-20 at 05:31 -0700, Raemaekers Mark wrote:

> What mode of WC (so transparent or accelerator) will give me the best performance and why? Or is there no difference with respect to performance?

The different modes are not about performance but different use cases.

accelerator or reverse proxy - Squid sits in front of your own web server (or one you host), offloading traffic from the web server. The DNS is registered so that Internet users visiting your site contact the Squid server.

transparent interception - Squid sits in the path of your LAN users' outgoing web traffic and port 80 traffic is transparently diverted to the proxy by firewall rules. This is a workaround to make all LAN client HTTP traffic go via the proxy even if they haven't configured the proxy settings correctly.

normal proxy - The clients are configured to use the proxy, either manually or via automatic means such as WPAD.

accelerator mode is Internet users - your web server.

transparent interception and normal mode is your local LAN users going out to random web servers out on the Internet.

Regards
Henrik
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
Matus UHLAR - fantomas wrote:

> On 20.03.08 12:14, Amos Jeffries wrote:
>
> > proxy - software that sits between a web server and a web-client with purpose of resource saving or improving web service to the clients.
> >
> > intercepting proxy - software that performs as a proxy, but additionally can handle traffic redirected to it by a FW without the web-client's knowledge. Usually typed 'transparent' by those who confuse client-hidden with totally-invisible.
> >
> > transparent proxy - software that performs all duties of proxy and additionally spoofs/hides its IP from both parties such that neither can detect its existence.
>
> many people assume transparent proxy the same as intercepting, maybe often with the meaning of not explicitly configured proxy.

Many people are also assuming wrong. Confusing themselves when speaking about it. I was in that boat myself until I spent a while checking the transparency operations of squid against the RFC.

> the HTTP defines transparent proxy as any proxy that does not modify the data. Please, don't create new definition of transparency in proxying.

Not altering the request and not being configured would be part of that 'neither can detect' I mentioned, yes?

Apologies for cut-n-pasting 'all duties', 'most duties' would be more accurate.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
Raemaekers Mark wrote:

> For me it is not clear why an accelerator mode WC is faster than a Transparent Mode webcache. This is how I understand both modes after googling for about half a day on this topic:
>
> WC IN TRANSPARENT MODE (WCTM): When an http request hits the WCTM for the second time, then the WC will send its cached contents back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCTM.
>
> WC IN ACCELERATOR MODE (WCAM): when an http request hits the WCAM for the second time, the WC will look if this request is in its cache and send the cached response of this request back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCAM.
>
> In both cases (from the second request onwards) the real web server is not contacted. So, what exactly makes an accelerator mode WC go faster then?

Nothing. Neither name accurately reflects the operation of the cache. What's the confusion?

proxy - software that sits between a web server and a web-client with purpose of resource saving or improving web service to the clients.

intercepting proxy - software that performs as a proxy, but additionally can handle traffic redirected to it by a FW without the web-client's knowledge. Usually typed 'transparent' by those who confuse client-hidden with totally-invisible.

transparent proxy - software that performs all duties of proxy and additionally spoofs/hides its IP from both parties such that neither can detect its existence.

reverse-proxy - software that performs many of the service duties of a web-server. Redirecting all requests it can't handle to a separate 'true' web-server or more authoritative source.

accelerator - nickname for reverse-proxy.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.