Re: [squid-users] proxy.pac vs manual proxy + LiveLink

From: Joe Cooper <joe@dont-contact.us>
Date: Sat, 10 Aug 2002 16:36:46 -0500

Deb wrote:
> Brett Lymn <blymn@baesystems.com.au> had this to say,
>
>>You can do this using a proxy.pac, if you want to make all https
>>traffic direct then just match the start of the URL string for "https"
>>and return "DIRECT" as the proxy method. If it is a single site that
>>is causing the pain then just match that site. Be wary of making the
>>proxy.pac too complex though, the thing gets evaluated on every URL
>>lookup so it may affect browser performance if it is too unwieldy.
>
>
> I don't want to send all https traffic DIRECT because I have
> a virus filter through which request/responses go to after
> the proxy and before the target.
>
> I can workaround the problem by just matching the site, but
> that doesn't solve the real problem, and before I release the
> proxy to our entire Intranet usage, I need to understand what
> is happening and fix that in order to prevent similar future
> problems.
>
> I just don't know where to go from here.
>
> Help? Ideas? Anyone?

Some comments:

Your virus filter isn't doing anything with SSL connections anyway. It
is encrypted data--virus signatures cannot be compare against encrypted
data.

You can configure your proxy.pac file to only go direct for that one
site, while leaving everything else proxied as usual, or you can bypass
the proxy for all SSL traffic. There is little benefit in proxying SSL
traffic, unless you like having an application level proxy between
clients and the big bads that live on the internet. Choosing to bypass
the proxy for just one site allows you to open a small hole in the
firewall between your network and the IP causing troubles rather than
allowing all port 443 connections.

Realize that some poorly implemented sites do not work with proxies.
It's just a fact of life--we don't like it, but we probably can't get
away with beating the people responsible with sticks until they fix
their sites, either. So...we live with it by bypassing the proxy for
those sites (and secretly put voodoo hexes on them...I bet WorldCom had
a few sites that were incompatible with proxies, and you see what
happened to them).

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Sat Aug 10 2002 - 15:39:48 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:35 MST