Using a TCP 80 policy route to your cache farm is a good start to achieve
what TCL have done; you then check what is actually going on in that TCP
stream. However, when it breaks it's not transparent, and in some cases you will
get error pages generated by the cache appliance as well.
Telecom has much the same setup, in that it starts with a policy route and
then some L7 magic to check it's actually an HTTP request. (None of this is
news; I posted about it a few times :))
The major piece of evidence it's not transparent is that if you change your
DNS settings you can reap pain on your user experience; many of the
commercial products do secondary resolution of the host.
The secondary resolution in some is simply for 'security' and in others
it's also used to help it work out a storage algorithm that is as optimal
as possible according to that vendor.
You can turn it off, but the vendor doesn't recommend it and advises your
performance will decrease and the amount of storage required will increase,
which == $$$ for more hardware.
Never discount how frustrated you can make an engineer when he/she has to
hunt the wumpus on a proxy cache. It's not fun tracking multiple TCP
streams each with their own sequence numbers, especially when load
balanced across a farm of such devices...
I know it made my Friday more than once :)
On 10/10/11 2:02 PM, "Michael Fincham"
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting to grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of, say, TCL's transparent proxy which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
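The two behaviours the thread keeps coming back to are (a) a transparent cache that only takes over a policy-routed TCP/80 flow once it is sure the flow is really HTTP, and (b) the loss of transparency when the cache does "secondary resolution" of the Host header against its own DNS view instead of honouring the address the client connected to. The following is an added example written for this page; it is not code from the thread, from TCL, Telecom, Squid or any vendor product. The request samples and the resolver table are constructed, and the "require a complete request head with a Host header before intercepting" rule is a hypothetical conservative policy, not a description of any real appliance.

```python
import re
from typing import Optional

# Added example (not code from the NZNOG thread or any vendor product).
# Models two things the thread discusses:
#  1. the L7 "is this really HTTP?" check a transparent proxy should make
#     before it takes over a policy-routed TCP/80 flow, and
#  2. why "secondary resolution" of the Host header breaks transparency
#     when the proxy's DNS view differs from the client's.
# All sample requests and resolver tables below are constructed.

# Hypothetical conservative rule: only a complete HTTP/1.x request head
# with a Host header is intercepted. Everything else is left alone.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n"
)
MAX_HEAD_BYTES = 8192  # stop waiting for a request head beyond this


def classify_stream(first_bytes: bytes) -> str:
    """Return 'intercept', 'passthrough' or 'undecided' for the opening bytes
    of a flow that policy routing sent to the cache farm.

    'undecided' means more bytes are needed; 'passthrough' means the flow
    should be forwarded to its original destination untouched, so a non-HTTP
    protocol on port 80 never sees a proxy-generated error page."""
    if b"\r\n" not in first_bytes:
        # No complete request line yet: wait, unless the peer has already
        # sent far more than a request line could be.
        return "passthrough" if len(first_bytes) > MAX_HEAD_BYTES else "undecided"
    if not REQUEST_LINE.match(first_bytes):
        return "passthrough"
    head, terminator, _ = first_bytes.partition(b"\r\n\r\n")
    if not terminator:
        return "passthrough" if len(first_bytes) > MAX_HEAD_BYTES else "undecided"
    return "intercept" if extract_host(head) else "passthrough"


def extract_host(head: bytes) -> Optional[str]:
    """Return the Host header value from an HTTP request head, or None."""
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", errors="replace") or None
    return None


def secondary_resolution_mismatch(host: str, client_dst_ip: str,
                                  proxy_resolver: dict) -> bool:
    """True when the proxy's own answer for `host` does not include the
    address the client actually connected to.

    A cache that fetches from its own answer instead of client_dst_ip silently
    overrides the client's DNS view (split horizon, hosts file, a different
    resolver), which is the non-transparent behaviour the thread describes."""
    return client_dst_ip not in proxy_resolver.get(host, set())


def choose_upstream(host: str, client_dst_ip: str, proxy_resolver: dict,
                    honour_client_destination: bool = True) -> str:
    """Pick the address the cache fetches from. With honour_client_destination
    the original destination always wins, which keeps the proxy transparent;
    without it the proxy's own resolution is used, and any mismatch changes
    where the client's request actually goes."""
    if honour_client_destination:
        return client_dst_ip
    answers = sorted(proxy_resolver.get(host, set()))
    return answers[0] if answers else client_dst_ip


if __name__ == "__main__":
    # Constructed samples: a plain HTTP request, an SSH banner on port 80,
    # and a request whose head has not fully arrived yet.
    samples = {
        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n": "intercept",
        b"SSH-2.0-OpenSSH_8.9\r\n": "passthrough",
        b"GET / HTTP/1.1\r\nHost: example.com\r\n": "undecided",
    }
    for raw, expected in samples.items():
        assert classify_stream(raw) == expected
    # Constructed resolver table: the proxy resolves intranet.example to a
    # public address while the client connected to an internal one.
    proxy_dns = {"intranet.example": {"198.51.100.7"}}
    assert secondary_resolution_mismatch("intranet.example", "10.0.0.5", proxy_dns)
    print("ok")
```

The point of `classify_stream` returning three states rather than two is that a proxy which commits to "HTTP" on a partial request line is exactly the kind that ends up serving its own error page into a non-HTTP session; deferring until the head is complete, and passing through anything that is not HTTP, is what keeps the interception invisible when it is not needed. `choose_upstream` shows the knob the vendor advises against turning off from the other side: honouring the client's destination costs the cache the freedom to pick its own origin, but it is the only setting under which a change in the client's DNS cannot alter where the request lands.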