
Using a tcp 80 policy route to your cache farm is a good start to achieve what TCL have done; you then check what is actually going on in that TCP stream. However, when it breaks it's not transparent, and in some cases you will get error pages generated by the cache appliance as well. Telecom has much the same setup, in that it starts with a policy route and then some L7 magic to check it's actually an HTTP request. (None of this is news; I posted about it a few times. :))

The major piece of evidence it's not transparent is that if you change your DNS settings you can wreak pain on your user experience: many of the commercial products do secondary resolution of the host. The secondary resolution in some is simply for 'security', and in others it's also used to help it work out a storage algorithm that is as optimal as possible according to that vendor. You can turn it off, but the vendor doesn't recommend it and advises your performance will decrease and the amount of storage required will increase, which == $$$ for more hardware.

Never discount how frustrated you can make an engineer when he/she has to hunt the wumpus on a proxy cache. It's not fun tracking multiple TCP streams each with their own sequence numbers, especially when load balanced across a farm of such devices... I know it made my Friday more than once :)

On 10/10/11 2:02 PM, "Michael Fincham" <michael(a)unleash.co.nz> wrote:
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting to grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of, say, TCL's transparent proxy, which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
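A small diagnostic for the transparency question raised in this thread, added here as an example and not code from either poster: it sends a deliberately non-HTTP marker to tcp/80 of a host you control (assumed to run a plain echo service) and classifies what comes back, so you can tell an L7 sniffer that passes non-HTTP through from a cache appliance that answers with its own error page. The marker string and the header list are constructed for this example.

```python
import socket

# Constructed marker the probe sends; it is deliberately not HTTP, so a
# policy-routed cache that only sniffs for real HTTP should pass it through.
PROBE = b"NOTHTTP-PROBE-7c1e\r\n"

# Response headers that commonly identify an interposed cache (hypothetical list).
CACHE_HEADERS = ("server", "via", "x-cache", "x-squid-error")


def classify_response(data: bytes) -> str:
    """Classify the reply to a tcp/80 probe sent to an echo service you run.
    'origin': marker echoed back unchanged, nothing rewrote the stream.
    'closed': nothing came back, the stream was dropped or reset in the path.
    'proxy' : an HTTP response nobody asked for, i.e. an error page generated
              by a cache appliance (the non-transparent case in the thread).
    """
    if not data:
        return "closed"
    if PROBE.strip() in data:
        return "origin"
    if data.split(b"\r\n", 1)[0].startswith(b"HTTP/"):
        return "proxy"
    return "unknown"


def cache_headers(data: bytes) -> dict:
    """Return the identifying headers from a proxy-generated HTTP response."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    found = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CACHE_HEADERS:
            found[name.strip().lower()] = value.strip()
    return found


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the marker to host:port (an echo service you control) and classify."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(PROBE)
            while True:  # read until the far end closes or the timeout fires
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # includes socket.timeout and connection resets
        pass
    return classify_response(data)
```

Run `probe("echo.example.internal")` from inside the network being tested and compare with the result from a path you know is not policy routed; `cache_headers()` on the raw reply tells you which appliance answered.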