Nathan Ward wrote:
Simon Lyall wrote:
It breaks a few places that use the IP address to auth http sessions, apparently some sites don't believe these weird cookie thingies are ready for prime time.
Hmm. This would be a problem if your requests for the same site were going to different proxy servers. I don't think that happens with Foundys, by default. If it does, it's easily 'fix'-able.
On Wed, 9 Mar 2005 11:34:09 +1300 (NZDT), "Alastair Johnson"
We had an issue at Maxnet that was a site which broke in this manner. Essentially they 'authenticated' the customer off the IP address of the proxy, which using WCCP was reasonably static unless a proxy failed. However, after the initial authentication, it then redirected them to an SSL site on 443/tcp, which obviously was not going through the cache farm, and the customer was (correctly) not configured to use a cache.
So the request suddenly came from the customer's IP address. Result: The site would refuse to allow them in.
A stupid way of doing it, and we solved the problem by excluding the site from the cache. For the life of me, I can't remember what it was, but I recall the site was black and popular. I think it might have been some games thing.
The other negative of Non-Transparent-Proxying that this brings to mind is the relative difficulty that ISPs have identifying persons who abuse web-based services (websites, forums, et al) - The logs which collect 'cache?.xyz.co.nz' aren't exactly going to give the ISP information used to resolve user accounts and specific individuals. And most ISPs with the above issue don't log their proxies either, or if they do, can only log for a short period of time due to the sheer volume of log data created.

So TransProxying, or none at all, would be my personal choice. (I hear that in at least one case the amount of $ saved by transproxying was being re-spent in maintaining the boxes themselves - so they were pulled out due to lack of value vs inconvenience. And they're now saving money.)

Mark.

All IMHO, as usual.
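
The failure described in the thread (login seen from the cache's address, then the 443/tcp request arriving from the customer's own address), next to a session carried in a signed cookie. This is an added example, not part of the original messages; the class names, the addresses (documentation ranges) and the cookie format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)      # server-side signing key (constructed)
PROXY_IP = "192.0.2.10"               # constructed: address of the cache farm
CUSTOMER_IP = "203.0.113.45"          # constructed: customer's own address

class IpBoundSite:
    """'Authenticates' on source IP, the pattern the thread describes."""
    def __init__(self):
        self.authed_ips = set()
    def login(self, src_ip):
        self.authed_ips.add(src_ip)
    def allow(self, src_ip):
        return src_ip in self.authed_ips

class CookieSite:
    """Session carried in an HMAC-signed cookie; source IP is not consulted."""
    def _mac(self, payload):
        return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    def login(self, user):
        payload = f"{user}:{secrets.token_hex(16)}"
        return f"{payload}:{self._mac(payload)}"
    def allow(self, cookie):
        payload, sep, mac = cookie.rpartition(":")
        if not sep:
            return False
        return hmac.compare_digest(mac.encode(), self._mac(payload).encode())

def simulate():
    ip_site = IpBoundSite()
    ip_site.login(PROXY_IP)                       # port 80 login goes via the cache
    direct_https = ip_site.allow(CUSTOMER_IP)     # 443/tcp bypasses the cache
    other_customer = ip_site.allow(PROXY_IP)      # anyone else behind the same cache

    cookie_site = CookieSite()
    cookie = cookie_site.login("customer")
    cookie_ok = cookie_site.allow(cookie)         # same cookie on either path
    flipped = "0" if cookie[-1] != "0" else "1"
    tampered_ok = cookie_site.allow(cookie[:-1] + flipped)
    return direct_https, other_customer, cookie_ok, tampered_ok

if __name__ == "__main__":
    print(simulate())
```

The second value shows the other side of the same design: an IP-keyed session treats every customer behind the shared cache address as the one who logged in.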