Squid

Not a canopy question, but is anyone running Squid in transparent mode config with a CISCO router, I can’t get it to work.

I tested Squid for about a month at our ISP in transparent mode (using a Linux router, not a Cisco). Here is my experience.

There were some sites (banking in particular) that did not work through the proxy, so basically those customers were denied access to their billpay services, and it made them extremely unhappy. I had to turn off proxying for selected customers, making it an administrative headache. Though I suspect Squid has improved since then, I still don't want to take the chance that I will deny access to random sites and not even know I am doing it. I am convinced the only proper way to implement caching is to give the customer control over whether they use it; forcing it on them via transparent mode is not a good idea.

Running a transparent proxy can also make remote web site development a pain since it’s harder to get the pages to reload on a browser that is tucked away behind the proxy.

Additionally not enough customers were hitting the same sites, so cache hits were low anyway. We had probably 50 customers on Canopy at that time. With the current 200+ it might be more functional but the number of service denial problems would probably scale up too so I don’t think it’s worth it. I love the concept but I have enough other issues to address.

I do use Squid + Privoxy all the time at home, but not in transparent mode. I can’t see why anyone would NOT run an ad blocker like Privoxy. When I have problems accessing a site, I turn off the proxy manually in my browser.

One extremely useful Squid (or web proxy) application that I use: I have Squid running on a server on my ISP LAN and can point a remote browser at it; this lets me access Canopy modules that have non-routable addresses from any place on the Internet. The Squid is configured to listen on port 80 instead of 3128 (the default) so that I can even get access from places that have firewalls, such as wifi hotspots or corporate client sites; everyone allows port 80 traffic.
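A squid.conf for the remote-access use described above, added here as an example and not taken from the thread or from the Squid project. It assumes Squid 3.2 or later (the `basic_ncsa_auth` helper path is distribution-specific and given here as an assumption), and it uses a constructed 10.0.0.0/8 range to stand in for the non-routable module addresses. The point of the extra lines is that a proxy reachable on port 80 from any hotspot is reachable by everyone else too, so it only forwards requests from authenticated users and only towards the management network:

```conf
# Added example (not from the thread): forward proxy on port 80 for reaching
# a private management LAN from outside. Assumes Squid 3.2+ and the helper
# path below; adjust for your distribution.
http_port 80

# Basic authentication against a local htpasswd-style file (assumed path).
# Note: with plain HTTP on port 80 these credentials cross the hotspot in
# the clear, so use a dedicated proxy account, not a system password.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/proxy_users
auth_param basic realm Canopy management proxy
auth_param basic credentialsttl 2 hours
acl proxy_users proxy_auth REQUIRED

# The only destinations this listener may be used for (constructed range).
acl canopy_mgmt dst 10.0.0.0/8

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Authenticated users, and only towards the module addresses: an unauthenticated
# or off-net request gets 407/403 instead of a free open proxy.
http_access allow proxy_users canopy_mgmt
http_access deny all

# Module status pages change constantly; do not serve stale copies.
cache deny canopy_mgmt
```

Populate `/etc/squid/proxy_users` with `htpasswd -c /etc/squid/proxy_users <user>` and check the rule order with `squid -k parse` before reloading; Squid evaluates `http_access` top to bottom and stops at the first match, so the `deny all` must stay last.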

Brian

Similar results and problems… most e-banking sites are HTTPS, and we only point port 80 traffic; even then, you are correct, it does give problems to some sites…

our hits are around 22% and growing, we have VSAT backbone with 600ms latency so Squid or caching is extremely beneficial to us…


I like the idea of using Squid to access my private LAN…

I installed Squid earlier and had no problems with e-banking websites; the only time I had a problem was when I was trying to access Webmin, since port 10000 wasn't recognized by Squid until I entered it into the config as an SSL_Port.

I'm quite impressed with the results. My first test was to download a 118Mb file from Microsoft after the initial caching:

http://www3.telus.net/cbriere1/ilovefastinet.JPG
http://www3.telus.net/cbriere1/ilovefastinet2.JPG

:)

I have been running Squid for about 6 months, but recently it started falling over. I can't believe I am pushing it too hard; nevertheless, we are moving it from the FC3 platform to CentOS 4.

We have had issues accessing some sites and some traffic. At the moment all traffic hits Squid, and then Squid decides if and when to forward it to the router gateway. In transparent mode all traffic would hit the router and WCCP would take over, but I could not get it to work; we are running WCCP 2.

This time round I might use route maps on the Cisco to redirect all port 80 traffic to Squid, and have all traffic going to the Cisco.

We pull about 20G of data/day over an expensive VSAT connection so everything helps.
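The Squid side of the route-map setup described above, added as an example that is not from the thread or from the Squid project. It assumes Squid 3.1 or later (where the listener option is spelled `intercept`; releases before that used `transparent`), a constructed 192.168.0.0/16 customer range, and that the router's route map only redirects TCP/80. It also folds in the earlier point about Webmin: port 10000 has to appear in `Safe_ports` and `SSL_ports`, otherwise Squid rejects it before the request ever leaves the box.

```conf
# Added example (not from the thread): intercept TCP/80 redirected by the
# router, plus an explicit port for browsers configured by hand.
# Squid refuses to mix intercept and explicit traffic on one port, hence two.
http_port 3129 intercept
http_port 3128

# Customer address space (constructed). Only these sources may use the cache.
acl localnet src 192.168.0.0/16

# Ports Squid will connect to at all. 10000 added so Webmin is not rejected;
# CONNECT (tunnelled HTTPS) is further limited to the SSL_ports list.
acl Safe_ports port 80 443 10000
acl SSL_ports port 443 10000
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Sites that misbehave when cached (e.g. bill-pay pages that rely on state):
# fetch them fresh every time. Squid cannot un-proxy an intercepted flow, so
# a customer who must bypass the cache entirely is exempted on the router's
# route-map ACL or the iptables rule, not here.
acl no_cache_sites dstdomain "/etc/squid/no_cache_sites.txt"
cache deny no_cache_sites

# Plumbing notes (assumed Linux host, iptables; not Squid directives):
#   Packets arrive with the real web server as destination, so the Squid box
#   must redirect them to the intercept port itself:
#     iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3129
#   The router's route-map ACL must deny TCP/80 from the Squid host's own
#   address, or Squid's upstream fetches are redirected back to Squid in a loop.
```

Run `squid -k parse` after editing; an `http_port` line that mixes `intercept` with explicit-proxy traffic, or a missing `Safe_ports` entry, shows up there rather than as a mysterious "access denied" for one customer. When the cache starts falling over, `squid -k check` and the `cache.log` warnings about file descriptors are the first things to look at before blaming load.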

It may be falling over because some fairly recent kernels have a leak in the netfilter code. Bad mojo for a transparent proxy server.

I’ve used Squid for many years - very few problems. Those banks that had some blackhole-singularity-stupid proprietary protocols working on port 80 are all gone now as far as I can tell. I had some very interesting discussions with two Canadian banks where I literally browbeat them into stammering puddles of ooze. I could not BELIEVE they could be so stupid to hijack a protocol just for their online banking.

What flavour/kernel are you running it on? Also, what Cisco IOS WCCP version?

I’ve rebuilt a CentOS box, it goes in tonight on a test client base.