Transparent proxying (formally known as interception proxying/caching) is gaining popularity with more and more ISPs. It involves intercepting packets that normally would go directly to web servers, and redirecting them to
go through your proxy first.
This can be accomplished by a number of methods:
- Installing Squid, MS Proxy Server, or similar software along with firewalling/IP filtering software on a router that your web traffic normally passes through. Note that this router now has to bear the burden of the proxy software, along with its normal routing/filtering functions.
- If the proxy is not on the traffic path, you can configure a router to redirect packets to your proxy (Cisco routers using the route-map function, Linux routers with iptables, ipchains, or ipfwadm).
- An access router (Cisco again, or others) can be configured to redirect traffic from dialups or other interfaces to send packets to your proxy.
- Newer Cisco IOS versions (11.x and later) have the WCCP (Web Cache Coordination Protocol) which can be used not only to redirect packets to a proxy, but to load-balance them among several proxies.
- Layer-4 switches like the Alteon ACE-Director or the Foundry Networks ServerIron can not only redirect by target port (the above methods only redirect traffic to port 80, for example) but can detect which packets carry web traffic, allowing them to redirect non-port 80 traffic.
Transparent proxies have a number of benefits:
- You can cache incoming web data, gaining most of the benefits of a proxy cache, without requiring users to point their browsers specifically to your proxy.
- You can force users to use your proxy, allowing password checking,web filtering, and other functions.
- You can allocate your traffic to go out other gateways aside from your default, without needing to use load-balancing software or BGP.
Of course, I've found a few drawbacks in practice:
- Without a layer-4 switch, you can only redirect port 80, which means you don't intercept non-http traffic, such as ftp, https and other potentially cacheable or proxyable applications.
- When your proxy goes down, its a bear to set up backups (as some of the methods outlined above don't allow for alternate routes). As WWWWolf mentioned, it's even worse when the cache goes wonky without cutting out completely.
- You get complaints from users trying non-standard stuff; also, some websites don't cache well, and you can run into problems trying to access these sites.
All in all, transparent proxying would be easier if you can afford the bigger hardware, as these have fewer problems and more advantages, than trying to run transparent proxying using cheaper/older hardware. For less than a hundred users, I've found that it's easier to get them to fix their browsers from time to time.
Some details taken from the Squid FAQ (www.squid-cache.org) as well from noding my homework.
JerboaKolinowski: Most modern proxy servers handle cookies fine, if set up properly. Your problem most likely stems from an overly-aggressive cache setup (i.e. cache everything, regardless of Expiry-date or Content-type). Complain to your admin.
With regards to proxy logs - most targeted advertising schemes work via spyware; if you're on an ISP that stoops low enough to use a transparent proxy to insert ads, by all means, switch.