Changes between Version 8 and Version 9 of Documentation/Community/HowTo/SelectRightHTTPproxyDesign
- Timestamp:
- 05/23/12 09:48:35 (12 months ago)
Documentation/Community/HowTo/SelectRightHTTPproxyDesign
v8 v9 16 16 Proxy can be deployed either on Intranet for internal servers or between Intranet and Internet. This is the main usage of Zentyal Proxy component. 17 17 18 Proxy can be configured either in transparent or non transparentmode. This document aims at explaining difference between these 2 designs so that you can make the right choice, understanding pros and cons of each design.18 Proxy can be configured either in '''transparent''' or non transparent ('''explicit''') mode. This document aims at explaining difference between these 2 designs so that you can make the right choice, understanding pros and cons of each design. 19 19 20 20 Before starting such discussion, let's clarify some points: 21 21 Proxy, because this is one more component in the middle between client and server, will not improve performance until, if cache is used, there is a significant number of users benefiting from cache. 22 Latency will not be shorter except for pages in cache but there is more and more “PRAGMA NO CACHE” tags :-([[BR]] On the other hand, proxy will bring a lot of added value in term of security and control.22 Latency will not be shorter except for pages in cache but there is more and more “PRAGMA NO-CACHE” tags :-([[BR]] On the other hand, proxy will bring a lot of added value in term of security and control. 23 23 24 Let's assume proxy is deployed on Zentyal server with one connection inside (Intranet) and one connection outside (Internet) as described in the “Perfect Zentyal Gateway setup” document. 25 24 Let's assume proxy is deployed on Zentyal server with one connection inside (Intranet) and one connection outside (Internet) as described in the “Perfect Zentyal Gateway setup” document. [http://trac.zentyal.org/wiki/Documentation/Community/HowTo/GatewaySetup 25 ] 26 26 === Transparent proxy mode: === 27 27 … … 36 36 * Transparent proxy '''MUST''' be deployed at subnet default gateway otherwise clients will never reach it. 
37 37 * As this is transparent, no authentication and therefore profiling based on name or group membership can apply. This also means no access control. 38 * Doesn't work (easily) if Zentyal has only one NIC. 38 39 39 === Non transparentproxy mode: ===40 === Explicit (non transparent) proxy mode: === 40 41 41 In this mode, browser “knows” there is a proxy to be used. Different mechanisms can be i nvolved to provide this information that will be explained later.42 In this mode, browser “knows” there is a proxy to be used. Different mechanisms can be implemented to automatize client setup. 42 43 43 44 ==== Pros: ==== 44 * Proxy can be deployed anywhere on Intranet, no need to match default gateway IP. 45 * Authentication and therefore access control and profiling ''can'' be enable. 46 * HTTPS is handled by proxy. No need for extra firewall rules. Content filtering doesn't work because of encrypted session between client and server (TLS). Domain filtering works. No need for extra firewall filtering rules. 45 * Proxy can be deployed anywhere on Intranet, no need to match default gateway IP. (thus is works with "single NIC Zentyal") 46 * Authentication and therefore access control and profiling ''can'' be enabled. 47 * HTTPS is handled by proxy. No need for extra firewall rules. Content filtering doesn't work because of encrypted session between client and server (TLS) but domain filtering works. 48 * No need for extra firewall filtering rules. 49 * WPAD can bring additional control on how proxy is used. 47 50 ==== Cons: ==== 48 51 * Browser configuration: if browser is not configured to use proxy, it doesn't work. 49 52 * Users are aware that proxy is used (and therefore control and logs can be enabled) 50 51 On large environments, maintaining configuration on each and every machine (client) can be painful and time-consuming. This is the reason why: 53 * HTTPS to "non standard" HTTPS ports (i.e. 443) requires customized configuration. 
54 55 On large environments, maintaining configuration client side can be painful and time-consuming. Many services aim at easing this: 52 56 * DNS exist to avoid local /etc/hosts file management 53 57 * DHCP exists to avoid configuring IP address on each device. (IP address is a shortcut. DHCP can manage much more network related stuff) … … 105 109 If you have set up such name in your DNS pointing to web server described above, you're done :-) [[BR]] 106 110 107 Another option, starting with Zentyal 2.2, is to maintain SRV and TXT records. Notice I didn't try it yet. I will do soon.111 Another option, starting with Zentyal 2.2, is to maintain SRV and TXT records. 108 112 {{{ 109 113 wpad IN A 192.168.0.10 (your wpad address here... if CNAME is not used)
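Review bot: the link added at v9 line 24 is broken because its closing bracket was pushed onto the next line (v9 line 25 is just `]`), so Trac will render a stray `[http://trac.zentyal.org/wiki/Documentation/Community/HowTo/GatewaySetup` instead of a link. Keep the whole link on one line and give it a label, e.g. `[http://trac.zentyal.org/wiki/Documentation/Community/HowTo/GatewaySetup Perfect Zentyal Gateway setup]`.

Review bot: the new Cons bullet at v9 line 53, `HTTPS to "non standard" HTTPS ports (i.e. 443) requires customized configuration`, contradicts itself, since 443 is the standard HTTPS port; it should read `(i.e. other than 443)`. In the same hunk, v9 line 45 has the typo `thus is works` (should be `thus it works`), and `No need for extra firewall rules` now appears twice, once inside the HTTPS bullet at line 47 and again as its own bullet at line 48; drop one of them.

Review bot: v9 line 111 removes the author's caveat that the SRV/TXT record approach had not been tested, but adds no statement that it was tested since; either keep a short note that it is untested or state the Zentyal version on which it was verified, so readers know how much to trust the record example that follows in the `{{{ }}}` block.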