[squid-users] Dual-stack IPv4/IPv6 captive portal

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 2 02:33:29 UTC 2015


On 2/03/2015 4:55 a.m., Michele Bergonzoni wrote:
>> and again, a lot of software just doesn't bother to support proxies
>> these days, and it's only getting worse
> 
> You're right, it's probably part of the shift from enterprise IT to
> consumer IT (a.k.a. "consumerization"). We too find it increasingly
> difficult to support HTTP proxies.

I find it's due to two factors:

1) a large number of developers who don't even consider that proxies
might exist in HTTP when they start coding to use it as if it were an
end-to-end *transport* instead of a multi-hop Transfer protocol.

 These people are plain wrong about how the basic protocol works and yet
they are treated with must-accept policies by so many networks.
 Imagine what would happen if you MUST-accept all emails delivered? or
any kind of DNS response they chose to send you? those are two other
major protocols with proxies that work just fine by rejecting bad
messages wholesale.


2) a side effect of the arms race in the past 2 decades between proxy
admin forcing proxy caches to disobey HTTP standards (all those
refresh_pattern overrides etc trying to force, badly, HTTP/1.0 proxies
to do HTTP/1.1 things).
 This widespread behaviour has turned a group of influential people in
the browser community against the idea of HTTP proxies in general and
they are actively fighting to eradicate proxies in HTTP. Even if it
completely breaks users' browsing experience.



The more people intercept and accept bad traffic the more it gets worse.
The group #1 developers see their HTTP/1.x crap "working" with many
proxies (so it just _must_ be the standards compliant proxies which are
broken right? yeah No.). The group #2 people see just another evil being
perpetrated by proxies.


Now the point of this rant :-)   HTTP/2 !!

Part of the HTTP/2 design goals was to remove the port difference
barrier between proxies and origin servers. The protocol syntax oddities
are now gone and port 80 native HTTP/2 traffic can be intercepted
without needing the NAT destination tricks that cause so many problems
in HTTP/1.x. Just like email is routinely intercepted by ISPs for spam
filtering.

HTTP/2 support is already in development, hopefully for Squid-3.6 later
this year. Sponsorship is very welcome to assist speeding that up and
with testing when it's a bit closer to ready.

Cheers
Amos

