trans proxy ppt
TRANSCRIPT
Transparent Caching
The art of caching network traffic without requiring user / browser side configuration.
Who am I?
Overview
• What is transparent caching, and why use it?
• Tools available
• How to set it up
• Common problems
• Alternatives
What is transparent caching?
• Transparently proxying / caching network traffic without requiring user configuration or knowledge.
• A way to simplify caching for the end user
• Forces all users to use the cache.
Why use transparent caching?
• Ease of use. No configuration required by the end user.
• Catching all users. No users can bypass the cache.
Reasons to not use it
• It is not a magical tool without problems.
• Technical issues
  – Networking issues. “Voodoo magic”
  – Stability / reliability
  – Only port 80
  – FTP not supported
  – To be efficient, modern browsers are required
Reasons to not use it (cont.)
• Political reasons
  – What is an internet connection?
  – Privacy
• No user control. Users can’t bypass the cache.
What is involved?
• TCP level routing
• Reverse NAT or related technology to hijack port 80 traffic.
• A proxy with some knowledge of transparent proxying
• A cache
Tools available
• TCP level routing
  – Policy routing / route maps
  – TCP / layer 4 switches, with or without NAT
  – Cisco WCCP
• Host level NAT
  – Linux firewall code
  – FreeBSD firewall code
  – IP-Filter
Using policy routing to redirect traffic
• A standard router configured to route TCP port 80 to the cache server.
[Diagram: Internet, Router and Cache Server, with User 1, User 2, User 3, ... behind the router]
Policy routing (cont.)
• Benefits
  – Can usually be deployed without extra hardware
• Drawbacks
  – Only static routing
  – No fault tolerance. Port 80 traffic disrupted if cache server fails.
  – More CPU load on the router
Running the cache on a router
• Small network / firewall. Host used as router.
[Diagram: Internet, a combined Router / Cache Server, with User 1, User 2, User 3, ... behind it]
Caching router / firewall
• Benefits
  – Less hardware required
  – Well suited for small to medium sized firewalls.
• Drawbacks
  – Stability / reliability. Can disrupt all communication.
  – If running on a firewall: make sure the firewall protects the cache software.
Cisco Web Cache Control Protocol (WCCP)
• Developed by Cisco for Cisco
• Automated configuration. Proxy servers announce their presence to the router.
• Load balancing
• Fault recovery
• Commercial licensing required. Not currently an option for free software.
TCP level / layer 4 switching
• The use of a smart and efficient network device to redirect traffic.
[Diagram: Internet, Router, TCP Switch, one or more Cache Servers, with User 1, User 2, User 3, ... behind the switch]
TCP switch benefits
– Can bypass the cache if it malfunctions
– Good reliability
– Can distribute the load on multiple cache servers
– Can do the required NAT, allowing the use of any OS on the cache server.
– Some do HTTP proxy translation, allowing the use of any proxy software.
TCP switch drawbacks
– One more expensive box to purchase
– Using NAT requires switch vendor support in the proxy software to support old browsers.
Request formats
• Proxy request: TCP connection from client to proxy
    GET http://www.example.com/file HTTP/1.0
    ...
• Server request: TCP connection from client to server IP
    GET /path/to/file HTTP/1.0
    Host: www.example.com (if supported)
    ...
Problems related to request formats
• A transparent proxy must reconstruct the URL of the request.
• Host: headers not always available. HTTP/1.1 feature or 1.0 add-on.
• IP address from NAT translation.
What happens at the TCP level?
• Normal communication / proxying
  – IP based routing
  – TCP is end-to-end
  – One IP address, one host
• Transparent proxying
  – TCP based routing
  – TCP is no longer end-to-end
  – One IP address, “multiple hosts”
Problems at the TCP level
• TCP normally relies on two IP protocols, TCP and ICMP. Of these only TCP can be reliably redirected.
• ICMP is required for Path MTU discovery.
• TCP resets if a single packet travels another path bypassing the redirection.
Things to consider when configuring OS level NAT
• Try not to disturb traffic to/from the cache server host.
• Make sure that the proxy traffic is not redirected back to the proxy.
• Be prepared to do packet level traces, preferably from a separate box.
Recommended steps when building a transparent proxy
• Think it over. Is it really required?
• Build and test the proxy server
• Configure NAT on the proxy server
• Test it using a local LAN client
• Set up TCP level routing.
Common problems
• Communication hangs for some users
  – Most likely caused by MTU related problems.
• Connection reset errors
  – Usually misconfigured NAT or TCP routing.
• Bad performance
  – Possibly CPU bottleneck in the router.
TCP Reset errors (cont.)
• Error messages seen from the proxy.
  – TCP routing or NAT affects traffic generated by the proxy.
• Error messages seen by the browser (popup)
  – TCP routing or NAT failure, causing some client traffic to bypass the redirection.
Alternatives
• PAC files
• Blocking port 80
  – Selectively or everything
  – Possibly with an automated message
Selectively blocking port 80 with a message
• A good alternative to transparent proxying
• Uses the same techniques as transparent proxying for hijacking port 80, but only to deliver the instructions.
Blocking port 80, benefits
• Forces the users to configure their proxy settings
• Users are automatically provided with configuration instructions when needed. Fewer calls to the support line.
• Users get the information on why caching is good for them.
• PAC file allows easy configuration of exceptions
Blocking port 80, drawbacks
• Not all browsers support proxy settings
• Users are required to be capable of following instructions.
Summary
• Transparent caching is a good tool in most configurations to ease user side configuration.
• It has some important limitations. Not a full replacement for standard proxying.
• For many, automatic instructions on how to configure proxy settings achieve the same goals.
Sources for more information
– Squid FAQ: http://squid.nlanr.net/Squid/FAQ/
– Router manuals on policy routing
– IP-Filter home page: http://cheops.anu.edu.au/~avalon/ip-filter.html
– Linux 2.0 ipfwadm: http://www.xos.nl/linux/ipfwadm/
– Linux 2.2 ipchains: http://www.rustcorp.com/linux/ipchains/
Questions
Example Cisco IP policy route map
• Policy route map, routing port 80 (www) to server 10.11.12.13
    ! Enable policy routing
    interface Ethernet0
     ip policy route-map proxy-redirect
    ! Route to proxy server
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop 10.11.12.13
    ! Only policy route client www traffic
    access-list 110 deny tcp any any neq www
    access-list 110 deny tcp host 10.11.12.13 any
    access-list 110 permit tcp any any
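The ordering of access-list 110 is what keeps the route map from looping: the second `deny` entry exempts the cache server's own traffic, otherwise the proxy's outbound fetches on port 80 would be policy-routed straight back to the proxy (the "proxy traffic redirected back to the proxy" failure the configuration slides warn about). The following added example, written for this page and not Cisco code, models the first-match semantics of that access list (with the implicit deny at the end) and the route map's next-hop decision, then checks a ruleset for the loop. The proxy address 10.11.12.13 comes from the slide; the client and web-server addresses are constructed sample values.

```python
"""Model of the slide's Cisco policy route map (added example, not Cisco code).

An IOS access list is evaluated top to bottom; the first matching entry
decides, and a packet matching no entry is implicitly denied.  Packets the
list permits get the route-map's "set ip next-hop"; everything else follows
the normal routing table.
"""
from dataclasses import dataclass
from typing import List, Optional

PROXY = "10.11.12.13"   # cache server address from the slide
WWW = 80                # "www" in Cisco ACL syntax


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp" here
    src: str                         # "any" or a host address
    dst: str                         # "any" or a host address
    dport_neq: Optional[int] = None  # models "neq www": match when dport != 80

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport_neq is not None and p.dport == self.dport_neq:
            return False
        return True


# access-list 110 exactly as ordered on the slide
ACL_110: List[AclEntry] = [
    AclEntry("deny", "tcp", "any", "any", dport_neq=WWW),  # deny tcp any any neq www
    AclEntry("deny", "tcp", PROXY, "any"),                 # deny tcp host 10.11.12.13 any
    AclEntry("permit", "tcp", "any", "any"),               # permit tcp any any
]

# The same list with the proxy exemption left out (constructed misconfiguration).
ACL_WITHOUT_PROXY_DENY: List[AclEntry] = [ACL_110[0], ACL_110[2]]


def acl_permits(acl: List[AclEntry], p: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for entry in acl:
        if entry.matches(p):
            return entry.action == "permit"
    return False


def next_hop(p: Packet, acl: List[AclEntry] = ACL_110) -> Optional[str]:
    """Policy next-hop for p, or None when ordinary IP routing applies."""
    return PROXY if acl_permits(acl, p) else None


def redirect_loop(acl: List[AclEntry]) -> bool:
    """True if the proxy's own www fetches would be policy-routed back to itself."""
    own_fetch = Packet(PROXY, "198.51.100.5", WWW)  # constructed origin server
    return next_hop(own_fetch, acl) == PROXY


if __name__ == "__main__":
    client_web = Packet("192.0.2.10", "198.51.100.5", 80)   # constructed client
    client_tls = Packet("192.0.2.10", "198.51.100.5", 443)
    print("client www     ->", next_hop(client_web))       # 10.11.12.13
    print("client non-www ->", next_hop(client_tls))       # None
    print("loop, slide ACL:", redirect_loop(ACL_110))       # False
    print("loop, no exemption:", redirect_loop(ACL_WITHOUT_PROXY_DENY))  # True
```

`redirect_loop` is the check worth running against any candidate route map before it is applied: the proxy's own requests must fall through to normal routing, and only client traffic to port 80 may be sent to the cache.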
Example Linux ipfwadm NAT
• Linux 2.0 redirecting eth0 TCP port 80 to Squid on port 3128
  – Kernel options:
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_ALWAYS_DEFRAG=y
  – ipfwadm ruleset
    # Accept local traffic
    ipfwadm -I -a accept -W eth0 -D this.host
    # Redirect port 80 to Squid on 3128
    ipfwadm -I -a accept -W eth0 -P tcp -D 0.0.0.0/0 80 -r 3128
Example Linux ipchains NAT
• Linux 2.2 redirecting eth0 TCP port 80 to Squid on port 3128
  – Kernel options:
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_ALWAYS_DEFRAG=y
  – ipchains ruleset
    # Accept local traffic
    ipchains -A input -j ACCEPT -i eth0 -d 10.11.12.13/32
    # Redirect port 80 to Squid on port 3128
    ipchains -A input -j REDIRECT 3128 -i eth0 -p tcp -d 0.0.0.0/0 80
Example IP-Filter NAT
• ipnat ruleset redirecting TCP port 80 to Squid on port 3128
    # Redirect direct web traffic to local web server.
    rdr de0 10.11.13.13/32 port 80 -> 127.0.0.1 port 80 tcp
    # Redirect everything else to squid on port 3128
    rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
Running Squid on Linux
What is Linux
• Linux is like any other UNIX
• POSIX standards
• GNU tools
• Best of SysV and BSD families
Filesystem performance
• Too few performance counters for I/O to make any good measurements
• Asynchronous writes by default (like fastfs on Solaris)
• noatime mount option
Kernel performance / tuning
• Memory freelist tuning on smaller systems
  – /proc/sys/vm/freepages
• Filedescriptor limits
  – Default 256
  – Later revisions of 2.2 may allow 1024
  – Patches available for higher limits
Hands on transparent caching
• Linux configuration
  – Kernel configuration
    • Firewalling & transparent proxy support
  – ipfwadm configuration
    ipfwadm -I -a accept -D this.host
    ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 3128
Hands on transparent caching (cont.)
• Squid configuration
    httpd_accel_host virtual
    httpd_accel_uses_host_header on
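These two directives are the proxy-side answer to the "Problems related to request formats" slide: a transparently intercepted request carries only a path, so the proxy must rebuild the full URL, preferring the Host: header when the browser sent one (`httpd_accel_uses_host_header on`) and otherwise falling back to the original destination IP recovered from the NAT translation (`httpd_accel_host virtual`). The following added example, written for this page and not Squid's code, parses a raw request and makes that decision for the three request shapes the slides describe; it also reports where the hostname came from, since a URL built from a client-supplied Host: header is client-controlled and worth recording in logs. The request bytes and addresses are constructed samples.

```python
"""URL reconstruction in a transparent proxy (added example, not Squid's code).

Mirrors the decision the slide's Squid directives describe:
  httpd_accel_uses_host_header on -> use the Host: header when present
  httpd_accel_host virtual        -> otherwise use the original destination
                                     IP address recovered from NAT
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Request:
    method: str
    target: str            # request-target exactly as sent on the wire
    version: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of an HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def reconstruct_url(req: Request, orig_dst_ip: str, orig_dst_port: int = 80,
                    uses_host_header: bool = True) -> Tuple[str, str]:
    """Return (url, source).

    source is one of:
      "absolute-uri"    the client already sent a proxy-style request
      "host-header"     host taken from the client's Host: header
      "nat-destination" host taken from the intercepted connection's
                        original destination address ("virtual")
    """
    if req.target.lower().startswith("http://"):
        return req.target, "absolute-uri"
    if uses_host_header and "host" in req.headers:
        return "http://%s%s" % (req.headers["host"], req.target), "host-header"
    host = orig_dst_ip if orig_dst_port == 80 else "%s:%d" % (orig_dst_ip, orig_dst_port)
    return "http://%s%s" % (host, req.target), "nat-destination"


# Constructed sample requests matching the "Request formats" slide.
SERVER_REQ_11 = b"GET /path/to/file HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SERVER_REQ_10 = b"GET /path/to/file HTTP/1.0\r\n\r\n"           # no Host: header
PROXY_REQ = b"GET http://www.example.com/file HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    origin_ip = "198.51.100.5"  # constructed: the IP the client actually connected to
    for raw in (SERVER_REQ_11, SERVER_REQ_10):
        url, source = reconstruct_url(parse_request(raw), origin_ip)
        print("%-16s %s" % (source, url))
    url, source = reconstruct_url(parse_request(PROXY_REQ), "10.11.12.13", 3128)
    print("%-16s %s" % (source, url))
```

With `uses_host_header=False` every intercepted request is rebuilt from the NAT destination, which is the only choice when old HTTP/1.0 browsers that send no Host: header are still in use, and it loses name-based virtual hosts, which is why the slide turns the Host: header on.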