Who am I?
Overview
What is involved?
TCP level routing
Reverse NAT or a related technology to hijack port 80 traffic
A proxy with some knowledge of transparent proxying
A cache
Tools available
TCP level Routing
Policy routing / route maps
TCP / layer 4 switches
with or without NAT
Cisco WCCP
[Diagram: policy routing. User 1, User 2, User 3, ... on the local network; the router sends their port 80 traffic to the Cache Server.]
Drawbacks
Only static routing
No fault tolerance: port 80 traffic is disrupted if the cache server fails
More CPU load on the router
[Diagram: redirection on the firewall / NAT host. User 1, User 2, User 3, ... reach the Internet through the host that runs the redirect rules and the cache.]
Drawbacks
Stability / reliability: a failure of this host can disrupt all communication, not only port 80
If running on a firewall: make sure the firewall rules also protect the cache software itself (redirect only on the inside interface, and keep the cache's own port unreachable from outside)
[Diagram: layer 4 switch. User 1, User 2, User 3, ... connect through the TCP Switch to the Internet; the switch diverts port 80 to the Cache Server.]
Request formats
Proxy request
TCP connection from client to proxy
GET http://www.example.com/file HTTP/1.0
...
Server request
TCP connection from client to the server's IP address
GET /path/to/file HTTP/1.0
Host: www.example.com (only if the client supports it; optional in HTTP/1.0)
...
A transparent proxy receives the second form and has to reconstruct the origin server from the Host header, or from the original destination IP address when there is no Host header.
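As an added example (not code from the original slides), the following JavaScript shows what a proxy sees in each of the two request formats above and how a transparent proxy has to recover the origin server. The sample requests, the destination address 192.0.2.10, the name-to-address table and the `verified` check are all assumptions made for this example.

```javascript
// Added example, not from the original slides: what a transparent proxy sees in
// the two request formats and how it reconstructs the origin server.
// Sample requests, the original destination address 192.0.2.10 and the
// name->address table are all constructed for this example.

// Parse the request line and headers of a raw HTTP/1.x request head.
function parseRequest(raw) {
  const headEnd = raw.indexOf("\r\n\r\n");
  const head = headEnd === -1 ? raw : raw.slice(0, headEnd);
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(":");
    if (sep > 0) headers[line.slice(0, sep).trim().toLowerCase()] = line.slice(sep + 1).trim();
  }
  return { method, target, version, headers };
}

// Decide which origin server the client wanted.
//  - proxy request: the request line carries the full URL, nothing else is needed
//  - server request: only the path is in the request line. The name comes from
//    the Host header; without one, all the proxy has is the address the client
//    connected to (origDst, which the redirect preserves and the proxy reads back
//    from the kernel), and one address may serve many virtual hosts.
// `lookup` maps a hostname to its addresses; it stands in for DNS here.
function resolveOrigin(req, origDst, lookup) {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(req.target)) {
    const u = new URL(req.target);
    return { style: "proxy", host: u.hostname, path: u.pathname + u.search, verified: true };
  }
  const hostHeader = req.headers["host"];
  if (!hostHeader) {
    // HTTP/1.0 client without Host: fall back to the destination address.
    return { style: "server", host: origDst, path: req.target, verified: false };
  }
  const hostname = hostHeader.split(":")[0];
  // Check (added here, not described on the slides): the client chose both the
  // TCP destination and the Host header, so confirm that the name really
  // belongs to the address it connected to before acting on it.
  const verified = (lookup(hostname) || []).includes(origDst);
  return { style: "server", host: hostname, path: req.target, verified };
}

// Constructed sample data.
const ORIG_DST = "192.0.2.10";
const NAMES = { "www.example.com": ["192.0.2.10"], "other.example.org": ["198.51.100.7"] };
const lookup = (name) => NAMES[name];
const PROXY_REQUEST = "GET http://www.example.com/file HTTP/1.0\r\nUser-Agent: example\r\n\r\n";
const SERVER_REQUEST = "GET /path/to/file HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
const NO_HOST_REQUEST = "GET /path/to/file HTTP/1.0\r\n\r\n";
const MISMATCH_REQUEST = "GET /path/to/file HTTP/1.0\r\nHost: other.example.org\r\n\r\n";

for (const raw of [PROXY_REQUEST, SERVER_REQUEST, NO_HOST_REQUEST, MISMATCH_REQUEST]) {
  console.log(resolveOrigin(parseRequest(raw), ORIG_DST, lookup));
}
```

The proxy-style request is self-describing. The server-style request is only usable because of the Host header, and the last two samples show the two ways that goes wrong: an HTTP/1.0 client without Host leaves the proxy with nothing but an IP address, and a Host header that does not belong to the connected address is flagged as unverified rather than trusted.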
Transparent proxying
TCP based routing: traffic is selected by destination port, not by URL
TCP is no longer end-to-end: the client thinks it is talking to the server, but the proxy terminates the connection
One IP address, multiple hosts: without a Host header the proxy cannot tell which virtual host on that address the request was for
Common problems
Communication hangs for some users
Most likely caused by MTU related problems (typically broken path MTU discovery; check that ICMP fragmentation-needed messages reach the proxy host)
Bad performance
Possibly a CPU bottleneck in the router doing the redirection
Alternatives
PAC files (proxy auto-configuration scripts that the browser fetches and evaluates)
Blocking port 80, selectively or for everything, possibly with an automated message telling the user how to configure a proxy
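A PAC file as an added example (not from the original slides): the browser fetches this script and calls FindProxyForURL(url, host) for every request, and the return value tells it where to send the request. The proxy name cache.example.net:3128, the internal network 10.0.0.0/8, the domain example.net and the name table are assumptions made for the example; the helper functions at the end are stand-ins for the ones a browser provides, added only so the script runs outside a browser.

```javascript
// Added example, not from the original slides: a proxy auto-configuration
// (PAC) file, the alternative to transparent redirection. The proxy name,
// network and domain below are assumptions for the example.
function FindProxyForURL(url, host) {
  // Go direct for unqualified names (intranet hosts) and for our own domain
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.net")) {
    return "DIRECT";
  }
  // Go direct for addresses on the internal network
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Only plain HTTP goes through the cache; everything else is direct
  if (url.substring(0, 5) === "http:") {
    // "; DIRECT" makes the browser fall back to a direct connection if the
    // cache is down, which transparent redirection cannot offer: there a dead
    // cache means no port 80 traffic at all.
    return "PROXY cache.example.net:3128; DIRECT";
  }
  return "DIRECT";
}

// The browser provides the functions used above. So that this file can be run
// outside a browser (e.g. under node), minimal versions are defined here; a real
// PAC file does not contain them.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
// Constructed name table instead of real DNS; unknown names resolve to 0.0.0.0.
const RESOLVE = { "printer": "10.1.2.3", "www.example.com": "192.0.2.10", "db.corp.example.org": "10.9.9.9" };
function dnsResolve(host) {
  return RESOLVE[host] || "0.0.0.0";
}
function isInNet(ip, pattern, mask) {
  const ipN = ip.split(".").map(Number);
  const pN = pattern.split(".").map(Number);
  const mN = mask.split(".").map(Number);
  return ipN.every((octet, i) => (octet & mN[i]) === (pN[i] & mN[i]));
}
```

Compared with the redirect rules, the PAC file keeps TCP end-to-end, gives the browser the full URL in the request line, and lets the browser fail over when the cache is unreachable; its cost is that every client has to be pointed at the script, which is the user side configuration the slides are trying to avoid.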
Summary
Transparent caching is a good tool in most configurations to ease user side configuration.
It has some important limitations and is not a full replacement for standard proxying.
For many sites, automatic instructions on how to configure proxy settings achieve the same goals.
Questions
ipfwadm ruleset (Linux 2.0)
# Accept traffic addressed to the host itself first, so it is not redirected
# (replace this.host with the address of this machine)
ipfwadm -I -a accept -W eth0 -D this.host
# Redirect all other TCP port 80 traffic arriving on the inside interface eth0 to Squid on port 3128
# (Squid itself must be configured to accept transparently redirected requests)
ipfwadm -I -a accept -W eth0 -P tcp -D 0.0.0.0/0 80 -r 3128
ipchains ruleset (Linux 2.2)
# Accept traffic addressed to the host itself first, so it is not redirected
ipchains -A input -j ACCEPT -i eth0 -d 10.11.12.13/32
# Redirect all other TCP port 80 traffic arriving on the inside interface eth0 to Squid on port 3128
ipchains -A input -j REDIRECT 3128 -i eth0 -p tcp -d 0.0.0.0/0 80
What is Linux
Filesystem performance
Too few I/O performance counters to make any good measurements
Asynchronous writes by default (like fastfs on Solaris)
noatime mount option
Filedescriptor limits
Default 256
Later revisions of 2.2 may allow 1024
Patches available for higher limits
ipfwadm configuration
ipfwadm -I -a accept -D thishost
ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 3128