Bandwidth management with proxy
TRANSCRIPT
-
8/4/2019 Bandwith Management With Proxy
1/20
Bandwidth Management with
the Squid Caching Proxy Server
-
Quick Overview of Squid
Squid is a caching proxy server.
It's the open-source equivalent of products
like Novell's BorderManager, Microsoft's ISAS, and Cisco's ACNS.
You can download it for free at
http://www.squid-cache.org/
-
How Squid Fits Into Your
Network
[Diagram: The Internet, border firewall, caching proxy server, client computers]
-
Bandwidth Control Features in Squid
Delay Pools
Access Control Lists
Redirectors
Authenticators
We'll talk about each of these in turn, and then
look at some examples that show how they can
all fit together.
-
Delay Pools
Delay pools are Squid's answer to
bandwidth management.
They allow you to control the amount of bandwidth a particular computer, subnet or
proxy server may use.
-
Delay Pools in Squid
Squid contains a bandwidth management
system called Delay Pools
Uses the token bucket algorithm
Downloads up to pool size not limited
Throughput limited thereafter to restore
value
[Diagram: delay pool, with bytes in from outside and bytes out to user/users]
-
Effect of Delay Pools
Heavy users are limited to data rate set
by delay pool
file downloads and media-heavy sites are slow
Normal users get reasonable response
not significantly limited
congestion reduced by limiting heavy users
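The token bucket behaviour from the two delay pool slides above, as an added model that is not part of the original deck and not Squid's own code. The bucket size (64000 bytes), restore value (8000 bytes per second) and the two workloads are assumptions chosen for illustration.

```python
class DelayBucket:
    """One client's token bucket: spend bytes from it, refill once a second."""

    def __init__(self, bucket_max, restore):
        if bucket_max <= 0 or restore <= 0:
            raise ValueError("bucket_max and restore must be positive")
        self.bucket_max = bucket_max
        self.restore = restore
        self.level = bucket_max            # a new client starts with a full bucket

    def idle(self, seconds):
        """Client is quiet: the bucket refills, capped at bucket_max."""
        self.level = min(self.bucket_max, self.level + self.restore * seconds)

    def download(self, size):
        """Deliver `size` bytes; return the bytes sent in each one-second tick."""
        ticks = []
        while size > 0:
            sent = min(size, self.level)   # can only spend what the bucket holds
            self.level -= sent
            size -= sent
            ticks.append(sent)
            self.idle(1)                   # one second passes, bucket is restored
        return ticks


def compare_users(bucket_max=64000, restore=8000):
    """Constructed workload: a browsing user and a bulk downloader."""
    normal = DelayBucket(bucket_max, restore)
    heavy = DelayBucket(bucket_max, restore)
    page_times = []
    for _ in range(3):                     # three 30 kB pages, 10 s of reading between
        page_times.append(len(normal.download(30000)))
        normal.idle(10)
    heavy_ticks = heavy.download(200000)   # one 200 kB file
    return page_times, heavy_ticks


if __name__ == "__main__":
    pages, heavy = compare_users()
    print("seconds per page for the normal user:", pages)
    print("bytes per second for the heavy user:", heavy)
```

The browsing user never empties the bucket, so every page arrives within one tick; the bulk download gets one burst of the bucket size and is then held to the restore value.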
-
Modifications to Delay Pools
Evaluate the current load on the pool
Change the data rate parameters dynamically
Parameters vary between the min & max depending upon load
However, this does not change the basic design of delay pools
-
Multiple Delay Pools
Multiple distinct user communities exist
e.g., departments, staff/students
Each community may be allocated some bandwidth
Bandwidth usage by one community
should not affect other communities
Can be implemented by configuring one
delay pool per community
-
Access Control Lists
Traditionally used to define who can
access what
But in reality they have a lot more flexibility,
which allows us to write rich rule sets to
match our needs
e.g. All student public labs are only allowed to access academic sites during
working hours.
-
Redirectors
Redirectors allow us to re-write URLs
before we fetch them
For instance, we could rewrite a popular site to a local mirror:
http://www.php.net/ -> http://za2.php.net/
-
Redirectors
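Redirectors are simple programs and can
be easily customised:
    #!/usr/bin/perl -w
    $| = 1;    # unbuffered output, so Squid gets each reply immediately
    while (<>) {
        # rewrite requests for the main site to the local mirror
        s{^http://www\.php\.net}{http://za2.php.net};
        print;
    }
And added to Squid:
    redirect_program /usr/local/bin/myredirector
    redirector_access allow all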
-
Redirectors
Redirectors are commonly used to block
advertisements on web pages.
There are lots of open-source packages that do this, for example AdZapper
(http://adzapper.sourceforge.net/)
Advert blocking saves bandwidth but is
controversial because many sites rely on
advertising for revenue.
-
Authenticators
Authenticators are external programs that define how the proxy_auth ACL works.
This lets you force your clients to supply a username and password before granting them access, good for public access computers.
Like redirectors, you can only have one authenticator. That's not usually a problem though.
-
Authenticators
Authenticators are also simple programs
that read from STDIN and write to
STDOUT.
guy@walrus:~% ./sampleauthenticator
guy notmypassword
ERR
ghalse mypassword
ERR
guy mypassword
OK
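A helper that reproduces the session above, as an added example that is not the sampleauthenticator from the deck. It assumes Squid hands the helper one "username password" line per request with both fields URL-escaped; the credential store, salt and iteration count are constructed for the example.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote


def _hash(password, salt):
    # Store and compare a slow salted hash, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user -> (salt, PBKDF2-SHA256 hash).
USERS = {"guy": (b"constructed-salt", _hash("mypassword", b"constructed-salt"))}
# Unknown users are checked against this entry so they cost the same time.
_DUMMY = (b"dummy-salt", _hash("dummy", b"dummy-salt"))


def check_line(line, users=USERS):
    """Return "OK" or "ERR" for one 'username password' request line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"                       # malformed request
    user, password = unquote(parts[0]), unquote(parts[1])
    salt, expected = users.get(user, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return "OK" if matches and user in users else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()                 # the proxy waits for each answer


if __name__ == "__main__":
    main()
```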
-
Authenticators
Squid comes with a lot of authenticators
out-the-box: smb, ldap, pam, unix, ntlm,
yp/nis, etc.
Perhaps the most useful of these is pam_auth, which uses the pluggable
authentication module architecture.
PAM allows you to chain authenticators
and use multiple authentication sources.
-
Unauthenticated Requests
One of the biggest bandwidth users these
days is software updates. In particular,
software that polls for updates every time
it detects a network connection.
One way to keep some degree of control
over this is to enable proxy authentication
to require a username and password to use the web.
-
Unauthenticated Requests
The down side of this is that some
software goes mad when it gets an HTTP
407 response. Software developers don't
implement incremental back-off
algorithms.
How do we let users know what's going
on?
-
Unauthenticated Requests
Our solution forms part of the quota
system you just heard about. It's just
another quota.
Users lose access when they've exceeded
1440 TCP_DENIED/407 messages a day,
and regain it automatically when they drop
below this.
Just another file-based ACL list.
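One way to produce that list from the proxy log, as an added example that is not the presenters' quota system. It assumes Squid's native access.log layout (timestamp, elapsed, client, result/status, ...), identifies an unauthenticated client by its address, and uses constructed log lines.

```python
from collections import Counter
from datetime import date, datetime, timezone

LIMIT = 1440  # the daily TCP_DENIED/407 quota from the slide


def denied_per_day(lines):
    """Count TCP_DENIED/407 entries per (UTC date, client address)."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[3] != "TCP_DENIED/407":
            continue
        try:
            when = datetime.fromtimestamp(float(fields[0]), timezone.utc)
        except (ValueError, OverflowError, OSError):
            continue                       # skip lines with a bad timestamp
        counts[(when.date(), fields[2])] += 1
    return counts


def over_quota(lines, day, limit=LIMIT):
    """Clients that exceeded `limit` denials on `day`, sorted for the ACL file."""
    return sorted(client for (d, client), n in denied_per_day(lines).items()
                  if d == day and n > limit)


def sample_log():
    """Constructed log: 10.0.0.5 polls every 30 s, 10.0.0.6 sits at the limit."""
    base = 1564963200                      # 2019-08-05 00:00:00 UTC
    row = "{:.3f} 3 {} {} 1800 GET http://updates.example/check - NONE/- text/html"
    lines = [row.format(base + i * 30, "10.0.0.5", "TCP_DENIED/407")
             for i in range(2000)]
    lines += [row.format(base + i * 60, "10.0.0.6", "TCP_DENIED/407")
              for i in range(1440)]
    lines += [row.format(base + 5, "10.0.0.7", "TCP_MISS/200"), "garbage line"]
    return lines


if __name__ == "__main__":
    # One address per line is the shape a file-based ACL reads.
    print("\n".join(over_quota(sample_log(), date(2019, 8, 5))))
```

Regenerating the file from the current day's log also gives the automatic recovery described above: a client that is no longer over the limit drops out of the list.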