Bandwidth management with proxy

Upload: naveen-trivedi

Post on 07-Apr-2018

  • 8/4/2019 Bandwith Management With Proxy

    1/20

    Bandwidth Management with the Squid Caching Proxy Server

    Quick Overview of Squid

    Squid is a caching proxy server.

    It's the open-source equivalent of products like Novell's BorderManager, Microsoft's ISAS, and Cisco's ACNS.

    You can download it for free at http://www.squid-cache.org/

    How Squid Fits Into Your Network

    [Diagram: Border Firewall, Caching Proxy Server, Client Computers, The Internet]

    Bandwidth Control Features in Squid

    Delay Pools
    Access Control Lists
    Redirectors
    Authenticators

    We'll talk about each of these in turn, and then look at some examples that show how they can all fit together.

    Delay Pools

    Delay pools are Squid's answer to bandwidth management.

    They allow you to control the amount of bandwidth a particular computer, subnet or proxy server may use.

    Delay Pools in Squid

    Squid contains a bandwidth management system called Delay Pools
    Uses the token bucket algorithm
    Downloads up to the pool size are not limited
    Throughput is limited thereafter to the restore value

    [Diagram: bytes in from outside -> Delay Pool -> bytes out to user/users]

    Effect of Delay Pools

    Heavy users are limited to the data rate set by the delay pool
        file downloads and media-heavy sites are slow

    Normal users get reasonable response
        not significantly limited
        congestion reduced by limiting heavy users
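The burst-then-throttle behaviour described on the last two slides, as an added example (a simplified one-second-step model, not Squid's code and not from the original slides). The pool size, restore value and link rate are constructed figures.

```python
from dataclasses import dataclass

@dataclass
class DelayBucket:
    restore: int          # bytes added back per second (the sustained rate)
    maximum: int          # bucket capacity in bytes (the "pool size")
    level: int = -1       # current tokens; -1 means "start full"

    def __post_init__(self):
        if self.restore <= 0:
            raise ValueError("restore must be positive or nothing ever drains")
        if self.level < 0:
            self.level = self.maximum

    def tick(self, wanted: int) -> int:
        """Advance one second and return how many bytes may pass."""
        sent = min(wanted, self.level)
        self.level = min(self.maximum, self.level - sent + self.restore)
        return sent


def trace(size: int, bucket: DelayBucket, link_rate: int) -> list:
    """Bytes delivered in each second until 'size' bytes have passed."""
    per_second = []
    while size > 0:
        sent = bucket.tick(min(size, link_rate))
        per_second.append(sent)
        size -= sent
    return per_second


# Constructed figures: 1 MB pool, 16 kB/s restore, 1 MB/s upstream link.
def new_bucket() -> DelayBucket:
    return DelayBucket(restore=16_000, maximum=1_000_000)

def normal_user_seconds() -> int:
    return len(trace(200_000, new_bucket(), 1_000_000))   # one web page

def heavy_user_trace() -> list:
    return trace(5_000_000, new_bucket(), 1_000_000)      # one large download

if __name__ == "__main__":
    heavy = heavy_user_trace()
    print("normal page:", normal_user_seconds(), "s")
    print("5 MB download:", len(heavy), "s; first seconds:", heavy[:3])
```

The page-sized fetch fits inside the pool and is never slowed, while the large download gets one second at link speed and then crawls at the restore value.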

    Modifications to Delay Pools

    Evaluate the current load on the pool
    Change the data rate parameters dynamically
    Parameters vary between the min & max depending upon load
    However, this does not change the basic design of delay pools

    Multiple Delay Pools

    Multiple distinct user communities exist
        e.g., departments, staff/students
    Each community may be allocated some bandwidth
    Bandwidth usage by one community should not affect other communities
    Can be implemented by configuring one delay pool per community

    Access Control Lists

    Traditionally used to define who can access what

    But in reality they have a lot more flexibility, which allows us to write rich rule sets to match our needs

    e.g. All student public labs are only allowed to access academic sites during working hours.

    Redirectors

    Redirectors allow us to re-write URLs before we fetch them

    For instance, we could rewrite a popular site to a local mirror:

    http://www.php.net/ -> http://za2.php.net/

    Redirectors

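    Redirectors are simple programs and can be easily customised:

    #!/usr/bin/perl -w
    # Squid writes one request per line to STDIN and reads the
    # (possibly rewritten) line back from STDOUT.
    $| = 1;    # unbuffered output, so Squid receives each reply at once
    while (<>) {
        s{^http://www\.php\.net}{http://za2.php.net};
        print;
    }

    And added to Squid:

    redirect_program /usr/local/bin/myredirector
    redirector_access allow all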

    Redirectors

    Redirectors are commonly used to block advertisements on web pages.

    There are lots of open-source packages that do this, for example AdZapper (http://adzapper.sourceforge.net/)

    Advert blocking saves bandwidth but is controversial because many sites rely on advertising for revenue.

    Authenticators

    Authenticators are external programs that define how the proxy_auth ACL works.

    This lets you force your clients to supply a username and password before granting them access (good for public access computers).

    Like redirectors, you can only have one authenticator. That's not usually a problem though.

    Authenticators

    Authenticators are also simple programs that read from STDIN and write to STDOUT.

    guy@walrus:~% ./sampleauthenticator
    guy notmypassword
    ERR
    ghalse mypassword
    ERR
    guy mypassword
    OK
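A helper that behaves like the session above, as an added example (not the presenter's sampleauthenticator). The credential store, salt and iteration count are constructed; the helper URL-unescapes both fields, which is how Squid passes them to basic authentication helpers.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote

_SALT = b"constructed-salt"          # constructed value for this example

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: username -> (salt, password digest).
USERS = {"guy": (_SALT, _digest("mypassword", _SALT))}
_DUMMY = (_SALT, _digest("", _SALT))  # hashed for unknown users as well

def check_line(line: str) -> str:
    """Return 'OK' or 'ERR' for one 'username password' request line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"                  # malformed request: fail closed
    user, password = (unquote(p) for p in parts)
    salt, expected = USERS.get(user, _DUMMY)
    # Always hash and compare in constant time, so a reply does not
    # come back faster for usernames that do not exist.
    matches = hmac.compare_digest(_digest(password, salt), expected)
    return "OK" if matches and user in USERS else "ERR"

def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()            # Squid blocks waiting for each reply

if __name__ == "__main__":
    main()
```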

    Authenticators

    Squid comes with a lot of authenticators out of the box: smb, ldap, pam, unix, ntlm, yp/nis, etc.

    Perhaps the most useful of these is pam_auth, which uses the pluggable authentication module architecture.

    PAM allows you to chain authenticators and use multiple authentication sources.

    Unauthenticated Requests

    One of the biggest bandwidth users these days is software updates. In particular, software that polls for updates every time it detects a network connection.

    One way to keep some degree of control over this is to enable proxy authentication to require a username and password to use the web.

    Unauthenticated Requests

    The down side of this is that some software goes mad when it gets an HTTP 407 response. Software developers don't implement incremental back-off algorithms.

    How do we let users know what's going on?

    Unauthenticated Requests

    Our solution forms part of the quota system you just heard about. It's just another quota.

    Users lose access when they've exceeded 1440 TCP_DENIED/407 messages a day, and regain it automatically when they drop below this.

    Just another file-based ACL list.
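One way to compute the contents of that ACL file from access.log, as an added example rather than the presenters' own quota code. Keying on the client address (third field of Squid's native log format) and treating "a day" as a sliding 24-hour window are assumptions; the log lines are constructed.

```python
from collections import Counter

DAILY_LIMIT = 1440        # from the slide: 407 denials tolerated per day
WINDOW = 24 * 60 * 60     # assumption: "a day" is a sliding 24-hour window

def denied_407_counts(log_lines, now):
    """Count TCP_DENIED/407 entries per client address inside the window."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                  # skip truncated or corrupt lines
        try:
            stamp = float(fields[0])
        except ValueError:
            continue
        if now - WINDOW < stamp <= now and fields[3] == "TCP_DENIED/407":
            counts[fields[2]] += 1
    return counts

def blocked_clients(log_lines, now, limit=DAILY_LIMIT):
    """Addresses to write, one per line, into the file-based ACL."""
    counts = denied_407_counts(log_lines, now)
    return sorted(ip for ip, n in counts.items() if n > limit)

def sample_log(now):
    """Constructed access.log lines in Squid's native format."""
    fmt = "{:.3f}      0 {} {} 1543 GET http://updates.example.com/ - NONE/- text/html"
    lines = []
    # Polls every 30 s without credentials: 1500 denials in the window.
    lines += [fmt.format(now - i * 30, "10.0.0.7", "TCP_DENIED/407") for i in range(1500)]
    # Occasional denials plus normal traffic: stays under the limit.
    lines += [fmt.format(now - i * 600, "10.0.0.8", "TCP_DENIED/407") for i in range(100)]
    lines += [fmt.format(now - i, "10.0.0.8", "TCP_MISS/200") for i in range(2000)]
    # Was noisy more than a day ago: outside the window, so access returns.
    lines += [fmt.format(now - 90000 - i, "10.0.0.9", "TCP_DENIED/407") for i in range(2000)]
    return lines

if __name__ == "__main__":
    now = 1523100000.0                # constructed "current time"
    print("\n".join(blocked_clients(sample_log(now), now)))
```

Re-running this on a schedule and rewriting the file is what makes a client regain access automatically once its old denials age out of the window.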
