Unidentified subject!

From: Merton Campbell Crockett <[email protected]>
Date: Mon, 14 Jun 1999 18:10:22 -0700 (PDT)

I am implementing a Squid proxy cache hierarchy to solve a problem. In the
following figure, TITAN is a Gauntlet Firewall that is, simply, overloaded.
JANUS is an external mail hub and DNS server that was recently converted to
a bastion host that sits astride the "firebreak" (===).

Not shown on the external LAN is a Web server that uses "virtual hosting" to
provide access to several "public" Web sites. It, also, provides access to
Web sites on the internal LAN to authorized users. The "virtual host" name
for the internal Web server is the same as its internal name but the IP address
is different. In addition, all connections through the "virtual host" are
encrypted and require a login and password.

                              Internet
                                  ^
                                  |
                              +---+---+
                              | CISCO |
                              +---+---+
                                  |
                         <--+-----+------+-->
                            |            |
                        +---+---+    +---+---+
                 =======| TITAN |====| JANUS |===========
                        +---+---+    +---+---+
                            |            |
                   <--+-----+------+-----+---------+-->
                      |            |               |
                 +----+---+   +----+---+       +---+----+
                 | PROXY1 |   | PROXY2 | . . . | PROXYn |
                 +--------+   +--------+       +--------+

One other point about JANUS is that it has no knowledge of internal systems.
What I found happening when I brought up Squid 1.1.22 on JANUS was that
internal users would connect to the external "virtual hosts" instead of the
internal Web server. This problem was resolved by adding PROXY1 and PROXY2
to serve different parts of the campus.

While everything appears to be working correctly, I am not sure that I am
getting what I want after reading Duane Wessels' paper. Perhaps, what I
want is not what I think I want. :-)

I want all users to configure their browsers to use the proxy that serves
their area of the campus.

I want the local proxy servers (PROXY1, PROXY2, etc.) to access internal Web
servers directly and cache the responses. I use "local_ip" to force a DNS
lookup and to get around a problem discovered with Netscape Navigator in the
initial configuration. (It doesn't perform a DNS query when an exception
block is defined. It does a simple string compare that fails to catch local
servers that are referenced by a simple host name.)

I don't use the "local_domain" as it extends beyond the "firebreak" and
there are Web servers outside the firewall that I don't want to have
accessed directly as that would go through TITAN which I'm trying to
offload.

If the destination is not local, I want the proxy servers to go to JANUS. I
have used "cache_host" to define JANUS as the default parent on each proxy.
(Each proxy is defined as a sibling in JANUS' configuration.) As siblings
are not queried, I want JANUS to cache the responses as well as the proxy
making the request to make the data available to eliminate the need to go to
the Internet for information retrieved through another proxy.

Do systems defined as "siblings" query each other? Each proxy server has
its "siblings" defined. If they do, would it be advisable to have them use
multi-cast to minimize load on the local backbone?

One thing that I want to do is to use TITAN the Gauntlet Firewall in the
event that JANUS fails. What is the best way of doing this?

Merton Campbell Crockett
Received on Mon Jun 14 1999 - 18:03:26 MDT
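The setup the message describes, written out as an illustrative squid.conf fragment for one of the local proxies (PROXY1). This is an added example, not a file from the original post or from the Squid project: the host roles (JANUS as default parent, the other campus proxies as siblings, "local_ip" instead of "local_domain") come from the message, while the internal address range, the port numbers and the Squid 1.1 "cache_host hostname type http_port icp_port [options]" syntax are assumptions.

```conf
# squid.conf excerpt for PROXY1 (illustrative; host names from the post,
# address range and ports are assumed)

# Addresses in this range are "local": Squid resolves the name with DNS and
# fetches directly, so bare host names that Netscape's exception list misses
# are still handled here. local_ip is used instead of local_domain because
# a domain-based rule would also match Web servers beyond the "firebreak",
# and direct fetches to those would go through the overloaded TITAN.
local_ip 10.0.0.0/255.0.0.0

# Anything not local is sent to JANUS, the default parent, which caches the
# response in addition to this proxy.
cache_host janus parent 3128 3130 default

# The other campus proxies are listed as siblings (second port is ICP).
cache_host proxy2 sibling 3128 3130

# Ports this proxy listens on; the icp_port must match what the siblings
# and JANUS have configured for this host.
http_port 3128
icp_port 3130
```

With this fragment an internal request is served directly from the internal LAN, a request for an Internet site goes to JANUS, and TITAN is never used for Web traffic; how to fall back to TITAN when JANUS is down is the question the message leaves open and is not addressed here.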
