Example Tutorial: how to set up a layered Proxy Server

Source: Internet
Author: User
Tags: squid, proxy

On a network of moderate size, a single well-provisioned cache proxy placed close to the clients can satisfy internal users and relieve congestion on the egress line. Once the internal network has grown large and complex, with tens of thousands of user machines, there may be tens of thousands of URL requests in flight at the same time; a single proxy server may then fail to keep up, or stall entirely, and the proxy itself becomes the new bottleneck.

An effective solution is to deploy several proxy servers inside the network and arrange them in a hierarchy (layers) so that they cooperate, sharing the load and reducing the pressure on the egress lines.

Configuration method

The following describes how we set up hierarchical proxy servers based on the actual situation at our school.

Figure 1 shows the topology of the campus network. The intranet connects to CERNET and CHINANET over two egress lines through routers, and from there reaches the Internet. Most colleges and universities now use this kind of multi-exit setup: CERNET can assign institutions public IP addresses, but it mostly bills international traffic by volume or by monthly subscription, so it is expensive and bandwidth-limited, whereas CHINANET, CNCNET and other operators charge comparatively low monthly fees and offer faster egress. In general, CERNET carries the institution's public-facing portal and the egress traffic that has to use it (such as access to educational resources), while CHINANET and CNCNET carry the bulk of outbound access.

Our campus network is divided geographically into several areas, including the library, the teaching areas, the administrative offices and the student dormitories. We use only three regions as an example, treating the library and teaching areas as one region. A proxy server is placed in each of these three regions, with the host names lib.Cache.lyac.edu.cn, adm.Cache.lyac.edu.cn and stu.Cache.lyac.edu.cn respectively.

The academic journal and paper databases the library subscribes to can only be queried from a public IP address (some require a fixed address), and the campus also needs to reach many educational resources on CERNET, so the library/teaching cache uses CERNET as its default egress line and has a public IP address. The default egress of the other two regions is CHINANET. Since the ISP usually does not give the school public addresses, such a cache normally has two NICs: one with a private intranet address and one with the private address supplied by the ISP, so that it can connect to the ISP and forward traffic through it.

The cache server can be a commercial appliance (such as CacheFlow), i.e. a standard server with dedicated software and hardware, or a general-purpose server running cache software. Our school's proxy servers run Squid, which reads its configuration from squid.conf. The configuration of a single proxy, especially the combination of acl and http_access directives, is covered in many references and is not repeated here; we discuss only the squid.conf options that relate to the cache hierarchy. For detailed usage, see the Squid documentation.

The listings below show only the hierarchy-related configuration items for the caches of the three regions. Combined with ACLs there are many possible configurations; for example, icp_access and miss_access control what external caches may request from this one, and several other options behave similarly. Lines starting with "#" are comments. Note that Squid directive names are lowercase and case-sensitive; a capitalized directive such as Http_port is rejected as unrecognized.

(1) Cache configuration for the library and teaching areas
http_port 3128
icp_port 3130
# Define the relationship between this cache and the caches of the other two regions
cache_peer adm.Cache.lyac.edu.cn sibling 3128 3130
cache_peer stu.Cache.lyac.edu.cn sibling 3128 3130
# Ask the other two caches for help only for URLs outside the .edu.cn domain
# (their default egress is CHINANET; .edu.cn content is fetched directly over CERNET)
cache_peer_domain adm.Cache.lyac.edu.cn !.edu.cn
cache_peer_domain stu.Cache.lyac.edu.cn !.edu.cn
# 10.10.0.0/16 is the private intranet address range used by the campus network
acl LocalNetIPVIR src 10.10.0.0/16
# 210.44.48.0/20 is the public IP address range used by the campus network
acl LocalNetIPTRUE src 210.44.48.0/20
# .lyac.edu.cn is the campus network's domain; srcdomain matches the client's reverse-DNS name,
# which whoever controls the PTR records for the client's address block can set at will,
# so it is a weaker check than the two src ranges above
acl LocalDomain srcdomain .lyac.edu.cn
# Squid 3.2 and later define "all" themselves; drop this line there
acl all src 0.0.0.0/0.0.0.0
# Forward to the peers only for campus clients. Rules are evaluated first-match, so the deny
# lines must come last; the ACL referenced is LocalDomain (the name defined above), not the
# ACL type srcdomain, which Squid would reject as an undefined ACL name
cache_peer_access adm.Cache.lyac.edu.cn allow LocalNetIPVIR
cache_peer_access adm.Cache.lyac.edu.cn allow LocalNetIPTRUE
cache_peer_access adm.Cache.lyac.edu.cn allow LocalDomain
cache_peer_access stu.Cache.lyac.edu.cn allow LocalNetIPVIR
cache_peer_access stu.Cache.lyac.edu.cn allow LocalNetIPTRUE
cache_peer_access stu.Cache.lyac.edu.cn allow LocalDomain
cache_peer_access adm.Cache.lyac.edu.cn deny all
cache_peer_access stu.Cache.lyac.edu.cn deny all
# Answer ICP queries only for the school's own caches, so that caches outside the LAN cannot use this one
icp_access allow LocalNetIPVIR
icp_access allow LocalNetIPTRUE
icp_access allow LocalDomain
icp_access deny all

(2) Cache configuration for the administrative office area (the acl definitions and the cache_peer_access and icp_access rules are the same as for the library and teaching areas, with the peer names changed)
http_port 3128
icp_port 3130
# The library cache is a parent: .edu.cn requests that miss here are fetched through it,
# since it has the CERNET egress and a public address; the dormitory cache is a sibling
# that is only asked for hits on non-.edu.cn URLs
cache_peer lib.Cache.lyac.edu.cn parent 3128 3130
cache_peer stu.Cache.lyac.edu.cn sibling 3128 3130
cache_peer_domain lib.Cache.lyac.edu.cn .edu.cn
cache_peer_domain stu.Cache.lyac.edu.cn !.edu.cn

(3) The cache configuration for the student dormitory area is essentially the same as that of the administrative office area, with adm.Cache.lyac.edu.cn taking the place of stu.Cache.lyac.edu.cn as the sibling.
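To see what these rules actually do before loading them, here is an added example (my code, not part of the original article and not Squid's own code): a small Python evaluator for the directives used in listings (1) and (2), implementing Squid's first-match semantics for cache_peer_access and the first-match/opposite-of-last rule for cache_peer_domain. The two configs are constructed from the page's listings; the client addresses 10.10.5.7, 10.10.8.8 and 203.0.113.9, the reverse-DNS name pc1.lyac.edu.cn and the URL hosts are assumptions. It does not model icp_access, and srcdomain is fed a reverse-DNS name directly instead of resolving one.

```python
"""Offline evaluator for the Squid peer-selection directives used on this page
(added example, not code from the original article): it models acl src/srcdomain,
cache_peer, cache_peer_domain and cache_peer_access with Squid's first-match rules."""
import ipaddress

# Constructed samples built from the page's listings, in the lowercase form Squid parses.
ACL_LINES = """
acl LocalNetIPVIR src 10.10.0.0/16
acl LocalNetIPTRUE src 210.44.48.0/20
acl LocalDomain srcdomain .lyac.edu.cn
acl all src 0.0.0.0/0.0.0.0
"""

def access_lines(*peers):
    """The page's allow-campus-clients / deny-everything-else block for each peer."""
    allows = [f"cache_peer_access {p} allow {a}" for p in peers
              for a in ("LocalNetIPVIR", "LocalNetIPTRUE", "LocalDomain")]
    return "\n".join(allows + [f"cache_peer_access {p} deny all" for p in peers])

LIB_CONF = """
cache_peer adm.Cache.lyac.edu.cn sibling 3128 3130
cache_peer stu.Cache.lyac.edu.cn sibling 3128 3130
cache_peer_domain adm.Cache.lyac.edu.cn !.edu.cn
cache_peer_domain stu.Cache.lyac.edu.cn !.edu.cn
""" + ACL_LINES + access_lines("adm.Cache.lyac.edu.cn", "stu.Cache.lyac.edu.cn")

ADM_CONF = """
cache_peer lib.Cache.lyac.edu.cn parent 3128 3130
cache_peer stu.Cache.lyac.edu.cn sibling 3128 3130
cache_peer_domain lib.Cache.lyac.edu.cn .edu.cn
cache_peer_domain stu.Cache.lyac.edu.cn !.edu.cn
""" + ACL_LINES + access_lines("lib.Cache.lyac.edu.cn", "stu.Cache.lyac.edu.cn")

def parse_config(text):
    """Collect the directives we model; anything else (http_port, ...) is ignored."""
    cfg = {"acls": {}, "peers": {}, "peer_domain": {}, "peer_access": {}}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        directive, args = words[0], words[1:]
        if directive == "acl":
            acl = cfg["acls"].setdefault(args[0], {"type": args[1], "values": []})
            acl["values"].extend(args[2:])
        elif directive == "cache_peer":
            cfg["peers"][args[0]] = {"type": args[1], "http": int(args[2]), "icp": int(args[3])}
        elif directive == "cache_peer_domain":
            cfg["peer_domain"].setdefault(args[0], []).extend(args[1:])
        elif directive == "cache_peer_access":
            cfg["peer_access"].setdefault(args[0], []).append((args[1], args[2:]))
    return cfg

def undefined_acls(cfg):
    """ACL names used in cache_peer_access but never declared (a fatal error in Squid)."""
    used = {n.lstrip("!") for rules in cfg["peer_access"].values() for _, names in rules for n in names}
    return sorted(used - set(cfg["acls"]))

def domain_matches(pattern, host):
    """Squid domain matching: a leading dot matches the domain itself and all subdomains."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(acl, client_ip, client_rdns):
    """src tests the client address; srcdomain tests its reverse-DNS name (None = no PTR)."""
    if acl["type"] == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in acl["values"])
    if acl["type"] == "srcdomain":
        return client_rdns is not None and any(domain_matches(v, client_rdns) for v in acl["values"])
    raise ValueError("acl type not modelled: " + acl["type"])

def peer_domain_allows(domains, url_host):
    """cache_peer_domain: first matching entry decides; with no match, the answer is
    the opposite of the last entry's sense (Squid's peerAllowedToUse behaviour)."""
    allow = True
    for entry in domains:
        negated = entry.startswith("!")
        if domain_matches(entry.lstrip("!"), url_host):
            return not negated
        allow = negated
    return allow

def peer_access_allows(rules, acls, client_ip, client_rdns):
    """cache_peer_access: first rule whose ACLs all match decides; with no match, the
    implicit answer is the opposite of the last rule's action."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], client_ip, client_rdns) != n.startswith("!") for n in names):
            return action == "allow"
    return rules[-1][0] != "allow" if rules else True

def peers_for_request(cfg, client_ip, url_host, client_rdns=None):
    """Names of the peers this cache may consult for the request, in configuration order."""
    missing = undefined_acls(cfg)
    if missing:
        raise ValueError("undefined ACLs: " + ", ".join(missing))
    return [p for p in cfg["peers"]
            if peer_domain_allows(cfg["peer_domain"].get(p, []), url_host)
            and peer_access_allows(cfg["peer_access"].get(p, []), cfg["acls"], client_ip, client_rdns)]
```

With the library config, an intranet client fetching www.sina.com.cn gets both siblings consulted, a .edu.cn URL gets none (it stays on CERNET), and an outside client gets none unless its reverse-DNS name falls under .lyac.edu.cn. With the administrative config, .edu.cn URLs go to the library parent only and everything else to the dormitory sibling only. Replacing `allow LocalDomain` with `allow srcdomain` makes undefined_acls report the undefined name, which is the check worth running on a hand-edited file; for the real file, `squid -k parse` remains the authoritative test.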

There are also freely usable caches on the external network with which you can form further layers. As shown in figure 1, you can apply to use proxy server D (on CERNET) and E (on the Internet) as a parent or sibling; once the application is approved, configure the corresponding peer relationship on the local cache to fetch objects through them.

Hierarchical proxy servers effectively solve the coordination problem between multiple proxies when a local area network has grown too large, save bandwidth, optimize the flow of information in the network and keep it running smoothly.
