
Proxy Server


shyla

Presentation Transcript


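  1. Proxy Server

  2. Outline
      • Introduction to Proxy
      • Explanation of squid.conf
      • Research issues
      • Benchmark tools and reports
      • Suggestions for Axtronics
      • Related software
      • Other notes

  3. Proxy server
      • Originally part of a firewall
      • An "application gateway" designed to increase security
      • Internal and external systems can see only the proxy
      • Filtering mechanisms that inspect security-related data can be added at any layer of the proxy
      • The proxy has only one IP address
      • Connections must be distinguished by protocol number and port number

  4. How a proxy works

  5. Proxy operation (1/4)
      • After a URL is entered and Enter is pressed, Client 1's browser sends a request (Request 1) to the proxy server
      • The proxy server checks whether the data Client 1 needs is on its own disk
      • If not, it sends an ICP_QUERY to its sibling proxy servers to see whether they have the data Client 1 wants

  6. Proxy operation (2/4)
      • If the sibling proxy servers do not have the data, the proxy server then sends an ICP_QUERY to its parent proxy
      • If the data is still not found, the proxy server passes the request (Request 1) to its parent proxy server
      • The parent proxy server is responsible for forwarding the request and fetching the data from the destination WWW server

  7. Proxy operation (3/4)
      • The parent proxy server passes the retrieved data to the next-level proxy server and keeps a copy on its own machine
      • The next-level proxy server likewise keeps a cached copy and passes the data to the user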

  8. Proxy operation (4/4)
      [Figure: a client requests an object (URL) from the local proxy server, which is connected to Sibling1, Sibling2 (RTT=2), Sibling3 (RTT=3) and Parent1, Parent2, Parent3. Labels: "If no 'ICP_MISS' replies"; "With 'query-icmp' enabled"; "RTT will be checked"; "Fresh or Stale?". Legend: 1. ICP_QUERY, 2. ICP_REPLY, 3. ICP_NOFETCH, 4. Retrieving object.]

  9. Proxy command format
      • ICP & SQUID
      • ICP header format
      • ICP query algorithm

  10. ICP header format
      Fields, in order: OPCODE | VERSION | PACKET LENGTH | REQUEST NUMBER | OPTIONS | SENDER HOST ADDRESS | PAYLOAD (e.g. receiver's address, piggyback, etc.)
      • OPCODE: message type, e.g. ICP_HIT, ICP_MISS, ICP_NOFETCH, etc.
      • VERSION: version of the ICP protocol
      • REQUEST NUMBER: identifier used to match queries and responses
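The header on slide 10, laid out as in RFC 2186 (ICP version 2), which also has a 32-bit option-data field between OPTIONS and SENDER HOST ADDRESS that the slide does not list. This is an added Python example, not part of the original slides or of Squid; the function names are hypothetical, and the parser rejects any datagram whose length field, version, opcode or URL termination does not check out.

```python
import socket
import struct

# ICP v2 fixed header (RFC 2186): opcode, version, message length, request number,
# options, option data, sender host address = 20 bytes, network byte order.
ICP_HEADER = struct.Struct("!BBHIII4s")
ICP_VERSION = 2
# ICP_OP_HIT_OBJ (23) is deliberately left out: its payload also carries object data.
OPCODES = {1: "ICP_OP_QUERY", 2: "ICP_OP_HIT", 3: "ICP_OP_MISS", 4: "ICP_OP_ERR",
           10: "ICP_OP_SECHO", 11: "ICP_OP_DECHO", 21: "ICP_OP_MISS_NOFETCH",
           22: "ICP_OP_DENIED"}
NAME_TO_OP = {name: code for code, name in OPCODES.items()}

def build_icp(opcode_name, reqnum, url, sender="0.0.0.0", requester="0.0.0.0"):
    """Build an ICP datagram; a query carries the requester address before the URL."""
    payload = url.encode("ascii") + b"\x00"
    if opcode_name == "ICP_OP_QUERY":
        payload = socket.inet_aton(requester) + payload
    length = ICP_HEADER.size + len(payload)
    return ICP_HEADER.pack(NAME_TO_OP[opcode_name], ICP_VERSION, length,
                           reqnum, 0, 0, socket.inet_aton(sender)) + payload

def parse_icp(datagram):
    """Parse and validate one ICP datagram; raise ValueError on malformed input."""
    if len(datagram) < ICP_HEADER.size:
        raise ValueError("shorter than the 20-byte ICP header")
    opcode, version, length, reqnum, options, _optdata, sender = ICP_HEADER.unpack_from(datagram)
    if version != ICP_VERSION:
        raise ValueError(f"unsupported ICP version {version}")
    if opcode not in OPCODES:
        raise ValueError(f"unknown or unsupported opcode {opcode}")
    if length != len(datagram):
        raise ValueError("length field does not match datagram size")
    payload = datagram[ICP_HEADER.size:]
    msg = {"opcode": OPCODES[opcode], "reqnum": reqnum, "options": options,
           "sender": socket.inet_ntoa(sender)}
    if opcode == NAME_TO_OP["ICP_OP_QUERY"]:
        if len(payload) < 5:  # 4-byte requester address plus at least the NUL
            raise ValueError("query payload too short")
        msg["requester"] = socket.inet_ntoa(payload[:4])
        payload = payload[4:]
    if not payload.endswith(b"\x00") or b"\x00" in payload[:-1]:
        raise ValueError("URL must be a single NUL-terminated string")
    msg["url"] = payload[:-1].decode("ascii")
    return msg

def match_reply(pending, reply):
    """Return the URL a reply answers, or None if its request number/URL match no pending query."""
    url = pending.get(reply["reqnum"])
    return url if url == reply["url"] else None
```

`pending` maps the request numbers of outstanding queries to their URLs, so a reply that reuses a number for a different URL is ignored rather than trusted.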

  11. ICP query flow chart
      [Flow chart between a client, a remote peer, and other cache servers / a multicast group. Labels that survive, in order: extract & parse the URL; neighbor selection (1. round robin, 2. RTT); hierarchy-stop list (e.g. cgi-bin); access control list; ICP_QUERY (ICP_DECHO for non-ICP proxies); ICP_DENIED; authentication passed; ICP_DENIED (authentication); object (URL) lookup; ICP_MISS; no object; object size; ICP_HIT_OBJ (piggyback); ICP_HIT; redirector? (yes: blank page or other URL); ICP_NOFETCH (network failure, or the peer does not want to handle this request).]

  12. Explanation of squid.conf
      • Part 1: General options
      • Part 2: Options which affect the neighbor selection algorithm
      • Part 3: Options which affect the cache size
      • Part 4: Logfile pathnames and cache directories
      • Part 5: Options for external support programs
      • Part 6: Options for tuning the cache
      • Part 7: Timeout
      • Part 8: Access controls
      • Part 9: Other important tags

  13. Part 1: General options (1)

  14. Part 1: General options (2)

  15. Part 2: Options which affect the neighbor selection algorithm (1)
      Ex:
          # cache_peer <host> <type> <HTTP port> <ICP port> [options]
          cache_peer proxy.nctu.edu.tw parent 3128 3130 no-digest
          # restrict which domains are requested from each peer; "!" excludes a domain
          cache_peer_domain proxy.edu.tw .jp
          cache_peer_domain proxy.nctu.edu.tw !.nctu.edu.tw

  16. Part 2: Options which affect the neighbor selection algorithm (2)
      Ex:
          cache_peer proxy.nctu.edu.tw parent 3128 3130 [options]
          # treat the peer as a sibling instead of a parent for these domains
          neighbor_type_domain proxy.nctu.edu.tw sibling .com .net
          neighbor_type_domain proxy.nctu.edu.tw sibling .au .de

  17. Part 2: Options which affect the neighbor selection algorithm (3)
      Ex:
          # do not cache URLs whose path contains "cgi-bin" or "?"
          acl QUERY urlpath_regex cgi-bin \?
          no_cache deny QUERY

  18. Part 3: Options which affect the cache size (1)
      The tag that determines the cache disk space (cache_dir) appears in a later table.

  19. Part 3: Options which affect the cache size (2)

  20. Part 4: Logfile pathnames and cache directories (1)
          # directory, size in MB, first-level directories, second-level directories
          cache_dir /usr/local/squid/cache 100 16 256

  21. Part 4: Logfile pathnames and cache directories (2)

  22. Part 4: Logfile pathnames and cache directories (3)

  23. Part 5: Options for external support programs (1)
          # password sent for anonymous FTP logins
          ftp_user squid@ynlin.cis.nctu.edu.tw

  24. Part 5: Options for external support programs (2)

  25. Part 6: Options for tuning the cache (1)
          # regex, minimum age (minutes), percent of object age, maximum age (minutes)
          refresh_pattern ^ftp: 1440 20% 10080

  26. Part 6: Options for tuning the cache (2)
          quick_abort_min 1KB
          quick_abort_max 16KB
          quick_abort_pct 95

  27. Part 7: Timeout

  28. Part 8: Access controls (1)
      Example 1:
          acl Cooking1 url_regex cooking
          acl Recepie1 url_regex recepie
          http_access deny Cooking1
          http_access deny Recepie1
      PS: all regular expressions are case-sensitive.
      Example 2:
          acl Cooking2 dstdomain gourmet-chef.com
          http_access deny Cooking2
          http_access allow all
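How Squid evaluates rules like those on slide 28: `http_access` lines are checked in order, the first line whose ACLs all match decides, and regex ACLs are case-sensitive unless `-i` is given. This is an added Python example, not from the slides or from Squid's code; it models only `url_regex` and `dstdomain` (in simplified form), treats `all` as built in, and its function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed from the two examples on slide 28, merged into one rule set.
SLIDE_28 = """
acl Cooking1 url_regex cooking
acl Recepie1 url_regex recepie
acl Cooking2 dstdomain gourmet-chef.com
http_access deny Cooking1
http_access deny Recepie1
http_access deny Cooking2
http_access allow all
"""
# Same rules with -i, which makes Squid regex ACLs case-insensitive.
CASE_INSENSITIVE = SLIDE_28.replace("url_regex ", "url_regex -i ")

def parse_rules(conf):
    """Collect acl definitions and the ordered http_access lines."""
    acls, access = {}, []
    for tok in (line.split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            access.append((tok[1], tok[2:]))
    return acls, access

def acl_matches(acl, url):
    """Test one ACL against a URL (only the two ACL types used on slide 28)."""
    kind, values = acl
    if kind == "url_regex":
        flags = re.I if "-i" in values else 0
        return any(re.search(v, url, flags) for v in values if v != "-i")
    if kind == "dstdomain":  # simplified model: exact host, or subdomains for ".name"
        host = (urlsplit(url).hostname or "").lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError(f"ACL type {kind!r} is not modelled in this example")

def http_access(conf, url):
    """Return 'allow' or 'deny': the first http_access line whose ACLs all match wins."""
    acls, access = parse_rules(conf)
    for action, names in access:
        # "all" is treated as a built-in match-everything ACL; "!" negates an ACL
        if all(n == "all" or acl_matches(acls[n.lstrip("!")], url) != n.startswith("!")
               for n in names):
            return action
    # nothing matched: Squid's default is the opposite of the last line
    return "allow" if access and access[-1][0] == "deny" else "deny"
```

Running a list of test URLs through `http_access` before deploying a rule set shows which requests a case-sensitive pattern lets through and what the implicit default does when no line matches.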

  29. Part 8: Access controls (2)
      Example 1:
          acl game dst 210.62.177.70 139.175.208.190
          http_access deny game
      Example 2:
          acl ncturc src 140.113.0.0
          http_access allow ncturc
          http_access deny all

  30. Part 9: Other important tags
          acl localneighbors src 140.113.23.0
          miss_access allow localneighbors

  31. Benchmarking tools and reports (1)
      • Web Polygraph
      • SPA (Squid Proxy Analysis)
      • Wisconsin Proxy Benchmark 1.0
      • Perfect Benchmark
      • NetCache Load Generator
      • CacheFlow Performance Testing Tool
      • Inktomi Large Scale Benchmark

  32. Benchmarking tools and reports (2)
      • On performance of Caching Proxies
      • Generating Representative Web Workloads for Network and Server Performance Evaluation
      • Squid Performance as a Factor of the Number of Disk Utilized
      • Benchmark of Squid2.2 Stable3
      • SPA (Squid Proxy Analysis)

  33. Benchmarking tools and reports (3)
      • The First IRCache Web Cache Bake-off (The Official Report)
      • A Survey of Proxy Cache Evaluation Techniques

  34. Future research topics
      • Prefetching mechanism
      • Mechanisms for locating the best server to ask for documents
      • Other possible proxy models

  35. Related software
      • Cachemgr.cgi
      • echoping: a nifty Unix utility that pings your proxy with a test HTTP request. It can be run from cron to warn you if the cache is down.
      • Squirm: a Squid cache redirector

  36. Other notes: the difference between ipcache and fqdncache

      FQDN Cache Contents:

          IP-Number       Flags  TTL     N  Hostname
          130.149.17.15   C      -45570  1  andele.cs.tu-berlin.de
          194.77.122.18   C      -58133  1  komet.teuto.de
          206.155.117.51  N      -73747  0

          Flags: C --> Cached  D --> Dispatched  N --> Negative Cached  L --> Locked
          TTL:   Time-To-Live until information expires
          N:     Count of names

      IP Cache Contents:

          Hostname                   Flags  lstref  TTL      N  [IP-Number]
          gorn.cc.fh-lippe.de        C      0       21581    1  193.16.112.73
          lagrange.uni-paderborn.de  C      6       21594    1  131.234.128.245
          www.altavista.digital.com  C      10      21299    4  204.123.2.75 ...
          2/ftp.symantec.com         DL     1583    -772855  0

          Flags:  C --> Cached  D --> Dispatched  N --> Negative Cached  L --> Locked
          lstref: Time since last use
          TTL:    Time-To-Live until information expires
          N:      Count of addresses

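  37. Future research topics
      • Internal/external firewalls
      • Handling encrypted/decrypted data
      • Host and user authentication
      • One-time password authentication systems
      • Scalability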
