Proxy Cache FAQ
What are the advantages of using a proxy?
Our research shows that 50% of internet traffic is generated by the Web;
a well configured cache can easily reduce this by 50%. This reduction in
traffic can save 25% of your total external traffic.
For your users, the proxy will keep pages from their favourite sites up to date and deliver those pages more quickly than fetching them from their sources.
For more information about the advantages of using proxy caches see the Cache Now! Home Page.
What is the configuration of AAPT's caches?
The current configuration information for AAPT's Proxy cache can
be found here.
What happens if a cache fails?
If a cache fails, the Load Share Device will direct all requests to the
second cache. The Load Share Device does not have any moving parts and has
a very high mean time between failures.
How do I configure my proxy to use AAPT's cache?
Information on how to connect to AAPT's Web Proxy Cache may be found
here.
Why should parent be used, rather than sibling?
Unless you are multi-homed, that is using multiple access providers,
you should use the parent setting. This means the parent cache will fetch
objects that are not found in the cache for you. The parent cache fetches
and caches the requested object so it is there not only for you but for
other users requesting that object in the future. You can use the sibling
setting to point to other ISPs. If you use the sibling setting, your own
system will attempt to go directly to the source if the object is not found
in AAPT's proxy, rather than the parent proxy fetching the object for
you.
How do I force my customers to use the Web Proxy Cache?
To block direct web access for your network(s) and force people to use proxies,
you should add the following access list to your router LAN port (inbound).
Here is a sample Cisco router configuration:
router#configure terminal
router(config)#access-list 100 permit tcp any host 192.189.54.60 eq www
router(config)#access-list 100 deny tcp any any eq www
router(config)#access-list 100 permit ip any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 100 in
router(config-if)#end
router#copy running-config startup-config
The option in the second line allows your users to use proxy.connect.com.au proxy autoconfig scripts. (NB: Using these scripts will bypass your proxy to use AAPT's.)
This assumes that access-list 100 was unused. If you have your own proxy and want to bypass the Connect caches (permanently or occasionally) you need an additional rule which allows the cache access to port 80.
For example:
router(config)#access-list 100 permit tcp host xx.xx.xx.xx any eq www
before the deny rule. Otherwise, you should configure your browsers to use proxy.connect.com.au, port 8080. Also, proxy.connect.com.au may be accessed for proxy auto-config.
If you are already using an inbound access-list on the LAN interface, then these rules have to be merged into your current list. The filter can alternatively be applied to the WAN interface (outbound).
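The rule order described above can be checked before it is merged into a live list. The following is an added example, not part of the original FAQ: a small first-match evaluator for access-list 100, where 192.0.2.10 is a constructed stand-in for the xx.xx.xx.xx own-proxy address and the other client and destination addresses are also constructed.

```javascript
// Added example: first-match evaluation of the page's access-list 100.
// 192.0.2.10 is a constructed stand-in for xx.xx.xx.xx (your own proxy).
const AAPT_PROXY = "192.189.54.60";
const OWN_PROXY = "192.0.2.10";
const WWW = 80;

// Each entry mirrors one access-list line; "any" matches everything.
const baseAcl = [
  { action: "permit", proto: "tcp", src: "any", dst: AAPT_PROXY, port: WWW },
  { action: "deny",   proto: "tcp", src: "any", dst: "any",      port: WWW },
  { action: "permit", proto: "ip",  src: "any", dst: "any",      port: null },
];
const ownProxyRule = { action: "permit", proto: "tcp", src: OWN_PROXY, dst: "any", port: WWW };

function matches(rule, pkt) {
  return (rule.proto === "ip" || rule.proto === pkt.proto) &&
         (rule.src === "any" || rule.src === pkt.src) &&
         (rule.dst === "any" || rule.dst === pkt.dst) &&
         (rule.port === null || rule.port === pkt.dport);
}

// IOS evaluates top-down, stops at the first match, and ends with an implicit deny.
function evaluate(acl, pkt) {
  for (let i = 0; i < acl.length; i++) {
    if (matches(acl[i], pkt)) return { action: acl[i].action, line: i + 1 };
  }
  return { action: "deny", line: null };
}

// Insert the own-proxy permit immediately before the first deny rule.
function withOwnProxy(acl) {
  const at = acl.findIndex((r) => r.action === "deny");
  return [...acl.slice(0, at), ownProxyRule, ...acl.slice(at)];
}

const merged = withOwnProxy(baseAcl);
const appended = [...baseAcl, ownProxyRule]; // wrong order, for comparison
const fromProxy = { proto: "tcp", src: OWN_PROXY, dst: "203.0.113.7", dport: WWW };
const fromClient = { proto: "tcp", src: "192.0.2.55", dst: "203.0.113.7", dport: WWW };
console.log(evaluate(merged, fromProxy), evaluate(appended, fromProxy), evaluate(merged, fromClient));
```

Only TCP port 80 is filtered by this list; traffic to any other port falls through to the final permit ip any any.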
How do I configure Netscape for multiple proxies using Javascript?
You can use Javascript to automate proxies in Netscape so your clients'
Netscape browsers will try an ordered string of proxies to download a requested
object. The browser will try them in order, working through the list until
it finds the object, runs out of systems to try, or hits the keyword DIRECT
and tries to connect to the source directly as a result. The Javascript
remembers any failures and only retries the other systems a maximum of once
per half hour.
This results in a high success rate for retrieving pages.
The Netscape proxy auto configuration format is documented at http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
How do users configure browsers to use AAPT's cache directly?
Instructions can be found here
Should I set up my own cache?
It is a very good idea to set up your own cache; it will improve the speed
of service to your customers even more and will further reduce your traffic
costs, because requests satisfied by your cache do not travel to Connect,
reducing the amount of bandwidth you use.
How do I protect against my own cache failing?
If you implement your own cache you should set up a Netscape auto configuration
file which directs your users to AAPT's proxy if yours should fail (see
above).
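An auto-configuration file of the kind described in the multiple-proxies answer and in this failover answer, as an added example that is not part of the original FAQ. The local cache cache.example.net:3128 is hypothetical, proxy.connect.com.au:8080 is the address given on this page, and chooseRoute is a simplified model of the browser behaviour the page describes, not browser code.

```javascript
// Added example. cache.example.net:3128 is a hypothetical local cache;
// proxy.connect.com.au:8080 is the AAPT cache address given on this page.
var CHAIN = "PROXY cache.example.net:3128; PROXY proxy.connect.com.au:8080; DIRECT";

// Browsers provide isPlainHostName(); this stand-in is only used outside one.
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}

// The PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";          // intranet names skip the caches
  if (url.substring(0, 5) === "http:") return CHAIN;   // own cache, then AAPT's, then origin
  return "DIRECT";
}

// Simplified model of the browser side as this page describes it: walk the
// list in order, skipping entries that failed within the last half hour.
var RETRY_MS = 30 * 60 * 1000;
function chooseRoute(chain, failedAt, now) {
  var entries = chain.split(";").map(function (s) { return s.trim(); });
  for (var i = 0; i < entries.length; i++) {
    var last = failedAt[entries[i]];
    if (last === undefined || now - last >= RETRY_MS) return entries[i];
  }
  return null; // every entry is currently marked failed
}

// Constructed scenario: the local cache failed at t = 0.
var failures = { "PROXY cache.example.net:3128": 0 };
var chain = FindProxyForURL("http://www.example.org/index.html", "www.example.org");
console.log(chooseRoute(chain, failures, 10 * 60 * 1000)); // 10 minutes after the failure
console.log(chooseRoute(chain, failures, 31 * 60 * 1000)); // 31 minutes after the failure
```

If the router access list from the earlier answer is in place, the final DIRECT entry cannot reach port 80 from client machines, so the fallback effectively ends at AAPT's cache.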
Should TTL (time to live) settings be used?
TTL settings allow you to control how long objects stay in your cache. They
should be set according to object type to maximise the efficiency of your
cache. Hypertext (.html) objects should have a low TTL while most others
can be set higher.
If you do not use TTL settings, pages may become outdated in the cache. Your customers will realise this and reload pages in order to ensure they have up-to-date data, defeating the purpose of having a cache.
What are the advantages of establishing neighbour relationships with local Squid caches?
By establishing neighbour relationships with local Squid caches you have
access to more cache disk space caching more pages. This will increase the
speed of your service, as more pages can be accessed locally.
Where can I find more information?
The following Web pages provide useful information related to caches
and proxying:
Where can I find more information about Squid?
The Squid home page is located at http://www.nlanr.net/Squid/.
You can find a large amount of documentation and support there, including
addresses for mailing lists for Squid support and discussion.
Is there a commercial version of the Harvest caching software?
A commercial version of Harvest is available under the name 'Cached'. For
further information refer to http://www.netcache.com/
What is the load share device?
The load share device is a Cisco Local Director. More information on this
device can be obtained from:
How does it work?
The load share device implements a virtual machine, which forwards requests to the server with the least connections. The server which is
currently running the fastest will service the majority of the
connections.
What happens if the load share device fails?
We have installed a second ethernet interface in one of the proxy servers
which bypasses the load share device. If the load share device is down,
an automated script shuts down the interface connecting the server to the
load share device and then enables the bypass interface. The script then
attaches the real address of the machine plus the address of the load share
device to this interface. The maximum down time in
this situation is five minutes.
What is the failover time?
If a cache fails, the load share device detects that there are no return
packets for a connection and reassigns the connection to the other server(s).
It then periodically sends packets to the disabled server and continues
to re-assign the connections until the server responds. The decision
to re-assign a connection takes less than 5 seconds.
Can one server handle all the requests?
Each server has the capacity to handle the full traffic load generated by
AAPT's customers. If one server fails, the service will continue but
service may degrade slightly because those pages stored in the downed cache
server will be fetched from their source rather than being available from
the cache.
Why are there problems accessing certain URLs?
If you have problems accessing certain URLs, consider the following:
Why can't I access a site which I have permission to access?
If a site is configured to allow access from specified IP addresses only,
requests made via a proxy are rejected because the request for the page
comes from the proxy rather than the original machine making the request.
This is a problem with the setup of the site rather than with the proxy
configuration.
Authentication based on source IP address is unreliable as an authentication technique. There have been many published versions of source code made available to the general public which show how to thwart such a form of defense very easily. At most, source address based authentication provides a nuisance to a determined intruder.
The access controlled site could use passwords for a similar level of security. Another security method is secure http (https) as an alternative to source based authentication.
Why don't URLs with spaces in them work?
Squid handles spaces in a URL according to the standard HTTP specification,
which requires all spaces to be represented as %20. Although this
is the standard, some browsers allow spaces in URLs anyway. Even if your
browser has accepted spaces previously, the Squid proxy does not. If you
wish to access a URL which contains spaces, ensure you replace all spaces
with %20 when you type it in. If you have stored any URLs which
contain spaces in your bookmarks you will need to bookmark them again or
manually edit the URL stored in the bookmark. Your browser's help files
will provide instructions on manually editing bookmarks if that facility
is provided.
Can Java applets be used via the proxy?
Java applets can be downloaded through the proxy. These applets can then
create any necessary network connections.
How can a corrupted page be reloaded?
A page may be corrupted if a previous user interrupted its transmission
and an incomplete page is stored in cache, or a user may wish to download
a new copy of a page to ensure it is the most up-to-date.
In Netscape Navigator, hold the Shift key and press Reload (Macintosh users should use option instead of shift). Netscape sends a special code causing all proxies on the way to bypass the cache, go directly to the source and cache the result.
Currently, Internet Explorer does not implement this facility. If you run a Squid server, you may also use the Cache Manager, cachemgr.cgi, which allows you to force a refresh of a cached object.
What if the file still can't be accessed?
If none of these answers explain the problem, contact Connect
Support with a description of the files you are trying to access. Support
will ascertain the nature of the problem and rectify it if it is within
AAPT's control.
Copyright © AAPT Limited