Re: [squid-users] Dynamic Client Bypass

From: Francisco Obispo <fobispo@dont-contact.us>
Date: Wed, 17 Jul 2002 16:15:34 -0400

Joe Cooper wrote:

> Henrik Nordström wrote:
>
>> Francisco Obispo wrote:
>>
>>> Is there a way to implement Dynamic Client Bypass as specified in
>>>
>>> http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/net_cach.htm#xtocid13
>>
>>
>>
>> Yes, by writing a small daemon that monitors Squid access.log for
>> such errors, and reconfigures the TCP interception on the Host where
>> Squid is running to not intercept traffic for the detected
>> client,server IP pair.
>>
>> No changes to Squid are really needed for doing this.
>>
>> If you are using Linux-2.4 iptables then look into the ippools
>> iptables feature (in iptables patch-o-matic). Should make these kinds
>> of rules easier.
>
>
> Worth noting: Francisco is using WCCP. This presents the additional
> problem of how to get past the router without the packet being
> redirected back to the cache in a theoretical infinite loop, because
> the IP when routing through the cache machine will remain the client
> IP. The only way around this I know of is to use policy routing on the
> router, wherein the last-hop is checked and WCCP is bypassed if the
> cache is the last hop. As I understand it, the ability to route based
> on last-hop is not a common feature on most Ciscos and requires an
> upgrade to an advanced policy routing module (I don't know enough
> about Cisco routers or the various IOS branches to know the specifics
> of this).

Well... I wonder how the Cisco Cache Engine deals with this... because
according to
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/net_cach.htm#xtocid13

<CiscoSite>
if the server responds to the cache engine with certain HTTP error
return codes (such as 401-Unauthorized request, 403-Forbidden, or
503-Service Unavailable), the cache engine will invoke the dynamic
client bypass feature. The cache engine will dynamically store a client
IP-destination IP address bypass pair, so that future packets with this
IP address pair will bypass the cache engine. The cache engine sends an
automatic HTTP retry message to the client's browser.

</CiscoSite>

it doesn't say anything about the router being involved in the
process... also, the Cisco Cache Engine will send an automatic HTTP
retry message, which in this case has to be sent by Squid, which has the
active connection with the client.

I don't see an easy solution to this... except ACLs in the router, which
will lead to maintaining a very very large list of sites with IP-based
authentication. :^/

-francisco
Received on Wed Jul 17 2002 - 14:15:41 MDT
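The log-watching daemon Henrik sketches above, as an added example that is not part of the original thread and not Squid's or Cisco's code. It reads Squid's native access.log format, picks out replies where the origin server (not Squid itself) answered 401, 403 or 503, and builds the iptables commands that exempt that client/server pair from interception. It assumes the Squid host intercepts with the usual `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128`, so an ACCEPT inserted ahead of that rule in nat/PREROUTING makes the pair's packets skip the redirect. The sample log lines are constructed, not captured traffic; the `--apply` flag and the filtering rules (DIRECT only, no TCP_DENIED) are this example's choices.

```python
"""Dynamic client bypass for an intercepting Squid on Linux (added example, not Squid code).

Finds access.log entries where the origin server answered 401/403/503 and emits
iptables rules exempting that (client IP, server IP) pair from interception.
Assumed interception rule on the Squid host:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
An ACCEPT inserted (-I) ahead of it in nat/PREROUTING ends NAT processing for
that pair, so their packets are forwarded untouched.
"""
import ipaddress
import re
import subprocess
import sys

# Squid native log layout (space separated):
#   time elapsed client code/status bytes method url ident hierarchy/peerhost type
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)(?:\s+(?P<type>\S+))?$"
)

# Status codes that trigger a bypass, per the Cisco text quoted in the thread.
BYPASS_STATUS = {401, 403, 503}

# Constructed sample access.log (not real traffic) covering the cases that matter.
SAMPLE_LOG = """\
1026936934.123    250 192.168.1.10 TCP_MISS/401 1234 GET http://intranet.example.com/ - DIRECT/10.0.0.5 text/html
1026936935.456     12 192.168.1.10 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1026936936.789      3 192.168.1.11 TCP_DENIED/403 1120 GET http://blocked.example.com/ - NONE/- text/html
1026936937.001    800 192.168.1.12 TCP_MISS/503 600 GET http://farm.example.com/ - DIRECT/10.0.0.9 text/html
1026936938.002    410 192.168.1.10 TCP_MISS/401 1234 GET http://intranet.example.com/login - DIRECT/10.0.0.5 text/html
1026936939.003    300 192.168.1.13 TCP_MISS/403 900 GET http://parent.example.com/ - PARENT_HIT/10.0.0.2 text/html
"""


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def should_bypass(rec):
    """True only when the error came from an origin server this host contacted directly.

    TCP_DENIED/403 is Squid's own ACL refusal (peer logged as NONE/-), not a server
    reply, and a reply relayed by a parent cache did not come from the origin; neither
    justifies punching a hole in interception (this example's conservative policy).
    """
    return (
        rec["status"] in BYPASS_STATUS
        and rec["hier"] == "DIRECT"
        and not rec["code"].startswith("TCP_DENIED")
        and _is_ip(rec["client"])
        and _is_ip(rec["peer"])
    )


def bypass_pairs(lines):
    """Collect the distinct (client IP, server IP) pairs that should bypass the cache."""
    pairs = set()
    for line in lines:
        rec = parse_line(line)
        if rec and should_bypass(rec):
            pairs.add((rec["client"], rec["peer"]))
    return pairs


def iptables_commands(pairs, chain="PREROUTING", port=80):
    """Build argv lists (never a shell string: log fields are attacker-influenced)
    inserting an ACCEPT for each pair ahead of the REDIRECT rule in the nat table."""
    cmds = []
    for client, server in sorted(pairs):
        cmds.append(["iptables", "-t", "nat", "-I", chain,
                     "-s", client, "-d", server,
                     "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"])
    return cmds


def main(argv):
    # Usage: bypass.py [access.log] [--apply]; without a path the constructed sample is used.
    paths = [a for a in argv[1:] if a != "--apply"]
    lines = open(paths[0]).read().splitlines() if paths else SAMPLE_LOG.splitlines()
    for cmd in iptables_commands(bypass_pairs(lines)):
        print(" ".join(cmd))
        if "--apply" in argv:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, only two pairs come out: 192.168.1.10 to 10.0.0.5 and 192.168.1.12 to 10.0.0.9; the TCP_DENIED/403 generated by Squid's own ACLs and the 403 relayed through a parent cache are deliberately ignored. A real daemon would tail the log continuously and remember the pairs it has already inserted so the rule is not duplicated on every retry. Note this only removes the interception on the Linux host; it does not address Joe's point about the router, since a packet the Squid host forwards unmodified still carries the client's source address and can be redirected again by WCCP unless the router is told not to redirect traffic arriving from the cache (on IOS versions that support it, `ip wccp redirect exclude in` on the cache-facing interface).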

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:17 MST