Re: [squid-users] Dynamic Client Bypass

From: Francisco Obispo <fobispo@dont-contact.us>
Date: Wed, 17 Jul 2002 16:40:16 -0400

Ok... we'll run some test with telcom department to see how it does
tomorrow..

but what about the HTTP retry message?

-francisco

Joe Cooper wrote:

> Francisco Obispo wrote:
>
>> Joe Cooper wrote:
>
>
>>> Worth noting: Francisco is using WCCP. This presents the additional
>>> problem of how to get past the router without the packet being
>>> redirected back to the cache in a theoretical infinite loop, because
>>> the IP when routing through the cache machine will remain the client
>>> IP. The only way around this I know of is to use policy routing on
>>> the router, wherein the last-hop is checked and WCCP is bypassed if
>>> the cache is the last hop. As I understand it, the ability to route
>>> based on last-hop is not a common feature on most Ciscos and
>>> requires an upgrade to an advanced policy routing module (I don't
>>> know enough about Cisco routers or the various IOS branches to know
>>> the specifics of this).
>>
>>
>>
>> Well... I wonder how Cisco Cache Engine Deals with this... because
>> according to
>> http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/net_cach.htm#xtocid13
>>
>>
>> <CiscoSite>
>> if the server responds to the cache engine with certain HTTP error
>> return codes (such as 401-Unauthorized request, 403-Forbidden, or
>> 503-Service Unavailable), the cache engine will invoke the dynamic
>> client bypass feature. The cache engine will dynamically store a
>> client IP-destination IP address bypass pair, so that future packets
>> with this IP address pair will bypass the cache engine. The cache
>> engine sends an automatic HTTP retry message to the client's browser.
>>
>> </CiscoSite>
>>
>>
>> it doesn't say anything about the router being involved in the
>> process... also, the Cisco Cache Engine will send and automatic HTTP
>> retry message, which has to be sent in this case by squid which has
>> the active conection with the client.
>>
>> I don't see an easy solution to this... except acls in the router,
>> which will lead to mantain a very very large list of sites with
>> ip-based authentication. :^/
>
>
> Actually, there is one easy solution (which Henrik pointed out in a
> private email) which is to put the cache on another network interface
> which is not redirected via WCCP. This has its own potential pitfalls
> (minor and easily worked around, assuming you have a spare interface
> you can put your Squid machine on), but makes bypassing in the cache
> very easy. Using last-hop policy routing also works around it and
> prevents you from needing the access list to be maintained on the
> router. In these two cases (which are reasonable in many
> environments, but not all) all decisions for bypassing can be handled
> in the cache itself. Otherwise it gets complicated...and the
> situations where it gets complicated are the most common, in my
> experience.
Received on Wed Jul 17 2002 - 14:40:22 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:17 MST