
shdesigns Powered By Infinite Improbability Drive Premium join:2000-12-01 Stone Mountain, GA
·Atlantic Nexus
Re: Sufficient Server?

A PIII is fine for WINS and DNS server. I have a dual-PIII/512meg as a file/mail/wins/web/irc/eggdrop/dnscache server and it uses no swap and is hardly worked. It serves files via a gigabit card at over 50Mbytes/sec.

If by PVC you mean VPN, then if you add the server IP as a WINS server in the clients, then they will all be able to access PCs by name.
tonymontana
join:2001-11-01 Caldwell, NJ
Re: Sufficient Server?

thanks i figured as much since keeping a wins db and dns resolver cache don't seem like resource hogs. i plan on upping the ram once i can dig up another 256 stick

by PVC i mean private virtual circuit fractional t1 frame relay links. we have 7 remote stores with much smaller workgroups from 2-8 PCs. i believe this is doable too and the traffic generated by registering with the WINS server, and dns queries should be negligible right? It's critical that this doesn't impact the connection between the stores and the terminal server. Right now there is no netbios resolution since the LAN segments are contained within PVC links so all connections to the terminal server, and file server are done by their private ip's. DNS queries all go to the same isp dns server.

now question 3. SQUID cache with the ram upped to 512 and let's say all 80-90 PCs connected what kind of performance can i expect. the hard drive is 40gb ata100 7200rpm 8mb and i should have lots of room for the cache since only base,ssh,bind,samba, and squid are installed. As it stands users have no restrictions on internet usage and from what i've seen users are actually too busy and more mature than to spend any time downloading/streaming. there is one critical java app that accesses a 3rd party website, but i believe that is just for login authentication and local download of db. what type of impact if any would this have on our PVC? i've never set up squid before how well does it handle https sessions?
leibold Premium,MVM join:2002-07-09 Sunnyvale, CA
Re: Sufficient Server?

said by tonymontana: what type of impact if any would this have on our PVC?

You don't describe the topology change well enough to answer that question properly.

Possibility 1: the 7 remote locations currently make direct Internet access through their ISP connection and only traffic targeted for the main office traverses the PVC. By changing the Internet access from the remote sites to go through the main office, traffic through the PVCs will increase. Whether or not squid is used at the main office is completely irrelevant in this case since even cached content will go repeatedly through the PVCs. The only way to reduce some of the traffic increase would be squid caches at all the remote locations. The effectiveness of that would depend on the type of Internet accesses made. Some Internet content is really not cacheable, much more Internet content is marked not cacheable to cause browsers to always download the latest ads!

Possibility 2: the only Internet access for the remote sites is already only by going through the main office network. In this case there will be no increase in traffic on the PVCs and by caching static content on the squid server you will reduce some Internet bandwidth for the main office Internet connection.

said by tonymontana: i've never set up squid before how well does it handle https sessions

It handles them really well, but there are a few things you should be aware of:

- secure content from https sessions is not cached. The main reason to use the proxy is therefore not valid with https sessions. It is still commonly done because squid also provides logging and access controls which are still meaningful even without caching. However if you don't need logging or access controls, why bother squid with the https traffic?

- there are two ways a browser can use a proxy server for an SSL (https) connection. The common way is to use the CONNECT request which establishes a transparent pipe between browser and destination server. In this case squid only passes the bytes back and forth and does not attempt any interpretation of their content (which would be rather difficult since they are encrypted). Encryption/decryption takes place in the browser and the web server and does not involve the proxy server.

  However it is also possible for squid to terminate SSL connections. This is less common and as far as I know works by the browser making normal GET/POST requests with a https url. In that scenario the traffic between browser and proxy server is unprotected (usually not an issue since it is on the local lan especially if it is switched ethernet). More importantly the task of encryption and decryption moves from the browser to the proxy server. If several users make SSL connections in that way it would result in significant cpu load on the proxy server.

  I'm not aware of any modern browser that does not support the CONNECT method, but perhaps some may fall back to the second method if CONNECT does not work (perhaps because you decided to block certain sites? In that case be sure to block all request methods and not just CONNECT).
P.S.: Be prepared to be amazed how quickly your squid cache grows!

--
Got some spare cpu cycles? Join Team Helix or Team Starfire!
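
Added example, not part of the original posts: a squid.conf access-control fragment illustrating the last point in the reply above, with a site block scoped only to CONNECT shown beside one that applies to every request method. The domain .blocked.example and the 192.168.0.0/16 client range are constructed placeholders, and the ACL names are arbitrary.

```conf
# --- ACL definitions (constructed values, adjust to the local network) ---
acl localnet      src 192.168.0.0/16        # LAN clients allowed to use the proxy
acl SSL_ports     port 443                  # ports CONNECT may tunnel to
acl CONNECT       method CONNECT            # matches only the CONNECT method
acl blocked_sites dstdomain .blocked.example

# Weak form (left commented out): the deny line requires BOTH acls to match,
# so it only stops CONNECT tunnels. A request for the same site that arrives
# as GET or POST does not match it and falls through to the allow rule below.
# http_access deny CONNECT blocked_sites

# Corrected form: no method acl on the line, so the block applies to
# GET, POST, CONNECT and every other request method alike.
http_access deny blocked_sites

# Keep CONNECT limited to the expected SSL port, then apply the normal policy.
# http_access rules are evaluated top to bottom and the first match wins,
# so the site block must stay above the allow rule.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Requests refused by these rules appear in squid's access.log with a TCP_DENIED result code, which is a quick way to confirm the block matches both CONNECT and non-CONNECT requests.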