RE: [squid-users] advice for proxy architecture

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 14 Jan 2005 10:01:18 -0900

> -----Original Message-----
> From: lderuaz@free.fr [mailto:lderuaz@free.fr]
> Sent: Friday, January 14, 2005 1:50 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] advice for proxy architecture
>
>
> Hello to all,
>
> Here is my squid architecture:
> I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0.
> I've got two internal proxies on which the NTLM authentication of the
> users is performed. They are configured to forward requests to some remote
> proxies (in other sites of the company), or to two redundant external
> proxies used for internet access.
>
> I am studying how to optimise my proxy architecture, and am looking for
> advice.
>
> Based on your own experience, is it better to keep architecture 1:
>
> Client <--> internal proxies <--> FW <--> External proxies <--> Internet
>
> or architecture 2:
>
> Client <--> internal proxies <--> FW <--> Internet
>
>
> Do you find some particular advantages to having additional external
> proxies (in terms of performance, security, ......)
>
> or do you think that having only two internal proxies for all traffic
> (remote site, internet traffic) is sufficient and not risky?
>
> Thanks in advance for your help.
>
> Lionel

From my experience, parent proxies give diminishing returns. The customer
premise proxies are achieving ~50% hit rates (both byte and request), but
the central parent proxies struggle to achieve 15% hit and almost never rise
above 5% byte. OTOH, the central servers would not be hurt (and would
likely be greatly helped) by increasing their cache space. YMMV.

As for security, the more boxes you have, the more targets you have for
attack, and dependent on your firewall setup, putting boxes outside the
firewall just makes them more vulnerable.

Without knowing the exact details of your situation, I would advise keeping
it simple (go with architecture 2).

Chris
Received on Fri Jan 14 2005 - 12:02:41 MST
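
The request and byte hit ratios quoted in the reply can be measured per proxy tier from Squid's native access.log before deciding whether an extra parent layer is worth keeping. The following is an added example, not part of the original message: the log lines are constructed, `hit_ratios` is a hypothetical helper name, and any `TCP_` result code containing `HIT` is assumed to count as a hit.

```python
# Added example: request and byte hit ratios from Squid's native access.log.
# Native format fields:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type

# Constructed sample lines (not taken from any real proxy).
SAMPLE_LOG = """\
1105729278.101 120 10.0.0.11 TCP_MISS/200 10000 GET http://example.com/a - DIRECT/192.0.2.10 text/html
1105729279.202   3 10.0.0.12 TCP_HIT/200 2000 GET http://example.com/b - NONE/- image/gif
1105729280.303   1 10.0.0.13 TCP_MEM_HIT/200 1000 GET http://example.com/c - NONE/- text/css
1105729281.404 250 10.0.0.11 TCP_MISS/200 7000 GET http://example.com/d - FIRST_UP_PARENT/192.0.2.20 text/html
1105729282.505   0 10.0.0.20 UDP_MISS/000 60 ICP_QUERY http://example.com/e - NONE/- -
truncated line
"""


def hit_ratios(lines):
    """Return request and byte hit ratios for HTTP (TCP_*) log entries."""
    requests = hits = total_bytes = hit_bytes = 0
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # truncated or malformed entry
        action = fields[3].split("/", 1)[0]
        if not action.startswith("TCP_"):
            continue  # ICP (UDP_*) exchanges between peers are not client requests
        try:
            size = int(fields[4])
        except ValueError:
            continue  # size field is not a number
        requests += 1
        total_bytes += size
        if "HIT" in action:  # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, TCP_REFRESH_HIT, ...
            hits += 1
            hit_bytes += size
    return {
        "requests": requests,
        "request_hit": hits / requests if requests else 0.0,
        "byte_hit": hit_bytes / total_bytes if total_bytes else 0.0,
    }


if __name__ == "__main__":
    stats = hit_ratios(SAMPLE_LOG.splitlines())
    print("requests: %d" % stats["requests"])
    print("request hit ratio: %.1f%%" % (100 * stats["request_hit"]))
    print("byte hit ratio: %.1f%%" % (100 * stats["byte_hit"]))
```

Running it separately over the internal and the external proxies' logs shows how much traffic each tier actually absorbs.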
