Slashdot Mirror


Reverse/Server-Side Proxy Caching for Windows?

frooyo asks: "I'm currently looking for a good reverse proxy caching solution (server-side caching) for the Windows platform. This would be used as a transparent proxy between the corporate website and the outside world. Products that I have seen available include: Microsoft ISA server, Squid for NT and some others. I'm not completely opposed to using a non-Windows platform for this type of solution, but I would prefer a Windows solution. I need a product that handles middle-large numbers of current users (10-30) with ease on one server. Additionally, features such as caching pools and easy handling of FTP connections (since this will be used as a 'transparent' proxy) would be a much needed benefit."

35 comments

  1. Squid is good by Earlybird · · Score: 5, Informative
    Squid is a very good, well-designed, highly configurable proxy server implementation. I have not gauged its performance against other implementations, but performance, at least on Linux, seems entirely reasonable. It is popularly used to cache Zope sites.

    Being a relatively ancient open-source Unix program, it adheres religiously to standards, and will correctly use headers such as Expires and Cache-Control to maintain cache coherence; Squid will correctly cache anything with a Last-Modified header.

    Additionally, it supports upstream commands allowing your web server to tell Squid to invalidate cache records when content changes; you can implement this easily in server-side languages such as PHP, Java or Python (Zope's caching machinery supports this transparently).
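
How a shared cache in front of the web server turns the headers mentioned in the comment above (Expires, Cache-Control, Last-Modified) into a store-or-revalidate decision. This is an added example, not part of the original thread and not Squid's code: it follows the RFC 7234 freshness rules, and the function names, the 10% heuristic constant and the sample headers are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

# Assumption: RFC 7234's suggested heuristic, 10% of the time since Last-Modified.
HEURISTIC_FRACTION = 0.10


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def _http_date(value):
    """Parse an HTTP date; return None when it is missing or malformed."""
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None


def shared_cache_lifetime(headers):
    """Seconds a shared (reverse-proxy) cache may serve a response unvalidated.

    None means "do not store at all"; 0 means "revalidate on every use".
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return None  # per-user or sensitive content must not land in a shared cache
    if "no-cache" in cc:
        return 0
    for directive in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if directive in cc:
            try:
                return max(0, int(cc[directive]))
            except (TypeError, ValueError):
                return 0  # malformed value: treat the response as stale
    date = _http_date(h.get("date"))
    if "expires" in h:
        expires = _http_date(h["expires"])
        if expires is None or date is None:
            return 0  # an invalid Expires such as "0" means already expired
        return max(0, int((expires - date).total_seconds()))
    modified = _http_date(h.get("last-modified"))
    if modified is not None and date is not None:
        return max(0, int((date - modified).total_seconds() * HEURISTIC_FRACTION))
    return 0


# Constructed sample responses from a hypothetical CMS-backed site.
NOW = "Mon, 05 Jan 2004 12:00:00 GMT"
SAMPLES = {
    "cms_page": {"Date": NOW, "Cache-Control": "max-age=60, s-maxage=300"},
    "account_page": {"Date": NOW, "Cache-Control": "private, max-age=600"},
    "legacy_expires": {"Date": NOW, "Expires": "Mon, 05 Jan 2004 12:10:00 GMT"},
    "static_image": {"Date": NOW, "Last-Modified": "Sun, 04 Jan 2004 12:00:00 GMT"},
    "expires_zero": {"Date": NOW, "Expires": "0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:15} -> {shared_cache_lifetime(hdrs)}")
```

The `account_page` case is the one to check first when putting a cache in front of a site with logged-in users: a page that varies per user has to be marked `private` or `no-store` by the origin, or the proxy may hand one user's page to another.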

  2. What the hell are you asking by DA-MAN · · Score: 3, Insightful

    Both ISA Server and Squid do what you want?

    What is it exactly that you are asking? Is there a feature you need that these don't provide? Would you like us to write a config file for you?

    Please be specific enough for knowledgeable users to know what you are asking.

    I read this ask slashdot as 'I need to do x, found y and z that does x.' Also if you're only going to have 10-30 users, why bother doing a reverse cache? If your web server can't handle 10-30 users, a cache isn't going to help much.

    --
    Can I get an eye poke?
    Dog House Forum
  3. Re:troll. by Anonymous Coward · · Score: 1, Informative

    More evidence to attest to this is calling 10-30 middle to large numbers. ?!? Mid to large for our systems is in the several hundreds, not 10-30. Well, maybe for a Microsoft product 10-30 is middle to large; wouldn't know anymore, haven't used it in years. Maybe a P1 200 class machine with 256 mb of ram running FreeBSD and Squid is about right for this machine?

  4. Concurrent users by Earlybird · · Score: 2, Informative
    If your web server can't handle 10-30 users, a cache isn't going to help much.

    Depends on what the "web server" is; it might be expensive SQL stuff, for example. Or it might be a heavy-weight CMS thing; Plone's default skin gives me less than 10 hits/sec on a very fast SMP box, and the lack of speed is, amazingly, mostly in the templating system. This is a case where caching would help.

    10-30 concurrent users I interpret as meaning 10-30 requests per second. To put it in perspective: 10 req/s is 864,000 req/day. 30 req/s is 2,592,000 req/day. If every page in your system is 30 KB in size, then 10 req/s is equivalent to a constant bandwidth usage of 300 KB/s.

    1. Re:Concurrent users by DA-MAN · · Score: 2, Interesting

      Depends on what the "web server" is; it might be expensive SQL stuff, for example.

      Funny, I thought the same thing, but that wasn't in the post at all. My original post was mostly about how weird of a question, if it even is a question, this posting was.

      10-30 concurrent users I interpret as meaning 10-30 requests per second.

      I don't. Most browsers by default have 4 connections to a server, and 30 users would have 120 requests per second max. Now at most only 30 would be dynamic requests, unless the pictures are generated dynamically.

      To put it in perspective: 10 req/s is 864,000 req/day. 30 req/s is 2,592,000 req/day. If every page in your system is 30 KB in size, then 10 req/s is equivalent to a constant bandwidth usage of 300 KB/s.

      He said users 10-30 users not requests, stop changing the post's meaning. 10 - 30 users on any site is nothing. Think those ten users hit refresh every goddamn second of their lives to fill 300 KB/sec of bandwidth?

      --
      Can I get an eye poke?
      Dog House Forum
    2. Re:Concurrent users by Earlybird · · Score: 1
      Funny, I thought the same thing, but that wasn't in the post at all. My original post was mostly about how weird of a question, if it even is a question, this posting was.

      I don't think it's a weird question. A lazy and ill-formulated question, to be sure, but not weird.

      For my current project I will need to apply a caching reverse proxy myself, just so I can support the expected traffic.

      The "10-30 users" metric is useless without knowing the output of the web server. If the web server is able to sustain an output of hundreds of pages per second, you don't need a caching web server.

      He said users 10-30 users not requests, stop changing the post's meaning. 10 - 30 users on any site is nothing. Think those ten users hit refresh every goddamn second of their lives to fill 300 KB/sec of bandwidth?

      How does he know there are 10-30 users doing nothing? He doesn't. You don't. Nobody knows. It's a nonsensical metric.

      To illustrate, I could tell you my web server got a million users per second, only they weren't doing anything. See how meaningless this is as a statistic? You can only realistically track the number of page views.

      10-30 users per second means 10-30 users are at any time accessing the site. And accessing the site involves downloading a document or other page-related asset, not just sitting there doing nothing.

      Translating this into 10-30 requests per second gives you a useful lower bound. Graphics and other assets such as CSS further add to the numbers, but I was making a point.

  5. ISA by skinfitz · · Score: 3, Informative

    If you want a Windows solution then ISA is the way to go.

    It will handle reverse web proxying along with providing transparent caching etc.

    It's also very very easy to set up.

    If you want more specific info, try Thomas Shinder's site http://isaserver.org

    1. Re:ISA by matt_wilts · · Score: 2, Informative

      >If you want a Windows solution then ISA is the way to go

      Squid is also available for Windows - I have an issue where my company will not under any means run Linux servers, however, they have agreed that I (network manager) can run certain Open Source apps.

      Under Windows, Squid seems to work ok - I'm running the test server on a Celeron 333, with 128M of memory & 2 gig of cache under Windows 2000 Professional (i.e. it doesn't need a Windows server). It's currently handling about a dozen pilot users perfectly adequately, but I have pushed about 900 users through it in early testing & it held up OK.

      Matt

    2. Re:ISA by matt_wilts · · Score: 1

      (sorry if my post above is a little redundant - I didn't read the question properly)

      At the risk of talking to myself here - I just noticed the caching pool question - I understand that we can set up "sister" caches that cut down the amount of requests to upstream caches, thus sharing the load over a cluster of Squids whilst providing a larger "virtual cache".

  6. Dear Slashdot Users, by DrSkwid · · Score: 4, Funny

    My computer stopped working and when I phoned support they suggested changing something called a 'fuse' in my cable.

    The plug says to use a 13A rated fuse. I went to the shop and it seems they have all sorts of these fuses. I was wondering if any Slashdotters had tried different fuses and what success they had?

    Thanks.

    A Dork Esq.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  7. Novell's product by FistFuck · · Score: 2, Informative

    Check out iChain from Novell, it's relatively cheap and very fast. It's a reverse proxy appliance.

    It does much more than what you're looking for, but some of the multihoming functionality is incredibly handy.

    The per user licensing only matters if you use it to authenticate users.

    1. Re:Novell's product by Anonymous Coward · · Score: 0

      oh yeah- avoid ISA Server like the plague, I haven't seen it perform well in a reasonably loaded environment.

  8. Apache by mikecron · · Score: 1

    I use Apache's mod_proxy module for reverse proxying. It works very well, and if you have several upstream servers, you can use the very powerful mod_rewrite to map parts of the URL to different servers.

  9. Apache Mod_Proxy by DeBaas · · Score: 1

    First of all, to all that responded that 10-30 isn't much: the asker mentioned 10-30 _current_. I assume he (or she) meant concurrent. And that can, depending on what you mean by concurrent and on the type of website served, be a resource eater for which a reverse proxy can be an excellent tool.
    For those that don't understand this I suggest reading http://perl.apache.org/docs/1.0/guide/strategy.html Note that the advantage often is not caching but buffering.

    Furthermore, we use apache and mod_proxy for reverse proxy. It is a little more resource eating than squid, but it keeps server configuration nice and central since our sites are served by apache as well. I assume this will work nicely on Windows as well. Our company however uses only Linux (even on the desktops) so I cannot tell from experience how well this works using Windows.

  10. Go ask M$ by tab0wling · · Score: 0, Flamebait
    Hmmm.... I want a M$ solution, so I'll go ask a bunch of predominantly gnu/linux folks their advice. But I prefer the advice to lead me to a M$ product. Let's see, which speed dial did I have Linus on? Oops, that was Alan...

    Ok, now I need some help getting gcc to compile some stuff on my debian box. Let's see, which speed dial did I have Billy on again? Oops, that was Stevie.

    I know, I'm a smart@ss who is probably being harsher on you than you deserve. The community loves helping others and sharing the knowledge. It was just the way in which you said you would prefer a M$ solution that really seemed insulting. As if a FREE solution wasn't inferior.

    1. Re:Go ask M$ by zero_offset · · Score: 1

      So far, your post is the only thing insulting in this entire thread.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

    2. Re:Go ask M$ by Anonymous Coward · · Score: 0

      It was just the way in which you said you would prefer a M$ solution that really seemed insulting. As if a FREE solution wasn't inferior.

      What he meant by "MS solution" was he wanted his existing Windows box to do the job, not go out and get another box.

      He did mention Squid, which is free.

      So, you are not being a smartass, after all. You are being a dumbass.

    3. Re:Go ask M$ by tab0wling · · Score: 0

      Really, I can't seem to find the sentence where he claims he wants to run it on the same box. What he does say is that he's considering "Squid for NT." Note the "NT" at the end of that. That means squid will run on his existing platform. According to your logic, this should make him happy. But it doesn't.

  11. Why? by Gothmolly · · Score: 1

    You have money, time, and rackspace to burn setting up a reverse-proxy for your webserver, but no resources to devote to your actual webserver? Beef up the webserver, upgrade IIS, team your NICs, do something to fix the problem, not the symptom.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Why? by DeBaas · · Score: 1

      Where does it say that he has the money etc.? Reverse proxy can be installed on the same machine as the webserver itself and still be beneficial. Not everybody is serving static html files.

    2. Re:Why? by psycho_tinman · · Score: 1

      Even if you have all of that money and more to burn on webservers, a reverse proxy is still a good option and sometimes a better way to spend your cash.

      Back in the dot com era, I had to work with near offshelf commodity hardware for the most part. The only specialist servers I had were the webservers (and servlet containers) running (I didn't make the decision, so don't flame me :) IIS. 20-30 concurrent connections off Loadrunner, and the CPU on the webserver maxes out (mostly because of the servlet container, to be fair). So, while the highly paid CTO types were off ordering more Dell servers, I got together with the main network admin and put in 3 RedHat 7.0 Squid machines to reverse proxy. These were mere 500MHz Intel machines, with some extra RAM popped in.

      Net result: they canned the orders for the servers, and just ordered a load balancer (FreeBSD based specialized device, which cost about $400, IIRC). The webservers now handled twice the load without even running hot. We stopped testing after 100 concurrent connections (because the site never got that kind of traffic anyway, it wasn't Slashdot).

      My answer to the original question: if you *must* stick with Win32, then use ISA. That wasn't an option for me at the time, but subsequent gigs made me realize that ISA can get the job done. But if you have dedicated machines for reverse proxy, please DO use Squid (running on a Unix-ish OS, don't buy into the myth that the NT version runs as well, it doesn't), or use mod_proxy on Apache.

      Heh, you can still find one of my log analyser tools and a sample config for Squid posted on the mailing list archives. It's ridiculously easy to set up.. just try it.

    3. Re:Why? by lifeless · · Score: 1

      Please don't spread unneeded FUD... The NT port of squid is well maintained, Guido does a great job, and we're hoping before too much longer (3.1/3.2) to have it fully integrated. Oh, and squid/NT is more flexible than ISA any day of the week. Performance wise, 10-30 concurrent users of any web application I've seen translates to way less than 30 requests per second (rule of thumb from experience), which is well within squid/NT's performance envelope.

      -Rob

    4. Re:Why? by psycho_tinman · · Score: 1

      First and foremost, if I gave anyone the impression that I am disparaging the development work being done on Squid/NT, I apologize, such was not my intention in the slightest. I know that a good job is being done on it (because I occasionally evaluate it, I WANT choice in reverse proxies for Win32)

      However, I still stand by my previous comments. Squid/NT is *not* as stable and not as scalable as the Unix based versions. Do I have documented statistics for this? No, I do not. YMMV. I've run more than half a dozen reverse proxy deployments (2 of them were in the 200+ req/sec range) and this is what I've observed. I've met more than a few people who've told me that it is (hence my use of the term "myth", which it is).

      Further, I prefer the flexibility that Squid offers.. If I had any choice in the matter, I definitely wouldn't push for ISA, but please stop spreading FUD of your own by implying it doesn't do its core job (of proxy and reverse proxy) as well as Squid. It gets the job done. I prefer not to hit against one of the published limitations of Squid/NT and find out ONLY after I put it into production.

      thanks for listening.

  12. Friends don't let friends use ISA Server. by Ayanami+Rei · · Score: 1

    Put yourself out and lash a few aging machines into a peered virtual cache/distributed front end using Squid.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  13. Write a TCL script by EvilTwinSkippy · · Score: 1
    TCL has HTTP and FTP handling capabilities, as well as the ability to open and respond to server sockets.

    Code for an HTTP proxy is easily googleable. FTP would be a little more effort, but once you understand the principles...

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
    1. Re:Write a TCL script by Anonymous Coward · · Score: 0

      Wow. Just what we needed -- a TCL troll. :P

      Let us know when your sweet TCL-based proxy server is up on Sourceforge, dood.

  14. try xCache by Glog · · Score: 3, Informative

    Try xCache - I've used it before and it's quite good: http://www.xcache.com/home/default.asp

    Many Fortune 500 companies use it.

  15. Clearifications by frooyo · · Score: 4, Informative

    Yes, the article was meant to say concurrent users. And yes, the current website is driven by a large CMS where all pages are dynamic (all content resides in a database).

    So after some clarification, what are people's experiences with ISA or Novell's Volera (which I have heard very good things about) and any other caching solution?

    Does /. use a caching server? If not, why not?

    1. Re:Clearifications by lifeless · · Score: 1

      I haven't used volera, but AIUI it's derived from bordermanager, which in turn harks from the Harvest project - the same place squid came from. Bordermanager has been sweet every time I've used it, but not substantively different from Squid. ISA however, doesn't share that same heritage. It's also a bundle of products, of which you'll probably only want one bit... the proxy.

      -Rob

    2. Re:Clearifications by mfarver · · Score: 1

      AFAIK slashdot does not cache, but instead builds static pages from the dynamic content at regular intervals. Logged in users see a dynamic page, but most users just see the static page that is built from dynamic content.

      IMHO if content is not different for each user it is not really dynamic. (Plenty of sites are dynamic because they can be, not really because they should be). Even if it is mostly static with just a few dynamic elements (like a Welcome: *username*) see if your content system supports precompiling templates or the like.

      If your content changes slowly, and you're just using the db stuff to ease administration and content management, consider doing a pull from the CMS to static files.

      Almost all webservers are tuned to stream data from disk to net _fast_. An apache box in a low end Pentium system can saturate a T1 pretty easily serving dynamic content. Almost all modern hardware should be able to do much more.

      Another option is to speed up the database stuff... 20-30 concurrent users isn't all that much. Have you implemented connection pooling, and properly tuned your indices for the more common queries? (Some db servers cache queries quite well). For example, Oracle connections can take up to 2 seconds, and an average of about 500ms to set up. If you are creating and destroying a db connection for each page request, it really slows things down... connection pooling means only connecting to the db at first page load.

      Otherwise, just use squid. It works. I would recommend setting up a linux box on some outdated piece of hardware. Yeah, it's not Windows, but this is going to be an appliance-like application. Just set and forget. You gain the added advantage that the squid/linux box will diversify your network a bit, and it protects IIS against many attacks.

  16. Wholeheartedly Recommend ISA by seigniory · · Score: 4, Informative

    I have to say, I've been using ISA for 2+ years now and am very familiar with its capabilities & performance.

    ISA's proxying is great, but does cost $$$ on top of your Windows 2K licensing and Hardware. Here's the setup of every ISA box I've spec'd in the last few months:

    1. Dell GX50 Celeron 1GHz, 1GB RAM, 20GB 7.2k RPM HD, Adaptec 4-port NIC. About $900
    2. Windows 2000 Server. About $800
    3. MS ISA Server. About $1100

    Total: about $2800

    That said, it's expensive for use as "just a proxy". ISA offers much much more which is why I recommend using it in a more fully featured fashion. If you're planning on leveraging the Firewall, VPN, Secure-NAT, and PPTP Pass through capabilities at the same time, by all means, I can't recommend a better small/medium business security device.

    (FWIW: ISA is the only commercial firewall I know that can do both PPTP and L2TP/IPSec in a NAT configuration with more than 1 connection at a time on the same external IP address - true that PIXs and similar ones can do PPTP through NAT, but you need a 1:1 mapping ratio for private to public IPs to do it. I've had over 150 private IPs set up simultaneous PPTPs through my ISA box on a single external IP, but I digress...)

    ISA's proxying is surprisingly fully-featured. Want to scan all uploads & download for viruses? No problem, ISA's got a ton of plugins. Want to harden security on a single box instead of 10 individual web servers? No problem, apply all kinds of rules to the proxy service and block or allow things at the file or even mime-type level. Want to use NT/AD user certificates on Apache or non-IIS servers? No problem... with Feature Pack 1, ISA will provide authentication based on all these and "non-MS-ize" the auth data to your backend servers. Want redundancy? Just add another ISA server in array mode - 2 boxes, single config point, double the performance,

    There's so many other ISA features to mention. I can't say enough good things about it. My only wish list item is better logging.

  17. Novell BorderManager by Anonymous Coward · · Score: 0

    Novell BorderManager's cache servers are the fastest ones available. According to the cache server bake-off reports I've read, I believe BorderManager consistently wins.

    However, last I looked, BorderManager's firewall doesn't live up to modern standards. It doesn't do stateful connection tracking, and it's probably only twice as secure as an NT/2000 box exposed to the Internet. Still, it's great at what it does, so if you're willing to spend the money, go with it and use its cache servers. If you need greater security, put it behind another firewall, such as a properly configured Debian box, or an OpenBSD system.

  18. Re:troll. by kcurrie · · Score: 1

    Maybe a P1 200 class machine with 256 mb of ram running FreeBSD and Squid is about right for this machine?

    At my kids school (a little under 400 people) I'm running squid on a P200 with *96MB* of RAM with absolutely no issues at all. The machine is mostly idle, and the load only goes up due to the snort and afick processes also running on the host :-)

    --
    -- I speak only for myself.
  19. Squid for *nix by Raven42rac · · Score: 1

    Just use Squid for *nix. You can use any old box you have laying around. You don't even need an x-window-environment. You can do everything from the CLI. I use it for a 250 user network and it works splendidly. Squid=$0. Your favorite Linux distro. (Don't want to start a war, but look at Debian, easy to update/secure/install programs.)=$0. Old PC laying around =$0. So $3,000 vs. $0 and you would have to do the same amount of reading and studying up on both. $3,000 could buy an awful lot of better things.

    --
    I hate sigs.