Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1072
Views
0
Helpful
4
Replies

CSS11501 + Squid as Reverse Proxy

drummerrj
Level 1
Level 1

‎11-30-2011 10:58 AM

Hi all,

I'm getting confused about a reverse proxy implementation using CSS11501 and Squid as a proxy engine.

My topology is as follows:

I have 2 public networks each one in its own VLAN.

- The VLAN1 - Have the IP range for content VIPs that are configured in CSS.

- The VLAN2 - Have the IP range for services that are behind the CSS.

The origin server is at the same network as the cache is, witch is VLAN2.

I've configured CSS following that documentation:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00800941e8.shtml

Follow my CSS service and content config:

service cache

  type transparent-cache

  ip address xxx.xxx.xxx.xxx

  no cache-bypass

  active

=========================

owner CACHE

  content cache_request_rule

    vip address xxx.xxx.xxx.101

    add service webcontent

    protocol tcp

    port 80

    url "/*"

    no persistent

    active

  content reverse_proxy_rule

    add service cache

    protocol tcp

    port 80

    url "/*" eql cache

    vip address xxx.xxx.xxx.103

    no persistent

    balance domain

    failover bypass

    active

  content web_server_rule

    vip address xxx.xxx.xxx.103

    add service webcontent

    port 80

    protocol tcp

    url "/*"

    no persistent

    active

===========================

When I test, I'm pointing my hosts file to make requests to the VIP configured for content "reverse_proxy_rule" witch have IP xxx.xxx.xxx.103

The cache is configured to reach the origin server at content "cache_request_rule" witch have the VIP xxx.xxx.xxx.101, for MISS content.

As I understand from the above document is the content "web_server_rule" is to provide the content in case the request doesn't match the EQL extension list rule.

Is there some missconcept, missconfiguration on that approach?

Best regards,

Fabiano Martins

Labels:
0 Helpful
4 Replies 4

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎12-02-2011 03:02 AM

Hi Fabiano,

At first sight, I don't see anything wrong with your configuration. Are you facing issues with it? If so, can you please give more details?

Thanks

Daniel

0 Helpful

drummerrj
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎12-02-2011 04:54 AM

Ok Daniel! Thanks!

So, the one of the issues I'm facing is that there are  no entries on cache logs during the requests. It looks like the eql  rules are not being applied and the client requests aren't getting the  cache.

The other thing is when I make a request from my  browser to test, the content takes too long to be delivered, and all  the files that match extensions listed in eql, are not being  delivered...

The troubleshooting section from the document listed on my first post, tells that if the "sh summary" command  doesn't show any hit on cache content rule, the problem is in the  cache. But, if I go to the cache console, and fire up a browser, I can  get the content perfectly, witch is to say that the cache can provide  the content that is in the orgin server and while I'm doing that I can  see entries on cache log (some MISS and HIT), indicating that the cache  is doing its own work.

Do you know tell me where  is the right place should I point the cache to get the content from  origin server? Should I point it to the content rule from CSS or  directly to origin server IP address that is in the same cache VLAN?

I'm sorry... I know the hole thing sounds confusing... But, that is the problem I'm facing.

Best regards,

Fabiano Martins

0 Helpful

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee
In response to drummerrj

‎12-02-2011 11:51 PM

Hi Fabiano,

The cache needs to point to the origin server directly, otherwise, if you point to the CSS, you are again going to be sent back to the cache, which will break connections.

At this point, I would suggest you to get simultaneous traffic captures on both sides of the CSS. It's the best way to see what is really happening with the connecitons.

Regards

Daniel

0 Helpful

drummerrj
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎12-08-2011 04:02 AM

Thank you Daniel!

I've pointed as you mentioned on previous post, and I captured packets on the cache and on the orgin server. It looks like the CSS is doing its work because I see traffic on both devices. What happens now is so curious:

The page loads but without the content that is declared on EQL...

So, I'll follow your advise and I'll capture traffic in every device and all involved interfaces. If I have another doubt, I'll post back here.

Thanks again!

Best regards,

Fabiano Martins

0 Helpful
Customers Also Viewed These Support Documents