Cisco ACNS Software Caching and Streaming Configuration Guide, Release 5.1
Chapter 6: Reverse Proxy Caching

Reverse Proxy Caching


This chapter explains reverse proxy caching and shows configuration examples relevant to a Content Engine that has ACNS 5.x software installed. This chapter contains the following sections:

Reverse Proxy Caching Overview

Configuring Reverse Proxy Service Based on WCCP

Configuring Reverse Proxy Service Based on a Layer 4 Switch

Configuring IP Spoofing in Reverse Proxy Mode


Note For complete syntax and usage information for the CLI commands used in this chapter, refer to the Cisco ACNS Software Command Reference, Release 5.1.


Reverse Proxy Caching Overview

In a regular proxy cache configuration, the proxy server acts as a proxy for the client. In the reverse proxy configuration, the reverse proxy server acts as a proxy for the server. Also, a reverse proxy cache stores specific content, whereas proxy and transparent caches store frequently requested content. Reverse proxy caches serve two primary functions:

Replication of content to geographically dispersed areas

Replication of content for load balancing

In a reverse proxy cache configuration, the proxy server is configured with an Internet-routable IP address. Clients are directed to the proxy server based on DNS resolution of a domain name. To a client, the reverse proxy server appears like a web server.

To ensure fast response times, maximize service availability, and withstand very high request rates or bandwidth demand, Content Engines with ACNS 5.x software installed can be deployed in front of a website server farm to offload traffic from busy firewalls and servers, helping to optimize the entire website infrastructure. This type of deployment is called web server acceleration, or reverse proxying. A Content Engine deployed in this manner is simply called a reverse proxy cache because the Content Engine is operating at the opposite end of the transaction, in front of the origin server.

ACNS 5.x software provides reverse proxy caching by allowing traffic redirection or interception to be performed by two types of devices: a WCCP-enabled router or a Layer 4 switch such as the Content Services Switch (CSS) 11000 series switch.

Configuring Reverse Proxy Service Based on WCCP

In the deployment scenario shown in Figure 6-1, the Content Engine interoperates with a router running WCCP Version 2 to bring reverse proxy service within the web server environment. In this deployment, the router interface connected to the Internet has an IP address of 192.168.1.1. All HTTP requests destined for the web server are routed to the router interface at 172.16.21.1. Upon receiving the HTTP request at this interface, the router transparently intercepts and redirects the request to the Content Engine with an IP address of 172.16.20.23. Thus, the Content Engine is logically in front of the web server, offloading web server HTTP traffic. The Content Engine sends a request to the web server only when it does not find the requested content in the cache.

Figure 6-1 Reverse Proxy Service with a WCCP-Enabled Router

To configure reverse proxy caching using traffic redirection through a WCCP-enabled router, refer to the following sections:

Configuring the Content Engine for Reverse Proxy Service

Configuring the Router for Reverse Proxy Service with Output Redirection

Configuring the Router for Reverse Proxy Service with Input Redirection


Note A redirect list on the router or a static bypass list on the Content Engine can be used to allow flows to bypass interception. These lists use criteria based on source and destination IP addresses.


Configuring the Content Engine for Reverse Proxy Service

To configure the WCCP reverse proxy service on a locally deployed Content Engine, follow these steps:

 
Step 1: Enables WCCP Version 2 on the Content Engine.
    ContentEngine(config)# wccp version 2

Step 2: Configures router list 1 with the address of the WCCP-enabled router.
    ContentEngine(config)# wccp router-list 1 172.16.20.1

Step 3: Instructs the Content Engine to run the WCCP reverse proxy service with the routers in router list 1.
    ContentEngine(config)# wccp reverse-proxy router-list-num 1

Step 4: Exits global configuration mode.
    ContentEngine(config)# exit

Configuring the Router for Reverse Proxy Service with Output Redirection

To configure the WCCP reverse proxy service on the router with output redirection on the interface facing the origin servers, follow these steps:

 
Step 1: Instructs the router to run the WCCP reverse proxy service. The reverse proxy service is identified by service number 99.
    Router(config)# ip wccp 99

Step 2: Specifies which router interface to configure. In this scenario, Ethernet 0/1 is the router interface to the web server.
    Router(config)# interface Ethernet 0/1

Step 3: Instructs the router to redirect TCP port 80 traffic leaving the specified interface to Content Engines that accept reverse proxy service. In this scenario, there is only one router.
    Router(config-if)# ip wccp 99 redirect out

Step 4: Exits interface configuration mode.
    Router(config-if)# exit

Configuring the Router for Reverse Proxy Service with Input Redirection

To configure the WCCP reverse proxy service on the router with input redirection facing the locally deployed Content Engines, follow these steps:

 
Step 1: Instructs the router to run the WCCP reverse proxy service. The reverse proxy service is identified by service number 99.
    Router(config)# ip wccp 99

Step 2: Specifies which router interface to configure. In this scenario, s0/0 is the router interface to the Internet.
    Router(config)# interface s0/0

Step 3: Instructs the router to redirect TCP port 80 traffic received on the specified interface to Content Engines that accept reverse proxy service.
    Router(config-if)# ip wccp 99 redirect in

Step 4: Exits interface configuration mode.
    Router(config-if)# exit

Configuration Examples—Reverse Proxy with Output Redirection

This section shows the configurations of the Content Engine and the router for the deployment scenario in Figure 6-1. The reverse proxy-related commands are the wccp commands on the Content Engine and the ip wccp commands on the router.

Content Engine

 !
 hostname ContentEngine
 !
 interface ethernet 0
  ip address 172.16.20.23 255.255.255.224
  ip broadcast-address 10.0.0.255
 exit
 !
 interface ethernet 1
 exit
 !
 ip default-gateway 172.16.20.1
 ip name-server 172.16.20.238
 ip domain-name cisco.com
 ip route 0.0.0.0 0.0.0.0 172.16.20.1
 !
 wccp router-list 1 172.16.20.1
 wccp 99 reverse-proxy router-list-num 1
 wccp version 2
 !
 end 

WCCP-Enabled Router

Current configuration:
 !
 version 12.1
 service timestamps debug uptime
 service timestamps log uptime
 no service password-encryption
 !
 hostname 2611-5
 !
 enable secret 5 $1$9VQ.$BTPbq8xlE2dsKwKPDDmpL/
 !
 !
 ip subnet-zero
 ip wccp 99
 !
 !
 interface Ethernet0/0
  no ip address 
  no ip redirects
  !
 interface Serial0/0
  ip address 192.168.1.1 255.255.255.224
  !
 interface Ethernet0/1
  ip address 172.16.21.1 255.255.255.224
  ip wccp 99 redirect out
!
 interface Ethernet1/0
  ip address 172.16.20.1 255.255.255.224
  !
 interface Ethernet1/1
  no ip address
  shutdown
  full-duplex
 !
 interface Ethernet1/2
  no ip address
  shutdown
 !
. . .
 ip classless
 !
 !
 line con 0
  transport input none
 line aux 0
 line vty 0 4
  login
 !
end

Configuring Reverse Proxy Service Based on a Layer 4 Switch

In the deployment scenario shown in Figure 6-2, the Content Engines interoperate with a router running WCCP Version 2 and a CSS 11000 series switch to bring reverse proxy service within the web server environment. In this deployment, the user sends the request to the CSS switch virtual IP address. All HTTP requests destined for the web server are routed to the CSS switch interface. Upon receiving the request at this interface, the CSS switch transparently intercepts and redirects the request to the Content Engine. Thus, the Content Engine is logically in front of the web server, offloading web server HTTP traffic. The Content Engine sends a request to the web server only when it does not find the requested content in the cache.


Note The sample solution shown here works only with particular web servers and in particular configurations. See Figure 6-2 for a network diagram that illustrates the topology used when you configure these devices.


Figure 6-2 Reverse Proxy Caching Network

Configuring the Content Engine for Reverse Proxy Service

To configure a locally deployed Content Engine for reverse proxy service behind the Layer 4 switch, follow these steps:

 
Step 1: Ensures that the Content Engine serves requests itself whenever possible instead of bypassing them under load.
    ContentEngine(config)# no bypass load enable

Step 2: Configures the Content Engine to accept traffic redirection from the Layer 4 switch.
    ContentEngine(config)# http l4-switch enable

Configuring the CSS Switch for Reverse Proxy Caching

Use the following CLI commands to configure a CSS switch for reverse proxy caching. The CSS switch must be in configuration mode in order to initiate configuration changes.


Note See the "CSS Switch Sample Configuration Output for Reverse Proxy Caching" section for a list of all configurable services and parameters needed. Refer to the CSS Advanced Configuration Guide for more information regarding caching with the CSS switch.


 
Step 1: Specifies the owner on the CSS switch.
    CS150(config)# owner cisco

Step 2: Creates a reverse proxy rule for the current owner.
    CS150(config-owner[cisco])# content RPCRule
    Create content <RPCRule>, [y/n]:y

Step 3: Adds Content Engine 1 as a service to the reverse proxy rule.
    CS150(config-owner-content[cisco-RPCRule])# add service ce1

Step 4: Adds Content Engine 2 as a service to the reverse proxy rule.
    CS150(config-owner-content[cisco-RPCRule])# add service ce2

Step 5: Assigns a virtual IP address to the rule on the CSS switch.
    CS150(config-owner-content[cisco-RPCRule])# vip address 172.16.0.0

Step 6: Specifies TCP as the service protocol.
    CS150(config-owner-content[cisco-RPCRule])# protocol tcp

Step 7: Specifies that requests are accepted on port 80.
    CS150(config-owner-content[cisco-RPCRule])# port 80

Step 8: Defines which content is cacheable by matching every URL against the Cacheable EQL.
    CS150(config-owner-content[cisco-RPCRule])# url "/*" eql Cacheable

Step 9: Exits content configuration mode.
    CS150(config-owner-content[cisco-RPCRule])# exit

CSS Switch Sample Configuration Output for Reverse Proxy Caching

The following example shows a partial configuration of the CSS switch.

!************************** SERVICE **************************
service webserver1 
  ip address <first_webserver_ip_address>
  protocol tcp 
  port 80 
  active 

service webserver2 
  ip address <second_webserver_ip_address> 
  protocol tcp 
  port 80 
  active 

service cache1 
  protocol tcp 
  ip address <first_cache_ip_address> 
  port 80 
  type transparent-cache 
  no cache-bypass 
  active 

service cache2 
  protocol tcp 
  ip address <second_cache_ip_address>
  port 80 
  type transparent-cache 
  no cache-bypass 
  active 


!**************************** EQL ****************************
eql cacheable 
  description "This EQL contains extensions of cacheable content" 
  extension pdf "Acrobat" 
  extension fdf "Acrobat Forms Document" 
  extension au "Sound audio/basic" 
  extension bmp "Bitmap Image" 
  extension z "Compressed data application/x-compress" 
  extension gif "GIF Image image/gif" 
  extension html "Hypertext Markup Language text/html" 
  extension htm 
  extension js "Java script application/x-javascript" 
  extension mocha 
  extension jpeg "JPEG image image/jpeg" 
  extension jpg 
  extension jpe 
  extension jfif 
  extension pjpeg 
  extension pjp 
  extension mp2 "MPEG Audio audio/x-mpeg" 
  extension mpa 
  extension abs 
  extension mpeg "MPEG Video video/mpeg" 
  extension mpg 
  extension mpe 
  extension mpv 
  extension vbs 
  extension m1v 
  extension pcx "PCX Image" 
  extension txt "Plain text text/plain" 
  extension text 
  extension mov "QuickTime video/quicktime" 
  extension tiff "TIFF Image image/tiff" 
  extension tar "Unix Tape Archive application/x-tar" 
  extension avi "Video for Windows video/x-msvideo" 
  extension wav "Wave File audio/x-wav" 
  extension gz "application/x-gzip" 
  extension zip "ZIP file application/x-zip-compressed" 

!*************************** OWNER ***************************
owner www.site.com 

  ! reverse_proxy_rule maps in the caches for static content. Because this rule is
  ! more specific than web_server_rule (the url match uses an EQL), it is evaluated
  ! first; only 'cacheable' traffic is matched and sent to the caches.
  content reverse_proxy_rule
    vip address <published_vip>
    protocol tcp
    port 80
    url "/*" eql cacheable
    add service cache1
    add service cache2
    active

  ! web_server_rule maps in the web servers for non-cacheable content.
  content web_server_rule
    vip address <published_vip>
    protocol tcp
    port 80
    url "/*"
    add service webserver1
    add service webserver2
    active

  ! cache_request_rule is used by the caches when they request content from the
  ! web servers on a cache miss; it should include the web servers only.
  content cache_request_rule
    vip address <cache_miss_vip>
    protocol tcp
    port 80
    add service webserver1
    add service webserver2
    active
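The rule precedence described in the comments above, modelled as an added Python example (not CSS code and not part of this guide): it parses a constructed CSS-style excerpt and reports which service group a request path would be sent to. The VIP (203.0.113.10) and the shortened EQL are constructed; case-insensitive extension matching and the omission of VIP/port matching are simplifications of this example, not statements about CSS behaviour.

```python
from urllib.parse import urlsplit

# Constructed excerpt in the style of the CSS sample output above: the rule names
# are the page's, the VIP is a documentation address and the EQL is a subset.
CSS_CONFIG = """\
eql cacheable
  extension html "Hypertext Markup Language text/html"
  extension htm
  extension gif "GIF Image image/gif"
  extension js "Java script application/x-javascript"
owner www.site.com
  content reverse_proxy_rule
    vip address 203.0.113.10
    port 80
    url "/*" eql cacheable
    add service cache1
    add service cache2
    active
  content web_server_rule
    vip address 203.0.113.10
    port 80
    url "/*"
    add service webserver1
    add service webserver2
    active
"""

def parse_css(config):
    """Return ({eql name: {extensions}}, [content rules]) from the CSS-style text."""
    eqls, rules, cur_eql, rule = {}, [], None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "eql":
            cur_eql, rule = words[1], None
            eqls[cur_eql] = set()
        elif words[0] == "extension" and cur_eql:
            eqls[cur_eql].add(words[1].lower())   # case-insensitive: a simplification
        elif words[0] == "content":
            cur_eql, rule = None, {"name": words[1], "eql": None, "services": []}
            rules.append(rule)
        elif rule and words[0] == "url" and "eql" in words:
            rule["eql"] = words[words.index("eql") + 1]
        elif rule and words[:2] == ["add", "service"]:
            rule["services"].append(words[2])
    return eqls, rules

def select_services(config, request_path):
    """Model of the precedence the sample's comments describe: a url rule qualified
    by an EQL is more specific than the plain "/*" rule, so it is tried first."""
    eqls, rules = parse_css(config)
    name = urlsplit(request_path).path.rsplit("/", 1)[-1]   # query string dropped
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    for rule in sorted(rules, key=lambda r: r["eql"] is None):   # EQL rules first
        if rule["eql"] is None or ext in eqls[rule["eql"]]:
            return rule["name"], rule["services"]
    return None, []
```

Only requests whose extension is in the EQL reach the caches; a login script or a bare "/" goes to the web servers, which is the behaviour to confirm before trusting the caches with anything user-specific.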

Configuring IP Spoofing in Reverse Proxy Mode

With typical reverse proxy caching, a user issues an HTTP request from a web browser. This request is transparently intercepted at the service provider or data center and redirected to the Content Engine by a WCCP-enabled router. The Content Engine accepts the incoming TCP connection from the router, determines that the request is for an object not in storage (cache miss), and issues a request for the object from the origin web server. When the Content Engine contacts the origin web server, it uses its own IP address as the source address rather than the IP address of the client on whose behalf it is making the request.

In contrast, with IP spoofing, the transparent redirection process enables the Content Engine to present the client's IP address as the source address, so that the origin web servers can use it for authentication purposes. You can enable IP spoofing with the wccp spoof-client-ip enable global configuration command. You can disable IP spoofing with the no wccp spoof-client-ip enable command.


Note Before you can enable IP spoofing on the Content Engine, you must configure the router interfaces serving the client, the origin server, and the Content Engine (as described in the "Configuring the Router for IP Spoofing" section).


IP spoofing is recommended in the following scenarios:

Logging of user IP addresses

Filtering based on user IP addresses

Policy-based routing to provide some users better service than others

In normal transparent redirection using a WCCP-enabled router, the router intercepts only packets sent by the client and forwards them to the Content Engine. With IP spoofing, the router also intercepts packets from the server that are destined for the client's IP address and redirects them to the Content Engine.

You must disable traffic redirection on the router interface connected to the Content Engine, using the ip wccp redirect exclude in command, to avoid a loop in which the router redirects the packets the Content Engine sends with the client's source IP address straight back to the Content Engine. You must also enable traffic redirection on the router interface connected to the clients.

See the "Configuring the Router for IP Spoofing" section for more information on the configuration steps needed to configure IP spoofing. In this configuration scenario, the Content Engine and the requesting clients are on different subnets, as shown in Figure 6-3.


Note In the scenario shown in Figure 6-3, the reverse proxy service and a user-configurable service group number 96 are used. The user-configurable service group numbers range from 90 to 97. See "Web Cache Communication Protocol Version 2" for a list of configurable service groups in the Content Engine.


Figure 6-3 Content Engine and Clients on Different Subnets for IP Spoofing

Configuring the Content Engine for IP Spoofing

To configure a locally deployed Content Engine for IP spoofing, follow these steps:

 
Step 1: Enables WCCP Version 2 on the Content Engine.
    ContentEngine(config)# wccp version 2

Step 2: Configures router list 1 with the address of the WCCP-enabled router.
    ContentEngine(config)# wccp router-list 1 10.10.20.1

Step 3: Configures port list 1, to be associated with a WCCP service group, with port 80.
    ContentEngine(config)# wccp port-list 1 80

Step 4: Configures service group number 96 and associates it with router list 1, port list 1, and hashing parameters based on the destination IP address and the source port.
    ContentEngine(config)# wccp service-number 96 router-list-num 1 port-list-num 1 application cache hash-destination-ip match-source-port

Step 5: Informs the routers in the specified router list that the Content Engine is accepting reverse proxy service.
    ContentEngine(config)# wccp reverse-proxy router-list-num 1

Step 6: Enables client IP spoofing.
    ContentEngine(config)# wccp spoof-client-ip enable

Step 7: Exits global configuration mode.
    ContentEngine(config)# exit

Step 8: Writes the running configuration to nonvolatile memory.
    ContentEngine# write memory


Note If you have a Content Engine farm and you are using weight assignments within this farm, you must make sure that the weights for the service groups used for IP spoofing (both the outbound and the inbound service group) are equal on all Content Engines; otherwise the two directions of a flow can hash to different Content Engines and the TCP connection breaks. Use the wccp service-number servnumber router-list-num num port-list-num port application cache weight percentage command to establish a weight for these service groups if needed. By default, the Content Engine farm hashes appropriately with IP spoofing turned on, so assigning weights to service groups is not needed.


Configuring the Router for IP Spoofing

To configure the router for IP spoofing, follow these steps. Steps 3 through 5 are entered in interface configuration mode on the interface named in each step:

 
Step 1: Instructs the router to run the WCCP reverse proxy service.
    Router(config)# ip wccp 99

Step 2: Enables WCCP service group 96 on the router.
    Router(config)# ip wccp 96

Step 3: Enables WCCP redirection on the interface going out to the origin server with the service that hashes on the destination IP address. (See Figure 6-3.)
    Router(config-if)# ip wccp 99 redirect out

Step 4: Enables WCCP redirection on the interface going out to the clients with the service that hashes on the source IP address. (See Figure 6-3.)
    Router(config-if)# ip wccp 96 redirect out

Step 5: Disables WCCP redirection on the interface connected to the Content Engine. (See Figure 6-3.)
    Router(config-if)# ip wccp redirect exclude in

Step 6: Exits interface configuration mode.
    Router(config-if)# exit
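As an added check that is not part of this guide, the following Python script audits an IOS-style router configuration against the interface requirements stated in the IP spoofing router procedure above and in the earlier output-redirection procedure: service 99 redirected out on the origin-server interface, service 96 redirected out on the client interface, and redirection excluded on the Content Engine interface. The configuration text, interface names and addresses are constructed for the example.

```python
import re

# Constructed IOS-style configuration for the Figure 6-3 scenario. Interface names
# and addresses are assumptions for this example, not the guide's own output.
SAMPLE_CONFIG = """\
ip wccp 99
ip wccp 96
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.224
 ip wccp 96 redirect out
!
interface Ethernet0/1
 ip address 172.16.21.1 255.255.255.224
 ip wccp 99 redirect out
!
interface Ethernet1/0
 ip address 10.10.20.1 255.255.255.224
 ip wccp redirect exclude in
!
end
"""
# Same configuration with the Content Engine-side exclusion left out.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" ip wccp redirect exclude in\n", "")

def parse_interfaces(config):
    """Map each 'interface X' block to the list of indented commands under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!', 'end' or a global command closes the block
    return interfaces

def global_services(config):
    """Service numbers enabled with a top-level 'ip wccp <n>' line."""
    return {int(n) for n in re.findall(r"^ip wccp (\d+)\s*$", config, re.M)}

def audit_ip_spoofing(config, client_if, server_if, ce_if):
    """Return the list of violations of the constraints stated in the text."""
    problems = []
    for svc in (99, 96):
        if svc not in global_services(config):
            problems.append(f"global: service {svc} not enabled (ip wccp {svc})")
    ifs = parse_interfaces(config)
    required = {server_if: "ip wccp 99 redirect out",   # towards the origin servers
                client_if: "ip wccp 96 redirect out",   # towards the clients
                ce_if: "ip wccp redirect exclude in"}   # Content Engine side
    for name, cmd in required.items():
        if cmd not in ifs.get(name, []):
            problems.append(f"{name}: missing '{cmd}'")
    # Redirection on the Content Engine interface would loop its spoofed-source packets back.
    if any(re.match(r"ip wccp \d+ redirect", c) for c in ifs.get(ce_if, [])):
        problems.append(f"{ce_if}: redirection must not be enabled here")
    return problems
```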