Reverse/Server-Side Proxy Caching for Windows?

frooyo asks: "I'm an currently looking for a good reverse proxy caching solution (server-side caching) for the Windows platform. This would be used as a transparent proxy between the corporate website and the outside world. Products that I have seen available include: Microsoft ISA server, Squid for NT and some others. I'm not completely opposed to using a non-windows platform for this type of solution, but I would prefer a Windows solution. I need a product that handles middle-large numbers of current users (10-30) with easy on one server. Additionally features such as caching pools and easy handling of FTP connections (since this will be used as a 'transparent' proxy) would be a much needed benefit."

Re:troll.

[Anonymous Coward]

More evidence to attest to this is calling 10-30 middle to large numbers. ?!? Mid to large for our systems is in teh several hundreds not 10-30. Well maybe for a microsoft product 10-30 is middle to large wouldnt know anymore havent used it in years. Maybe a P1 200 class machine with 256 mb of ram running FreeBSD and Squid is about right for this machine?

Re:troll.

[kcurrie]

Maybe a P1 200 class machine with 256 mb of ram running FreeBSD and Squid is about right for this machine?

At my kids school (a little under 400 people) I'm running squid on a P200 with *96MB* of RAM with absolutely no issues at all. The machine is mostly idle, and the load only goes up due to the snort and afick processes also running on the host :-)

Squid is good

[Earlybird]

Squid is a very good, well-designed, highly configurable proxy server implementation. I have not gauged its performance against other implementations, but performance, at least on Linux, seems entirely reasonable. It is popularly used to cache Zope sites.

Being a relatively ancient open-source Unix program, it adheres religiously to standards, and will correctly use headers such as Expires and Cache-Control to maintain cache coherence; Squid will correctly cache anything with a Last-Modified header.

Additionally, it supports upstream commands allowing your web server to tell Squid to invalidate cache records when content changes; you can implement this easily in server-side languages such as PHP, Java or Python (Zope's caching machinery supports this transparently).

Apache

[mikecron]

I use Apache's mod_proxy module for reverse proxying. It works very well, and if you have several upstream servers, you can use the very powerful mod_rewrite to map parts of the URL to different servers.

What the hell are you asking

[DA-MAN]

Both ISA Server and Squid do what you want?

What is it exactly that you are asking? Is there a feature you need that these don't provide? Would you like us to write a config file for you?

Please be specific enough for knowledgeable users to know what you are asking.

I read this ask slashdot as 'I need to do x, found y and z that does x.' Also if you're only going to have 10-30 users, why bother doing a reverse cache? If your web server can't handle 10-30 users, a cache isn't going to help much.

Concurrent users

[Earlybird]

If your web server can't handle 10-30 users, a cache isn't going to help much.

Depends on what the "web server" is; it might be expensive SQL stuff, for example. Or it might be a heavy-weight CMS thing; Plone [plone.org]'s default skin gives me less than 10 hits/sec on a very fast SMP box, and the lack of speed is, amazingly, mostly in the templating system. This is a case where caching would help.

10-30 concurrent users I interpret as meaning 10-30 requests per second. To put it in perspective: 10 req/s is 864,000 r

Re:Concurrent users

[DA-MAN]

Depends on what the "web server" is; it might be expensive SQL stuff, for example.

Funny I was thought the same thing, but that wasn't in the post at all. My original post was mostly about how weird of a question, if it even is a question, this posting was.

10-30 concurrent users I interpret as meaning 10-30 requests per second.

I don't. Most browsers by default have 4 connections to a server, and 30 users would have 120 requests per second max. Now at most only 30 would be dynamic requests, unless the p

Re:Concurrent users

[Earlybird]

Funny I was thought the same thing, but that wasn't in the post at all. My original post was mostly about how weird of a question, if it even is a question, this posting was.

I don't think it's a weird question. A lazy and ill-formulated question, to be sure, but not weird.

For my current project I will need to apply a caching reverse proxy myself, just so I can support the expected traffic.

The "10-30 users" metric is useless without knowing the output of the web server. If the web server is able to sus

ISA

[skinfitz]

If you want a Windows solution then ISA is the way to go.

It will handle reverse web proxying along with providing transparent caching etc.

It's also very very easy to set up.

If you want more specific into, try Thomas Shinder's site http://isaserver.org [isaserver.org]

Re:ISA

[matt_wilts]

>If you want a Windows solution then ISA is the way to go

Squid is also available for Windows [acmeconsulting.it] - I have an issue where my company will not under any means run Linux servers, however, they have agreed that I (network manager) can run certain Open Source apps.

Under Windows, Squid seems to work ok - I'm running the test server on a Celeron 333, with 128M of memory & 2 gig of cache under Windows 2000 Professional (i.e. it doesn't need a Windows server). It's currently handling about a dozen pilot use

Re:ISA

[matt_wilts]

(sorry if my post above is a little redundant - I didn't read the question properly)

At the risk of talking to myself here - I just noticed the caching pool question - I understand that we can set up "sister" caches that cut down the amount of requests to upstream caches, thus sharing the load over a cluster of Squids whilst providing a larger "virtual cache".

Dear Slashdot Users,

[DrSkwid]

My computer stopped working and when I phoned support they suggested changing something called a 'fuse' in my cable.

The plug says to use a 13A rated fuse. I went to the shop and it seems they have all sorts of these fuses. I was wondering if any Slashdotters had tried different fuses and what success they had?

Thanks.

A Dork Esq.

Novell's product

[FistFuck]

Check out iChain from Novell, it's relatively cheap and very fast. It's a reverse proxy appliance.

It does much more that what you're looking for, but some of the multihoming functionality is incredibly handy.

The per user licensing only matters if you use it to authenticate users.

Apache Mod_Proxy

[DeBaas]

First to all to all that responded that 10-30 isn't much, the asker mentioned 10-30 _current_. I assume he (or she) meant concurrent. And that can, depending on what you mean by concurrent and by the type of website served be a resource eater for which reverse proxy be an excellent tool.
For those that don't understand this I suggest to read http://perl.apache.org/docs/1.0/guide/strategy.htm l [apache.org] Note that the advantage often is not caching but buffering.

Furthermore, we use apache and mod_proxy for reversepr

Re:Go ask M$

[zero_offset]

So far, your post is the only thing insulting in this entire thread.

Why?

[Gothmolly]

You have money, time, and rackspace to burn setting up a reverse-proxy for your webserver, but no resources to devote to your actual webserver? Beef up the webserver, upgrade IIS, team your NICs, do something to fix the problem, not the symptom.

Re:Why?

[DeBaas]

Where does it say that he has the money etc. Reverse proxy can be installed on the same machine as the webserver itself and still be benificial. Not everybody is serving static html files.

Re:Why?

[psycho_tinman]

Even if you have all of that money and more to burn on webservers, a reverse proxy is still a good option and sometimes a better way to spend your cash.

Back in the dot com era, I had to work with near offshelf commodity hardware for the most part. The only specialist servers I had were the webservers (and servlet containers) running (I didnt make the decision, so dont flame me :) IIS. 20-30 concurrent connections off Loadrunner, and the CPU on the webserver maxes out (mostly because of the servlet containe

Re:Why?

[lifeless]

Please don't spread uneeded FUD...The NT port of squid is well maintained, Guido does a great job, and we're hoping before too much longer (3.1/3.2) to have it fully integrated. Oh, and squid/NT is more flexible than ISA any day of the week. Performance wise, 10-30 concurrent users of any web application I've seen translates to way less than 30 requests per second (rule of thumb from experience), which is well within squid/NT's performance envelope.

-Rob

Re:Why?

[psycho_tinman]

First and foremost, if I gave anyone the impression that I am disparaging the development work being done on Squid/NT, I apologize, such was not my intention in the slightest. I know that a good job is being done on it (because I occasionally evaluate it, I WANT choice in reverse proxies for Win32)

However, I still stand by my previous comments. Squid/NT is *not* as stable and not as scalable as the Unix based versions. Do I have documented statistics for this ? no, I do not. YMMV. I've run more than half a

Friends don't let friends use ISA Server.

[Ayanami Rei]

Put yourself out and lash a few aging machines into a peered virtual cache/distributed front end using Squid.

Write a TCL script

[EvilTwinSkippy]

TCL has HTTP and FTP handling capabilities, as well as the ability to open and respond to server sockets.

Code for an HTTP proxy is easily googleable. FTP would be a little more effort, but once you understand the principles...

try xCache

[Glog]

Try xCache - I've used it before and it's quite good: http://www.xcache.com/home/default.asp

Many Fortune 500 companies use it.

Clearifications

[frooyo]

Yes, the article was meant to say concurrent users. And yes, the current website is driven by a large CMS where all pages are dynamic (all content resides in a database).

So after some clearification, what are peoples experiences with ISA [microsoft.com] or Novell's Volera [novell.com] (which I have heard very good things about) and any other caching solution.

Does /. use a caching server? If not, why not?

Re:Clearifications

[lifeless]

I haven't used volera, but AIUI it's derived from bordermanager, which in turn harks from the Harvest project - the same place squid came from. Bordermanager has been sweet every time I've used it, but not substantively different from Squid. ISA however, doesn't share that same heritage. It's also a bundle of products, of which you'll probably only want one bit... the proxy.

-Rob

Re:Clearifications

[mfarver]

AFAIK slashdot does not cache, but instead builds static pages from the dynamic content at regular intervals. Logged in users see a dynamic page, but most users just see the static page that is built from dynamic content

IMHO if content is not different for each user it is not really dynamic. (Plenty of sites are dynamic becuase they can be, not really becuase they should be). Even if it is mostly static with just a few dynamic elements (Like a Welcome: *username*) see if your content system supports pre

Wholeheartedly Recommend ISA

[seigniory]

I have to say, I've been using ISA for 2+ years now and am very familiar with its capabilities & performance.

ISA's proxying is great, but does cost $$$ on top of your Windows 2K licensing and Hardware. Here's the setup of every ISA box I've spec'd in teh last few months:

1. Dell GX50 Celeron 1GHz, 1GB RAM, 20GB 7.2k RPM HD, Adaptec 4-port NIC. About $900
2. Windows 2000 Server. About $800
3. MS ISA Server. About $1100

Total: about $2800

That said, it's expensive for use as "just a proxy". ISA offers much much more which is why I recommend using it in a more fully featured fashion. If you're planning on leveraging the Firewall, VPN, Secure-NAT, and PPTP Pass through capabilities at the same time, by all means, I can't recommend a better small/medium business security device.

(FWIW: ISA is the only commercial firewall I know that can do both PPTP and L2TP/IPSec in a NAT configuration with more than 1 connection at a time on the same external IP address - true that PIXs and similar ones can do PPTP through NAT, but you need a 1:1 mapping ratio for private to public IPs to do it. I've had over 150 private IPs set up simultaneous PPTPs through my ISA box on a single external IP, but I digress...)

ISA's proxying is suprisingly fully-featured. Want to scan all uploads & download for viruses? No problem, ISA's got a ton of plugins. Want to harden security on a single box instead of 10 individual web servers? No problem, apply all kinds of rules to the proxy service and block or allow things at the file or even mime-type level. Want to use NT/AD user certificates on Apache or non-IIS servers? No problem... with Feature Pack 1, ISA will provide authentication based on all these and "non-MS-ize" the auth data to your backend servers. Want redundancy? Just add another ISA server in array mode - 2 boxes, single config point, double the performance,

There's so many other ISA features to mention. I can't say enough good things about it. My only wish list item is better logging.

Squid for *nix

[Raven42rac]

Just use Squid for *nix. You can use any old box you have laying around. You don't even need an x-window-environment. You can do everything from the CLI. I use it for a 250 user network and it works splendidly. Squid=$0. Your favorite Linux distro. (Don't want to start a war, but look at Debian, easy to update/secure/install programs.)=$0. Old PC laying around =$0. So $3,000 vs. $0 and you would have to do the same amount of reading and studying up on both. $3,000 could buy an awful lot of better things.