ThaiSARN Hierarchical Cache Service
Frequently Asked Questions

Contents:

1. What is ThaiSARN Hierarchical Cache Service?
2. What is Proxy Server?
3. What is Cache Hierachy?
4. How big should my proxy server be?
5. How many cache servers in PubNet? And what is the different between cache1.nectec.or.th, cache2.nectec.or.th and cache.nectec.or.th?
6. Can the individual user of my campus point their web browser proxy directly to cache.nectec.or.th?
7. How can I join NECTEC proxy parenting?
8. How will NECTEC close port 80 of my institution?
9. What is the procedure to set up my proxy?
• Procedure for Netscape Proxy Server 2.5
• Procedure for Squid Proxy Server
• Procedure for Microsoft Proxy Server
10. Further Readings.
11. What is transparent proxy and how can we implement it?
12. We are a PIE-Participant (PIEP), how can we join NECTEC Cache service?
13. How can we see the statistics of our cache servers?
14. Why ThaiSarn doesn't have proxy/cache services for other application such as Real media? and does NECTEC close direct access for this kind of applications?

1. What is ThaiSARN Hierarchical Cache Service?

   ThaiSARN Hierarchical Cache Service is the service offered from NECTEC in the Thailand Cache Infrastructure Project which is run by NECTEC under the cooperation of a group of people called Cache Infrastructure Task Force

2. What is Proxy Server?

   Proxy is a way to store requested Internet objects (i.e., data available via the HTTP, FTP, and gopher protocols) on a system closer to the requesting site than to the source. Web browsers can then use the local cache as a proxy HTTP server, reducing access time as well as bandwidth consumption.

   Proxy servers are widely used to help the users of an Internet node (eg., in a company or in a university) to get faster response time in fetching a web page while reducing the line congestion between the company/university and the upstream service provider.

   It is highly recommended that we enforce "proxy" usage in a ThaiSARN node in order to preserve the valuable bandwidth of the node. That is, each academic institution should run a campus-wide proxy service and promote the use of proxy to all individual users.

   As from June 30, 1998, ThaiSARN service from NECTEC will no longer permit http access from an individual user, the proxy policy in each campus will become compulsory. The proxy server in a ThaiSARN node is the only host that can access http to the outside world through NECTEC's ThaiSARN hierarchichal cache service.

3. What is cache hierarchy?

   Cache hierarchy is the way to connect proxy server, called child, to another proxy server, called parent. Proxy server can usually act as both child and parent. Cache hierarchy provides a more efficiency of caching. NECTEC provides you with parent caches called cache1.nectec.or.th, and cache2.nectec.or.th which you (your proxy server) can point to as a child.

4. How big should my proxy server be?

   This depends on the operational target of your site. If you have large communication lines (eg. 512 kbps or more) and thousands of users, you may like to invest on a moderate size proxy server running multi-spindle disk of some 4 GB or more.  Make sure that the CPU has a lot of memory to provide fast response time and the system is safe from power outage. It is advisable to use high-reliablilty disk file system if you can afford it. Multi-unit SCSI disk drives work faster than few larger capacity disks.

   When running the proxy server, please make sure that you promote the use of the proxy well to monitor the system performance such as the amount of hit and savings per day for outside-line access.

   At NECTEC, the current cache server is based on
   

   • cache1: Digital AlphaServer 4100 2x5/466 system with 512MB RAM and 25 GB disk storage with Squid proxy server software.
   • cache2: Digital AlphaServer 4100 2x5/300 system with 512 MB RAM and 15 GB disk storage with Squid proxy server software.

5. How many cache servers in PubNet? And what is the different between cache1.nectec.or.th, cache2.nectec.or.th and cache.nectec.or.th?

   NECTEC runs physically 2 cache servers, cache1.nectec.or.th and cache2.nectec.or.th for both load balancing and redundancy. cache.nectec.or.th is the virtual name pointing to either cache1 or cache2 at a time, according to the avalibility of cache1 and cache2 and our redundancy management mechanism.

   If your proxy/cache software can set its parent to more than 1 server, please set it to both cache1.nectec.or.th and cache2.nectec.or.th. But if not, please point to cache.nectec.or.th.

6. Can the individual user of my campus point their web browser proxy directly to cache.nectec.or.th?

   No, we cannot allow that. If that happens, the whole purpose of hierarchical cache service is defeated, and your campus leased line will still be congested.

7. How can I join NECTEC cache hierachy?

   First of all you have to be the system administrator of the ThaiSARN node. Then please familiarize yourself with the concept and techniques of the hierarchical cache. Please refer to reading materials below for reference.

   Next step would be setting up your own proxy server and get ready to be connected with NECTEC.

   To register your node with ThaiSARN hierarchical cache service, please send an e-mail to cachemaster@nectec.or.th including following information:

   • Name: (can be more than one person)
   • E-mail:
   • Institution name:
   • Proxy server name: (can be up to 2 machines)
   • Proxy server IP: (according to the server name)
   • Cache/proxy software: (eg. squid, Netscape, Microsoft)
   • HTTP port:
   • ICP port: (if use ICP)

   We will then make arrangement with your particular proxy server setting.

8. How will NECTEC close port 80 of my institution?

   Here is the filter list that we will apply at ThaiSARN gateway router to your institution interface,

   The format is
   (allow/deny) source/(source IP)/(source port) dest/(destination IP)/(destination port)
   "*" means "anything"
   

   
   allow source/(your_proxy_1_ip_address)/*	dest/*/80
   allow source/(your_proxy_2_ip_address)/*	dest/*/80
   deny source/*/*	destination/*/80
   allow everything else
   
   

   It can be easily described that only 2 proxy servers in your institution can go out fetch "World Wide Web" data (port 80) directly from the internet. For other PC or server in your institution, you have to point to to either 2 of your proxy servers in order to use the WWW application.

9. What is the procedure to set up my proxy?

   That will depend on the kind of proxy server that is used at your campus. So far, NTL-NECTEC has tested three kinds of proxy servers which may be employed as the campus proxy and linked to ThaiSARN as a child of cache.nectec.or.th.

   
   Procedure for Netscape Proxy Server 2.5

   1. Browse you proxy server configuration via web browser, just type http://proxyservername:port for example: http://yourcache.yourdomain:8081
   2. Select http link to view configuration.
   3. Select Routing on horizontal bar located on the top.
   4. Select Routing on verticle bar located on the left.
   5. Go to Editing, choose http://.* .
   6. From circle radio button below, select choose proxy server then write cache.nectec.or.th and 8080 at port.
   7. Save and apply changes.
   
   
   Procedure for Squid Proxy Server
   1. Add these line into squid.conf (in squid/etc directory)
      cache_host cache1.nectec.or.th parent 8080 3130
      cache_host cache2.nectec.or.th parent 8080 3130
      
   2. Restart squid by issuing the following commands
      kill -1 squidpid
   
   
   
   
   Procedure for Microsoft Proxy Server

   The newest version of Microsoft Proxy Server is 2.0 beta (September 1997). We recommend you not to use this beta version as a permanent proxy server. You should upgrade as soon as the real version is avialable. This configuration is based on Window NT 4.0 with service pack 3. Also MS proxy server requires you an NTFS partition.

   1. Edit MS proxy server configuration.
   2. Select Routing tab.
   3. In Upstream Routing, check Use Web Proxy or array box. Then click Modify.
   4. Enter cache.nectec.or.th in Upstream Web Proxy Server at Proxy box and 8080 at Port.

10. Further Readings

    • survey of the functionality and effectiveness of current caching systems (in html) from Utrecht Univ. for the DESIRE Caching project.
    • ICM's Caching Survey Results (Interdisciplinary Centre for Mathematical and Computational Modelling)
    • Optimizing Response Time, Rather than Hit Rates, of WWW Proxy Caches by Roland Wooster (MS Thesis for Virginia Tech)
    • Squid Proxy Analysis (SPA) results of a project by David Marwood and Brad Duska (Marwood is a MS student at U of British Columbia)
    • http://squid.nlanr.net/Squid/
    • http://home.netscape.com/comprod/server_central/product/proxy/index.html
    • http://www.microsoft.com/products/prodref/130_ov.htm
    • http://ircache.nlanr.net/Cache/cache-stats-links.html - Cache statistics from all over the world.
    • http://ircache.nlanr.net/Cache/nlb/analysis.html
11. What is transparent proxy and how can we implement it?
    Transparent proxy is the way to transparently redirect web traffic to cache servers without any extra configuration at users' web browser. Normally, when we implement cache servers, we have to inform users to modify their browser settings to point to the cache servers.

    There are 3 main procedures to do transparent proxy.

    1. Redirect traffic to a specified host
       There must be an agent running on the gateway router/host that will capture all the traffic and redirect the traffic with destination port 80 (web) to a specified host.
    2. Redirect traffic to the proxy port
       At the specified host, traffic which is redirected form the first procedure will be fetched by a daemon. The data will be manipulated to match the proxy request format and redirected to the proxy port of cache/proxy servers.
    3. Cache/proxy server
       This is normally the cache/proxy servers. Traffic which are redirected from the second procedure will go in to cache/proxy servers.
    These three procedures can be implemented in one machine or more.

    If you are using NECTEC Linux-SIS, here is the step to do transparent proxy.

    1. Make sure the Linux-SIS machine stays in gateway position (it means that every traffic form users must past this machine before going out to the net). The machine must have 2 network interfaces.
    2. If you have 2 LAN cards, edit the file /etc/rc.d/rc.local and uncomment the "ifconfig eth1" section, you might want to change the IP address (of /dev/eth1, the second ethernet interface) to match your need (The default IP address of /dev/eth1 is 192.168.1.1/255.255.255.0).
    3. Edit /etc/rc.d/rc.local and uncomment the "firewall" section on the line , replace "/etc/rc.d/rc.firewall" to "/etc/rc.d/rc.firewall.easy".
    4. If you don't change the IP address of /dev/eth1 from the default, the transparent proxy is working now. Or you have to modify /etc/rc.d/rc.firewall and replace 192.168.1.* with IP address of /dev/eth1
    Remark By using /etc/rc.d/rc.firewall.easy, your network will be at a medium security level. If you want to learn more about firewall, please take a look at Firewall-HOWTO and see the example of configuration at /etc/rc.d/rc.firewall.

    For more information about transparent proxy for other platforms, you could also see SQUID FAQ.

12. We are a PIE-Participant (PIEP), how can we join NECTEC Cache service?
    In present, NECTEC offers cache sibling service for PIEP's cache/proxy servers, more information at PIE FAQ.

    To be able to be our sibling, you cache/proxy server program must support ICP protocol (eg. squid software).

    Here is the configuration for squid software:

    cache_host cache1.nectec.or.th sibling 8080 3130
    cache_host cache2.nectec.or.th sibling 8080 3130

    If you don't want to duplicate the entry in NECTEC's cache servers to your server and you can access our cache servers with high-speed (it means that your link to PIE is not too congested), you can use "proxy-only" option. In this case, if the object is in NECTEC's cache servers, your server will fetch it from us without saving a copy at your server. This will more efficiently use your disk space.

    Here is the configuration for squid software for proxy-only option:

    cache_host cache1.nectec.or.th sibling 8080 3130 proxy-only
    cache_host cache2.nectec.or.th sibling 8080 3130 proxy-only

    After you configuration is completed, please send an e-mail to cachemaster@nectec.or.th contains following information:

    • Name: (can be more than one person)
    • E-mail:
    • ISP name:
    • Proxy server name: (can be up to 2 machines)
    • Proxy server IP: (according to the server name)
    • Cache/proxy software: (eg. squid, Netscape, Microsoft)
    • HTTP port:
    • ICP port: (if use ICP)

    We will then make arrangement with your particular proxy server setting.

13. How can we see the statistics of our cache servers?

    There is an instruction web page about squid statistics at Linux-SIS Tips and tricks homepage, the URL is www.school.net.th/linux-sis/tips/squidstat.html.

14. Why ThaiSarn doesn't have proxy/cache services for other application such as Real media? and does NECTEC close direct access for this kind of applications?

    Proxy/Cache service will be useful only if the application has many duplicate requests such as www, which many users normally request for the same object so the cache service is helpful. Applications such as video or audio normally doesn't have high duplicate request so it is not worth proxying/caching. NECTEC doesn't close or filter direct access for any application except www (port 80). ThaiSarn users can use Real Media application without any need of proxy/cache server.

FAQ | Milestones | Services | Statistics