[squid-users] Squid as transparent in 'caching layer'

Amos Jeffries squid3 at treenet.co.nz
Sun May 10 06:57:24 UTC 2015


On 10/05/2015 6:31 p.m., Ibrahim Lubis wrote:
> Hi,
> 
> Most of us know about tiered network
> topology (access, aggregation/dist, core), from core then to firewall and then
> to router. For redundancy there are usually 2 cores and 2 firewalls. I was
> thinking of adding a transparent caching layer between core and firewall, just
> adding a squid box. Is it okay to just add 2 independent squid boxes, or do I need
> some sync between the squid boxes? What if I add not 2 but 6 and do
> active-active on both core n firewall? Can anybody give me insight? Btw, my
> objective is to save some bandwidth from users for internet access.

Go with independent Squid boxes until you are happy that they are
operating properly and you know what's going on. The number of Squid does not
matter much, so long as they each can handle the traffic load you put
through. If you are new to this, start with just one and put only a small
amount of the traffic through, then increase gradually until you need 2,
and so on.

Sync'ing between the Squid caches, and interception proxying can each
have unwanted side effects. It's best to deal with those separately to
avoid confusion and troubles.


"active-active on both core n firewall" does not matter. You MUST NOT
perform destination-NAT (or TPROXY) on any machine other than the Squid
box receiving the TCP connection from client(s). The firewalls and core
only perform *routing* (perhaps over a tunnel) to get the TCP packets
to the right Squid box. This has the nice side effect of greatly
reducing the amount of data the firewalls need to sync.


Hints for beginners:

 Caching can make some traffic appear slower - all MISS and some REFRESH
transactions. There is extra packet processing done by the proxy and
latency getting the packets around. This is the tradeoff for bandwidth
saving. Super-fast HITs and traffic optimization can make up for that,
but not always.

Amos
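
Added example, not part of the original message: a Python check for the rule stated above that destination-NAT or TPROXY is done only on the Squid box, while firewalls and core only route. It scans per-host `iptables-save` output; the host names, addresses and port 3129 in the sample are constructed assumptions.

```python
import re

# Targets that perform interception (destination rewrite or TPROXY).
INTERCEPT_TARGETS = {"DNAT", "REDIRECT", "TPROXY"}

def intercept_rules(ruleset):
    """Return (table, rule) pairs from iptables-save text that intercept traffic."""
    found, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A "):
            m = re.search(r"\s-j\s+(\S+)", line)
            if m and m.group(1) in INTERCEPT_TARGETS:
                found.append((table, line))
    return found

def audit(rulesets, squid_hosts):
    """Return (violations, missing): interception rules found on non-Squid
    hosts, and Squid hosts that have no interception rule at all."""
    violations, missing = {}, []
    for host, text in sorted(rulesets.items()):
        rules = intercept_rules(text)
        if host in squid_hosts:
            if not rules:
                missing.append(host)
        elif rules:
            violations[host] = rules
    return violations, missing

# Constructed iptables-save excerpts (hosts, addresses, ports are assumptions).
SAMPLE = {
    "fw1": "*mangle\n"       # routing only: marks port-80 traffic for a policy route
           "-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT\n"
           "-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff\n"
           "COMMIT\n",
    "fw2": "*nat\n"          # wrong: NAT done on the firewall instead of the Squid box
           "-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129\n"
           "COMMIT\n",
    "squid1": "*nat\n"       # correct: REDIRECT on the box that receives the connection
              "-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT\n"
              "-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129\n"
              "COMMIT\n",
}

if __name__ == "__main__":
    violations, missing = audit(SAMPLE, {"squid1"})
    for host, rules in violations.items():
        for table, rule in rules:
            print(f"{host}: interception rule in table {table}: {rule}")
    print("Squid hosts without interception rules:", missing or "none")
```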


