Server Setup and Configuration Babu Ram Dawadi 1.


Servers
Minimum servers required for intranet/Internet operation:
– DNS server
– DHCP server
– Proxy server
– Web server
– Authentication server (RADIUS)
– Database server
– Mail server
– More…

DNS Server
See the slides provided in the Distributed Systems classes:
– BIND/DJBDNS concepts and configuration
– Requirement for a DNS server based on network size
– Benefits and drawbacks

DHCP Server
DHCP operation: concepts and configuration (see the linked DOC)

What is Squid Proxy Server?
A caching proxy for:
– HTTP, HTTPS (tunnel only)
– FTP
– Gopher
– WAIS (Wide Area Information Server; requires additional software)
– WHOIS (Squid version 2 only)
Supports transparent proxying
Supports proxy hierarchies (ICP protocol)

Other proxies
Free-ware
– Apache 1.2+ proxy support
Commercial
– Netscape Proxy
– Microsoft Proxy Server
– NetAppliance’s NetCache (shares some code history with Squid in the distant past)
– CacheFlow
– Cisco Cache Engine

What is a proxy?
Firewall device: internal users communicate with the proxy, which in turn talks to the big bad Internet
– Gates private address space (RFC 1918) into publicly routable address space
Allows one to implement policy:
– Restrict who can access the Internet
– Restrict what sites users can access
– Provides detailed logs of user activity

What is a caching proxy?
Stores a local copy of objects fetched
– Subsequent accesses by other users in the organization are served from the local cache rather than from the origin server
– Reduces network bandwidth
– Users experience faster web access

Benefits of Caching
Benefits: eliminates the need (in many cases) to:
– Send the request to the origin server (reducing delay and link use)
– Send the full response from the origin server (reducing link use)
Consequences:
– Reduced delay: directly benefits the end user; may also benefit service providers (ISPs or web servers) by making their service more popular with end users
– Reduced traffic: reduces load on network links and on the server
– Masks unavailability of the origin server, e.g. when working offline or during faults

How proxies work (configuration)
The user configures the web browser to use the proxy instead of connecting directly to origin servers
– Manual configuration for older PC-based browsers and many UNIX browsers (e.g., Lynx)
– Proxy auto-configuration file for Netscape 2.x+ or Internet Explorer 4.x+
  Far more flexible caching policy
  Simplifies user configuration, help desk support, etc.

How proxies work (user request)
The user requests a page:
– The browser forwards the request to the proxy
– The proxy optionally verifies the user’s identity and checks policy for the right to access
– Assuming the right is granted, the proxy fetches the page and returns it to the user

Proxy – The Forward Proxy
Forward proxy
– Proxies the outgoing requests, for the reasons of:
  Bandwidth saving
  Performance
  Central control
– When the requested objects are in the cache, return the cached objects
– Otherwise the proxy server requests the object from the origin server, then caches it and returns it to the client
[Figure: client – proxy server – original server; request/reply in each direction, with repeat requests answered from the cached result]

Proxy – The Reverse Proxy
Reverse proxy
– Proxies the incoming requests, for the reasons of:
  Reducing server load (by caching)
  Load balancing
  Fault tolerance
– The reverse proxy acts as the original server: it accepts incoming requests and replies with the corresponding result. SEAMLESS for clients!
[Figure: client on the Internet – reverse proxy server – Server1; request/reply in each direction]

Squid’s page fetch algorithm
Check the cache for an existing copy of the object (lookup based on the MD5 hash of the URL)
If it exists in the cache:
– Check the object’s expire time; if expired, fall back to the origin server
– Check the object’s refresh rule; if expired, perform an If-Modified-Since against the origin server
– If the object is still considered fresh, return the cached object to the requester

Lifecycle of an object
– Last-modified: when the object was last modified at the origin server. Date – Last-modified suggests the frequency of change (whether it is OK to use the copy)
– Date: when the object was sent by the origin server, i.e. the last time it was known to be fresh. Date + Age is the reference for checking for expiry
– Expires: the server’s prediction of when copies should be replaced
– Age: how long the object has spent in caches

Squid’s page fetch algorithm (continued)
If the object is not in the cache, is expired, or is otherwise invalidated:
– Fetch the object from the origin server
– If a 500 error comes back from the origin server and an expired object is available, return the expired object
– Test the object for cacheability; if cacheable, store a local copy
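The three slides above (fetch algorithm, object lifecycle, and the continued fetch algorithm) describe one decision procedure. The following is an added example, written for this page and not Squid’s own code: a toy cache that keys entries on the MD5 of the URL, applies an Expires check and then a Last-Modified-based refresh rule (the `lm_factor` and `max_fresh` knobs are an assumption modelled on Squid’s refresh_pattern percent/max values), revalidates stale entries with If-Modified-Since, and serves the old copy when the origin answers with a 500. The `Origin` class and the URLs and dates in `run_scenario` are constructed sample input.

```python
import hashlib
from datetime import datetime, timedelta, timezone


class Origin:
    """Constructed stand-in for an origin server (not part of Squid)."""

    def __init__(self, objects):
        # url -> dict(body, last_modified, cacheable, expires)
        self.objects = objects
        self.down = False

    def get(self, url, if_modified_since=None):
        """Return (status, body, metadata) the way a minimal HTTP origin would."""
        if self.down:
            return 500, None, None
        obj = self.objects[url]
        if if_modified_since is not None and obj["last_modified"] <= if_modified_since:
            return 304, None, None
        return 200, obj["body"], obj


class CachingProxy:
    """Toy cache following the page-fetch steps described in the slides."""

    def __init__(self, origin, lm_factor=0.2, max_fresh=timedelta(days=3)):
        self.origin = origin
        self.lm_factor = lm_factor    # refresh rule: fresh while age <= lm_factor * (Date - Last-Modified)
        self.max_fresh = max_fresh    # refresh rule: never fresh beyond this age
        self.store = {}               # MD5(url) -> cached entry

    @staticmethod
    def key(url):
        # Squid keys its store on the MD5 hash of the URL
        return hashlib.md5(url.encode()).hexdigest()

    def freshness(self, entry, now):
        """'fresh', 'expired' (Expires has passed) or 'stale' (refresh rule failed)."""
        age = now - entry["date"]
        if entry["expires"] is not None:
            return "fresh" if now < entry["expires"] else "expired"
        if age > self.max_fresh:
            return "stale"
        if entry["last_modified"] is not None:
            lm_age = entry["date"] - entry["last_modified"]
            if age <= lm_age * self.lm_factor:
                return "fresh"
        return "stale"

    def fetch(self, url, now):
        """Return (result tag, body). Tags are descriptive, not Squid's log codes."""
        k = self.key(url)
        entry = self.store.get(k)
        ims = None
        if entry is not None:
            state = self.freshness(entry, now)
            if state == "fresh":
                return "HIT", entry["body"]
            if state == "stale":
                ims = entry["last_modified"]   # revalidate with If-Modified-Since
            # 'expired': fall back to a full fetch from the origin
        status, body, meta = self.origin.get(url, if_modified_since=ims)
        if status == 304:
            entry["date"] = now                # revalidated: Date reference moves forward
            return "REFRESH_HIT", entry["body"]
        if status >= 500:
            if entry is not None:              # origin failing and an old copy exists: serve it
                return "STALE_HIT", entry["body"]
            return "ERROR", None
        if meta["cacheable"]:
            self.store[k] = {
                "body": body,
                "date": now - meta.get("age", timedelta(0)),  # Date + Age = expiry reference
                "last_modified": meta["last_modified"],
                "expires": meta.get("expires"),
            }
        return "MISS", body


def run_scenario():
    """Constructed walk-through; returns the sequence of result tags."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day, hour = timedelta(days=1), timedelta(hours=1)
    origin = Origin({
        "http://example.test/logo.png": {"body": b"PNG", "last_modified": t0 - 10 * day,
                                         "cacheable": True, "expires": None},
        "http://example.test/live.html": {"body": b"live", "last_modified": t0,
                                          "cacheable": False, "expires": None},
        "http://example.test/news.html": {"body": b"news", "last_modified": t0 - day,
                                          "cacheable": True, "expires": t0 + hour},
    })
    proxy = CachingProxy(origin)
    logo, live, news = (f"http://example.test/{n}" for n in ("logo.png", "live.html", "news.html"))
    tags = [proxy.fetch(logo, t0)[0],              # MISS: first fetch, stored
            proxy.fetch(logo, t0 + day)[0],        # HIT: 1 day old, fresh for 0.2 * 10 days
            proxy.fetch(logo, t0 + 3 * day)[0]]    # REFRESH_HIT: stale -> IMS -> 304
    origin.down = True
    tags += [proxy.fetch(logo, t0 + 4 * day)[0],   # HIT: still fresh, origin outage masked
             proxy.fetch(logo, t0 + 6 * day)[0]]   # STALE_HIT: revalidation gets 500
    origin.down = False
    tags += [proxy.fetch(live, t0)[0], proxy.fetch(live, t0 + hour)[0],   # MISS, MISS: not cacheable
             proxy.fetch(news, t0)[0], proxy.fetch(news, t0 + hour / 2)[0],  # MISS, HIT
             proxy.fetch(news, t0 + 2 * hour)[0]]  # MISS: Expires passed, full refetch
    return tags
```

Run `run_scenario()` to see the tags; the STALE_HIT step is the behaviour the slide describes for a 500 from the origin, and the two MISSes for live.html show the cacheability test refusing to store.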

Installing Squid (overview)
– Get the distribution
– Run the configure script with the desired compile-time options
– Run make; make install
– Edit the squid.conf file
– Run squid -z to initialize the cache directory structure
– Start the Squid daemon
– Test
– Migrate users over to the proxy

squid.conf runtime settings
The default squid.conf file is heavily commented! Read it!
Must set:
– cache_dir (one per disk)
– cache_peer (one per peer) if participating in a hierarchy
– cache_mem (8-16M preferred, even for large caches)
– acl rules (default rules mostly work, but must reflect your address space)

squid.conf runtime settings
Recommendations:
– ipcache_size, fqdncache_size to 4096
– log_fqdn off (use Apache’s logresolve offline)
– Increase dns_children, redirect_children, authenticate_children based on usage statistics (see the cachemgr.cgi front-end)

squid.conf ACL example
acl manager proto cache_object
acl localhost src /32
acl managerhost src /32
acl managerhost src /32
acl managerhost src /32
acl cawtech src /24
acl cawtech-internal src /16
acl all src /

squid.conf ACL example
acl SSL_ports port
acl gopher_ports port 70
acl wais_ports port 210
acl whois_ports port 43
acl www_ports port
acl ftp_ports port 21
acl Safe_ports port
acl CONNECT method CONNECT
acl FTP proto FTP
acl HTTP proto HTTP
acl WAIS proto WAIS
acl GOPHER proto GOPHER
acl WHOIS proto WHOIS

squid.conf ACL example
http_access deny manager !localhost !managerhost
http_access deny CONNECT !SSL_ports
http_access deny HTTP !www_ports !Safe_ports
http_access deny FTP !ftp_ports !Safe_ports
http_access deny GOPHER !gopher_ports !Safe_ports
http_access deny WAIS !wais_ports !Safe_ports
http_access deny WHOIS !whois_ports !Safe_ports
http_access allow localhost
http_access allow cawtech
http_access allow cawtech-internal
http_access deny all
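To see how the three ACL slides combine, here is an added example (written for this page, not Squid’s code) that evaluates the slides’ http_access list with Squid’s semantics: every ACL on a line must match (a leading `!` negates), the first matching line decides, and if no line matches the default is the opposite of the last line’s action. The slides’ IP addresses and port lists did not survive extraction, so the values in `ACLS` are constructed (RFC 5737 documentation ranges and a hypothetical private /16); the ACL names and the rule order are the slides’ own.

```python
import ipaddress

# Constructed ACL definitions mirroring the slide's acl lines (values are assumptions).
ACLS = {
    "manager":          ("proto",  {"cache_object"}),
    "localhost":        ("src",    ["127.0.0.1/32"]),
    "managerhost":      ("src",    ["192.0.2.10/32", "192.0.2.11/32"]),
    "cawtech":          ("src",    ["192.0.2.0/24"]),
    "cawtech-internal": ("src",    ["10.0.0.0/16"]),
    "all":              ("src",    ["0.0.0.0/0"]),
    "SSL_ports":        ("port",   {443, 563}),
    "gopher_ports":     ("port",   {70}),
    "wais_ports":       ("port",   {210}),
    "whois_ports":      ("port",   {43}),
    "www_ports":        ("port",   {80, 81, 8080}),
    "ftp_ports":        ("port",   {21}),
    "Safe_ports":       ("port",   {80, 21, 443, 70, 210, 43, (1025, 65535)}),
    "CONNECT":          ("method", {"CONNECT"}),
    "FTP":              ("proto",  {"FTP"}),
    "HTTP":             ("proto",  {"HTTP"}),
    "WAIS":             ("proto",  {"WAIS"}),
    "GOPHER":           ("proto",  {"GOPHER"}),
    "WHOIS":            ("proto",  {"WHOIS"}),
}

# The slide's http_access lines, in order.
HTTP_ACCESS = [
    ("deny",  ["manager", "!localhost", "!managerhost"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["HTTP", "!www_ports", "!Safe_ports"]),
    ("deny",  ["FTP", "!ftp_ports", "!Safe_ports"]),
    ("deny",  ["GOPHER", "!gopher_ports", "!Safe_ports"]),
    ("deny",  ["WAIS", "!wais_ports", "!Safe_ports"]),
    ("deny",  ["WHOIS", "!whois_ports", "!Safe_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["cawtech"]),
    ("allow", ["cawtech-internal"]),
    ("deny",  ["all"]),
]


def port_in(port, values):
    """Port ACL values are single ports or (low, high) ranges."""
    for v in values:
        if isinstance(v, tuple):
            lo, hi = v
            if lo <= port <= hi:
                return True
        elif v == port:
            return True
    return False


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        return port_in(req["port"], values)
    return req[kind] in values          # "proto" or "method"


def http_access(req):
    """First http_access line whose ACLs all match decides; otherwise the
    default is the opposite of the last line's action (Squid's rule)."""
    for action, terms in HTTP_ACCESS:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


def request(src, proto="HTTP", method="GET", port=80):
    """Build a constructed request record for evaluation."""
    return {"src": src, "proto": proto, "method": method, "port": port}
```

Evaluating `request("192.0.2.50")` gives `allow` via the cawtech line, while the same source with `method="CONNECT", port=25` is denied by the CONNECT line, which is the rule that keeps the proxy from being used as an open relay to arbitrary ports; a request from outside every src ACL falls through to `deny all`.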

Managing Squid
– The Calamaris.pl logfile analysis script
– Use modified MRTG with Squid’s SNMP support
– SQUID-GRAPH

Content Distribution Networks (CDN)
– Business model: a content provider (such as Yahoo) pays a CDN company (such as Akamai) to get its content to the requesting users with short delays.
– A CDN provides a mechanism for:
  Replicating content on multiple servers in the Internet
  Providing clients with a means to determine the servers that can deliver the content fastest

Terminology
– Content: any publicly accessible combination of text, images, applets, frames, MP3, video, Flash, virtual reality objects, etc.
– Content provider: any individual, organization, or company that has content it wishes to make available to users.
– Origin server: the content provider’s server, where the content is first uploaded.
– Surrogate server (sometimes called edge server): the content distributor’s server, where the replicated content is kept.

Players
[Figure: the players and examples: content provider (Yahoo, MSNBC, CNN, CBC), H/W and S/W vendor (Cisco, Oracle-Sun), content distributor (Akamai, Bell), hosting provider; arrows labelled “sells servers”, “send content” and “install servers”]

CDN Distribution
– Content providers are CDN customers
– Content replication: the CDN company installs thousands of servers throughout the Internet, in large datacenters or close to users
– The CDN replicates customers’ content
– When the provider updates content, the CDN updates its servers
[Figure: origin server in North America, CDN distribution node, CDN servers in S. America, Europe and Asia]

CDN: Functional Components
– Distribution service
– Redirection service
– Accounting and billing system

CDN: Distribution Service
– The content provider determines which of its objects it wants the CDN to distribute.
– The content provider tags and then pushes this content to a CDN node, which in turn replicates and pushes the content to all its CDN servers.

CDN: Redirection
When a browser in a user’s host is instructed to retrieve a specific object (specified using a URL), how does the browser determine whether it should retrieve the object from the origin server or from one of the CDN servers?
As an example, suppose the hostname of the content provider is

[Figure: How Akamai works. Participants: end user, cnn.com (content provider), DNS root server, Akamai global DNS server, Akamai regional DNS server, nearby Akamai cluster, Akamai cluster. Steps 1–2: the end user sends GET index.html to cnn.com over HTTP and receives the page, whose image references (…/af/…/foo.jpg) point at Akamai]

CDN: Redirection
– Users get an HTML document from the content provider; this could be index.html
– The file index.html uses a modified URL for content that has been replicated.
– Example: if the JPEG files are what has been replicated, then their URL may be modified as follows:
– The browser needs to resolve the a73.g.akamai.net hostname for replicated content.

Caching and Content Distribution (CDN)


CDN: Redirection
What does this mean?
– Host part: a73.g.akamai.net
– Akamai control part: /7/23
– Content URL: /af/foo.jpg

CDN: Redirection
– DNS is configured so that all queries about g.akamai.net that arrive at a DNS server are sent to an authoritative DNS server for g.akamai.net.
– This is referred to as an Akamai DNS server (authoritative DNS server).

[Figure: How Akamai works, steps 3–4: the end user’s DNS lookup of cache.cnn.com is answered with ALIAS: g.akamai.net]

CDN: Redirection
– When the Akamai DNS server receives the query, it extracts the IP address of the requesting browser.

[Figure: How Akamai works: the DNS lookup of g.akamai.net is answered with ALIAS a73.g.akamai.net]

CDN: Redirection
– Based on the IP address and the information it has about the Internet (called a map), the IP address of an Akamai regional server is returned to the requesting browser according to policy, e.g., select the server that is the fewest hops away.
– The regional server may choose a surrogate server for content retrieval.

[Figure: How Akamai works: the DNS lookup of a73.g.akamai.net is answered with the address of a nearby Akamai cluster]

[Figure: How Akamai works: the end user sends GET /foo.jpg with Host: cache.cnn.com over HTTP to the nearby Akamai cluster]

[Figure: How Akamai works: the Akamai cluster, having received GET /foo.jpg (Host: cache.cnn.com), issues its own GET foo.jpg towards the content provider]

CDN Redirection
– The Akamai DNS server IP address is now in the cache of the local DNS server.
  This implies that it is not always necessary to go to the root DNS server.
– The TTL associated with the IP address of an Akamai server (surrogate) is relatively small.
  This is done for performance reasons.
– Akamai content distribution servers are caches.

CDN Redirection
What if the content is not there?
– If the requested content is not found, the surrogate asks other surrogates within a specified region for it.
– If the requested information is still not found, or is stale, a request is made to the original web site.

CDN Selection
– The tricky issue is selecting which local content server to use for a particular request
  Want to spread load evenly
  Want minimal impact if a server is added or removed
– In Akamai, each surrogate server sends measurement results to the Network Operations Communications Center (NOCC).
  Measurement results include the number of active TCP connections, HTTP request arrival rate, bandwidth availability, etc.
  This information is used by the Akamai DNS server.
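The redirection slides above (modified URL, CNAME to g.akamai.net, the Akamai DNS server choosing a surrogate from a map, the short TTL, and the local DNS server caching the Akamai server’s address) fit together as one lookup sequence. The following added example, written for this page and not Akamai’s software, simulates it: `split_modified_url` splits a URL into the host, control and content parts the slides name (the exact layout, with the origin host following the control part, is an assumption); `AkamaiDNS` maps the requester’s address to a region and hands out the least-loaded surrogate with a short TTL; `LocalResolver` caches the answer and only consults the root once. The client prefixes, surrogate addresses, CNAME entry and TTL values are constructed (RFC 5737/1918 ranges), not Akamai’s real map.

```python
import ipaddress

# Constructed "map" and server list for the example (assumptions, not real data).
CLIENT_MAP = {"192.0.2.0/24": "europe", "198.51.100.0/24": "asia"}
SURROGATES = {"europe": ["203.0.113.10", "203.0.113.11"], "asia": ["203.0.113.20"]}
CNAMES = {"cache.cnn.com": "a73.g.akamai.net"}   # content provider aliases its cache host
SURROGATE_TTL = 20      # seconds: short, so the next lookup can be steered elsewhere
NS_TTL = 86400          # the Akamai DNS server's own address is cached much longer


def split_modified_url(url):
    """Split 'host/ctrl1/ctrl2/origin-host/path' into the parts the slides name.
    The position of the origin host is an assumption for this example."""
    host, _, rest = url.partition("/")
    parts = rest.split("/")
    control = "/" + "/".join(parts[:2])
    origin_host = parts[2]
    content = "/" + "/".join(parts[3:])
    return host, control, origin_host, content


class AkamaiDNS:
    """Authoritative DNS for g.akamai.net (constructed stand-in)."""

    def __init__(self, client_map, surrogates):
        self.client_map = {ipaddress.ip_network(p): r for p, r in client_map.items()}
        self.surrogates = surrogates
        self.load = {s: 0 for group in surrogates.values() for s in group}
        self.queries = 0

    def region_for(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for net, region in self.client_map.items():
            if ip in net:
                return region
        return next(iter(self.surrogates))   # unmapped requester: first region as fallback

    def answer(self, name, client_ip):
        """Return (surrogate address, ttl): least-loaded server in the requester's region."""
        self.queries += 1
        candidates = self.surrogates[self.region_for(client_ip)]
        best = min(candidates, key=lambda s: self.load[s])
        self.load[best] += 1                 # crude stand-in for the NOCC measurements
        return best, SURROGATE_TTL


class LocalResolver:
    """The user's local DNS server: caches answers and honours their TTLs."""

    def __init__(self, akamai_dns):
        self.akamai = akamai_dns
        self.cache = {}          # name -> (value, expires_at)
        self.root_queries = 0

    def _cached(self, name, now):
        hit = self.cache.get(name)
        return hit[0] if hit and now < hit[1] else None

    def resolve(self, name, client_ip, now):
        name = CNAMES.get(name, name)                  # cache.cnn.com -> a73.g.akamai.net
        addr = self._cached(name, now)
        if addr:
            return addr
        if not self._cached("NS:g.akamai.net", now):   # learn the Akamai DNS server via the root once
            self.root_queries += 1
            self.cache["NS:g.akamai.net"] = ("akamai-dns", now + NS_TTL)
        addr, ttl = self.akamai.answer(name, client_ip)
        self.cache[name] = (addr, now + ttl)           # short TTL: re-steered after 20 s
        return addr
```

With one `AkamaiDNS` shared by resolvers in different regions, a European requester is sent to the European surrogates and an Asian one to the Asian surrogate; after the 20-second TTL the same European resolver is steered to the other European server because the first one now carries load, while the root server is asked only once.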

Accounting Mechanism
– Accounting mechanisms collect and track information related to request routing, distribution and delivery.
– Information is gathered in real time and put into log files for each CDN component.
– This gets sent to the Network Operations Communications Center (NOCC).

Full Site Delivery vs. Partial Site Delivery
– Full site delivery: all the content is delivered by the CDN (including HTML, images, and other objects).
– Partial site delivery: only images, streaming media and other bandwidth-intensive objects are delivered by the CDN.

Current Akamai Customers

Web Server

RADIUS

RADIUS Overview
RADIUS: Remote Authentication Dial-In User Service
– Designed to centralize the authentication process for large distributed networks
– Originally intended for dial-up networks
– Can be used for VPN servers, switches, and wireless access points
Two mandatory server roles:
– RADIUS client
– RADIUS server


RADIUS Overview (continued)
– The RADIUS client accepts authentication information from users or devices and forwards the information to a RADIUS server
– The RADIUS server accepts authentication information from a RADIUS client


Outsourcing Dial-up Requirements
A user dials into the ISP; the ISP forwards the request to a RADIUS proxy; the RADIUS proxy forwards the request to the RADIUS server; the RADIUS server passes the information to the domain controller for authentication.


What is AAA?
– Authentication
– Authorization
– Accounting

Authentication
– Verify a person’s or machine’s declared identity.
– Mechanisms: passwords, Public Key Infrastructure (PKI).
– A key aspect is the trust relationships between servers.

Authorization
– Rules or templates on what an authenticated user can do on a system.
– Dial-up user requests can be for one link or multiple.

Accounting
– Measures and tracks the resources a user accesses.
– Includes time, amount of data, session statistics, resource utilization, etc.
– Logs are sent to and analyzed by billing and security servers.

Properties
– Client/server model
– UDP based
– Hop-by-hop security
– Stateless
– Uses MD5 for password hiding
– PAP/CHAP via PPP

Authentication methods
– PAP: Password Authentication Protocol (MD5/XOR)
– CHAP: Challenge Handshake Authentication Protocol
– PAP is sometimes preferred in cases where authorization must travel outside the realm of control


The CHAP 3-way handshake

Using RADIUS and CHAP
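The “MD5 for password hiding” property, the PAP (MD5/XOR) method and the CHAP handshake slides above describe two concrete computations. The following added example, written for this page and not taken from any RADIUS implementation, shows both: `hide_password`/`unhide_password` implement the RFC 2865 User-Password hiding (the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block, starting from the Request Authenticator)), and `chap_response`/`chap_handshake` implement the RFC 1994 CHAP response MD5(Identifier + secret + Challenge) with the server-side verification. The shared secret, authenticator and passwords used in the usage note are constructed sample values.

```python
import hashlib
import hmac
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding (PAP over RADIUS).
    c1 = p1 XOR MD5(secret + RequestAuthenticator); c_i = p_i XOR MD5(secret + c_{i-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)     # at least one 16-byte block
    padded = password.ljust(blocks * 16, b"\x00")   # pad with NULs
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], keystream)
        out += c
        prev = c
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone holding the shared secret and the packet
    recovers the password, which is why the secret and the transport need protecting."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")       # strips the NUL padding (passwords ending in NUL are not representable)


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_handshake(peer_secret, stored_secret, ident=1, challenge=None):
    """Three-way handshake: the server sends a challenge, the peer answers with
    chap_response over its secret, and the server recomputes the response from the
    cleartext secret it stores. Returns (challenge, response, accepted)."""
    if challenge is None:
        challenge = os.urandom(16)               # fresh, unpredictable challenge per attempt
    response = chap_response(ident, peer_secret, challenge)
    expected = chap_response(ident, stored_secret, challenge)
    return challenge, response, hmac.compare_digest(response, expected)
```

A typical check is `unhide_password(hide_password(b"pw", secret, ra), secret, ra) == b"pw"`, with a different Request Authenticator giving a different ciphertext for the same password. Two points a defender should take from the code: PAP hiding is reversible by any party that knows the shared secret, so RADIUS secrets and the path between NAS and server deserve the same care as the passwords themselves; and CHAP verification needs the cleartext (or equivalent) secret on the server, which is the trade-off behind the slide’s remark that PAP is sometimes preferred when authorization has to travel outside the realm of control.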


Ports
– Authentication: udp/1812
– Accounting: udp/1813

Implementations
– Livingston
– GNU
– FreeRADIUS
– Cistron
– Radiator
– Alepo
– Juniper: Steel-Belted

Databases
– Oracle
– Informix
– Sybase
– mSQL
– MySQL
– Microsoft SQL (including versions 6.5, 7 and 2000)
– ODBC
– Interbase
– SAP
– PostgreSQL
– SQLite