USER GUIDE
Service Provider Edition
Published By:
ApplianSys Limited
ApplianSys House
Harry Weston Road
Coventry, CV3 2UB
Copyright © 2017 ApplianSys Ltd. All Rights Reserved. No part of the contents of this document may be reproduced or
transmitted in any form or by any means electronic or otherwise without the written permission of ApplianSys Limited.
15 Sept 2017
A soft copy of the latest user guide can be found at: www.appliansys.com/url/cb-spe-userguide
CACHEBOX Service Provider Edition User Guide
Contents
Using This Guide 2
SECTION 1: PLANNING DEPLOYMENT 5
Introduction to Caching 6
CACHEBOX Overview 13
SECTION 2: GETTING STARTED 21
Initial Installation 22
Completing Network Integration 46
Checking Your Deployment 73
SECTION 3: CONFIGURATION REFERENCE 77
Introduction 78
System Menu 78
Network Menu 111
Cache Menu 133
Content Menu 162
Reports Menu 171
SECTION 4: FREQUENTLY ASKED QUESTIONS 189
Deployment 190
Appliance Management 191
Security 191
Hardware 191
APPENDICES 192
Appendix A: SSH Command Line Access 192
Appendix B: HTTP Status Codes 194
Appendix C: IP-KVM option 195
Notes 201
Products Covered
This guide will help you deploy and configure CACHEBOX web cache appliances.
It applies to all current models in the CACHEBOX range:
CACHEBOX050
CACHEBOX110
CACHEBOX130
CACHEBOX210
CACHEBOX230
CACHEBOX310
CACHEBOX420
These models all share the same software and core features. A few software features
are hardware dependent, so there are minor variations between models. These variations
are noted in the guide.
The remaining sections are for you to refer to whenever you need a specific
piece of information:
- ‘CONFIGURATION REFERENCE’ - describes in detail each of the screens
you can find in your appliance’s web administration interface
- ‘FREQUENTLY ASKED QUESTIONS’ – on deployment, support, managing the
appliance, performance, security and hardware
- ‘APPENDICES’ – further information you might need in specific scenarios
‘Menu Option'
Fieldname
ON SCREEN BUTTON
URLs: www.example.com
Alert: be aware of a potential issue - something you should avoid or something you are
advised to do. You will find a description of the risk and how to resolve or avoid it in the
Alert format.
Critical Alerts are written in a bold, red font. It is very important that you pay attention to
these.
Note: extra information, not directly part of the instructions or reference material, but
which may still be useful for you to know
Tip: advice to help you make faster or more efficient use of the product with
workarounds and timesaving techniques
SECTION 1: PLANNING DEPLOYMENT
Introduction to Caching
A proxy is a network device used to create connections on behalf of other computers.
A caching proxy or cache keeps copies of the data requested, so that it can serve
future requests for the same content without downloading it again. This saves
bandwidth and decreases response times.
Web caches are widely deployed to boost delivery of web content (primarily HTTP
content on port 80). They have two specific uses:
Forward caches are deployed near to users to speed up delivery of general web
traffic over the internet. CACHEBOX is an example of a forward cache.
Reverse caches are deployed in front of web servers to accelerate responses to
requests from the internet. CACHEBOX does not act as a reverse cache.
Forward caches are deployed by service providers to save bandwidth and to improve
web performance for their customers.
Here we will look at the possible options and help you decide which are best for you.
Transparent vs Explicit
In transparent deployments, client computers do not need to be reconfigured and web
traffic is automatically rerouted via the cache. In this mode, users are not aware of the
cache.
In explicit deployments, the user's client software (usually web browser) is configured to
make requests directly via the cache.
Because it entails configuring client devices, Explicit Mode is not a sensible option for
service providers (and is not discussed further in this edition of the manual).
All the options presented below involve transparency of the cache to the clients.
Redirection vs Interception
There are several ways of achieving transparent deployments. They involve either:
HTTP Redirection - web traffic is diverted via the cache, while the remaining network
traffic remains on its original route. The cache doesn’t need to handle unnecessary
traffic so can do more caching.
HTTP Interception - all traffic is directed via the cache. HTTP traffic is intercepted and
processed by the caching software, while non-HTTP traffic is passed straight through the
device.
The relevant factors if you have more than one option could include:
Internet traffic resilience – what happens if the cache fails?
- Does non-HTTP traffic continue to flow anyway?
- Does HTTP traffic continue to flow automatically?
- Or if intervention is required, how much?
- Does ensuring internet resilience involve extra cost (e.g. extra hardware)?
Outbound (client > web server) transparency – can you send requests with the IP
addresses of your users, rather than that of the cache?
- This is often a requirement for service providers. It is relevant if you want to
identify the IP addresses which requests originate from, to help monitor
and control web usage
- Equally, there are often cases where transparency is not needed – the
service provider is happy for the IP address of the cache to be identified
with the HTTP request, rather than the IP address of the client.
- The issue is whether transparency is needed, and if so, whether and how it
can be achieved.
How much do you need to make changes in your network? Physical changes?
Reconfiguration of network equipment or client devices?
Scalability – can this mode support a cluster of caches, or just a single device?
In the following pages, the three remaining options are assessed in detail.
WCCP
The Web Cache Communication Protocol (WCCP), developed by Cisco Systems,
specifies interactions between one or more routers (or Layer 3 switches) and one or
more web caches. The purpose of the interaction is to establish and maintain the
transparent redirection of selected types of traffic flowing through a group of routing
devices. The selected traffic is redirected to a group of web caches with the aim of
optimizing resource usage and lowering response times.
CACHEBOX supports version 2 of the WCCP protocol.
Requires
Router, switch or firewall (typically Cisco) which supports WCCP. This means
having a suitable Cisco IOS version - see recommended IOS versions in
deployment guide.
Source Address Spoofing enabled on cache if you want to maintain outbound
(client -> web server) transparency
Changes made to the router’s routing policy
Pros
No client configuration required
Redirection - only HTTP traffic is redirected to the cache
Full resilience - no traffic loss in case of cache failure
Can scale and introduce redundancy by clustering multiple caches
No physical network changes needed
Cons
Relatively complex Cisco router and cache configuration required to achieve
source address spoofing
A potential issue when using a standard WCCP ‘Web-cache’ deployment is that
CACHEBOX will originate all HTTP requests from its primary IP address. This can be
a problem for some web sites.
WCCP GRE can result in higher router load where L2 redirection is not available
So what
If your network uses Cisco routers, L3 switches or firewalls, then WCCP may be
your best deployment option
It fits requirements where ISPs are looking at clustering multiple caches to scale
and/or for redundancy.
Bridge Mode
When a cache is configured in Bridge mode, two of its network interfaces are used to
create a special bridged interface. The cache is then connected in-line into the
network and all network traffic passes over the bridge.
This is a simple in-line deployment with a minimum of changes required to your network.
Bridge mode is a form of HTTP Interception caching. As such, it would normally be
deployed with Source Address Spoofing to minimise the impact on the logical network.
One of the potential issues with Bridge mode deployments is that in a simple scenario it
can become a single point of failure; if the device fails, then all internet connectivity is
lost. This could be avoided with a Fail-to-Wire option, as it is in CACHEBOX.
Requires
Source Address Spoofing enabled on cache if you want to maintain outbound
(client > web server) transparency
To avoid single point of failure leading to possible traffic loss, fail-to-wire capability
on cache
A cache with at least 2 NICs
Pros
No client configuration required
Minimal physical changes required to the network
Relatively simple to bypass the cache should it become necessary. With Fail-to-
Wire card, bypass is automatic in case of cache failure.
Cons
Requires physical deployment
Without Fail-to-Wire, cache is a single point of failure for all network traffic
All traffic passes through cache
So what
High availability solution – either with Fail-to-Wire option or by deploying on
redundant trunk links
Policy-Based Routing
Requires
Router capable of Policy-Based Routing
Router capable of preserving outbound (client > web server) transparency, if you
need it: it needs to be able to distinguish traffic coming directly from the client from
traffic diverted via the cache (e.g. Cisco equipment does this using the MAC addresses)
You to modify the router’s routing policy
You to enable Source Address Spoofing on the cache if you want to maintain
outbound (client > web server) transparency
Pros
Redirection - only HTTP traffic is redirected to the cache. So the cache doesn’t
need to handle unnecessary traffic and can do more caching.
No client configuration required
No physical network changes needed
Cons
If cache fails, users lose web access. You will need to reconfigure your routing
device to restore web traffic; some devices are able to perform this
automatically, e.g. Mikrotik.
Scalability by clustering not possible
So what
This can be a sensible deployment option for small ISPs with low-cost routing
devices – as long as they support PBR.
(Comparison table not reproduced; its remaining row headings were: Can be clustered; Ease of installation.)
So what
If you have appropriate network equipment which supports WCCP, this is the
recommended deployment method.
Bridge Mode – with a Fail-to-Wire option – is preferred to Policy-Based Routing in
most situations:
- Resilience is the key factor giving Bridge Mode a clear advantage
- In terms of other factors, Bridge Mode edges it on balance
CACHEBOX Overview
CACHEBOX is a web caching appliance designed to help you save bandwidth and/or
improve the speed at which your end-users can access web content. As a proxy, it also
allows network administrators to monitor and control web traffic.
It comes in a range of models which all share the same software and core feature set
but differ in hardware specification and performance.
CACHEBOX is engineered to make using it much easier for network administrators than
the alternative of installing software on a general purpose server. It is a device designed
for the specific task of caching, with fully integrated components:
Cache Application
CACHEBOX is unusual in being an appliance dedicated to web caching, rather than
including cache as just one of several workloads on the device. Its highly tuned cache
engine and cache extensions are designed to give you high performance and versatile
caching.
CACHEBOX's core caching engine is based on Squid, the open source, industry-standard
web caching server.
Through years of experience and extensive testing, ApplianSys’ web caching experts
have been able to tune Squid’s configuration and storage schemes to offer extremely
high performance compared to a standard installation of Squid on a Linux server.
Key caching features are:
Flexible Deployment Options
CACHEBOX can be deployed within multiple network scenarios, in transparent or
Explicit mode, with optional Source Address Spoofing and support for Bridge
mode.
Pre-Loader: Pre-caching
The content of websites can be automatically downloaded at predefined times
(such as during the night) and cached ready for clients to access.
WCCP Support
Multiple CACHEBOXes can be transparently clustered together for performance
and high availability on fast links utilising Cisco routers and switches.
Custom ACLs
Advanced configuration parameters can be entered that control the way that
CACHEBOX handles requests.
Appliance Management
CACHEBOX does not require specialist training to deploy and manage.
After initial set-up using a monitor and keyboard, CACHEBOX can be administered using
the secure web interface. This allows configuration to be performed from any computer
with a web browser, without the need for additional software to be installed.
The interface provides easy access to product features. These include:
Reporting Tools
CACHEBOX automatically produces reports on bandwidth usage and savings.
Alerting
CACHEBOX can be configured to send emails and SMS messages if problems
such as overheating or the failure of a fan are detected.
Logging Support
Log files can be generated showing every request that is placed via CACHEBOX.
These can then be automatically uploaded to another file server. This allows logs
to be analysed off-box and centrally stored in order to comply with data
retention laws.
Upgrade
Upgrades provided by ApplianSys (adding features, improving performance,
responding to newly discovered security flaws, etc.) can be applied via the web
interface.
Operating System
The Linux based operating system used by CACHEBOX is a custom-built “distribution”
developed by ApplianSys to optimise its appliance products. It is designed to maximise
security, reliability and ease of use.
All programs, services and files found on a standard Linux distribution that are not
required for effective web caching are not included, making CACHEBOX faster and
more secure than a standard Linux server.
The operating system runs from RAM once booted, writing to the flash card storage only
when configuration changes are made or alerts sent.
CompactFlash
CompactFlash cards are used for the operating system and settings. These allow for
faster boot times and give more resilience to hardware failure than traditional hard
drives. If you suffer an unexpected power outage, the risk of configuration data and
application corruption is minimised.
Cards can be ejected from each unit, allowing them to be moved to a spare or new
appliance in the unlikely event of failure, retaining all settings and license information.
You should only eject cards AFTER disconnecting power to the appliance. Failure to do
so could result in data corruption.
Hardware
CACHEBOX uses specially selected hardware to ensure reliability and high performance
without high cost.
There are several different models in the CACHEBOX range. All models use the same
software but differ in terms of hardware and performance. This allows them to support
different types of deployment.
CACHEBOX420 (front view)
The multi-processing engine is specifically recommended for networks with high RPS and
low throughput.
CACHEBOX050 and CACHEBOX100 series are entry level devices, designed for use on
small networks, such as customer sites. They differ in the following ways:
CACHEBOX050 is a small form factor (SFF) unit designed to be placed on a
desk/shelf, whereas CACHEBOX100 is a 1U rack-mountable device.
CACHEBOX050 has an external power supply, whereas CACHEBOX100 has an
internal power supply. When deploying CACHEBOX050 in cabinets with no active
ventilation, we recommend putting the power adapter outside the cabinet and
feeding the cord into it to minimise the heat generated within the cabinet.
CACHEBOX050 has a single CompactFlash card which ejects from the rear.
CACHEBOX100 series models have a pair of cards which eject from the front.
CACHEBOX110 offers the same performance as CACHEBOX050 in a 1U rack-mountable
form factor.
CACHEBOX130 is a premium light duty model featuring a higher specification
motherboard to enable Fail-to-Wire along with IP-KVM (Keyboard, Video and
Mouse) functionality to help users administer their units without having to
physically access them.
CACHEBOX100 series (front view)
CACHEBOX050 (front view)
CACHEBOX050 and CACHEBOX100 models are usually shipped with either 1 or 2 Network
Interfaces, depending on which you have purchased.
Fail-to-Wire option
A Fail-to-Wire option is available on CACHEBOX130, CACHEBOX210, CACHEBOX230 and
CACHEBOX310. It is not available on CACHEBOX050, CACHEBOX110 and CACHEBOX420.
A Fail-to-Wire card allows you to use CACHEBOX in Bridge mode resiliently, without
establishing a single point of failure on your network. An expansion card electrically
connects the Ethernet ports (logically making the appliance a ‘piece of wire’) in the
event of device failure such as power loss or software error.
If you are using Fail-to-Wire (see “Introduction to Caching”: “Bridge Mode”), you will
have a minimum of three interfaces.
SECTION 2: GETTING STARTED
Initial Installation
Introduction
This first part of “Getting Started” will help you to get CACHEBOX installed and running. It
will help you complete:
Physical Setup – unpack and physically connect CACHEBOX
Switching on and logging in – a console interface will prompt you to enter
network details and allow you to log in to CACHEBOX's web interface
The first stage of configuration of CACHEBOX using its web interface
After that, “Completing Network Integration” shows you how to complete deployment in
each of the modes likely in a service provider deployment.
If you want to follow this 2-stage approach, then simply working through Section 2,
starting here at the beginning, should work well.
If on the other hand, you want to go straight to stage 2 and deploy CACHEBOX
immediately in position in your live network, then to save time and avoid mistakes, you
should first read the detail on your chosen deployment mode in “Completing Network
Integration” before implementing the steps described here in “Initial Installation”.
This is because the details and topology of your network equipment and deployment
mode will determine some of the details of initial installation (e.g. which NICs on the
appliance to connect, network addresses to use in your initial configuration). If you carry
out a 2-stage approach, you may modify a few details when you go live.
You will probably find it helpful in any case to take a quick look at all the relevant
material in Section 2 before you actually get started!
If at any time you need further assistance, contact your vendor (ApplianSys Support
Partner or ApplianSys):
Physical Setup
For initial deployment you will need a keyboard, VGA monitor, a Cat 5/6 network cable
and network addressing information to hand.
Your appliance should be positioned so that adequate airflow can be achieved.
CACHEBOX050 is designed for desktop use, but can be placed on a shelf in a
rack. If placed in a rack without fan units (i.e. a wall mounted communications
cabinet), the power brick should be placed outside the rack and the cable
looped through to reduce the heat generated within the cabinet.
CACHEBOX100 can be placed in a rack without a shelf – its lugs will support its
weight. Ventilation is side to side. If placed in a rack without fan units (i.e. a wall
mounted communications cabinet), the power brick should be placed outside
the rack and the cable looped through to reduce the heat generated within the
cabinet.
CACHEBOX210, 230 and 310 must be supported from underneath when placed in a
rack (i.e. using a shelf). This is because the lugs alone cannot support their weight.
Ventilation is side to side – which is why rails are not provided. These appliances
are not suitable for use in racks without active cooling.
CACHEBOX420 is recommended to be installed with the available rail kits and
secured using the front lugs. If you are not using the available rail kits, the unit
must be supported, e.g. using a shelf.
Step 1
Unpack your server, check that all items listed on your delivery note are present and
then check for any transit damage. Please call our support line immediately if there is
any problem.
Step 2
Choose a suitable place to house your CACHEBOX and connect the appropriate
connectors to:
a mains supply
a keyboard and VGA monitor
To avoid an IP address conflict between CACHEBOX’s default IP address and any other
equipment on your network do not connect the network cable until you have
performed initial setup.
When connecting CACHEBOX to certain KVM devices, you may need to set DTR to
enable on connect and pin out to ACS. These settings are usually not necessary unless
your KVM has an option to set them.
Network Requirements
You should configure your DNS server with full forward and reverse DNS records for your
CACHEBOX. This avoids problems with remote hosts attempting reverse lookups on
connections. This can cause problematic delays.
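As an added check for the forward and reverse record requirement above (example code, not part of the guide or the appliance), the following Python resolves the appliance hostname, looks up the PTR record of the resulting address and reports whether the two agree. The lookups default to the system resolver; the constructed lookup tables at the bottom (made-up hostnames and documentation addresses) stand in for it so the check can be exercised offline.

```python
import socket


def check_forward_reverse(hostname, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return (ok, detail) for one hostname.

    ok is True only when the name resolves AND the PTR record of the address it
    resolves to names the same host (directly or via an alias). Both lookups
    default to the system resolver; pass other callables for offline testing.
    """
    try:
        ip = resolve(hostname)
    except OSError as exc:                      # socket.gaierror is an OSError subclass
        return False, f"forward lookup of {hostname} failed: {exc}"
    try:
        ptr_name, aliases, _addrs = reverse(ip)
    except OSError as exc:                      # socket.herror is an OSError subclass
        return False, f"no reverse record for {ip}: {exc}"

    wanted = hostname.lower().rstrip(".")
    names = {ptr_name.lower().rstrip("."), *(a.lower().rstrip(".") for a in aliases)}
    if wanted in names:
        return True, f"{hostname} -> {ip} -> {ptr_name}"
    return False, f"{hostname} -> {ip}, but the PTR record names {ptr_name}"


# Constructed lookup tables standing in for the resolver (made-up names and
# documentation addresses, not values from the guide).
_FAKE_FORWARD = {
    "cachebox1.example.net": "192.0.2.20",   # PTR agrees
    "cachebox2.example.net": "192.0.2.21",   # PTR still points at an old name
    "cachebox3.example.net": "192.0.2.22",   # no PTR record at all
}
_FAKE_REVERSE = {
    "192.0.2.20": ("cachebox1.example.net", [], ["192.0.2.20"]),
    "192.0.2.21": ("old-proxy.example.net", [], ["192.0.2.21"]),
}


def fake_resolve(hostname):
    """Offline stand-in for socket.gethostbyname (case- and trailing-dot-insensitive)."""
    key = hostname.lower().rstrip(".")
    if key not in _FAKE_FORWARD:
        raise socket.gaierror(f"{hostname}: Name or service not known")
    return _FAKE_FORWARD[key]


def fake_reverse(ip):
    """Offline stand-in for socket.gethostbyaddr."""
    if ip not in _FAKE_REVERSE:
        raise socket.herror(f"{ip}: Unknown host")
    return _FAKE_REVERSE[ip]


if __name__ == "__main__":
    for name in (*_FAKE_FORWARD, "nosuch.example.net"):
        ok, detail = check_forward_reverse(name, fake_resolve, fake_reverse)
        print("OK  " if ok else "FAIL", detail)
```

Run it against the live resolver by calling check_forward_reverse with just the appliance's hostname; a FAIL with "PTR record names ..." is the stale-record case that causes the delays described above.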
If your network employs firewalls, then you may need to change their configuration in
order to use CACHEBOX.
The following table details TCP and UDP ports used by CACHEBOX.
* These ports are configurable via the web interface. Defaults are shown for reference.
** If you are using GRE based WCCP redirection, then you will need to allow Protocol 50
traffic between the router and CACHEBOX (if not directly connected).
Step 1
Attach the power, VGA monitor and keyboard
Plug the network cable into the network port labelled ETH0
Step 2
Power the appliance on using the power button on the front panel.
Step 3
Once booted, a series of screens allows you to set basic network settings. Once this is
done, you will be able to do all further configuration via the web interface.
Step 4
Press [ENTER] and you will be prompted for the following information:
the hostname you wish to assign to the appliance
the network address and netmask, in either dotted decimal or as a CIDR mask
the default gateway
the DNS servers that the CACHEBOX can use to resolve network addresses
Step 5
You will be asked to review all settings and type the word ‘yes’ to continue. Type ‘no’
if you need to change any settings.
It will take a few seconds for these settings to be verified and applied.
Step 6
The final step is to set the password for the Administrator. Type the word 'yes' to set
your password.
Type the same password twice: remember that it is case-sensitive. Your passwords will
not be printed to the screen.
Step 7
Your settings will then be saved and the following screen will be displayed:
Step 8
Remaining configuration is done from a web browser. You can now access the web
interface for CACHEBOX using http://ipofcachebox/
If you are unable to access the interface, return to Step 7 and check that the network
settings are correct.
Many browsers will complain that the SSL certificate is not valid. This is because it is
self-signed and not registered with a certifying body for the IP address that it is on.
The warning (and similar warnings on other browsers) can be safely ignored:
You must enable JavaScript in your browser if you have previously disabled it for the
interface to work correctly.
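Because the certificate is self-signed, a browser cannot check it against a certifying body, but an administrator can still notice a substituted certificate by recording its fingerprint at the first connection and comparing it on later ones. The following Python is an added example, not part of the guide or the appliance software: fetch_fingerprint() retrieves the certificate the appliance presents (the hostname used is an assumed placeholder), fingerprint_from_pem() computes the SHA-256 fingerprint that browsers show in their certificate viewer, and constructed_pem() wraps arbitrary bytes in PEM framing purely so the fingerprint code can be exercised offline.

```python
import base64
import hashlib
import ssl


def sha256_colon_hex(data: bytes) -> str:
    """SHA-256 digest in the colon-separated uppercase form browsers display."""
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate (computed over its DER bytes)."""
    return sha256_colon_hex(ssl.PEM_cert_to_DER_cert(pem))


def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate a live server presents.

    ssl.get_server_certificate() does not validate the chain, which is what is
    needed for a self-signed appliance certificate: the point is to see what is
    presented and compare it with the value recorded at the first connection."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare fingerprints regardless of case or colon separators.
    An empty expected value never matches, so a missing record is not silently accepted."""
    norm = lambda s: s.replace(":", "").replace(" ", "").upper()
    return bool(norm(expected)) and norm(seen) == norm(expected)


def constructed_pem(raw: bytes) -> str:
    """Wrap arbitrary bytes in PEM certificate framing.
    For offline testing only: the result is not a valid certificate."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(raw).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Placeholder hostname and recorded value: substitute the appliance address and
    # the fingerprint written down at the first connection.
    recorded = "<fingerprint recorded at first connection>"
    seen = fetch_fingerprint("cachebox.example.net")
    print("certificate unchanged" if fingerprints_match(seen, recorded)
          else f"certificate CHANGED, now: {seen}")
```

Keep the recorded fingerprint somewhere other than the appliance itself; it is only useful as a reference if it cannot be altered together with the certificate.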
Step 9
Enter the username admin and the password that you set in Step 8. You can also select
a language preference – English (default), Spanish, French or Portuguese – from the
dropdown menu.
The interface is divided into four sections, as shown by the tabs on the top right of each
page:
Pages
Many pages are divided into sections by headers, such as:
Forms
Text entry fields that require a value are shown with a yellow background:
Errors in form submission are highlighted by red bars across the page and the text entry
field turning red:
Graphs
Pages containing real-time graphs have a header area where you can adjust the time
range used by:
Clicking the calendar icons
Using the drop down list to choose a pre-set time period
Dragging a range on the timeline
Dragging a range on any graph
If after selecting a time frame the report doesn’t change, click UPDATE.
Clicking the PDF icon will generate a downloadable PDF containing all information for
the selected time range.
By clicking a graph legend, you can turn data series on and off:
Languages
The interface is currently available in three languages – English (default), Spanish, French
and Portuguese.
You can select your choice of language from any page in the interface, including the
login page.
Section 3 of this Guide – “Configuration Reference” – reproduces the online help, with
additional notes in some places.
Step 1
Click Initial Configuration Assistant to start the assistant.
Click NEXT to continue. You will have a chance to review the information you have
entered before applying the settings. You can cancel an assistant at any time. No
changes are made to this CACHEBOX until they are committed.
Step 2
Record identification information for this CACHEBOX.
This step is optional. If you have multiple CACHEBOXes, this information will help you
identify each unit.
The Description and Location information are published by the on-box SNMP server. So if
you use an SNMP network monitoring system to monitor the CACHEBOX, it will be able to
show the description and location. Click NEXT to continue.
Step 3
Configure external servers.
Step 4
Configure the SMTP mail server settings.
CACHEBOX can be configured to send you email alert messages (for example, to send
you an email when users log in and log out).
To enable this, CACHEBOX must first be configured to use an SMTP mail server. Enter the
IP address or DNS hostname of your preferred SMTP server. Click NEXT to continue.
Step 5
Restrict access to administrative services
The Admin Network(s) setting controls which machines or networks can access the web
and SSH admin interfaces, as well as SNMP monitoring. Other services are not affected.
The use of admin networks is very important for appliances open to the internet, to
prevent automated login attempts that could compromise the device. The public IP
address(es) of the networks from which the device needs administering should be
entered in admin networks. It is also useful on a LAN, to only allow specific hosts or parts
of the network to access the device.
Enter the IP address of your trusted administrative network. More than one network can
be provided separated by space. Click NEXT to continue.
Step 6
You will now be shown a summary of the settings you have chosen. If all settings are
correct, click SUBMIT to save the changes. If there is some information you want to
correct, click PREVIOUS to go back to previous screens.
Your settings will be checked: if there are any problems, a message will show details of
the invalid data.
If you are using deployments in Gateway mode, WCCP or Bridge mode, the Basic
Caching Assistant can be used to do the initial configuration setup.
If you prefer to configure these settings later, you can do so at any time by either
accessing the Basic Caching Assistant from ‘System’ > ‘Overview’, or navigating to the
relevant pages of the Web Interface (‘Cache’ > ‘Service’ for configuring permitted
subnets and ‘Cache’ > ‘Advanced’ for enabling Source Address Spoofing).
There is no basic caching assistant for PBR as this deployment mode requires the router to
be configured rather than CACHEBOX. If you are deploying in PBR mode, you should
refer directly to the ‘Next Steps’ section below.
Step 1
You should make a note of which addresses you would like to allow access to this
CACHEBOX. You should also know the mode in which you will deploy your appliance.
Step 2
Select your method of deployment from one of the four options available.
The remaining steps will vary depending on the mode you have selected.
To continue, please go to the instructions below for your chosen method.
Step 3
Tick both interfaces for the bridge and click NEXT to continue.
Step 4
Add your permitted subnets. If you do not add these, your CACHEBOX will become
vulnerable to unauthorised users who may abuse it.
Step 5
Confirm that your basic Bridge mode settings are correct.
If you want to edit any configurations, click PREVIOUS to go back to the relevant step.
Otherwise, click SUBMIT.
By default, the Intercept Requests From setting for bridge mode is All IP Addresses.
If you want to customise this, you must do so from the ‘Cache’ > ‘Deployment’ menu,
under the heading Bridge Mode Settings.
You have now set up the basic CACHEBOX configuration for Bridge mode. Continue
reading from “Next Steps” in the section below.
Step 3
Set global settings for WCCP deployment.
Step 4
Add your permitted subnets. If you do not add these, your CACHEBOX will become
vulnerable to unauthorised users who may abuse it.
Step 5
Confirm that your basic WCCP settings are correct.
If you want to edit any configurations, click PREVIOUS to go back to the relevant step.
Otherwise, click SUBMIT. You have now set up the basic CACHEBOX configuration for
WCCP mode.
This assistant helps you set up the most basic form of WCCP deployment. If you want to
set up Source Address Spoofing with WCCP, you must first set up your dynamic groups.
This option is not available on the basic caching assistant. You should refer to the next
section for details on how to do this.
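The Admin Network(s) field (Step 5 of the Initial Configuration Assistant) and the permitted-subnets step of the Basic Caching Assistant (Step 4 in both the Bridge mode and WCCP variants above) each take a space-separated list of addresses or networks. The following Python is an added example, not the appliance's own code: it parses such a list, tests whether a source address falls inside it, and audits the two mistakes these steps warn against, an empty list (every source accepted) and a catch-all prefix. The address values are documentation ranges chosen for the example.

```python
import ipaddress

# Constructed form values (documentation address ranges, not values from the guide).
ADMIN_NETWORKS_FIELD = "192.0.2.10 203.0.113.0/29"
PERMITTED_SUBNETS_FIELD = "10.20.0.0/16 2001:db8:1::/48"


def parse_networks(field: str):
    """Parse a space-separated list as typed into the form.

    A bare address becomes a single-host network; host bits set in a prefix
    (e.g. 10.20.5.7/16) are masked off rather than rejected. A token that is
    not an address or prefix raises ValueError, which is what a form should
    report back rather than silently dropping the entry."""
    return [ipaddress.ip_network(token, strict=False) for token in field.split()]


def is_allowed(client_ip: str, networks) -> bool:
    """True when client_ip lies inside any network in the list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def audit_allowlist(field: str, name: str):
    """Warnings for a list that is wider than an allowlist should be."""
    warnings = []
    networks = parse_networks(field)
    if not networks:
        warnings.append(f"{name}: empty, so every source address is accepted")
    for net in networks:
        if net.prefixlen == 0:
            warnings.append(f"{name}: {net} matches every address")
    return warnings


if __name__ == "__main__":
    admin = parse_networks(ADMIN_NETWORKS_FIELD)
    cache = parse_networks(PERMITTED_SUBNETS_FIELD)
    for ip in ("192.0.2.10", "203.0.113.9", "10.20.99.1", "2001:db8:2::5"):
        print(f"{ip:>16}  admin={is_allowed(ip, admin)}  cache={is_allowed(ip, cache)}")
    for field, name in ((ADMIN_NETWORKS_FIELD, "Admin networks"),
                        ("", "Permitted subnets"),
                        ("0.0.0.0/0", "Permitted subnets")):
        print(audit_allowlist(field, name) or [f"{name}: ok"])
```

The same two functions can be run over the appliance's access log (source address per request) to confirm after go-live that only addresses inside the permitted subnets are being served.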
Next Steps
The basic installation of your appliance is complete. You are now ready to carry out
remaining configuration tasks specific to your deployment, detailed in the remainder of
this Getting Started section on the following pages. The remaining tasks are:
Complete Network Integration. If you have not already done so, confirm which
deployment mode you are going to use. Then follow the steps in the appropriate
one of the following sections on how to implement a specific deployment mode:
- WCCP
- Bridge mode
- Policy-Based Routing
Check your deployment. Make sure CACHEBOX is functioning correctly after you
have completed configuration within your network.
Configure your permitted subnets. Implement important security measures to
control access to CACHEBOX. It is best to do this after configuring the cache
and checking it is working.
After that, make any further configurations you want beyond simply the steps for
“Getting Started”. For example, you may wish to set up the appliance
administration – users, logs, reporting, alerts and so on.
WCCP Deployment
WCCP (Web Cache Communication Protocol) is a feature of some Cisco routers and
switches which allows you to re-route HTTP traffic to a caching device. If your network
uses routers, layer 3 switches or firewalls that support Cisco’s WCCP protocol, it is likely to
be your best deployment option. However, WCCP deployment usually involves more
complicated configuration than other options – both on the (typically) Cisco device and
on CACHEBOX.
Therefore, you should ensure that if you are carrying out WCCP deployment, you have
the necessary knowledge and information. In the following pages, you will find detail
on:
What you need to know before implementing WCCP deployment
Detailed configuration steps for each of two WCCP deployment options:
- Basic WCCP “standard” deployment
- WCCP deployment with Source Address Spoofing
Instructions on how to check your deployment
The information in this section is provided as a guide only. ApplianSys cannot be held
responsible for changes that you make to your Cisco set up. Please do not attempt to
make changes without adequate Cisco training and/or support.
Routers Switches
800 CAT3550
1000 CAT3560
2000 CAT3750
3000 CAT4500
4000 CAT4900
7000 CAT5000
10000 CAT6000
Due to the variance in Cisco hardware/software feature support, it is advised that you
check the level of WCCPv2 support available.
A list of supported features can be found in the online help of the interface: Navigate to
‘Cache’ > ‘(Deployment) Advanced’ > ‘WCCP Global Settings’ and click the icon.
If you are using 3750 series switches or similar, ensure your IOS version is suitable
You need to make sure the IOS you are running supports:
- WCCP Redirection on Inbound Interfaces
- WCCP version 2
You can check these features by using the Cisco Feature Navigator available
free on the Cisco website. Searching online for “Cisco Feature Navigator” should
give you the latest link. If your IOS does not list these features, you will need to
upgrade to a newer version of IOS that does include them.
If you are using 3750 series switches or similar, ensure your SDM template is correct
Type the "show sdm prefer" command on your switch:
C3750G-24T#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C3750G-24T(config)# sdm prefer routing
Changes to the running SDM preferences have been stored, but
cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently
active.
C3750G-24T(config)#^Z
C3750G-24T#show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of igmp groups + multicast routes: 1K
number of unicast routes: 8K
number of directly connected hosts: 6K
number of indirect routes: 2K
number of policy based routing aces: 0
number of qos aces: 512
number of security aces: 1K
On next reload, template will be "desktop routing" template.
C3750G-24T#
After the changes have been applied, you need to reload your switch IOS for the
changes to take effect.
Have Cisco network interfaces with VLAN support
For an ideal WCCP Source Address Spoofing implementation, we recommend
you connect CACHEBOX to a separate interface/VLAN. The main reason is the
handling of traffic redirection.
Router configuration
This configuration uses the standard WCCP “Web-cache” service for redirection.
Step 1
Back-up your Cisco router configuration
Step 2
Activate the WCCP v2 Web-cache Service
wccprouter#conf t
wccprouter(config)#ip wccp web-cache password secret
wccprouter(config)#exit
Step 3
Configure WCCP redirect inbound on the network interface
wccprouter#conf t
wccprouter(config)#interface GigabitEthernet0/2
wccprouter(config-if)#ip wccp web-cache redirect in
wccprouter(config-if)#end
Step 4
Save the Cisco configuration
If both your clients and the CACHEBOX connect to the router on the same network
interface, you will need to create specific access lists for WCCP traffic redirection in
order to avoid creating a WCCP loop. This is particularly relevant for Cisco ASA devices
which only support WCCP redirection through the same interface as the client network.
Example
Your customers and the CACHEBOX are connected to the router on interface
GigabitEthernet0/2. The CACHEBOX uses the IP address 192.168.100.254, and the
customers use IP addresses within the range 192.168.100.0/24. Because both the
CACHEBOX and the customers are connected to the same interface, and because all
HTTP traffic on that interface is being redirected via WCCP, the IP address of the
CACHEBOX must be excluded from the redirection; otherwise the cache's own requests to
the internet would be redirected back to it, creating the WCCP loop described above.
In order to do that you need to create an access-list on the router:
wccprouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wccprouter(config-ext-nacl)#end
Now that you have the access-list ready to use, you need to repeat "Step 2" in modified
form to apply the access-list.
wccprouter#conf t
wccprouter(config)#ip wccp web-cache password secret redirect-list 100
wccprouter(config)#exit
This will allow you to use WCCP redirection without creating a WCCP loop.
CACHEBOX configuration
Step 1
You should already have configured basic settings during “Initial Installation”. However,
you may want to check, in particular that the settings are correct to communicate with
your Cisco device:
In ‘Network’ > ‘Settings’ check:
Network Interface eth0 has the correct IP address and Netmask
The default route is set to the IP address of the Cisco interface facing CACHEBOX
A valid (and routable) DNS server IP address has been set
If you are not sure, check in ‘System’ > ‘Time’ that a valid network timeserver has been set
Step 2
Configure WCCP
Navigate to ‘Cache’ > ‘Deployment’ > ‘Mode’
Select WCCP from the dropdown list and click SAVE
The CACHEBOX proxy service will restart and it will attempt to negotiate a WCCP
connection to the Cisco router.
wccprouter#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.100.1.1
Protocol Version: 2.0
Next Steps
Check your deployment. See details in the next section of “Getting Started”.
Configure permitted subnets. See details in the final section of “Getting Started”.
Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.
Router configuration
The following example shows annotated Cisco IOS commands which are known to work
on a Cisco 7206 router with three physical ethernet interfaces:
GigabitEthernet0/1: WAN Gateway
GigabitEthernet0/2: client network gateway
GigabitEthernet0/3: interface where the CACHEBOX is connected
Step 1
Backup your current configuration. e.g.
Step 2
Enter CISCO configuration mode
wccprouter# conf t
Step 3
Enable WCCP version 2
Step 4
Create two custom WCCP services. It is important to use the service numbers 80 and 90
Step 5
Configure the outbound WCCP service on the client network interface.
wccprouter(config)#interface GigabitEthernet0/2
wccprouter(config-if)#ip wccp 80 redirect in
wccprouter(config-if)#exit
Step 6
Configure the inbound WCCP service on the WAN gateway interface
wccprouter(config)#interface GigabitEthernet0/1
wccprouter(config-if)#ip wccp 90 redirect in
wccprouter(config-if)#exit
Step 7
Exit the config mode and copy the changes to the startup-config
This will enable WCCP redirection for all the traffic on the interfaces that have WCCP
redirection active. This is not a problem if that is what you want, but it can be a problem
when you do not want all HTTP traffic to go via the cache, or you want to use web
caching for certain customers only. To choose who will use the cache and who will not,
you need to define access lists on your router and apply them to the dynamic WCCP
services. Access lists for WCCP were already set up in ‘Standard WCCP setup’ above;
however, because two dynamic services are now in use, and because Source Address
Spoofing is also in use, the access lists are slightly different.
Example: The CACHEBOX IP is 192.168.100.254. The CACHEBOX is connected to interface
GigabitEthernet0/3, the customers are connected to interface GigabitEthernet0/2 and
the internet connection is on GigabitEthernet0/1. In this example WCCP redirection is
used for multiple customer IP address ranges, and access lists control which addresses
are redirected. The requesting IP address subnets are 192.168.100.0/24, 172.16.100.0/24
and 172.16.200.0/24. First, create two extended access lists to use with the dynamic
WCCP services.
Please note that the access lists CACHEBOX80 and CACHEBOX90 are different.
CACHEBOX80 permits traffic based on the source IP address while CACHEBOX90 permits
traffic based on the destination IP address. Please note that if you want to add new IP
addresses or subnets to WCCP redirection, you need to add them to both access lists
based on the examples above. This is very important, as redirection will not work
properly if you only add them to one access list.
Now that we have the access lists ready to use, we need to repeat Step 4 in a modified
form and apply the lists to the proper WCCP services.
At this point WCCP will only redirect traffic for the subnets allowed in the access lists
"CACHEBOX80" and "CACHEBOX90".
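The following Python model, added here as an illustration and not part of this guide or of any Cisco or ApplianSys code, imitates the router's redirect decision for the two access lists described above (and the exclusion of the cache's own address used in the standard deployment), so the effect of adding a subnet to only one list can be seen. Interface names, addresses and service numbers are the guide's; the sample packets and the access-list logic are constructed, and the cache is assumed to sit on GigabitEthernet0/3 with no redirect statement.

```python
"""WCCP redirect-list model for the Source Address Spoofing layout above.

Added illustration written for this guide, not ApplianSys or Cisco code. It
imitates the router's decision for the two dynamic services: service 80 on the
client interface (matched on source address) and service 90 on the WAN
interface (matched on destination address), with the CACHEBOX on its own
interface. Addresses and interface names are the guide's; packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, Optional, Tuple

CACHEBOX_IP = ip_address("192.168.100.254")
CUSTOMER_SUBNETS = ["192.168.100.0/24", "172.16.100.0/24", "172.16.200.0/24"]

# Interface roles from the 7206 example above.
IF_WAN, IF_CLIENTS, IF_CACHE = "GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on ("redirect in" is evaluated here)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def _in_any(addr: str, subnets: Iterable[str]) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in subnets)


def acl_cachebox80(pkt: Packet, subnets: Iterable[str]) -> bool:
    """CACHEBOX80: client -> internet, matched on SOURCE address.

    The cache's own address is denied first; this is what keeps the cache's own
    fetches out of the redirect (the same idea as excluding 192.168.100.254 in
    the standard redirect-list 100 above).
    """
    if ip_address(pkt.src) == CACHEBOX_IP:
        return False
    return pkt.proto == "tcp" and pkt.dport == 80 and _in_any(pkt.src, subnets)


def acl_cachebox90(pkt: Packet, subnets: Iterable[str]) -> bool:
    """CACHEBOX90: internet -> client, matched on DESTINATION address.

    Replies to spoofed requests carry the client address as destination and the
    web server's port 80 as source (hence the ports_source flag on service 90).
    """
    return pkt.proto == "tcp" and pkt.sport == 80 and _in_any(pkt.dst, subnets)


# Which service (and access list) "ip wccp NN redirect in" binds to each interface.
SERVICE_ON_INTERFACE: Dict[str, Tuple[str, Callable[[Packet, Iterable[str]], bool]]] = {
    IF_CLIENTS: ("80", acl_cachebox80),
    IF_WAN: ("90", acl_cachebox90),
    # IF_CACHE has no redirect statement: traffic from the cache is routed normally.
}


def redirect_decision(pkt: Packet, subnets80: Iterable[str], subnets90: Iterable[str]) -> Optional[str]:
    """Return the WCCP service ID that would redirect pkt, or None for normal routing."""
    bound = SERVICE_ON_INTERFACE.get(pkt.ingress)
    if bound is None:
        return None
    service, acl = bound
    subnets = subnets80 if service == "80" else subnets90
    return service if acl(pkt, subnets) else None


def trace_flow(client: str, server: str, subnets80: Iterable[str], subnets90: Iterable[str]):
    """Follow one HTTP request through the three hops a spoofing deployment produces.

    Returns the redirect decision for (1) the client's request on the client
    interface, (2) the cache's spoofed request leaving on the cache interface and
    (3) the server's reply arriving on the WAN interface.
    """
    request = Packet(IF_CLIENTS, client, server, 40000, 80)
    spoofed = Packet(IF_CACHE, client, server, 40001, 80)  # source spoofed to the client
    reply = Packet(IF_WAN, server, client, 80, 40001)
    return tuple(redirect_decision(p, subnets80, subnets90) for p in (request, spoofed, reply))


if __name__ == "__main__":
    # Both lists carry the same subnets: request and reply both reach the cache.
    print(trace_flow("172.16.200.10", "203.0.113.20", CUSTOMER_SUBNETS, CUSTOMER_SUBNETS))
    # Subnet present in CACHEBOX80 only: the reply bypasses the cache and reaches a
    # client that never opened that connection, which is the breakage warned of above.
    print(trace_flow("172.16.200.10", "203.0.113.20", CUSTOMER_SUBNETS, CUSTOMER_SUBNETS[:2]))
```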
CACHEBOX Configuration
Step 1
You should already have configured basic settings during “Initial Installation”. However,
you may want to check, in particular that the settings are correct to communicate with
your Cisco device:
In ‘Network’ > ‘Settings’ check:
Network Interface eth0 has the correct IP address and Netmask
The default route is set to the IP address of the Cisco interface facing CACHEBOX
A valid (and routable) DNS server IP address has been set
If you are not sure, check in ‘System’ > ‘Time’ that a valid network timeserver has been set
Step 2
Enable Source Address Spoofing
Navigate to ‘Cache’ > ‘Deployment’ > ‘Mode’
Select WCCP from the dropdown list and click SAVE
Navigate to ‘Cache’ > ‘Deployment’ > ‘Advanced’
Set Source Address Spoofing to ’Enabled’
Step 3
Configure and enable the WCCP service
Set the WCCP Mode to Enabled
In the Router/Switch IPs or hostnames field, input the IP addresses of your WCCP
routers/switches on separate lines. You can specify multiple routers if you plan to
use multiple routers for WCCP
Select the required Forwarding Method (GRE Tunnel or Layer 2 Redirect)
If GRE Tunnel has been selected, define the appropriate GRE Remote Endpoint
IP (Usually the CACHEBOX facing interface IP on the Cisco or loopback address).
For Assignment Method, choose Hash Assignment if the Forwarding Method is GRE
Tunnel. Otherwise choose Mask Assignment for ‘Layer 2 Redirect’
Ensure Rebuild Wait is Yes
Ensure the weight value is 10,000
You do not need to enter a Standard Web Cache Password as it isn’t required for
Source Address Spoofing.
If you want CACHEBOX to log statistics from the router, set Log Router Statistics to
Enabled. The logging mechanism uses SNMP to retrieve the data from the
router.
Click SAVE
Step 4
Configure WCCP Dynamic Service Group (80)
Click ADD
Enter the Service ID, in our case 80
Enter the Password, this is the WCCP password specified when you configured the
Service Group within the router
Select Protocol to tcp
Select the Flags: tick only the box for src_ip_hash and leave the others unticked
Set the Priority to 240
Set Ports to 80
Click SAVE
Step 5
Configure WCCP Dynamic Service Group (90)
Click ADD
Enter the Service ID, in this case 90
Enter the Password, this is the WCCP password specified when you configured the
Service Group within the router
Set Protocol to tcp
Select the Flags, check only the boxes for dst_ip_hash and ports_source. The
flags for Service Group 90 are different from Service Group 80. Ensure they are set
correctly
Set the Priority to 240
Set Ports to 80 and click SAVE
Step 6
Verify Service Groups and enable WCCP
Verify that the service groups are now defined as required
The CACHEBOX proxy service will restart and it will attempt to negotiate a WCCP
connection to the Cisco router.
Step 1
Turn on WCCP debugging and watch the Cisco syslog output for WCCP debug
messages.
monitor terminal
debug ip wccp events
debug ip wccp packets
Step 2
Show the Cisco WCCP status e.g.
wccprouter#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.100.1.1
Protocol Version: 2.0
Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 32
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Step 3
Show detail of each WCCP service
Step 4
Examine the Cisco running configuration
wccprouter#show running-config
Building configuration...
...
ip wccp 80 password secret
ip wccp 90 password secret
--More--
Next Steps
Check your deployment. See details in the next section of “Getting Started”.
Configure permitted subnets. See details in the final section of “Getting Started”.
Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.
Bridge Mode
Bridge mode – with a Fail-to-Wire option – is a preferred, resilient deployment method
where more advanced routing equipment is not available.
This is a simple in-line deployment with a minimum of changes required to your network.
Bridge mode is a form of HTTP Interception caching. As such, it would normally be
deployed with Source Address Spoofing to minimise the impact on the logical network.
The following pages give you configuration details for the main steps in setting up Bridge
mode. These are:
Check which ports should be used in your particular deployment
Configure CACHEBOX to establish a bridge interface
Configure CACHEBOX to enable Bridge mode HTTP interception
Optionally, if you have VLAN-tagged traffic passing through CACHEBOX, choose
whether to intercept traffic for each VLAN
Check everything is working as intended.
Using 2 ports
Here the CACHEBOX has its default route set to the router, and is managed via the
(single) IP address on the bridge. This should not be used with Fail-to-Wire, as there
would be no connectivity to the appliance in order to diagnose faults which caused the
bridge to enter ‘bypass’ mode.
Using 3 ports
Here the CACHEBOX has an independent IP – not part of the bridge – which is used for
management. This will remain available even in the event of a Fail-to-Wire bypass
condition. The bridge should still be given an IP address in the same subnet as the
default route, to ensure that internet requests are directed towards the WAN router.
Set up a Bridge
It is possible to use any combination of network devices to create a bridge, the most
common (and recommended) scenarios are as follows:
2-port Bridge mode:
- Bridge eth0 and eth1
3-port Bridge mode:
- Bridge eth1 and eth2. Keep eth0 as an independent management
interface.
3-port with Fail-to-Wire:
- The Fail-to-Wire interfaces are typically eth2 and eth3 - these should be
bridged. Leave eth1 unused and eth0 for the management interface.
When setting up bridge mode with the Fail-to-Wire card option on, you should initially set
up eth0 to have the management IP on it and not the service IP.
Step 1
Navigate to ‘Network’ > ‘Settings’. The section ’Available Network Interfaces’ shows
available physical devices.
Step 2
For each interface that you want to be in the bridge (e.g. eth1 & eth2), click the
'Aggregation' tab, select Bridge from the dropdown menu and select the 2 interfaces
to bridge. Ensure STP is ticked and click SAVE to apply the changes.
The ‘Available Network Interfaces’ should now show the bridge “br0” made up of “eth2”
and “eth3”.
Step 3
Plug the LAN (client) side of your network and the WAN (internet) side of your network
into the bridged ports.
Step 4
Navigate to ‘Network’ > ‘Overview’ to check the status of network ports. Both bridge
ports should be green and should be reporting their negotiated port speed e.g.
1000Mb/s
Step 5
Log into a client computer (on the LAN side of the bridge) and test that it has full access
to the internet, e.g.
Ping the default gateway IP
Ping an internet IP (e.g. 8.8.8.8)
Ping an internet domain name (e.g. www.appliansys.com)
Browse internet websites
All network protocols should work exactly as before the deployment of the bridge.
The CACHEBOX proxy service will now start intercepting and caching HTTP traffic.
You can choose which traffic is intercepted by changing the Intercept Requests From
and Intercept Requests On options.
Intercept Requests From can be set to All IP Addresses or Permitted Subnets
Only. Choosing Permitted Subnets Only will make the CACHEBOX only intercept
traffic originating in the permitted subnets configured on the ‘Cache’ > ‘Basic Settings’
page.
Intercept Requests On lists the network interfaces currently configured as a bridge. By
default traffic arriving at all interfaces will be intercepted. You can stop the CACHEBOX
intercepting HTTP requests arriving at an interface by un-ticking the relevant box.
CACHEBOX will bypass all traffic - including HTTP - for VLANs or subnets that are not
specified in ‘Permitted Subnets’.
Next Steps
Check your deployment. See details in the next section of “Getting Started”.
Configure permitted subnets. See details in the final section of “Getting Started”.
Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.
Having completed “Initial Installation”, the remaining task in this scenario is typically
simply to configure your router. You need to make sure it redirects client HTTP traffic (TCP
port 80) to the CACHEBOX, while all other IP traffic continues to be routed using existing
routes.
These instructions give you a general guide to implementing Policy-Based Routing.
Actual configuration details will depend on your router hardware/software.
Usually, you cannot use Source Address Spoofing (server transparency) with Policy-Based
Routing. When Source Address Spoofing is enabled, the router cannot distinguish client
IP traffic from spoofed IP traffic (originating from the CACHEBOX).
Source Address Spoofing may be possible if your router can be configured with policy
routing rules that match source MAC addresses, or rules that match the ingress port
(assuming the CACHEBOX is attached to a specific router port).
Consult your router product manual for information about these advanced Policy-Based
Routing features.
Some routers and firewalls may be configured to monitor CACHEBOX’s IP, such that they
will automatically bypass the CACHEBOX in the event it becomes unavailable. Consult
your device’s manual, or contact support or your local vendor for more information on
your specific device.
Next Steps
Check your deployment. See details in the next section of “Getting Started”.
Configure permitted subnets. See details in the final section of “Getting Started”.
Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.
To ensure that the settings you have chosen are correct you can run a diagnostic tool
available from the CACHEBOX web interface, which will run a series of tests. Browse to
‘System’ > ‘Support’ > ‘System and Network Diagnostics’ and click RUN TESTS. Successful
tests will be displayed in green, while failed ones will be in red.
If you do not add any permitted subnets then you leave this appliance open to
unauthorised users who may abuse this system.
For example, through an open server, unauthorised users may browse anonymously, and
therefore circumvent existing internet browsing restrictions, as well as cause excessive
bandwidth usage.
The ‘Permitted Subnets’ section allows you to restrict HTTP access through the
caching server to a number of subnets. If no subnets are defined, then no
restrictions are placed on the clients' network.
To configure a new subnet click ADD NETWORK and add an IP address and a
Label (name) for each subnet.
If you already have a list of permitted subnets, click on the Advanced tab to
switch to a text view. You can then paste the permitted subnets you wish to
define.
Example:
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3
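As an added example, not CACHEBOX code, the following Python parses the text-view list shown above and applies the access rule as described (an empty list means no restriction), flagging lists that would leave the cache usable by anyone. The handling of blank and malformed lines is an assumption about the format.

```python
"""Permitted Subnets checker for the text-view format shown above.

Added example for this guide, not CACHEBOX code. It parses "CIDR Label" lines as
accepted on the Advanced tab and reproduces the rule described above: with no
entries, any client may use the cache. Blank-line and error handling is assumed.
"""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed sample, matching the guide's example list.
PERMITTED_TEXT = """\
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3
"""


def parse_permitted(text: str) -> Tuple[List[Tuple[Network, str]], List[str]]:
    """Parse 'CIDR Label' lines; the label is everything after the first space.

    Returns (entries, errors). A malformed line is reported rather than silently
    dropped: a dropped subnet would lock that customer out, and if it was the only
    entry the cache would be left open to everyone.
    """
    entries: List[Tuple[Network, str]] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cidr, _, label = line.partition(" ")
        try:
            net = ip_network(cidr, strict=True)  # rejects host bits set, e.g. 192.168.1.5/24
        except ValueError as exc:
            errors.append(f"line {lineno}: {cidr!r} is not a valid subnet ({exc})")
            continue
        entries.append((net, label.strip()))
    return entries, errors


def is_permitted(client_ip: str, entries: List[Tuple[Network, str]]) -> bool:
    """Apply the rule: no entries means no restriction; otherwise the client must match one."""
    if not entries:
        return True
    addr = ip_address(client_ip)
    return any(addr in net for net, _ in entries)


def open_proxy_risk(entries: List[Tuple[Network, str]]) -> List[str]:
    """Explain why the list would leave the cache usable by any client, if it would."""
    reasons = []
    if not entries:
        reasons.append("no permitted subnets defined: all clients are accepted")
    for net, label in entries:
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 matches every address
            reasons.append(f"entry {net} ({label!r}) matches every address")
    return reasons


if __name__ == "__main__":
    entries, errors = parse_permitted(PERMITTED_TEXT)
    for net, label in entries:
        print(f"{net!s:<18} {label}")
    print("errors:", errors)
    print("172.16.5.9 permitted:", is_permitted("172.16.5.9", entries))
    print("203.0.113.5 permitted:", is_permitted("203.0.113.5", entries))
    print("risk with empty list:", open_proxy_risk([]))
```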
Next Steps
Complete any further special configuration beyond the standard generic steps
detailed here in Section 2.
SECTION 3:
CONFIGURATION REFERENCE
This reference section describes in detail each of the screens you can find in your appliance’s
web administration interface.
IN THIS SECTION
Introduction 78
System Menu 78
Overview 79
Information 80
Services 81
Disks 82
Alarms 84
Logging 85
Alerting 87
Thresholds 88
Reports 90
Users 92
Authentication 94
Time 98
CMC 99
Support 101
Licensing 105
Backup 106
Firmware 108
Shutdown 110
Content Menu 162
Overview 162
CDN 163
Filtering 164
Bypass 167
Purge Objects 168
Cache Backup 169
Pre-Caching 171
Reports Menu 175
Overview 176
Periodic 177
Performance 180
Statistics 182
Settings 184
Schedule 186
Introduction
Once connected to the network, the secure web interface can be accessed. Visiting
http://ipofCACHEbox/ will redirect automatically to the HTTPS interface.
Many browsers will warn that the SSL certificate is not valid. This is because it is
self-signed and not registered with a certifying body for the IP address it is on. The
warning can therefore be ignored. The self-signed certificate can also be downloaded
from the login screen by clicking on the shield icon.
The default username is “admin”; the password is as configured during the initial
console_ui configuration. Once logged in you should see the ‘Overview’ screen in the
‘System’ tab.
System Menu
The ‘System’ menu is where you edit and view configuration details relating to the
appliance operating system. From here you can:
Run assistants
View system statistics
Diagnose problems
Monitor the hardware inside the appliance
Upgrade the CACHEBOX’s software or operating system using an upgrade patch
Perform system backup and restore operations
Shutdown or restart the appliance
Overview
This page shows key information about the system as well as Assistants to help you
perform initial installation tasks.
System Status: If the system is working normally, System Status will display a green
tick. If a system error has occurred, such as the licence being due to expire in the near
future or an incorrect upgrade having been detected, a cross will be displayed. If this is
the case, go to the ‘Alerting’ page to find out what the issue is.
System (or CPU) Load: System Load reports the average CPU load over the last 5
minutes. Place your mouse over the icon to see the five processes consuming the most
CPU time. If the status is not OK but the load has now dropped to an OK level, it could
take minutes before the OK message re-appears, because this is a 5-minute average.
Service Status: If the service indicator is not OK, click on SERVICE DETAILS to go to the
‘Services’ page. Here you can view a list of key services on CACHEBOX, showing whether
any important issues have been detected. The status of services is regularly refreshed. For
further details see the ‘Services’ section.
Licence: Some services running on this appliance require a licence. If your licence has
expired (in the case of temporary licences) or has not been installed, a cross here will
indicate a problem.
Uptime: Uptime tells you how long CACHEBOX has been running since it was last booted.
This is refreshed automatically every 10 seconds.
CACHEBOX ‘Assistants’ help you perform important initial configuration tasks. You can
re-run them at any time. To start an assistant click on its icon. You can cancel an
assistant at any time. No changes are made to CACHEBOX until they are committed.
Initial Configuration Assistant: Helps you set up your appliance for the first time.
Basic Caching Assistant: Helps you configure the web caching service.
Information
This ‘Appliance Details’ section can be used to store useful information about this
CACHEBOX. Some of this information will be available for use by SNMP.
The Server Administrator Email is the email address of the local administrator of the
CACHEBOX.
Support Contact Details can be used to specify an email address, telephone number or
other contact details for the person who should be contacted when the CACHEBOX
malfunctions. This will be shown on the CACHEBOX login page.
Services
This section contains a list of services which should be running on this appliance, with
status indicators and information. These are regularly refreshed.
In the example screenshot below the cmc_client and cmc_sync services are disabled as
the CACHEBOX is not configured to connect to a CMC.
Some services require a valid licence in order to run. Provided CACHEBOX is fully
licensed and has completed its boot sequence, a tick should be shown against each
enabled service.
If a warning is shown against one of the services (if you place your mouse over it you
should then see a “not running” message), wait 30 seconds:
If the service is now shown as running then it is likely that a service restart had
been scheduled by the system, which is normal behaviour.
If the service is still not running, you should contact support.
This section will also indicate if any important issues have been detected. An hourglass
indicates a service which is currently starting.
It is normal that some services may be “stopped or disabled”. These will show a stop sign
and be greyed out.
The collectd service is dependent on the time having been synchronised via NTP. If
you see that NTP is not running, check that the time servers listed in ‘System’ > ‘Time’ are
reachable and working.
Disks
To view a summary of disk usage in CACHEBOX, navigate to ‘System’ > ‘Disks’. The
Overview page (default view) displays the installed disks and current disk usage. Disk
names are listed on the left; filesystems mounted on these disks are displayed on the
right.
Clicking on the Charts tab will display graphs relating to disk performance and status.
Options at the top of each page allow you to select the time frame:
Clicking the calendar icons allows you to select a date range
The drop down menu lets you select frequently used time periods
The timeline allows you to quickly drag a time period to be displayed
Disk IO: This graph shows the rate at which data is being written to and read from each
of the disks in the CACHEBOX. The Disk IO data can help diagnose problems related to
the performance of the disks.
Disk Operations: This graph is related to Disk IO, but shows the number of distinct IO
operations, rather than the total amount of data written to and read from the disks. A
few large operations may load the disk subsystem of your CACHEBOX differently to many
small operations.
Disk Health: This graph shows the number of errors reported by the SMART monitoring
function of some disks. Some disks may not report values here. For those which do, an
increase in this figure can indicate impending disk failure.
Free Space: Free space for relevant filesystems is reported here. The interpretation of
these graphs depends on the use of the specific filesystem being reported on. This
information can be useful in diagnosing problems or examining historic use.
By default times are adjusted to the local timezone offset of your web browser. Choose
a different timezone offset from the control panel if you want to view times in an
alternative timezone. Some graphs contain multiple data series. You can turn these on
and off by clicking the data series label in the top left corner of each graph.
Statistics are stored for one year and the resolution of the data decreases as it ages. For
example, data collected within the last hour is aggregated and displayed at a
resolution of ten seconds, while data which is over one month old will be aggregated
and displayed at a resolution of 3 hours.
Alarms
This page shows you any active alerts on the CACHEBOX.
Alarms should be dealt with straight away. If you require assistance then please contact
ApplianSys Support or your local vendor.
Alarms can be acknowledged, if you are confident that they don't matter in your
environment. Acknowledged alarms are listed below the active alarms.
On CACHEBOX420, active alarms are also displayed on the LCD display screen.
Logging
CACHEBOX supports two types of logging:
System – Authentication, Operating System, Hardware and Networking
Cache – Web Cache Usage
System level messages are logged automatically by CACHEBOX in this section. These
logs are generated for the purpose of fault diagnosis; there is no need to regularly review
them. CACHEBOX will perform its own maintenance functions and remedies for
temporary problems.
This page also allows you to configure a remote syslog server, to which the most
important log messages from this appliance will be forwarded. This is the only way to
make the appliance's logs persistent. This is recommended as this appliance only stores
a small number of recent log lines. There are a number of syslog servers available. Some
of the more popular include:
Syslog-ng - this is available for Linux and Microsoft Windows (premium edition
only) http://www.balabit.com/network-security/syslog-ng/
Kiwi Syslog Daemon - a syslog server available for Microsoft Windows
http://www.kiwisyslog.com/
You can add multiple remote syslog servers and configure them from this page. To add
a remote syslog server, click ADD SERVER and fill in the details as appropriate.
This appliance keeps a number of logs which may be useful in resolving problems. All
logs store only the most recent lines of output, usually a few thousand. If the appliance is
restarted then the logs are reset. It is recommended to make use of a remote syslog
server. You can view a log file by clicking one of the log file links listed. The page will
display the most recent 100 lines by default in that log.
The following buttons are available underneath the log contents:
There are various other service specific log files which can be accessed from the
CACHEBOX command line interface:
Log into CACHEBOX with the username admin and your chosen password
Change directory to /var/log
Use the 'rr-logview' command to view any or all of the log files
$ cd /var/log
$ rr-logview httpd/access_log
Calling rr-logview -f shows only new entries and keeps the log viewer running. See
rr-logview --help for available options.
The Events table lists all system events. By default the events are listed with the most
recent event first. The sort order can be changed by clicking on the column headings.
An event is generated by the system when something happens which may be of
interest. Examples of events include:
A user logging in
A user getting their password wrong when logging in
A service (such as sshd) has been started successfully
A system restart
Alerting
CACHEBOX can send alerts by email, SMS or SNMP when certain events happen which
an administrator would want to know about. There are different categories of alerts
generated by the CACHEBOX:
Hardware, e.g. a fan stops working
System, e.g. a disk is more than 90% full
Service, e.g. a system service such as ntpd is misconfigured
User, e.g. the admin user logs in to the administration interface
Cache, e.g. access log rotation has failed
When an alert is generated it will be sent to all alert subscribers that have registered an
interest in that type of alert. The table of Alert Subscriptions shows all of the subscriptions
to alerts. For each entry in the table, the following is shown:
To send an alert by email or SMTP, you must first ensure that the SMTP settings have been
configured correctly. If you want to send an alert by SMS, check to see whether your
preferred SMS gateway is supported and configured.
Thresholds
This page lets you define and set up specific parameters to set off custom alarms.
Such alarms can help you actively manage traffic. For example, you can add a rule to
alert you any time throughput exceeds 750 Mbps. This could indicate that there's more
than the expected traffic being generated by users, and therefore a risk of bandwidth
saturation. You could cancel large downloads to reduce the impact. Alarms persist
until such time they meet the 'Off' criteria set.
The following must be specified to define a threshold alarm:
Name A unique name to give this threshold alarm. When the alarm is
raised, this name will be reported
Metric The type of value to monitor against the specified thresholds
Mode Select either Above to raise an alarm when the threshold is
exceeded, or Below to raise an alarm when the metric value goes
below the threshold
On The threshold value at which to raise the alarm
Off The threshold value at which to clear the alarm. Allowing different
'On' and 'Off' thresholds provides for hysteresis
Severity This defines the severity of the raised alarm, which will determine
whether it generates alerts
Enabled This toggle allows the threshold alarm to be disabled temporarily
without needing to delete the entry
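The On/Off pair above is what gives the alarm hysteresis: a metric that hovers just under the On level after the alarm has been raised does not clear it. The following is an added illustration, not CACHEBOX code: a small alarm evaluator with the same fields (Name, Metric, Mode, On, Off, Severity, Enabled), run over a constructed series of throughput samples, once with Off below On and once with Off equal to On so the difference is visible.

```python
# Added example (not ApplianSys code): a threshold alarm with separate On/Off
# levels, evaluated over a constructed series of throughput samples in Mbps.
from dataclasses import dataclass, field


@dataclass
class ThresholdAlarm:
    name: str
    metric: str
    mode: str            # "Above" or "Below", as on the Thresholds page
    on: float            # value at which the alarm is raised
    off: float           # value at which the alarm is cleared
    severity: str = "warning"
    enabled: bool = True
    raised: bool = field(default=False, init=False)

    def __post_init__(self):
        if self.mode not in ("Above", "Below"):
            raise ValueError("mode must be 'Above' or 'Below'")
        # Off must lie on the "clear" side of On, otherwise the alarm cannot settle
        if self.mode == "Above" and self.off > self.on:
            raise ValueError("Above mode: Off threshold must not exceed On threshold")
        if self.mode == "Below" and self.off < self.on:
            raise ValueError("Below mode: Off threshold must not be lower than On threshold")

    def update(self, value):
        """Feed one sample; return 'raise', 'clear' or None when nothing changes."""
        if not self.enabled:
            return None
        if self.mode == "Above":
            trigger, release = value > self.on, value < self.off
        else:
            trigger, release = value < self.on, value > self.off
        if not self.raised and trigger:
            self.raised = True
            return "raise"
        if self.raised and release:
            self.raised = False
            return "clear"
        return None


def run_alarm(alarm, samples):
    """Return the (index, value, event) transitions an alarm produces over samples."""
    events = []
    for i, value in enumerate(samples):
        event = alarm.update(value)
        if event:
            events.append((i, value, event))
    return events


# Constructed throughput samples (Mbps). The dip to 720 at index 4 stays above the
# Off level of 700, so it must not clear an alarm raised at 760; the drop to 650 does.
THROUGHPUT_MBPS = [600, 700, 760, 800, 720, 780, 650, 770, 710]


def example():
    """On=750, Off=700: three transitions over the sample series."""
    alarm = ThresholdAlarm("high-throughput", "throughput_mbps", "Above",
                           on=750, off=700, severity="error")
    return run_alarm(alarm, THROUGHPUT_MBPS)


def example_no_hysteresis():
    """On=Off=750: the same samples flap the alarm on and off six times."""
    alarm = ThresholdAlarm("high-throughput-flapping", "throughput_mbps", "Above",
                           on=750, off=750, severity="error")
    return run_alarm(alarm, THROUGHPUT_MBPS)


if __name__ == "__main__":
    print("with hysteresis:   ", example())
    print("without hysteresis:", example_no_hysteresis())
```

Each raise would become an alert to every subscriber whose severity level for the Cache category includes the alarm's severity, so the gap between On and Off is also what keeps an alert subscriber's inbox from filling with repeated raise/clear pairs.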
You can define alerts by adding subscriptions. To add an alert subscription, click ADD.
Each subscription defines a named subscriber, whether they are to receive the alerts by
email, SMS or SNMP and for each category, what severity level of alerts they should
receive.
The level of the alert raised will be one of:
Subscriptions can be enabled and disabled using the Active checkbox. This is useful for
temporarily disabling alerts to particular subscribers without changing other subscription
details.
As you can create multiple subscriptions, you can set up many subscriptions of different
types for the same person. So, for example, they could receive less severe error level
alerts via email and emergency level alerts by SMS.
Reports
This page shows you an overview of the hardware monitoring data held on the
CACHEBOX.
On the ‘Reports’ page you are usually able to see the following graphs:
Total CPU How hard the Central Processing Unit is working. The more
requests per second that the CACHEBOX is handling, the higher
the CPU usage will be.
cpu-n A breakdown of the CPU usage for each CPU core will be
presented (there could be data for up to 8 CPU cores depending
on the CACHEBOX model.)
Memory There are many processes running on the CACHEBOX performing
different functions. Each of these processes will use up some
memory. Any remaining memory is used to speed up access to
the data stored on the disks / compact flash cards.
Swap Usage This graph shows the usage of swap space – used as an overflow
(and much slower) memory when main memory is exhausted.
Excessive use of the swap area may lead to degraded
performance.
Load Average This is a metric commonly used on servers. The higher the load
the more the CACHEBOX is being used and a high load may
result in slower response times.
Voltage Levels Voltage levels in the CACHEBOX are monitored to determine
potential hardware or power supply issues. This graph will show
the main 12V supply to the motherboard.
Temperature Temperatures may be reported for both the system as a whole
and specifically for the CPU. If the graph starts showing
abnormally high temperatures this may indicate a fan failure or
an issue with the environment in which the CACHEBOX is running
(such as poor air conditioning)
Fan Speed Many of the components in the CACHEBOX are sensitive to
extremes of heat, and fans keep these components cool. They
typically run faster when they need to provide more cooling.
There are various fans installed in the CACHEBOX to cool its
internal components. These should rotate at a constant speed.
Large fluctuations in fan speed may indicate a failing fan, which
could cause the appliance to stop working.
Downloadable PDFs are available throughout all reporting pages, for all time ranges
except custom. It is still possible to select and view reports for a custom time period.
Users
This page shows users that have already been added and gives the option to add a
new local user or edit an existing one. CACHEBOX’s web administration system comes
with a default user (admin) who has access to all areas of the system. To edit a user's
settings, including changing their password, click on the edit icon in the actions column.
To remove a user, click on the delete icon in the actions column.
The admin user cannot be deleted. Also, you cannot delete your own user.
Each user on CACHEBOX requires a Username and Password. The remaining fields in the
’User Details’ section can be optionally used to store additional information about a user.
In the current version of the firmware only the admin user can log in by ssh on the
console.
Depending on the appliance, the ‘Roles’ section will allow a user to be given one or
more roles. Different roles are required to access different parts of the appliance's
functionality.
Administrator Has full access to all parts of the interface. A user with this role
may log on at the appliance console (this is not required for
normal operation of the appliance).
Reporting Only has access to the 'Reports' menu; is able to view reports and
schedule report emails (providing an Administrator has set up an
SMTP server), but not to view or configure other appliance
settings.
Content Has access to selected pages on the 'Cache' menu; specifically
the Overview page, CDNs, Filtering, Bypass, and Pre-Caching.
These allow a Content user to fine-tune parameters related to
cache behaviour.
If you wish to change a user's password you must enter the new password in the
Password and Confirm Password fields. If you need a user to be forced to change their
password the next time they log in then tick the Change Password on Login checkbox.
If the only role available on this appliance is the Administrator role then all created users
will be assigned this role.
You cannot modify your own roles - this is to prevent you locking yourself out of the
CACHEBOX.
The CACHEBOX can also authenticate users of its appliance web interface against a
Radius server. After you add a Radius server IP and Secret (see ‘Network’ -> ‘Settings’),
you will find an ADD RADIUS button on the users page. Click the button to add a new
Radius user. The username must match a user that you have already defined on your
Radius server.
After you add a Radius user, that user can log into the CACHEBOX using the password
stored on the Radius server. When you add a Radius user, you do not need to choose a
password. The password is stored remotely on the Radius server. In the current
CACHEBOX firmware, Radius users cannot log into the command line console or via SSH.
The remaining fields in this section can be optionally used to store additional information
about a user.
Authentication
Users can be authenticated by an external authentication server, so that no credentials
need to be stored on the CACHEBOX and accounts can be managed from a central point.
The "admin" user will always be authenticated on the CACHEBOX and cannot be
remotely authenticated; additional Administrator users can be added and
authenticated remotely instead.
Only one remote authentication server can be set up and used; multiple remote
authentication servers are not supported.
By default, the CACHEBOX will only authenticate local users; if an external
authentication server is set up, the CACHEBOX will try to authenticate against local users
first, then try the remote authentication server.
There are three types of supported authentication server available. These are Microsoft
Active Directory Server (via LDAP), LDAP (Lightweight Directory Access Protocol) and
RADIUS (Remote Authentication Dial In User Service).
You must provide the following settings to configure Active Directory authentication:
Server Address The domain name or IP address of the Active Directory server.
Port Number Listening port on the authentication server (e.g. 389, 636).
AD Domain Name The Active Directory Domain name that the authenticated users are
listed in.
Base DN The base part of the Active Directory Domain Distinguished Name
(DN) for a user should be entered here.
Server Bind By default, Active Directory Server LDAP configurations do not allow
"Anonymous" binds to the server, which are required to search for
and authenticate the user, so a suitable bind user must be provided.
The Bind User must be a full Distinguished Name (DN), for example:
sAMAccountName=Administrator,CN=Users,dc=example,dc=lan
SSL Connection If required, an Active Directory Server can use LDAPS (LDAP over
SSL) for secure client to server communication.
If the Active Directory Server is using an SSL certificate signed by a
Certificate Authority (CA), for example thawte, Verisign, etc., use
"CA signed" for the SSL Connection.
If the Active Directory Server is using an SSL certificate generated by
the Active Directory Server, or self-signed certificate, then this must
be uploaded to the CACHEBOX to allow SSL Connections.
For example, if a user's full DN is:
sAMAccountName=username,CN=Users,dc=example,dc=lan
the Base DN would be:
CN=Users,dc=example,dc=lan
After you have configured Active Directory authentication, you will find an ADD Active
Directory button on the ‘Users’ page (see ‘System’ > ‘Users’).
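Two of the settings above are easy to get subtly wrong: the Base DN (which is the user's DN with its leading RDN removed) and the Bind User (which must be a full DN, not a bare account name). The block below is an added helper, not ApplianSys code, that derives the Base DN from a full user DN the way the example above does, rejects a bind identity that is not a full DN, and flags Port Number / SSL Connection combinations that do not match (389 for plain LDAP, 636 for LDAPS). The `ssl_connection` flag is an assumption standing in for the page's "CA signed" / uploaded-certificate choice.

```python
# Added example (not ApplianSys code): DN handling checks for the Active Directory
# and LDAP authentication settings described on this page.


def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas
    (e.g. CN=Smith\\, John is one component)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def base_dn_for(user_dn):
    """The Base DN is the user's full DN without its leading, user-specific RDN."""
    rdns = split_dn(user_dn)
    if len(rdns) < 2:
        raise ValueError("not a full DN: %r" % user_dn)
    return ",".join(rdns[1:])


def is_full_dn(value):
    """True only if value is attr=value pairs joined by commas, with at least two
    components; a bare 'Administrator' is rejected as the page requires."""
    rdns = split_dn(value)
    if len(rdns) < 2:
        return False
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip() or not val.strip():
            return False
    return True


def ldaps_settings_warnings(port, ssl_connection):
    """Warn on port/SSL combinations that do not match (389 plain LDAP, 636 LDAPS)."""
    warnings = []
    if ssl_connection and port == 389:
        warnings.append("SSL Connection is on but 389 is the plain LDAP port; LDAPS normally uses 636")
    if not ssl_connection and port == 636:
        warnings.append("636 is the LDAPS port but SSL Connection is off")
    if not ssl_connection:
        warnings.append("without SSL, the bind credentials cross the network in clear text")
    return warnings


if __name__ == "__main__":
    user = "sAMAccountName=username,CN=Users,dc=example,dc=lan"   # the page's example
    print("Base DN:", base_dn_for(user))
    print("bind DN ok:", is_full_dn("sAMAccountName=Administrator,CN=Users,dc=example,dc=lan"))
    print("bind DN ok:", is_full_dn("Administrator"))
    for w in ldaps_settings_warnings(389, False):
        print("warning:", w)
```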
LDAP
CACHEBOX can authenticate users of its appliance web interface against an LDAP
server.
After you add a LDAP Server Address and LDAP Base DN, you will find an ADD LDAP
button on the ‘Users’ page (see ‘System’ > ‘Users’).
On the LDAP server, the minimum 'uidNumber' should be 20,000, and the gidNumber
should be '100'. Using other values will cause errors when authenticating with the
CACHEBOX.
RADIUS
CACHEBOX can also authenticate users of its appliance web interface against a RADIUS
server.
After you add a RADIUS Server IP Address and RADIUS Server Secret, you will find an ADD
RADIUS button on the users page (see ‘System’ > ‘Users’).
Time
In this section you can set your Timezone and Timeserver(s). CACHEBOX can also act as
NTP server, which is accessible to hosts in the given Permitted Subnets.
Timezone It is important that you choose the correct Timezone. This will be
used to show local times and dates in reports, and for scheduled
services such as shutdown.
Timeserver(s) A timeserver ensures that the date and time on your CACHEBOX
is accurate. It is recommended that you enter one or more
timeservers into the Timeserver(s) field. The more timeservers you
specify the more accurate the time on the appliance will be.
ntp.org recommends that you specify four timeservers. If for any
reason the time has not yet synchronised, the SYNC TIME NOW
button will appear on this page. Click the button to force time
synchronisation.
Permitted Subnets CACHEBOX can act as a time server for other devices on your
network. By default, the firewall on CACHEBOX will deny all
external NTP requests as a security precaution. But if you do want
to allow NTP requests from other servers and clients on your
network, click ADD NETWORK to set permitted subnets here. You
should use CIDR notation. The SIMPLE option helps you enter one
subnet at a time while the ADVANCED option presents you with a
single large field where you can enter a long list, which you
should be careful to type correctly. Then click SAVE.
You should never have to set the time manually. If you find that you do, you should
contact support for details: this may indicate a problem with your unit’s hardware.
CMC
This device may be configured to report to, and be managed by, a Central
Management Console (CMC).
This page shows a list of configured CMCs. For each, it displays whether the CMC is
enabled or disabled, a label given to the CMC, the CMC's host address, and the time of
last contact with the CMC which may be useful in determining whether a CMC pairing is
working correctly.
Only one CMC should be enabled at any one time, as concurrent enabled CMCs could
lead to configuration conflicts.
CMC settings can be changed by selecting the Edit icon; the CMC configuration
can be deleted by selecting the Delete icon. If deleted, the node will no longer
communicate with the CMC and any settings will be lost. To temporarily halt
communication with a CMC, edit the settings and disable the CMC entry.
To add a new CMC Server click ADD. You will see the following page:
Support
The ‘Support’ page allows you to:
View details of any important issues that have been detected
Run system and network diagnostic tests
Download diagnostic information
View details of any program crashes
Have ApplianSys technical support securely access your CACHEBOX
The ’Important Issues’ section will only be displayed if important issues have been
detected. Examples of important issues are that your licence will shortly expire, or a
serious issue was detected during firmware upgrade.
If important issues have been detected then a red banner is also displayed at the top of
every page.
Important issues should be dealt with straight away. If you require assistance then
please contact your vendor.
The ’System and Network Diagnostics’ section displays results of various system and
diagnostic tests. Click RUN TESTS and the tests results should all appear in a few seconds.
Tests that have succeeded will display in green, whereas tests that have failed will
display in red. If any tests fail, please check the configuration of your CACHEBOX.
Depending on the model of your CACHEBOX there may be more product-specific
diagnostic tests included after the core tests. The core tests are:
Network Tests The ‘Ping default gateway’ test checks that the default gateway
(default route) is valid and can be reached using the “ping”
command. If the default gateway test fails then either the
default gateway configuration is incorrect or there is a serious
network problem. If this test fails then other tests are also likely to
fail as a result.
The ‘Ping Internet IP’ test checks that an internet address can be
reached using the “ping” command. On some networks this may
not be allowed, and the test will fail. If this test fails then you
should contact your network administrator.
DNS Tests The ‘Resolve an Internet host’ test checks that the configured DNS
server(s) can be reached and will answer a simple query. If this
test fails but the ‘Network Tests’ succeeded, then you should
check the configured DNS server(s).
NTP Tests The ‘Test time sync status’ test checks that the configured NTP
server(s) can be reached and successfully synchronised with. If
this test fails but the ‘Network Tests’ succeeded then you should
check the configured NTP server(s).
The tool rr-diagnostics can also be used to run these tests on the command line.
Execute “rr-diagnostics --help” for more information.
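The core tests and the triage rules that go with them (gateway first, then Internet reachability, then DNS and NTP only if the network tests passed) can be reproduced from any Linux host, which is useful when the appliance itself cannot be reached. The block below is an added script, not the appliance's rr-diagnostics tool: it runs the same three kinds of check with the system `ping`, the resolver and `ntpq`, and maps the results to the follow-up advice given above. The gateway, Internet IP and test hostname are placeholders, and the check functions can be swapped out (the `*_fn` arguments) so the triage logic can be exercised without network access.

```python
# Added example (not ApplianSys code): the Support page's core diagnostic tests
# run from a Linux host, with the page's triage rules applied to the results.
import socket
import subprocess


def ping(host, timeout=2):
    """True if a single ICMP echo request to host is answered (system ping)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def resolve(host):
    """True if the configured resolver answers a simple query for host."""
    try:
        socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    return True


def ntp_synced():
    """True if ntpq lists a selected system peer (the line marked with '*')."""
    try:
        out = subprocess.run(["ntpq", "-pn"], capture_output=True, text=True,
                             timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return False
    return any(line.startswith("*") for line in out.splitlines())


def run_core_tests(gateway, internet_ip, test_host,
                   ping_fn=ping, resolve_fn=resolve, ntp_fn=ntp_synced):
    """Run the core tests; the *_fn arguments let the checks be substituted."""
    return {
        "Ping default gateway": ping_fn(gateway),
        "Ping Internet IP": ping_fn(internet_ip),
        "Resolve an Internet host": resolve_fn(test_host),
        "Test time sync status": ntp_fn(),
    }


def triage(results):
    """Map pass/fail results to the follow-up actions the Support page recommends."""
    advice = []
    gw_ok = results["Ping default gateway"]
    net_ok = gw_ok and results["Ping Internet IP"]
    if not gw_ok:
        advice.append("Default gateway unreachable: check the default route first; "
                      "the other failures are probably a consequence.")
    elif not results["Ping Internet IP"]:
        advice.append("Internet IP unreachable: ICMP may be blocked on this network; "
                      "contact your network administrator.")
    if net_ok and not results["Resolve an Internet host"]:
        advice.append("Network tests passed but DNS failed: check the configured DNS server(s).")
    if net_ok and not results["Test time sync status"]:
        advice.append("Network tests passed but NTP is not synchronised: "
                      "check the configured NTP server(s).")
    return advice


if __name__ == "__main__":
    # Placeholder addresses; replace with your gateway and a reachable Internet IP.
    results = run_core_tests("192.0.2.1", "198.51.100.1", "example.com")
    for name, ok in results.items():
        print("%-28s %s" % (name, "PASS" if ok else "FAIL"))
    for line in triage(results):
        print("-", line)
```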
The ’Support Details’ section lists the support contact information. If you are
experiencing problems with CACHEBOX, click DIAGNOSTIC BUNDLE.
This will download a file containing a set of internal diagnostic information. Please
forward this to your support contact to receive help. Administrative users can change
this information on the appliance ‘Information’ page.
The ’Crash Logs’ section will only be displayed if a program has crashed. Detailed
backtrace information is provided which can be used by your support contact to
analyse the crash.
Depending on the model of your CACHEBOX crash logs may be cleared on reboot. You
can manually clear the crash logs by clicking CLEAR CRASH LOGS.
By default, ApplianSys’ Phone Home Feature is enabled. This feature will provide
ApplianSys with helpful information about CACHEBOXes in the field and the traffic that
they are serving. Using this data, ApplianSys Engineers can react to changes in traffic
demands even faster, for example, it provides the ability to identify new Content
Delivery Networks (CDNs) which are most popular per geography.
You can choose to disable this feature by clicking DISABLE PHONE HOME.
The ‘Remote Support Tunnel’ feature can be used to allow ApplianSys technical support
to securely access your CACHEBOX.
Click ENABLE to start the remote support tunnel. This will generate an ID and Password
which you will need to provide to ApplianSys technical support so that they can access
your appliance securely.
The support tunnel will automatically be disabled if it is idle for an extended period of
time, but it should normally be explicitly disabled after use.
Licensing
This appliance will usually have been licensed, so there is no immediate need to use this
feature. The ‘Licensing’ page lets you manage licences that enable certain features.
Each CACHEBOX has a Unique Appliance Code that is generated from the
CompactFlash card hardware serial number to ensure that only licences suitable for this
appliance can be installed. If a card is removed and moved to another system, it will
retain the licence information as well as appliance configuration. If the appliance is not
yet licensed, you will need the Unique Appliance Code to obtain a licence. You will also
need to supply the Appliance Code to ApplianSys if a new licence is required.
To install a licence click CHOOSE FILE in the ’Upload Licence File’ section.
To save a backup copy of the licence for the CACHEBOX click DOWNLOAD in the
‘Backup Licence’ section.
The ’Appliance Licence Details’ section will show you the additional services which the
installed licence has enabled. If for any reason a service is shown not to be running, try
refreshing this page after 30 seconds. It may be that a normal service restart was
happening as this page was loaded.
Backup
This page allows you to output a backup file containing all configuration data.
It is recommended that you take regular backups, particularly before changing any
settings.
After applying a configuration file, CACHEBOX will not automatically restart. You may
have to restart it manually for the changes to take effect, depending on the
configuration applied.
The ‘Overnight Remote Backup’ is an upload facility that allows you to schedule an
upload of daily backup files to a remote server (an FTP server, Windows/Samba Share or
a server that supports SSH/SCP secure uploads).
This is useful for:
Copying configuration data between appliances
Reverting back to previous configurations that have been saved
Support – sending a backup of configuration to support staff for analysis
To create an Overnight Remote Backup, choose your preferred remote backup server
protocol from the Backup Method drop-down list. We recommend that when you set
the username you create an unprivileged account just for the purpose of the backup.
FTP Enter the Server Name you want to send the backup to (e.g.
computer name). Set File Transfer Mode to Passive or Active.
Passive mode is the default and is suitable for most situations.
Active mode can be used but may require further configuration of
intermediate firewalls. Set Path to be the folder on the server where
the backup should be saved. Finally, set the username and
password for the FTP session.
Windows share Enter the Server Name you want to send the backup to (e.g.
computer name). Set Windows Share to be the name of the
shared folder. The Path refers to the name of the folder you might
have created inside the shared folder, where the backup should
be saved. It may be left blank. Finally, set the username and
password of the Windows account.
SSH/SCP Enter the Server Name you want to send the backup to (e.g.
computer name). Set Path to be the folder on the server where the
backup should be saved and set the username. Click on the link to
download the public SSH key for the CACHEBOX and append it to
the authorized_keys file (e.g. ~/.ssh/authorized_keys) of your
remote server.
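For the SSH/SCP method the appliance's public key has to be appended to `authorized_keys` on the remote server, and sshd will silently refuse the key if the `.ssh` directory or the file is group- or world-writable. The script below is an added helper, not ApplianSys code, for doing that step on the unprivileged backup account recommended above: it checks that the line is an OpenSSH public key, creates `.ssh` as 0700 and `authorized_keys` as 0600, and appends the key only if its type and key material are not already present, so running it again after a re-download does not create duplicates. The key line shown is constructed for the demonstration; the real one is downloaded from the Backup page.

```python
# Added example (not ApplianSys code): install a CACHEBOX public key into the
# authorized_keys file of an unprivileged backup account on the SSH/SCP server.
import os
import stat
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_public_key(line):
    """Return (type, base64 key material, comment) or raise ValueError."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    return fields[0], fields[1], (fields[2] if len(fields) > 2 else "")


def install_backup_key(home_dir, key_line):
    """Append key_line to home_dir/.ssh/authorized_keys unless the same key is
    already there; fix permissions either way. Returns True if the key was added."""
    ktype, kdata, _ = parse_public_key(key_line)
    ssh_dir = os.path.join(home_dir, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs honours the umask; set it explicitly
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read().splitlines()
    for entry in existing:
        fields = entry.split()
        # Compare type and key material only; the comment may legitimately differ.
        if len(fields) >= 2 and fields[0] == ktype and fields[1] == kdata:
            os.chmod(path, 0o600)
            return False
    with open(path, "a") as fh:
        fh.write(key_line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def permissions_ok(home_dir):
    """True if .ssh is 0700 and authorized_keys is 0600 (what sshd StrictModes wants)."""
    ssh_dir = os.path.join(home_dir, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    mode = lambda p: stat.S_IMODE(os.stat(p).st_mode)
    return mode(ssh_dir) == 0o700 and mode(path) == 0o600


# Constructed key for the demonstration (not a real CACHEBOX key).
DEMO_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheDemo cachebox-backup"


def demo():
    """Install the key twice into a scratch home directory and report the outcome."""
    home = tempfile.mkdtemp()
    first = install_backup_key(home, DEMO_KEY)
    second = install_backup_key(home, DEMO_KEY + "-renamed-comment")
    with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
        entries = [line for line in fh.read().splitlines() if line]
    return {"added_first": first, "added_second": second,
            "entries": len(entries), "perms_ok": permissions_ok(home)}


if __name__ == "__main__":
    print(demo())
```

On the real server, run it as the backup account (or as root with `home_dir` set to that account's home and `chown` the files afterwards), and confirm the account has no other purpose, as the text above recommends.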
Firmware
The appliance firmware contains the operating system and services. Upgrades to your
appliance will be made available to provide new features and fix bugs. When you start
up the appliance, you are presented with a menu. The default option boots you into
the latest firmware. If you have not upgraded the firmware, this will be the firmware that
was shipped with the appliance.
In the case of major upgrades ApplianSys may choose to distribute replacement
compact flash cards to its customers or provide an image that can be downloaded and
written using a USB compact flash reader connected to a workstation.
In addition to full system upgrades, ApplianSys releases 'Subsystem Updates', which
modify the software for handling Content Delivery Networks in order to maintain efficient
caching of these sites. ApplianSys releases updates via its website when CDNs change
their behaviour. These will automatically be picked up and applied by CACHEBOXes in
most network configurations. Upgrades may include new features and/or security fixes.
Firmware Version The current version of the firmware – so either the shipped version
or the version of an upgrade which has been installed by the user.
If CACHEBOX is downloading firmware via a URL (see ‘Firmware
Upgrade’ section below), then you will see a “Downloading”
message next to Firmware Version.
You can Enable or Disable the ‘Check automatically for updates’
option.
Update Version The version of the latest subsystem update installed automatically
by CACHEBOX. The CACHEBOX regularly checks the ApplianSys
website for new updates to various subsystems. If one is available,
it will be downloaded and installed automatically. You can also
manually check for updates by clicking CHECK UPDATES. If an
update has been installed, then you will see an additional
number after the main firmware version, e.g. 2.4.0 (1.61.26518a) +
26612.
If you have upgraded the firmware, then you will be able to select which firmware is
booted on system start or reboot via the ‘System Boot’ section.
System Boot This is useful if you have installed an upgrade, but for some reason
want to switch back to the previous version of the firmware. The
old firmware will be kept and can be booted by selecting the
second menu option. CACHEBOX only keeps two versions of the
firmware, the one currently running and the previous version.
Patches fix security vulnerabilities and correct software errors; patches do not upgrade
between firmware versions. They are applied immediately if possible, and will restart
services as necessary. Some patches will require a reboot before being applied, and
these patches will display the critical issues banner. Explanatory notes are provided with
each patch, and can be viewed by clicking PATCH NOTES.
From URL If you have been provided with a URL by your vendor, paste it into
the Download Firmware From URL field and click APPLY.
CACHEBOX will download the firmware in the background. Click
CANCEL to cancel this download.
From File Updated firmware images may also be supplied to you directly by
your appliance vendor. When you have the new firmware image
on your computer, select the From File option to upgrade your
appliance. Click the CHOOSE FILE link and select the firmware file.
Click APPLY to upload the new firmware to the appliance. The
firmware image will be between 50MB and 400MB. The progress
of uploading the file to the appliance will be shown on the page
or by your browser. The time taken to upload a new firmware
image will depend on the speed of your connection to the
appliance.
Once a new firmware image has been uploaded/downloaded, click INSTALL to install
the firmware to your appliance, or click CANCEL to remove the new firmware. Do not
turn off the power or reset this appliance whilst the firmware is being installed.
Once a new firmware image has been installed, click REBOOT to reboot your appliance
and start using the new firmware.
If the upgrade file you have has an extension of .tgz or .zip do not attempt to extract the
files from it first – CACHEBOX will handle this for you.
Shutdown
This option allows you to instruct your CACHEBOX to restart or be powered off either
immediately or at some point in the future.
Network Menu
The ‘Network’ menu contains options relating to the configuration of network settings.
From here you can:
Configure settings for individual network interfaces and bridges by clicking on the
relevant icons
Check the status of each network interface, including the interface link speed if a
link is established,
View information about assigned IP addresses and edit or add IP addresses on
the ‘Settings’ page
Configure additional static routes to enable access to hosts on networks which
would otherwise be inaccessible.
View reports of network statistics
Configure the firewall
Communicate alerts via ‘SMS’, ‘Email’ and ‘SNMP’
Overview
This is the default page on the ‘Network’ menu. It gives an overview of the current
configuration options, which you can edit from the ‘Settings’ sub-menu on the left.
a simple network cable. In "normal" mode the two network interfaces act
independently, allowing the CACHEBOX to intercept traffic passing over the bridge.
The ’IP Addresses’ section shows all IP addresses which are currently assigned. If an IP
address is bound to a physical interface whose link is currently down, then the interface
name will be shown in red. Place the mouse pointer over an interface for more details,
such as link speed. IP addresses can be edited or added on the ‘Settings’ page.
Settings
The ‘Settings’ page allows you to configure your appliance’s network interfaces, as well
as set common parameters.
Network Settings
This appliance will have one or more network interfaces. An icon is displayed for each
network interface present. The status of each network interface is indicated, including
the interface link speed if a link is established. Bridged network interfaces will be
grouped together under the name of the corresponding bridge. Hover the mouse
pointer over a network interface for more details, such as link speed.
Settings for individual network interfaces are configured by clicking on the relevant icon:
The Ethernet Bonding feature does not alter the actual capacity of CACHEBOX and
should not be used with the intent to increase throughput or performance of your
CACHEBOX.
Please consult ApplianSys Support before using this feature.
This CACHEBOX must have at least one IP address. However it can have as many IP
addresses as you need. An interface, such as eth0, can support multiple IP addresses;
however an IP address can only be bound to one interface. You cannot, for example,
have the IP address 1.2.3.4 bound to eth0 and eth1.
To add a new IP address click ADD. Existing IP addresses can be edited by clicking the
pencil icon in the actions column.
Once you have added an IP address you can assign services to it.
It is also possible to delete an existing IP address by clicking the trash icon appearing in
the corresponding row of the IP address.
You cannot delete an IP address if it is “In Use”. An IP address is considered “In Use” if it is
required by a static route or if it is being used explicitly by one of the network services on
the CACHEBOX. If you hover your mouse pointer over the word you will see a popup
window listing the services and routes that depend on the IP address. Remove those
dependencies before you remove the IP address.
The ’Common Settings’ section allows you to configure the network interfaces for the
appliance, plus some system-wide settings.
The following settings can be changed:
Hostname This is the name by which the appliance will be referred to on the
network. The hostname provided here should be a fully qualified
domain name. e.g. myappliance.example.com
not myappliance
Default Route If no other route can be found for an IP address, then the router
pointed to by the default route is used. The default route is often
known as the gateway. You must supply an IP address and not a
hostname for the default route.
DNS Server #1 The DNS server must be set so that the appliance can resolve
hostnames.
DNS Server #2 If the first DNS server cannot be contacted then the second DNS
server will be used. It is recommended to provide at least two DNS
servers so that hostnames can continue to be resolved if for any
reason one of the DNS servers cannot be contacted.
DNS Server #3 If the first and second DNS servers cannot be contacted then the
third DNS server will be used.
The ’Advanced Settings’ section allows you to restrict where the appliance interface and
SSH interface can be accessed from.
Admin Network(s) A list of networks can be provided, either in CIDR notation, for
example 192.168.1.0/24, or using a netmask form, for example
192.168.1.0/255.255.255.0.
If the admin networks are being set or modified, they must contain
the IP address of the machine being used to perform the change.
The default behaviour (empty field) is to allow access from any
network to any of the IP Addresses configured on eth0.
If no admin networks are defined, a warning banner will be displayed. If the appliance is
protected by another firewall, or the appliance is not reachable from external networks,
an admin network of 0.0.0.0/0 can be used to disable the warning.
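Both the Permitted Subnets field on the ‘Time’ page and the Admin Network(s) field above take a list of networks, and the text notes two things to check before saving: every entry must be valid (CIDR or netmask form), and for admin networks the list must contain the address you are connecting from or you lock yourself out. The block below is an added helper, not ApplianSys code, that validates such a list with Python's `ipaddress` module, rejects entries with host bits set, checks that the client address is covered, and flags `0.0.0.0/0` as meaning no restriction at all.

```python
# Added example (not ApplianSys code): validate a Permitted Subnets or Admin
# Network(s) list before saving it, in CIDR or netmask notation.
import ipaddress


def parse_network_list(text):
    """Parse comma- or whitespace-separated networks. Returns (networks, errors)."""
    networks, errors = [], []
    for token in text.replace(",", " ").split():
        try:
            # ip_network accepts "192.168.1.0/24" and "192.168.1.0/255.255.255.0";
            # strict=True rejects entries with host bits set, such as 192.168.1.5/24.
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            errors.append("%s: %s" % (token, exc))
    return networks, errors


def check_admin_networks(text, client_ip):
    """Apply the Admin Network(s) rules: the list must contain the address of the
    machine making the change, and an any-address entry is reported as no
    restriction. Returns (ok, messages)."""
    if not text.strip():
        return True, ["empty list: access allowed from any network (warning banner stays)"]
    networks, errors = parse_network_list(text)
    if errors:
        return False, errors
    client = ipaddress.ip_address(client_ip)
    if not any(client in net for net in networks):
        return False, ["%s is not inside any listed network; saving this would lock you out"
                       % client]
    warnings = ["%s allows administrative access from any address" % net
                for net in networks if net.prefixlen == 0]
    return True, warnings


if __name__ == "__main__":
    # Constructed inputs: one well-formed list, one with a host address in it
    print(check_admin_networks("192.168.1.0/24, 10.0.0.0/255.0.0.0", "10.1.1.1"))
    print(check_admin_networks("192.168.1.5/24", "192.168.1.5"))
    print(check_admin_networks("0.0.0.0/0", "203.0.113.7"))
```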
When you change the network settings you may see a message saying that the settings
were saved, but that the configuration has not yet been applied. This feature lets you
change interdependent settings (such as IP address and default route), yet delays the
application of such settings until the configuration is 'sane' (e.g. the default route can be
reached from the available IP addresses).
Aggregation
Two or more physical network interfaces can be aggregated together. There are several
aggregation options depending on your requirements.
By default, 'No Aggregation' is selected for Aggregation Mode. This means that all
NICs in the CACHEBOX will be independent.
If you have set up any kind of Ethernet Bonding, you must select the Bonding Mode.
Supported modes are:
Bonding
Bonding allows two or more interfaces to be aggregated onto a single virtual interface.
Bridge
Bridged network interfaces can allow very simple transparent / inline deployments with
minimal changes required to your existing network. Select Bridge from the dropdown
list for Aggregation Mode.
An Ethernet bridge behaves like a switch; it will maintain a list of the Ethernet hardware
addresses (MAC addresses) that are available on each network interface.
Ethernet traffic arriving at one bridge interface will only be sent out via another bridged
network interface which is known to be connected to the target hardware address.
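The forwarding rule just described (learn the source address on the port a frame arrives on, forward to the port the destination is known on, otherwise flood) is what makes an inline CACHEBOX invisible to the hosts on either side. The block below is an added simulation, not CACHEBOX code: a two-port learning bridge fed a constructed sequence of frames, showing a broadcast being flooded, a reply being learnt, a later frame being forwarded to a single port, and traffic between two hosts on the same segment being dropped rather than forwarded.

```python
# Added example (not ApplianSys code): a minimal learning bridge that applies the
# forwarding rule described for Bridge mode to constructed frames.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port; return the ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % in_port)
        self.table[src_mac] = in_port                     # learning step
        out_port = self.table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast or unknown destination: flood to every other port
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination is on the segment the frame came from: nothing to forward
            return []
        return [out_port]


def demo():
    """Replay constructed frames through an eth0/eth1 bridge and return the decisions."""
    bridge = LearningBridge(["eth0", "eth1"])
    client, router, neighbour = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    frames = [
        ("eth0", client, BROADCAST),     # client broadcasts (e.g. an ARP request)
        ("eth1", router, client),        # router replies; router learnt on eth1
        ("eth0", client, router),        # now forwarded to eth1 only, not flooded
        ("eth0", neighbour, client),     # same-segment traffic: not forwarded at all
    ]
    return [bridge.receive(*frame) for frame in frames]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```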
Bridge of Bonds
You can also combine bonding and bridging to create a 'Bridge of Bonds'. This is a
Bridge where each side is made out of several network interfaces aggregated into an
Ethernet Bond.
For any kind of Bridge you can enable or disable STP (Spanning Tree Protocol). This
protocol will prevent creating loops when using the CACHEBOX in complex
deployments, as long as the switches in the network support it.
Static Routes
The ‘Static Routes’ page allows you to configure additional static routes. These routes
allow you to change the route traffic will take depending on the source and/or
destination address, in either IPv4 or IPv6. If you need to use static routes on your
network, click ADD ROUTE to create a new route.
This will take you to the ‘Static Route’ page:
Take care when adding static routes. You may disrupt network access to or from the
appliance.
Services
The ‘Services’ page allows you to enable and set the port for SSH command line access
and to set the port for the web interface.
SSH
The SSH service provides secure network access to the CACHEBOX command line
interface. To use SSH you will need to have a suitable client installed. Most Linux
distributions and Mac OS X come with an SSH client pre-installed. A popular SSH client
for Microsoft Windows is PuTTY.
The following Network Service Configuration options are available:
SSH Port Change the TCP port that the SSH service listens on. (default: 22)
For detailed information on using SSH command line access, see Appendix A.
Web Interface
The CACHEBOX web interface is served using an SSL enabled web server (default: 443).
You can change the port on which the web server listens by changing the default value
(443) in the ’Web Interface Port’ field. If you do this, the web server will be restarted and
you will be automatically redirected to the new web interface URL.
HTTPS Only Controls HTTP access to the web interface on port 80. By default
(with this disabled), if you access the web interface on port 80 you
will be automatically redirected to the secure (SSL) web interface.
With 'HTTPS Only' set, the web interface does not listen on port 80.
HTTPS Port Change the TCP port that the SSL web server listens on (default:
443). You cannot disable HTTPS access.
Restricted Ports: modern web browsers do not allow you to access web sites on certain
network ports. See the following link for details:
https://developer.mozilla.org/en/Mozilla_Port_Blocking
Proxy Settings
CACHEBOX can use a proxy to reach the internet in order to get firmware updates.
Fill in the following fields to enter your proxy settings and then click SAVE.
Proxy Server: The IPv4 address of the proxy server, or empty for no proxy.
Proxy Port: The port on which the proxy is accepting connections.
Proxy User: The username of the account required for accessing the proxy, or empty if no
account is required.
Proxy Password: The password of the account required for accessing the proxy.
Reports
The ‘Reports’ page shows you networking statistics and allows you to change related
settings on your CACHEBOX. This page has two tabs: ‘Charts’ (the default page) and
‘Options’. The default page presents the following graphs:
The ‘Options’ tab allows you to change the networking statistics options on your
CACHEBOX.
Under ‘Ping Options’ you can enable/disable measuring the latency of your already
configured servers.
Monitor Network Latency: tick this box to enable the monitoring of network statistics of
your CACHEBOX.
The list of servers is:
Default Route
Primary DNS Server
Secondary DNS Server
Tertiary DNS Server
Time Servers
‘Custom Destinations’ lets you add more destinations to measure the latency between
the destination and CACHEBOX.
Tools
Network tools like Ping, Trace Route and DNS lookups can help you determine if the
network settings of your appliance have been configured correctly.
The ‘Tools’ page allows you to see the output of these commands from the interface
rather than the command line interface.
Firewall Settings
This page allows you to use this CACHEBOX as a gateway and specify additional firewall
rules.
This page can be ignored if you are not deploying in Gateway mode.
Forwarding: If you wish to use this CACHEBOX as a gateway then you should check the
Forwarding checkbox.
Enable Custom Rules: Custom firewall rules can be specified by ticking the Enable Custom
Rules box. These will be applied after any other rules produced by the CACHEBOX
configuration. You should not normally need to use this feature, but in certain
deployments it may be helpful to cope with specific network scenarios.
IPv4 and IPv6 iptables commands must be entered separately, to ensure the firewall
applies the correct rules on the CACHEBOX. When Enable Custom Rules is checked, the
following fields will appear:
Examples:
Fully open input chain (not recommended!):
*filter
:INPUT ACCEPT
COMMIT
The current firewall settings of the CACHEBOX are available by clicking the Current Firewall
Settings link. The same format is used as for custom rules.
Custom firewall rules are an advanced feature and incorrect settings could cause
problems using the CACHEBOX, as well as prevent administrative access. In this case
there is a command-line script which can be run to disable custom firewall rules:
disable_custom_firewall
Open Ports
If you wish to use this appliance as a router you will need to explicitly open ports for
which you wish to route traffic. To define a new open port click ADD.
Port From / Port To: You can open a range of ports, although Port From and Port To can
be the same if you wish to open just one port. For example, setting Port From to 10000
and Port To to 10000 will open only port 10000 for traffic.
Protocol: The expected traffic protocol. In addition to the range of ports to allow traffic
through you must also set the protocol to allow TCP, UDP or BOTH TCP and UDP.
Description: A useful description of what the port forwarding is. Make use of the field to
remind you which ports have been opened.
Enabled: This enables the forwarding rule. If you wish to temporarily close ports then
un-tick the checkbox.
NAT
CACHEBOX is capable of basic Source Network Address Translation (SNAT). This allows it
to be deployed as an internet gateway for a network of computers that use private IP
addresses.
IP packets routed via CACHEBOX will have their source IP address rewritten to one of the
CACHEBOX local IP addresses. CACHEBOX will track the outbound IP traffic whose
source address has been translated and automatically rewrite the inbound traffic with
the real IP address of the origin client.
Depending on the type of Layer 4 protocol, the source port may also be rewritten. If two
clients on different local IP addresses attempt to connect to the same TCP destination
IP:port and from the same source port, the CACHEBOX will automatically use an
alternative source port for the second connection. For this reason, this type of NAT is
sometimes known as Port Address Translation (PAT).
Certain Layer 7 protocols (such as active FTP) require the server to make a connection
to the client. CACHEBOX does not currently support SNAT for these "active" protocols.
Use a passive FTP client to work around this limitation.
NAT IP Address: Choose one of the local CACHEBOX IP addresses to which the source
traffic IP will be translated. Traffic will appear to originate from this NAT IP Address
rather than the original client IP address.
Source Networks: Enter a new-line separated list of source CIDR networks. IP traffic
which originates from these Source Networks and which is routed via the CACHEBOX will
have its source IP address translated to the NAT IP address that you chose above.
SMS
This appliance can send alerts via SMS to a mobile phone.
Email
CACHEBOX can send alerts and copies of reports via email. SMTP (Simple Mail Transfer
Protocol) is the standard protocol used for sending mail. It may also be used to send
scheduled reports, if supported by your appliance.
Most SMTP servers only require an address and port (the default is 25), but authentication
may also be required by some servers.
Address: The address of the SMTP server the appliance should use to send emails.
Port: The port that the SMTP server is running on.
Sender Email: The email address that your messages will appear to come from.
Username and Password: The username and password used on the service. If Use
Authentication is set to No then the Username and Password will not be used.
Use authentication: If your SMTP server requires user authentication to send an email,
then this should be set to Yes.
Use TLS encryption: Whether communication with the server will be encrypted or in
plain text.
Send a test email to: If you wish to test the SMTP server settings provided, enter an
email address to which you have access. When the form is submitted, the appliance will
attempt to send you a test email. Check that the test email has been received.
Once you have set up SMTP, you can enter an email address into the test field to check
that CACHEBOX can successfully send email. If you are using a hosted email service
such as Google Gmail, then it is recommended that you use the Initial Configuration
Assistant to configure SMTP (‘System’ > ‘Overview’).
SNMP
The Simple Network Management Protocol is used for managing devices on IP networks
and in network management systems to monitor network-attached devices for
conditions that warrant administrative attention.
This page allows you to configure the SNMP (Simple Network Management Protocol)
settings for the appliance.
SNMP Community defines the community that this appliance is a member of. By default
SNMP is enabled with the community name “public”.
For reference, a list of MIBs defined by this appliance can be downloaded in the
’Appliance MIBs’ section.
Cache Menu
All options and log analysis pertaining to the caching software can be found in the
‘Cache’ menu.
From here you can view:
Executive summary of current performance
Deployment configuration options
Detailed analysis of current configuration
Parent cache and sibling options
Range request caching options
Logging options
Users via Active Directory
Squid configuration tuning (advanced users only)
Overview
The Overview page gives you a summary of the main settings relating to web caching.
Proxy: The IP address and port which can be entered into a browser’s proxy
configuration.
Server: Whether the web cache proxy is running, or starting. If the server is shown as
‘Starting’, then any client requests will be ignored.
Deployment Mode: The current deployment mode.
Caching Storage Configured: The amount of total storage available for caching, and
whether the default storage scheme or a custom storage scheme is being used.
Access Logging: If on then all client requests are logged to a text file. Daily and monthly
summary reports are updated every five minutes from the access log.
The information displayed in the ‘Statistics’ section, with the exception of Number of
Cached Objects, only applies since the appliance was last booted.
The following information is available here:
Number Of Cached Objects: The number of objects (HTML files, CSS files, videos, software
update files, etc) which are currently in the cache (memory or disk).
Byte Hit Ratio (60 mins): The average byte hit ratio over the last 60 minutes. A high ratio
shows that the cache is being used efficiently.
Internet In/Out: The total amount of traffic received by the CACHEBOX from the internet
and the total amount of traffic sent out of the CACHEBOX to the internet.
LAN Clients Out/In: The total amount of traffic sent by the CACHEBOX to all clients and
received from all clients.
The ’Recent Requests’ section gives you a list of recent requests that have been served
by the CACHEBOX.
The most recent requests made by a client through the CACHEBOX are displayed at the
top. For each request the display shows the Time when the request was made, the
client's IP address, the requested URL, the Size of the response, the caching status and
the HTTP Status.
The requests can be filtered to restrict the information displayed by clicking the Toggle
filters link. For example, you can filter the requests to only see the URLs which contain
bbc.co.uk. Multiple filters can be used at the same time to further restrict the
information displayed.
To change filters, click the 'Filters...' link and edit the values in the popup dialog. Filters
are applied to new requests and may take a moment to be applied to new data. Note
that these filters are applied on the CACHEBOX itself so apply to all users of the web
interface, but do not affect the logging of information to the other access logging
facilities.
Deployment Mode
This page allows you to specify the deployment mode to use on your CACHEBOX. Once
you've selected a mode, some settings on the 'Advanced' page that are not applicable
to your chosen deployment mode will be hidden.
The following deployment options are available from the dropdown list in front of Select
Mode:
Explicit Proxy: Clients will connect explicitly to CACHEBOX
Bridge Interception: CACHEBOX is deployed in-line as a bridge
Gateway Interception (e.g. PBR): CACHEBOX acts as a gateway router for clients.
Clients' traffic is transparently intercepted.
WCCP: CACHEBOX is configured to communicate with a Cisco device using
WCCP.
Advanced: All deployment settings are available.
You should refer to Section 1 – “Planning Deployment” and Section 2 – ”Getting Started”
of this user guide to make an informed decision about how to deploy CACHEBOX in your
network and what configuration your chosen deployment mode requires.
Select your chosen mode of deployment from the dropdown list and click SAVE.
Deployment
The 'Deployment Mode' page allows you to configure the options of your selected
deployment mode.
For each mode you can configure Source Address Spoofing.
Normally the HTTP proxy on CACHEBOX will connect to a web server using the local IP
address as the source address. This can cause problems because some websites restrict
the number of connections that originate from a single IP address. For example, YouTube
will limit the number of videos streamed to a single IP address and RapidShare will only
allow a single download from each client IP address.
Source Address Spoofing allows CACHEBOX to connect to a web server using the
original source IP address of the client. It requires careful configuration of your network
routes. In particular, responses from web servers to the HTTP proxy on CACHEBOX must
be routed via the CACHEBOX IP address, so that the traffic can be properly intercepted
and the response sent back to the client. This section allows you to enable and disable
the feature.
In Explicit Mode, you can also upload a Proxy Config file to automate the configuration
of client proxy connection. This file will be served to any client requesting /wpad.dat
from the CACHEBOX. Configuration of DNS or DHCP devices will be required for a
complete auto-configuration set-up.
In Explicit mode, Source Address Spoofing requires careful configuration of your network
routes. In particular, the responses from webservers to the HTTP proxy on CACHEBOX
must be routed via the CACHEBOX IP address, so that the traffic can be properly
received and the response sent back to the client. This will probably require connection
tracking on routers as traffic from the same client address may come directly from the
client or from the CACHEBOX.
Bridge Mode
When a CACHEBOX has been configured in Bridge mode, two or more of its network
interfaces are used to create a special ‘bridge’ device. The CACHEBOX is then
connected in-line into the network and all network traffic passes over the bridge.
If under ‘Bridge Mode’, Bridge mode HTTP Interception is set to Enabled, all ‘port 80’
traffic passing over the bridge is intercepted and handled by the CACHEBOX’s
proxy/cache mechanism. ‘Port 80’ is the standard HTTP port used by web servers.
'Intercept Requests From' can be set to Anywhere or Permitted Subnets Only.
Choosing Permitted Subnets Only will make the CACHEBOX only intercept traffic
originating in the permitted subnets configured on the ‘Cache’ > ‘Basic Settings’ page.
When VLAN (Virtual LAN) tagged traffic passes over the bridge then it will only be
intercepted if you have configured an IP address for each different VLAN ID on the
bridge device.
By default the CACHEBOX will intercept all "port 80" traffic, as it is the standard HTTP port
used by web servers. You can use the 'Custom HTTP Ports to Intercept' field to specify
extra ports to intercept. Enter port numbers separated by spaces, e.g. 10080 8080 12345.
If you have not already enabled bridge mode HTTP interception, this page will direct you
to the ‘Network’ > ‘Settings’ page where you can do so.
Source Address Spoofing: Enable or disable Source Address Spoofing. You need to enable
this if you want to maintain outbound (client > web server) transparency. The responses
from webservers to the HTTP proxy on CACHEBOX must be routed via the CACHEBOX IP
address, so that the traffic can be properly intercepted and the response sent back to
the client.
Custom HTTP Ports to Intercept: By default the CACHEBOX will intercept all "port 80"*
traffic. You can use this field to specify extra ports to intercept. Enter port numbers
separated by spaces, e.g. "10080 8080 12345".
* "port 80" is the standard HTTP port used by web servers.
WCCP Mode
WCCP (Web Cache Co-ordination Protocol) is a feature of some Cisco routers and
switches which allows you to re-route HTTP traffic to a caching device.
You will find a full description of WCCP deployment; including example Cisco IOS
configuration settings in Section 1 – “Planning Deployment” and Section 2 – “Getting
Started” of this user guide.
Source Address Spoofing: Enable or disable Source Address Spoofing. You need to enable
this if you want to maintain outbound (client > web server) transparency. The responses
from webservers to the HTTP proxy on CACHEBOX must be routed via the CACHEBOX IP
address, so that the traffic can be properly intercepted and the response sent back to
the client.
Custom HTTP Ports to Intercept: By default the CACHEBOX will intercept all "port 80"*
traffic. You can use this field to specify extra ports to intercept. Enter port numbers
separated by spaces, e.g. "10080 8080 12345".
* "port 80" is the standard HTTP port used by web servers.
WCCP Mode: Switch WCCP on or off. When WCCP is disabled, the CACHEBOX will not
attempt to connect to a WCCP router and it will not respond to WCCP redirected traffic
sent from the router. This option allows you to quickly disable WCCP whilst retaining
your WCCP configuration options.
Router/Switch IPs: Enter one or more IP addresses or hostnames of your WCCP
routers/switches.
Forwarding Method: GRE Tunnel: Cisco routers generally forward HTTP traffic via a GRE
tunnel. If you choose this forwarding method, you must also configure the GRE Remote
Endpoint IP (below). Layer 2 Redirect: Cisco switches generally forward HTTP traffic by
layer 2 redirection. This works by rewriting the destination MAC address of HTTP traffic
to that of the CACHEBOX. When using the Layer 2 Redirect method, the CACHEBOX must
be directly connected (or deployed on the same network segment as the Cisco device).
Note that some high-end Cisco routers and switches are capable of both GRE and Layer 2
forwarding.
GRE Remote Endpoint IP: Only required if you are using GRE redirection. Enter the
master IP address of your Cisco device. The master IP is likely to be either the WAN IP or
the loopback IP of the device.
Assignment Method: When multiple CACHEBOXes are participating in a WCCP v2 service
group, the Cisco router/switch will attempt to balance the redirected traffic between
them. There are two alternative methods that can be used to calculate to which
CACHEBOX traffic should be redirected: Hash Assignment and Mask Assignment. You
can find further information on these two assignment methods at the following URL:
http://www.wrec.org/Drafts/draft-wilson-wrec-wccp-v2-00.txt
Rebuild Wait: This option allows you to control whether WCCP negotiation takes place
after the Squid proxy server has fully rebuilt/checked its cache storage. You should
normally leave this option enabled unless you are testing new WCCP options and want to
quickly see the result of your configuration changes.
Weight: When multiple CACHEBOXes are connected to the same WCCP cluster, the router
will use the value in the Weight field to calculate what proportion of traffic will be
redirected to each CACHEBOX.
Standard Web Cache Password: In the absence of any dynamic service groups the
CACHEBOX will attempt to configure your router with the standard web cache service.
This service supports an optional shared password with which the router can
authenticate participating cache devices. If you configured a password on your router,
enter it here.
The ‘WCCP Dynamic Service Groups’ section provides advanced redirection options.
For example, you might want to redirect HTTP traffic on a non-standard port.
If you want to use the Source Address Spoofing feature with WCCP, you will need to set
up a pair of dynamic service groups.
The Squid cache.log contains useful information about the state of the WCCP service
group. If the WCCP negotiation has been successful, you will see Incoming
WCCP2_I_SEE_YOU in the cache.log. Navigate to ‘System’ > ‘Logging’ > ‘Read Logs’ >
cache.log.
Service
The ‘Service’ settings page lets you specify the IP addresses on which web requests
should be served.
The proxy port setting allows you to control the IP addresses and ports on which the web
caching proxy listens for explicit connections.
Bridge mode and Gateway mode do not need an explicit listening address.
To add a new address, click ADD ADDRESS. The default port on CACHEBOX is 800. A
common value for this is 8080.
The ‘Permitted Subnets’ section allows you to control which source networks can access
the web caching service on the CACHEBOX.
If you do not add any permitted subnets then you leave this appliance open to
unauthorised users who may abuse this system.
For example, through an open server, unauthorised users may browse anonymously, and
therefore circumvent existing internet browsing restrictions, as well as cause excessive
bandwidth usage.
To configure a new subnet click ADD NETWORK and add an IP address and a Label
(name) for each subnet.
If you already have a list of permitted subnets, click on the Advanced tab to switch to a
text view. You can then paste the permitted subnets you wish to define. For example:
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3
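As an added example (not code from the CACHEBOX appliance or this guide), the script below parses a permitted-subnets list in the Advanced tab's "CIDR Label" text format and reports which client addresses would be served; the list itself is constructed sample input. It also models the situation the paragraph above warns about: with no permitted subnets at all, every client is accepted, which is the assumption labelled in the code.

```python
import ipaddress

# Constructed sample in the Advanced tab's text format: "<CIDR> <label>".
PERMITTED_SUBNETS_TEXT = """\
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3
"""


def parse_permitted_subnets(text):
    """Parse 'CIDR label' lines into a list of (network, label) tuples.

    Blank lines are skipped. A line whose first token is not a valid IPv4/IPv6
    network raises ValueError, so a typo is caught before the list is pasted
    into the appliance instead of silently widening or narrowing access.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        cidr, _, label = line.partition(" ")
        try:
            # strict=False tolerates host bits set (e.g. 10.1.2.3/24), as most UIs do.
            network = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {cidr!r} is not a valid network") from exc
        entries.append((network, label.strip()))
    return entries


def matching_label(client_ip, entries):
    """Return the label of the first permitted subnet containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for network, label in entries:
        if addr in network:
            return label
    return None


def is_client_permitted(client_ip, entries):
    """True if the client would be served by the caching service.

    Assumption (as labelled in the lead-in): an empty permitted-subnets list
    leaves the service unrestricted, i.e. the open-proxy condition the guide
    warns about, so every client is accepted in that case.
    """
    if not entries:
        return True
    return matching_label(client_ip, entries) is not None


if __name__ == "__main__":
    subnets = parse_permitted_subnets(PERMITTED_SUBNETS_TEXT)
    for ip in ("192.168.1.77", "10.129.4.2", "203.0.113.9"):
        print(ip, "permitted" if is_client_permitted(ip, subnets) else "refused",
              matching_label(ip, subnets))
    print("203.0.113.9 with an empty list:", is_client_permitted("203.0.113.9", []))
```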
Cache Settings
If you have a high proportion of ‘range request’ traffic or traffic served over HTTP/S 206,
CACHEBOX’s range request caching feature improves caching performance.
From version 4.12 of the firmware, this feature is enabled by default for specific domains.
For a list of these, please contact support@appliansys.com.
When enabled, if a user requests only a subset of a large document – such as a video
file or software update image - that subset will be available from cache to other clients
requesting the same range or overlapping ranges of data.
Navigate to Reports > Periodic and scroll down to the Top HTTP Status Codes report. The
graph below is an example of a network with a high proportion of HTTP/S 206 traffic; we
recommend leaving range request caching enabled in such instances.
If you wish to change the settings of the range request cache feature, navigate to the
‘Cache Settings’ page
Enable Range Request Cache Engine: By default, this is set to Yes. To disable range
request caching, select No.
Range Request Cache Mode: Two modes are available for partial caching. ‘Pre-configured
domains only’ uses the Range Request engine only for requests to specific domains which
have been identified as suitable by ApplianSys. Alternatively you may choose to use it
for All Domains requested.
You can add domains to bypass the range request cache engine regardless of the
range request mode. This might be used if some web sites are not available when using
this engine.
All subdomains of any entries here will also bypass the range request cache engine. For
example, bypassing microsoft.com will also bypass download.microsoft.com and so forth.
When range request caching is enabled, you will also be able to see custom reporting
for range requests served from cache.
Logging
By default CACHEBOX logs all the HTTP traffic it proxies. It records the IP address of the
client that requested the data, the time, the full URL and whether or not the request was
served from cache. This information is stored in a text file. Every five minutes the
information is compressed to enable the CACHEBOX to log many millions of requests.
The ‘Logging’ page allows you to edit the logging options.
The Access Log option enables or disables logging of user requests through the
CACHEBOX.
The following features of your CACHEBOX will only work with access logging enabled:
Report graphs (excluding Reports > Statistics)
Scheduled Reports
Remote Log Uploads
Recent Request display
CACHEBOXCMC generated aggregate reports
Access logging is enabled by default.
Access logging uses CACHEBOX resources. In the event of resource overload, switch it
off as a temporary solution whilst resolving the cause.
The ’Remote Log Upload’ section allows you to schedule an upload of access logging
data to an FTP server, a Windows Share or an SSH-enabled server via SCP. Only the
data since the last upload will be sent. This will happen at midnight every night.
The time taken to generate and upload the access logging data is dependent on how
busy the cache was. For example, if for 8 hours during the day an average of 50
requests per second were being made then the data would take 10 minutes to prepare,
and a file of 32MB would be uploaded to the specified server. A maximum of 30 minutes
is allowed for the data generation and upload.
This feature is not suitable for a cache which is in continuous use 24 hours a day.
The uploaded file is a gzipped text file. If you are using Microsoft Windows, see the
Microsoft file association page at http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=GZ for
details on utilities suitable for uncompressing the file. These raw log files can be imported
into Microsoft Excel or other log parsing programs. Mac OS X and Linux based operating
systems can handle these files without the need for additional software. CACHEBOX will
automatically remove old log information from its database to free up space for storage
of new requests.
If using SSH/SCP to upload the log files, the public SSH key of the CACHEBOX will need to
be installed onto the upload server. To do this, either edit the .ssh/authorized_keys
file for the username on the server being used by the upload and add the CACHEBOX
SSH key to the end of the file, or append a file containing the key using cat
CACHEBOX_public_key >> .ssh/authorized_keys.
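The following Python script is an added example (not part of the CACHEBOX software or this guide) that reads access log lines like those uploaded by Remote Log Upload and computes the byte hit ratio described on the Overview page together with the share of HTTP 206 responses mentioned under Cache Settings. It assumes the log is in Squid's native access.log format, which is an assumption rather than something this guide states; the sample lines are constructed.

```python
import re

# Constructed sample lines in Squid's native access.log format (assumption:
# CACHEBOX's Squid 2.7 writes this format). Fields are: timestamp elapsed_ms
# client cachecode/status bytes method URL ident hierarchy/peer content-type.
SAMPLE_ACCESS_LOG = """\
1505433600.123    45 192.168.1.77 TCP_HIT/200 524288 GET http://example.com/video.mp4 - NONE/- video/mp4
1505433601.456   980 192.168.1.78 TCP_MISS/200 1048576 GET http://example.com/update.exe - DIRECT/203.0.113.5 application/octet-stream
1505433602.789    12 10.129.4.2 TCP_MEM_HIT/206 262144 GET http://example.com/video.mp4 - NONE/- video/mp4
1505433603.000   700 10.129.4.3 TCP_MISS/206 262144 GET http://example.com/video.mp4 - DIRECT/203.0.113.5 video/mp4
1505433604.000     5 10.129.4.3 TCP_DENIED/403 1234 GET http://blocked.example/ - NONE/- text/html
this line is not in the expected format and is counted as malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]),
        "client": d["client"],
        "code": d["code"],
        "status": int(d["status"]),
        "bytes": int(d["bytes"]),
        "url": d["url"],
        # Squid hit codes (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...) all contain "HIT".
        "cache_hit": "HIT" in d["code"],
    }


def summarise(lines, since_ts=None):
    """Aggregate parsed lines into the figures the Overview page reports.

    since_ts restricts the window (e.g. now - 3600 for a 60-minute ratio).
    The byte hit ratio is bytes served on cache hits divided by all bytes sent
    to clients; the 206 share is the fraction of responses that were partial.
    """
    requests = malformed = hit_bytes = total_bytes = partial = 0
    status_counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if since_ts is not None and rec["ts"] < since_ts:
            continue
        requests += 1
        total_bytes += rec["bytes"]
        if rec["cache_hit"]:
            hit_bytes += rec["bytes"]
        if rec["status"] == 206:
            partial += 1
        status_counts[rec["status"]] = status_counts.get(rec["status"], 0) + 1
    return {
        "requests": requests,
        "malformed": malformed,
        "total_bytes": total_bytes,
        "hit_bytes": hit_bytes,
        "byte_hit_ratio": (hit_bytes / total_bytes) if total_bytes else 0.0,
        "partial_share": (partial / requests) if requests else 0.0,
        "status_counts": status_counts,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_ACCESS_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```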
Cache Peers
The ‘Parent Cache’ settings allow you to set the CACHEBOX to make use of a parent
cache or proxy. A common use is to set the CACHEBOX to use a firewall proxy as its
parent. If a Parent Cache is defined, then any cache misses will be forwarded on to it.
To enable the ‘Parent Cache’ feature, select Enabled. The following settings are
required:
One or more other CACHEBOXes may be included as cache peers ('siblings') of this
CACHEBOX. If a request is made to this CACHEBOX and a sibling cache contains the
requested object, then it will be retrieved from there, rather than downloading it from
the origin server.
Normally all sibling caches within a group should include each other in the ‘Sibling
Caches’ list.
Click ADD SIBLING CACHE and enter the following settings:
If you want to use this CACHEBOX as a parent cache for another CACHEBOX or other
web cache, then you must configure the IP addresses of the children.
Click ADD CHILD to add the IP address of a child cache. This will allow that cache to
make ICP requests to the caching engine running on this CACHEBOX.
Custom Configuration
You should have a good understanding of CACHEBOX configuration before using this
feature.
‘Custom Configuration’ is for advanced use only and it should be ignored by most users.
If you have a specific need or require assistance using this feature, please contact
support@appliansys.com.
Whilst the CACHEBOX has options in its web interface for commonly used features of
Squid, it is also possible to specify custom Squid commands to be loaded into Squid’s
configuration file.
Most deployments do not require this feature, but it is provided for flexibility – particularly
for administrators who are familiar with Squid and require finer control over it than the
standard interface allows.
Squid uses an ACL (Access Control List) language to control use of the proxy and
supports many features, such as timed access, restricting access from different subnets,
forcing various sites to never be cached.
Syntax
The ACL syntax can be learnt with relative ease. Due to the wealth of information freely
available online this guide will only discuss commonly used ACLs. The most useful online
guide can be found at:
http://www.wiki.squid-cache.org/SquidFaq/SquidAcl
Several books have been published that also cover ACLs, including O’Reilly’s: “Squid:
The Definitive Guide”; much of which can be viewed for free on http://www.books.google.com
The ACL syntax and options available vary slightly between versions of Squid.
CACHEBOX currently uses version 2.7.
Specifying custom ACLs cannot ‘break’ CACHEBOX, but it is possible to modify its
behaviour in such a way that legitimate traffic is not accepted.
CACHEBOX will check any changes made for correct syntax and disallow them (with an
error message) if accepting would cause Squid not to start.
ApplianSys recommends that any changes are actioned during a pre-defined
maintenance period to ensure you are able to test the behaviour of CACHEBOX without
affecting users.
Examples
Prevent access to the cache outside work hours (Monday to Friday from 9:00 to
18:00):
Prevent access from the cache on Tuesday, Wednesday and Thursday between
13:00-14:00:
via off
forwarded_for off
Some sites such as MSN may behave incorrectly if these options are turned off.
To ensure compatibility further lines need to be added:
# IP not to be blocked
acl myip src 192.168.1.25/32
#
# Block different types of video/audio content (including Youtube)
#
acl x-type_req req_mime_type -i ^video/flv$
acl x-type_req req_mime_type -i ^video/x-flv$
acl x-type_req req_mime_type -i ^application/x-shockwave-flash$
acl x-type_req req_mime_type -i ^application/x-amf$
acl x-type_req req_mime_type -i ^audio/x-pn-realaudio$
acl x-type_req req_mime_type -i ^application/octet-stream$
acl x-type_req req_mime_type -i application/octet-stream
acl x-type_req req_mime_type -i ^application/x-mplayer2$
acl x-type_req req_mime_type -i application/x-mplayer2
acl x-type_req req_mime_type -i ^application/x-oleobject$
acl x-type_req req_mime_type -i application/x-oleobject
acl x-type_req req_mime_type -i application/x-pncmd
acl x-type_req req_mime_type -i ^video/x-ms-asf$
#
#
acl x-type_rep rep_mime_type -i ^video/flv$
acl x-type_rep rep_mime_type -i ^video/x-flv$
acl x-type_rep rep_mime_type -i ^application/x-shockwave-flash$
acl x-type_rep rep_mime_type -i ^application/x-amf$
acl x-type_rep rep_mime_type -i ^audio/x-pn-realaudio$
acl x-type_rep rep_mime_type -i ^application/octet-stream$
acl x-type_rep rep_mime_type -i application/octet-stream
acl x-type_rep rep_mime_type -i ^application/x-mplayer2$
acl x-type_rep rep_mime_type -i application/x-mplayer2
acl x-type_rep rep_mime_type -i ^application/x-oleobject$
acl x-type_rep rep_mime_type -i application/x-oleobject
acl x-type_rep rep_mime_type -i application/x-pncmd
acl x-type_rep rep_mime_type -i ^video/x-ms-asf$
#
#
http_access deny x-type_req all !myip
http_reply_access deny x-type_req all !myip
http_access deny x-type_rep all !myip
http_reply_access deny x-type_rep all !myip
#
# Blocking Audio, Video and other file types content based on file extension
#
acl bad_files url_regex -i \.flv$ \.swf$ \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$
http_access deny bad_files !myip
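Because the guide recommends testing ACL changes in a maintenance window, the following added example (written for this page, not code from the CACHEBOX product or Squid) is a small offline evaluator for the two timed-access policies described above: it parses Squid `acl NAME time ...` and `http_access` lines and reports whether a request at a given date and time would be allowed. The two policy texts are constructed, and the Squid `time` ACL semantics modelled (day letters S M T W H F A and D for weekdays, an inclusive time range, first matching `http_access` line wins, and the opposite of the last line as the default) are assumptions about Squid 2.7 behaviour rather than statements from this guide.

```python
import re
from datetime import datetime

# Squid 'time' ACL day letters mapped to tm_wday values (Sunday = 0), which is
# what Squid tests against. D stands for all weekdays. (Assumed Squid 2.7 semantics.)
DAY_LETTERS = {"S": {0}, "M": {1}, "T": {2}, "W": {3}, "H": {4}, "F": {5},
               "A": {6}, "D": {1, 2, 3, 4, 5}}
TIME_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")

# Constructed policies matching the two examples named in the guide.
WORK_HOURS_POLICY = """\
# Deny use of the cache outside Monday to Friday 09:00-18:00
acl workhours time MTWHF 09:00-18:00
http_access deny !workhours
http_access allow all
"""
LUNCH_POLICY = """\
# Deny use of the cache on Tuesday, Wednesday and Thursday 13:00-14:00
acl lunch time TWH 13:00-14:00
http_access deny lunch
http_access allow all
"""


def parse_time_acl(args):
    """Parse the arguments of 'acl NAME time [DAYS] [H1:M1-H2:M2]'.

    Returns (tm_wday set, start minute, stop minute). As in Squid, omitted days
    mean every day and an omitted range means the whole day; the range is
    treated as inclusive at both ends (assumption).
    """
    days, start, stop = set(range(7)), 0, 24 * 60 - 1
    for token in args:
        m = TIME_RANGE.match(token)
        if m:
            h1, m1, h2, m2 = map(int, m.groups())
            start, stop = h1 * 60 + m1, h2 * 60 + m2
            if start > stop:
                raise ValueError(f"time range {token!r} ends before it starts")
        elif token and all(ch in DAY_LETTERS for ch in token):
            days = set().union(*(DAY_LETTERS[ch] for ch in token))
        else:
            raise ValueError(f"unrecognised time ACL token {token!r}")
    return days, start, stop


def parse_config(text):
    """Collect time ACLs and http_access rules; anything else is rejected so the
    evaluator never silently mis-models a policy it does not understand."""
    acls, rules = {"all": None}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "time":
            acls[parts[1]] = parse_time_acl(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
        else:
            raise ValueError(f"unsupported line: {line}")
    return acls, rules


def acl_matches(acl, when):
    if acl is None:                      # the built-in 'all' ACL
        return True
    days, start, stop = acl
    wday = (when.weekday() + 1) % 7      # Python Monday=0 -> tm_wday Sunday=0
    minute = when.hour * 60 + when.minute
    return wday in days and start <= minute <= stop


def term_matches(acls, term, when):
    negate = term.startswith("!")
    name = term[1:] if negate else term
    if name not in acls:
        raise KeyError(f"http_access refers to undefined ACL {name!r}")
    return acl_matches(acls[name], when) != negate


def decide(config, when):
    """Return 'allow' or 'deny' for a request at 'when' (datetime or ISO string).

    First http_access line whose terms all match decides; with no match the
    result is the opposite of the last line's action, or deny if there are
    no lines at all (assumed Squid behaviour).
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    acls, rules = config
    for action, terms in rules:
        if all(term_matches(acls, t, when) for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for name, policy in (("work hours", WORK_HOURS_POLICY), ("lunch", LUNCH_POLICY)):
        cfg = parse_config(policy)
        for when in ("2017-09-13T10:30", "2017-09-13T13:30", "2017-09-13T19:00",
                     "2017-09-16T12:00"):
            print(name, when, decide(cfg, when))
```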
Error Pages
On occasion, the CACHEBOX may need to display an error page to a client. For
example, if the client goes to a website which is in a filter group and therefore does not
have access to it. Here you can choose the error page language and content that will
be served by this CACHEBOX.
When a suitable translation is not available, you can select a Default Error Page
Language using the dropdown menu and choose the language that will be used for
error pages.
You are able to use your own template to serve the error pages for CACHEBOX. The
template you provide will be verified for valid HTML and could be altered to be valid.
Some providers may wish to customise these pages by modifying the text and adding a
company logo.
To create a custom error page:
Set Error Page Template to Custom
Modify the HTML page content
Click the Preview icon to check the error page
Click SAVE to save the error page
By default the CACHEBOX will show English error pages. A number of other languages
are provided with the CACHEBOX, including French and Spanish. To change the
language of the error pages:
Set Template to Default
Choose the desired language from the Content Language drop-down
Click SAVE to commit the changed language
If the language you need is not included, then you can create a custom error page.
Other
CACHEBOX stores cached objects differently depending on their size. Cached objects
are split into two categories:
Small objects
Large objects
Small objects are stored in a different way to large objects to optimise caching
performance.
CACHEBOX comes with a default storage recipe for each CACHEBOX model. A storage
recipe defines how much storage is available for different types of cached objects.
Choose Default to let the CACHEBOX decide on the best storage scheme.
It is strongly recommended that you leave the Cache Object Profile set to Default. This
setting allows CACHEBOX to choose the best storage settings for your hardware.
If you need to use a Custom Cache Object Profile (for example because your support
vendor has suggested it), then the following fields are available:
Max Object Size: The maximum size of objects that will be cached by CACHEBOX (in KB).
For example, if the Max Object Size is set to 10MB, then an object of 15MB will not be
cached. If you wish to cache larger files such as Windows Updates or long YouTube
videos, this will need to be increased. By default this is set to 1GB.
Large Object Threshold: CACHEBOX stores cached objects differently depending on their
size. It is recommended that you only store a relatively small number of small objects
(i.e. objects whose size is less than the Large Object Threshold). Objects which are
smaller than this are stored in the Small Object Allocation. Objects larger than this are
stored in the Large Object Allocation. Depending on your hardware configuration you may
find that the Large Object Allocation is much bigger than the Small Object Allocation.
Medium Object Threshold: If your CACHEBOX model uses separate storage for small and
medium objects, then the Medium Object Threshold is used to determine which store is
used for a given object. Objects smaller than the Medium Object Threshold will be stored
in the small object store. Objects larger than the Medium Object Threshold (and smaller
than the Large Object Threshold) will use the medium object store. NOTE: setting this
value low will increase Squid's RAM usage. This is automatically limited and the actual
threshold applied may be higher than the value configured here.
Minimum Object Size: The minimum size of objects that will be stored on disk by
CACHEBOX. If for example the Minimum Object Size is set to 100B then an object of, for
example, 70B will not be cached on disk (but could still be returned from memory).
Accepted units are KB, MB, GB and TB. All values are rounded to the nearest default unit
before saving, e.g. 1.1 MB would be rounded to 1 MB.
If you change from the Default to a Custom storage scheme, or change the amount
of storage allocated to cache objects, then the web cache server will need to be
restarted. After the restart, the web cache server may need to build new cache
storage. This process can take some time, during which the web cache may not be able
to process client requests.
Offline Mode – When you enable Offline Mode, CACHEBOX will not attempt to check the freshness of the objects which are requested by clients. This is useful if your internet connection is broken and you want your clients to be able to browse those files which have been cached. Note: the effectiveness of Offline Mode depends very much on the cacheability of the requested content, i.e. interactive websites, such as Facebook or Google, may not display properly in Offline Mode.
X-Forwarded-For/Via Headers – When this option is enabled, the IP address of the client will be included in the HTTP request forwarded to the origin web server. If disabled, the client's real IP address will be hidden.
Aggressive Update Caching – If enabled and a client aborts the download of a file, the web cache will continue to download and cache it. This can be useful for caching of software updates which make use of byte range requests. For example, if a client makes a range request for only part of a file then the file will only be cached if the whole of the file is downloaded. If this option is turned off such a file would never be cached.
Disk Caching – When this option is Disabled, CACHEBOX will stop storing any objects into its disk stores, serving these requests from the origin.
Behaviour on Disk Failure – This option sets the running mode of CACHEBOX if any of the cache store hard disks have failed. The default is to Degrade, which means that failed hard disks will be removed from the available cache disks, but the server will continue using the remaining disks. The Proxy Only option will remove all the hard disks from the available cache disks, bypassing disk caching for all requests.
Multiprocessing Optimisations – Enable multiprocessing options that enhance the maximum throughput of your CACHEBOX. This option is incompatible with other settings such as cache peers. It is only available on some CACHEBOX models.
Peak Times – Set 'Peak Time' to define the busiest hours for your network traffic. This configuration is used when you:
Create an additional custom report to see how CACHEBOX performs during peak time traffic (‘Reports’ > ‘Settings’)
Define certain domains to block during peak times (‘Content’ > ‘Filtering’)
Times should be specified in 24-hour format, and are applied to the local time zone configured for your appliance.
The Aggressive Update Caching option can negatively affect your cache hit ratio, as
more content may be downloaded than is delivered to clients. This option is off by
default.
Specific objects stored in the cache can be removed if their full URL is known.
To remove an object, enter its URL in the URLs to delete field and click DELETE OBJECTS.
For example, to remove the image 'flower.png' from http://example.com, the URL would be:
http://example.com/flower.png.
To delete all cached objects click DELETE ALL OBJECTS. The request will
schedule the removal at next boot time.
This action should not be required in normal operation, and it should only be used where
the cache has become corrupted or unrecoverable.
Content Menu
All options and log analysis pertaining to the caching software can be found in the
‘Content’ menu.
From here you can:
View a summary of the state of content on your CACHEBOX
Specify websites that you don't want to be cached
Specify websites you don't want your users to access
Configure pre-caching jobs
Remove objects from your cache
Create a backup of your cache store
Overview
This page provides an overview of the content in your cache.
CDN
Many organisations use Content Distribution Networks (CDNs) to serve large files to users
all over the world. For example, when a user watches a video from a CDN they will likely
download the video from a server geographically close to their own location. Some
CDNs have one hostname and use DNS to provide the user with the IP of a server close
to them. Other CDNs use multiple hostnames - for example cache-21.cdn.example.com.
CACHEBOX is optimised to cache files served from a number of CDNs. Since the details
of these CDNs change over time, regular updates are provided by ApplianSys and are
downloaded automatically by the CACHEBOX.
Navigate to ‘Content’ > ‘CDN’:
You can disable support for individual CDNs by clicking the suspend icon in the
Actions column. The CDN should now be greyed out. To enable it again, click the
unsuspend icon in the Actions column.
If support for a CDN is disabled then files downloaded from it will be handled as any
other web object. For example, if a file from the CDN includes a header saying that the
content cannot be cached then the CACHEBOX will not cache the file.
Filtering
CACHEBOX can work with almost any off-box content filtering solution, irrespective of
whether that solution is an appliance or software running on a server. Typically we
suggest deploying the content filter closer to the users on the network than the
CACHEBOX(es). This ensures cached copies of data cannot be served to users without
being filtered.
The filtering feature of your CACHEBOX allows you to specify websites which you do not
want your users to access. You should note that this is not an alternative to a full filtering
solution. It can block websites only by domain name, and does not do any content
filtering.
Blocked websites are organised into groups. The Filter Groups section lets you define
these. For example, you might define the groups Games, Adult and Social. Groups can
be enabled and disabled. If a group is disabled then the websites will not be blocked.
To add a new filter group click ADD.
You should give each filter group a descriptive name. It should be a good indicator of
the websites being blocked by the group.
If you wish to temporarily unblock access to this group, uncheck the Enabled checkbox.
You can also block certain website groups from being accessed during peak times. To
do this:
1 Navigate to ‘Cache’ > ‘Other’ and define your peak time hours
2 Then navigate to ‘Content’ > ‘Filtering’, select your desired filter group (or create
one first) and tick the ‘Block During Peak Times Only' option.
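The two-step procedure above, together with the Enabled checkbox, amounts to a small decision rule. The following Python is an added example, not code from the guide or from the appliance: PeakWindow, FilterGroup and is_blocked are names chosen here, the group names and domains are constructed, and the assumption that a listed domain also covers its subdomains is this example's (the guide only says blocking is by domain name).

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional


@dataclass(frozen=True)
class PeakWindow:
    """Peak hours as set on 'Cache' > 'Other', in 24-hour local appliance time."""
    start: time
    end: time

    def contains(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        # Window that crosses midnight, e.g. 22:00 to 02:00.
        return now >= self.start or now < self.end


@dataclass
class FilterGroup:
    """One group from 'Content' > 'Filtering'."""
    name: str
    domains: List[str]
    enabled: bool = True
    block_during_peak_only: bool = False

    def matches(self, host: str) -> bool:
        # Assumption (not stated in the guide): a listed domain also covers its subdomains.
        host = host.lower().rstrip(".")
        return any(host == d.lower() or host.endswith("." + d.lower()) for d in self.domains)


def is_blocked(host: str, groups: List[FilterGroup], peak: PeakWindow, now: time) -> Optional[str]:
    """Return the name of the first group that blocks host at time now, or None."""
    for group in groups:
        if not group.enabled or not group.matches(host):
            continue  # disabled groups never block
        if group.block_during_peak_only and not peak.contains(now):
            continue  # peak-only groups block only inside the peak window
        return group.name
    return None


# Constructed sample configuration: 08:00-18:00 peak, three groups as in the guide's example names.
PEAK = PeakWindow(time(8, 0), time(18, 0))
GROUPS = [
    FilterGroup("Games", ["games.example"], block_during_peak_only=True),
    FilterGroup("Adult", ["adult.example"]),
    FilterGroup("Social", ["social.example"], enabled=False),
]

if __name__ == "__main__":
    checks = (("www.games.example", time(12, 0)), ("www.games.example", time(20, 0)),
              ("adult.example", time(3, 0)), ("social.example", time(12, 0)))
    for host, now in checks:
        verdict = is_blocked(host, GROUPS, PEAK, now) or "allowed"
        print(f"{host:<20} at {now.strftime('%H:%M')} -> {verdict}")
```

The midnight-crossing branch in PeakWindow.contains matters for networks whose busy period runs into the night; a naive start <= now <= end comparison would never match such a window.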
Bypass
The ‘Bypass’ page allows you to control which traffic should not be cached.
In the ‘Cache Bypass’ section you can list websites which you do not want cached by
your CACHEBOX. The websites will still be proxied by the CACHEBOX. Add as many
websites as you want by clicking ADD WEBSITE. Click SAVE to apply the configuration.
Click on the Advanced tab to switch to a text view.
The Proxy Bypass feature allows you to list a range of IP addresses and/or domain
names, which you do not want to pass through the web caching engine. Individual IP
addresses or CIDR networks (of the form x.x.x.x/N) may be specified. This feature only
works for clients using the CACHEBOX transparently, i.e. having the CACHEBOX
configured as their gateway/default route.
You can bypass a request to an IP address or domain name based on Sources or
Destinations. To bypass requests from some particular originating IPs, add those IPs to
the Sources list. Similarly, if you want to bypass a request for a destination IP, add it to
the Destinations list.
Where domain names are specified, the CACHEBOX performs a DNS lookup for any
specified domains at the time the domain is added. The result may not be correct if a
specified domain uses dynamically assigned IP addresses.
Purge Objects
The ’Delete Cached Objects’ section allows you to make a request for the removal of
one or more cached objects from the cache store.
‘Delete All Objects’ makes it quick and easy to clear your cache stores. The following
options are available:
All – Allows you to make a request for the removal of all cached objects; a previous request for the removal of the cache can be cancelled. The request will schedule the removal at next boot time. This action should not be required in normal operation, and it should only be used where the cache has become corrupted or unrecoverable.
Cached Objects Only – Allows you to delete all cached objects (excluding static content). This action is executed immediately, and usually takes a while before completing, especially if you have a lot of objects in your cache.
Partially Cached Objects Only – Allows a user to delete all range-request objects only.
Static Objects Only – Deletes all objects stored in the static store. It also resets the size of your static store to 0MB.
Selecting All will schedule a removal of all cached objects from your CACHEBOX. This
should NOT be used unless absolutely necessary.
Cache Backup
This feature allows the stored objects from cache to be backed up to an external USB
disk drive, and then either restored at a later point or migrated to other CACHEBOXes.
This page can be used to perform cache backup and restore operations for your
cached data. You can:
Backup your cache content to an attached USB device
Restore cache content from the USB device to this CACHEBOX
Show the progress of a running backup or restore job
Attached USB Disk – The last attached USB disk is displayed here, as well as any partition or usage information.
Found a Cache Backup – If an attached USB disk has a previous backup, this backup's details will be displayed in this section, including Source Model, Source Firmware, Source Unique Appliance Code, Source Serial, Backup Date and Backup Notes. If you don’t see information in this section having attached the disk, refresh the page. If the source model and the running cache engine are compatible with your CACHEBOX then a restore is possible, and a RESTORE button will be displayed. Pressing this button will restore content from the attached USB disk to your CACHEBOX.
Create a Backup – Use this section to create a new backup:
Prepare Disk: Select Yes to prepare the disk first, before performing a backup. This will erase all the content on the USB disk. You must do this for a disk that has never been used for cache backup before.
Backup Notes: Use this text field to add information relevant to your backup.
Disable disk caching: In this mode, the CACHEBOX will not write any data to its stores.
This prevents corruption of the data while performing a backup or restore job. You
need to re-enable disk caching once the job is complete so that data is stored to the disk
stores normally.
Do not remove the USB disk: Unplugging the USB disk during a backup/restore job will
result in data corruption.
Specify an appropriate USB disk size: The USB disk size should be at least the size of the
data you intend to back up.
Pre-Caching
This feature lets you automatically download and cache the content of websites at
predefined times (such as during the night). It works in the same way as a search engine
spider: starting with a single URL and following the links it finds.
Please take care when using this feature on connections where bandwidth usage is
charged or limited, because it could download content that is never used.
It is most suited to networks where bandwidth is unlimited; using it when there are no
users on the network can give a performance increase at no extra cost.
The ‘Pre-Cache Jobs’ section displays any pre-caching jobs configured on your
CACHEBOX.
For each job, the Description and URL associated with the job are displayed. If the pre-
cache job is currently running, this will be displayed under the Status column, and an
option to cancel the job will be given. The Actions column allows editing and deletion
of existing pre-cache jobs.
Additional jobs may be added using the ADD button, which takes you to:
Follow Off-Site Links – If this is selected, then hyperlinks which point to different domains will be followed. By default, they will not be, and this option should only be enabled if really required for a site.
Ignore robots.txt – Select this to ignore robot exclusions.
Verify SSL Certificates – Select this to enforce strict certificate checks.
Max Wait Between Files – Wait up to this duration between each file download. Only use a low value if you are in charge of the remote server.
Max Run Duration – This allows limiting the amount of time the job will run for. Some sites with very high numbers of links could otherwise take a significant amount of bandwidth and time even with fairly low link depths.
Some servers need specific headers in order to serve objects. The ‘Custom Request
Headers’ section allows you to add custom request headers to a pre-cache job.
Click ADD HEADER and enter the Name and Value of a custom request header:
For example, you can add a Cookie name value pair here if the server authorises
requests using cookies.
There are two modes available for pre-cache jobs under ‘Scheduling’:
To run an on-demand pre-cache job, tick the box in front of ‘Start Pre-caching
Immediately’.
Reports Menu
When logging is enabled, CACHEBOX will automatically generate reports, which are
useful for monitoring caching performance and user activity.
The ‘Reports’ menu allows you to view the reports. Reports are divided into the following
categories:
Overview – an overview of the cache’s performance in the last hour
Periodic – traffic reports showing user activity by second-level domains
Performance – a number of graphs indicating the CACHEBOX performance
Statistics – detailed statistics on the use of CACHEBOX
Additionally, you can configure reports from the following pages:
‘Settings’ – allows you to configure all report settings from a single page
‘Schedule’ – a table showing you all reports which are scheduled to be sent via email
Reports run automatically in the background and graphs are produced every 5 minutes.
Data on the ‘Statistics’ page is available in real time.
Overview
This page provides you with an overview of the most recent daily web caching
performance figures. Information displayed here includes Bandwidth Total, Bandwidth
Saved, Average Speed Increase and pie charts showing the Top Domains and Top MIME
Types.
Load Average – This is a metric commonly used on servers. The higher the load the more the CACHEBOX is being used, and a high load may result in slower response times.
Interface Throughput – The volume of data being transmitted and received by each of the network interfaces on your CACHEBOX.
If it takes too long to collate the data, you may see a message telling you that another
attempt is being made.
Periodic
The ‘Periodic’ page provides insight into the total traffic served to clients as well as values
saved by CACHEBOX.
Type of Report
To select which report is shown use the drop down options at the top of the page to
view traffic reports.
Time Period – This allows selection of the time period to view. Daily, weekly and monthly reports are available. Daily reports are updated approximately every 5 minutes; weekly and monthly reports are updated approximately hourly.
Report Traffic – Different report types are available, allowing reporting to be restricted to a subset of all traffic. The available options here depend on your CACHEBOX configuration and the settings configured on the ‘Reports’ > ‘Settings’ page.
Sort Order – Sort reports by total volume of traffic and requests, as well as what percentage of these values is handled by CACHEBOX.
Clicking the PDF icon will generate a downloadable PDF report of the selected type
for the chosen day/month.
Clicking the CSV icon (next to the PDF icon) will allow you to download reports such
that you can reuse data for analysis or other uses.
For a list of Status codes used in some of the reports, see Appendix B.
Traffic Summary
Depending on the time period set, the ‘Traffic Summary’ shows the performance
overview in terms of bandwidth, requests and average speed increase. It also provides
the number of unique domains and devices which the CACHEBOX deals with.
The summary provides an overview of the total traffic served to clients as well as the
values saved by CACHEBOX - which did not need to be requested from the Internet.
Some very slow or very small objects are ignored in speed calculations: Small objects
(less than a few KB) typically have significant per-request overhead which masks any
speed measurement. Similarly very slow requests are often caused by connections held
open for a long time while data is streamed in response to specific events, rather than
transferring specific documents.
Reports
The reports displayed on this page are a subset of the graphs from the PDF report.
Each section of the generated report shows a graph followed by tabular information.
The following statistics are available:
Request destinations by domain – The most popular web sites requested through the cache. Higher hit rates for the most popular sites indicate better savings from caching.
Request destinations by Application – The most popular applications requested through the cache.
Requested Content Types – The types of object requested through the proxy. The object type is determined by the MIME headers.
Top HTTP Status Codes – The distribution of response codes returned from web servers. This should reflect your web traffic and not be affected by the proxy.
Top Sources – The average speed of top sources, that is, the devices most heavily using the cache.
Size Distribution – The total size of different objects by size range.
Speed Distribution (Cache Hit & Cache Miss) – The distribution of speeds for different sized objects. Typically larger objects will be downloaded at a faster speed (in bytes per second) than small objects, and cache hits will be served much faster than misses.
Performance
The ’Performance’ page shows a number of graphs representing the CACHEBOX
performance. The information contained on this page will depend on the configuration
of this CACHEBOX.
For detail on how to select graph data using the options at the top of the page, see
“Introduction to the Web Interface” in Section 2.
The ‘Performance Overview for today’ shows a daily performance overview in terms of
Bandwidth Total/Saved and Requests Saved.
Data Transferred – This chart shows how much bandwidth has been used in the given time interval. It is split into data retrieved from the Internet and data served directly from CACHEBOX.
Requests – This is the number of requests being made by clients to the web caching proxy. The total requests per second is split into two sections: Miss and Hit. 'Hit' requests are those served directly from the CACHEBOX without needing to access the Internet. This graph will be useful to help you spot peaks in traffic.
Hit Ratio – There are two different hit ratios displayed on this graph. The ‘Byte Hit Ratio’ shows the percentage of bytes being served to clients which come from the cache (instead of being fetched from the Internet). The ‘Document Hit Ratio’ shows the percentage of objects which have come from the cache, e.g. HTML files, Flash videos, stylesheets.
Speed Increase – This displays the weighted average of the increase in request speed provided by the CACHEBOX. Large requests which get sent quickly to clients will have a large positive effect here; the values will also depend on the difference between upstream request speed (of misses) and the speed at which cache hits can be delivered to clients.
Number of Active Clients – This displays the number of unique sources (either IP or username, if authentication is available) which completed requests during the given minute. This gives a user-based indication of how busy your CACHEBOX is at any point in time.
Service Times – This displays the time taken for requests of different types as well as DNS service times.
Cache Engine Traffic – This chart shows the amount of network traffic flowing into and out of the cache engine(s) within the CACHEBOX. The deployment mode affects the data shown here:
In Explicit mode, the traffic being sent back to clients out of the cache engine is all returned to the client from the explicit listening port, and the type of traffic (HTTP vs HTTPS) cannot be distinguished at the network level. The upstream requests are determined based on port number, showing as Cache In (HTTP) and Cache In (HTTPS).
In interception / transparent modes, the outgoing traffic returning to clients can be distinguished by port number, and is shown as Cache Out (HTTP) and Cache Out (HTTPS) (if HTTPS interception is available). Any network traffic which uses 'Proxy Bypass', or which is not intercepted in bridge mode, will not be shown in this chart, which only shows network data entering and leaving the cache engine.
In Advanced mode, a combination of explicit and interception modes may be used, in which case all the data series may show information as detailed above.
If the server takes too long in preparing the data you may see a message telling you that
another attempt is being made.
Statistics
The ‘Statistics’ page provides a quick overview of several statistics related to the web
caching service. The information contained on this page will depend on the
configuration of this CACHEBOX.
The information on this page comes from a database containing a series of counters
measuring important information about the web caching service. These counters are
updated multiple times a minute.
Recent data is stored at a high resolution. As data gets older the resolution decreases.
This allows years of statistics to be stored on this appliance.
For detail on how to select graph data using the options at the top of the page, see
“Introduction to the Web Interface” in Section 2.
Cache Usage – Shows the amount of storage space used by each of the cache stores.
File Descriptors – Each connection that the web cache service opens has one or more file descriptors. There is only a limited number of file descriptors which can be held open at once.
Memory Use – This graph shows how much memory the web caching service is using. There may be issues if too much memory is being used, as this will reduce the memory available to other processes on the system. You can monitor the overall memory usage statistics on the ‘System Reports’ page.
Uptime – This graph displays the uptime of the caching service in minutes. If there are breaks in the graph, it is likely that the reporting service has stopped rather than the caching service, and this may be indicative of a heavily loaded box.
If the server takes too long in preparing the data you may see a message telling you that
another attempt is being made.
Settings
Here you configure the settings for CACHEBOX reporting: which reporting statistics
CACHEBOX accumulates and how they are presented. By default all reports show all
client traffic; however, additional detail on particular subsets of the traffic can also be
added.
The Reporting Settings section lets you enable or disable different types of reports.
Additional reports may be viewed and downloaded as PDFs or CSV files on the ‘Reports’
> ‘Periodic’ page. Each additional enabled report will use more resources, so disable
any which are not needed.
The following settings are available:
Enable reporting – If disabled, new periodic and scheduled reports will not be created. However, this will free up some resources. Disabling all reporting is possible, but not recommended, as CACHEBOX performance and status will be more difficult to measure.
Create Peak-Time report – This report covers only the peak time specified in ‘Cache’ > ‘Other’.
Create Pre-Cache report – This report shows requests made as part of pre-cache operations.
Create Static Content report – This report shows requests served from the Static Content store.
Create HTTP-only report – This creates an additional report for only HTTP traffic. It will exclude CONNECT requests.
Create Range Request report – This report displays client range requests.
Create Errored Request report – This report shows client requests with an error HTTP status (4xx or 5xx).
Create Custom Domains report – This report shows custom domains that can be specified in the Custom Domain Report section on the same page.
Schedule
The ‘Scheduled Reports’ section shows you all reports which are scheduled to be sent via
email. A report contains an overview of performance and traffic statistics. It will be sent
as a PDF attachment to one or more email addresses.
When you schedule a report you need to provide the following information:
Send Report At – What time the report should be generated. It is not guaranteed that the report will be generated and sent at exactly the time chosen. If the appliance is very busy, then the report may be delayed by a few minutes.
Recipient Email Addresses – Provide one or more email addresses (one per line).
If you fail to receive a scheduled report, verify that an SMTP server has been configured
correctly.
SECTION 4:
FREQUENTLY ASKED QUESTIONS
Deployment
How do we deploy CACHEBOX? What are the options?
For service providers, typically CACHEBOX is deployed transparently via either:
HTTP Redirection (Policy-Based Routing or WCCP modes) or
HTTP Interception (Bridge Mode)
See the deployment section of this guide for more information.
How can I configure my web browsers to work with CACHEBOX?
If CACHEBOX is not deployed transparently, then users will need to have their browsers
configured to forward web traffic via your CACHEBOX. Options to do this are provided
in all modern browsers (please contact your support for details). In the case of Microsoft
Internet Explorer running on workstations that are part of an Active Directory domain the
configuration can be done centrally using group policy.
How can I deploy CACHEBOX transparently?
Depending on the firewalling rules you have configured, CACHEBOX will forward traffic
sent via it, redirecting any HTTP traffic to its caching engine. It can act as a gateway for
a network segment or have TCP port 80 traffic sent to it by another router.
What is the default proxy port and can it be configured?
TCP port 800. It can be changed on the Basic Settings page. Navigate to ‘Cache’ >
‘Basic’.
What is the default web interface port and can it be configured?
TCP port 443. It can be changed on the Services page. Navigate to ‘Network’ >
‘Services’.
Can you cache dynamic data/SSL traffic?
Dynamic data can be cached if required, and notification from sites not to cache pages
can be overridden using ACLs. However, some caution should be used, as user-specific
session data may be stored in the pages. CACHEBOX supports SSL traffic but will not
cache the contents. This is to prevent the appearance of a ‘man in the middle’ attack.
Does CACHEBOX support transparent FTP?
It neither supports explicit nor transparent FTP.
Can we log user activity?
Yes. By default the IP addresses of all workstations accessing web pages are logged.
Appliance Management
How do I access CACHEBOX to manage it?
Initial network configuration can be done via a console (accessible by plugging a
monitor and keyboard into the device), after which all administration is performed via a
secure web interface. This can be accessed by any browser on any operating system
and does not rely on technologies such as Java, Flash etc. If required, access to the
interface can be limited to certain IP addresses for extra security.
Security
How do we apply the latest security patches?
Patches are supplied by ApplianSys. They are easily applied via the secure web
interface - shell access is not required. The Operating System was designed with security
as a priority so all non-essential tools were left out from the start. Often when a problem
is found in software such as Squid, a patch is not required because the vulnerable code
is not on the appliance.
Hardware
What input voltages will CACHEBOX work with?
110-240 volts.
Is it possible to rewrite the operating system Compact Flash card?
Yes; however in all except the rarest cases, it is not required. The update mechanism is
used for standard upgrades.
The following procedure requires an operating system image to be made available to
you by ApplianSys support. You will need a computer running Microsoft Windows and a
USB Compact Flash card reader. Mac OS X (Disk Utility) and Linux (dd) can also be used
but these are not covered below.
1 Power down the CACHEBOX and remove the operating system card. Do not
remove the card whilst power is on or you could potentially damage your data
2 Download and install WinImage: http://www.winimage.com/
3 Plug in a compact flash card reader with CACHEBOX OS card inserted
4 Open WinImage and click ‘Disk’ > ‘Restore Virtual Harddisk Image on virtual drive’
5 When prompted with a list of removable drives, choose the right one and click OK
6 When prompted for an image to restore, select the CACHEBOX dd image file from
your hard disk (ensure you choose All Files from the Files of Type drop down list)
7 When asked "Do you want to erase disk content", answer YES
8 The image will now be written to the CF card
9 Once complete, reinsert the card into CACHEBOX and power on
10 You will need to log in via the console and configure new network settings
11 Once you are able to access the web interface you will need to send the Server
Code displayed on the Licensing page (‘System’ > ‘Licensing’) to
support@appliansys.com for an activation code to be generated for you
APPENDICES
Appendix A: SSH Command Line Access
This mode should only be used by advanced users. Those unfamiliar with Linux are
strongly advised against enabling SSH access. If you are not an advanced user, you
should use the ‘Tools’ page in the ‘Network’ menu to do basic connectivity tests.
When configuring CACHEBOX via the command line, it is possible to make mistakes
which cannot be undone and permanently damage your data. If damage does occur,
the compact flash card(s) and disk(s) may need to be rewritten before normal operation
can be resumed, resulting in loss of data.
You can gain SSH access to the CACHEBOX as the admin user. You can now run
console_ui to change network settings.
The console should not be used to configure services – doing so could affect your ability
to make future changes via the web interface. Additionally, many of the files in
directories such as /etc are automatically generated at boot time, meaning that
changes will be overwritten.
Useful commands that are present to aid diagnostics and deployment include:
tracepath – perform a traceroute
ping – check availability of remote systems
telnet – create TCP connections
nslookup – perform DNS lookups
nano – a simple text editor
vi – an advanced text editor
wget – download web objects over HTTP and HTTPS
squidclient – perform diagnostics on squid
who – check which users are logged in
top – view CPU and memory usage
netstat – view network connections
ifconfig – review network settings and make run time modifications (may be
overwritten – use console_ui instead)
ssh – connect to a remote system
dmesg – review system messages
rr-diagnostics – run a series of diagnostics to check for network connectivity
and that web content can be cached
To gain root access run "sudo su -" (note the trailing hyphen, which gives you root's
login environment). The following additional commands are then available; return to
the admin shell with exit as soon as the task is done:
tcpdump – sniff traffic on network interfaces
route – review the routing table (modifications will be automatically overwritten
almost immediately – to make changes please use the web ui)
reboot – immediately reboot
reset_appliance – removes all configuration (but not cached objects, logs &
reports) and reboots the appliance
shutdown – shutdown either now (-h now) or at a scheduled time
You should only use the reboot and shutdown commands if you have no access to the
web interface, as this method does not record a reason for the reboot/shutdown in the
system log.
Appendix B: HTTP Status Codes
These are the result codes that the cache (Squid) records against each request in
its access log. They describe how the request was served.
Code                Description
TCP_HIT             Object was in the cache and was served from disk
TCP_MEM_HIT         Object was in the cache and was served from memory
TCP_NEGATIVE_HIT    Hit on a cached error response, e.g. 404 Not Found
TCP_MISS            Object was not in the cache and had to be retrieved from the
                    Internet
TCP_REFRESH_HIT     A stale object was in the cache; the origin server confirmed it
                    was unmodified, so it was served from the cache. A stale object
                    is one whose age is greater than its expiry time
TCP_REFRESH_MISS    A stale object was in the cache but had been modified, so the
                    new version had to be retrieved from the Internet
TCP_CLIENT_REFRESH  Browser refresh that instructed the cache to retrieve the object
                    again from the Internet
TCP_IMS_HIT         A client asked whether its own copy was still fresh
                    (If-Modified-Since) and the cached object was found not to be
                    stale
TCP_IMS_MISS        A client asked whether its own copy was still fresh and the
                    cached object was found to be stale
TCP_DENIED          Access denied
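The codes in the table are most useful when you count them over a stretch of the access log. The script below is an added example, not ApplianSys code, and works on the diagnostics shell described in Appendix A or on any host with a copy of the log. It assumes the log uses Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type); the sample lines are constructed, not real appliance output.

```shell
#!/bin/sh
# Added example, not ApplianSys code: summarise the result codes above from a
# Squid-style access log. The field layout is Squid's native access.log format
# (time elapsed client code/status bytes method URL user hierarchy type), which
# is an assumption about how CACHEBOX writes its log.

# Constructed sample lines, not real appliance output.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
1505481600.101    12 10.1.1.20 TCP_HIT/200 48213 GET http://example.com/logo.png - NONE/- image/png
1505481600.230   340 10.1.1.21 TCP_MISS/200 192011 GET http://example.com/video.mp4 - HIER_DIRECT/93.184.216.34 video/mp4
1505481601.004     2 10.1.1.22 TCP_MEM_HIT/200 5120 GET http://example.com/style.css - NONE/- text/css
1505481601.377   120 10.1.1.20 TCP_REFRESH_HIT/200 48213 GET http://example.com/logo.png - HIER_DIRECT/93.184.216.34 image/png
1505481602.010   410 10.1.1.23 TCP_REFRESH_MISS/200 77012 GET http://example.com/news.html - HIER_DIRECT/93.184.216.34 text/html
1505481602.512     3 10.1.1.24 TCP_IMS_HIT/304 310 GET http://example.com/logo.png - NONE/- -
1505481603.020     0 10.1.1.25 TCP_DENIED/403 1450 GET http://blocked.example/ - NONE/- text/html
1505481603.640   280 10.1.1.21 TCP_MISS/200 88123 GET http://example.com/a.jpg - HIER_DIRECT/93.184.216.34 image/jpeg
1505481604.100     9 10.1.1.26 TCP_HIT/200 88123 GET http://example.com/a.jpg - NONE/- image/jpeg
1505481604.555   300 10.1.1.20 TCP_CLIENT_REFRESH/200 48213 GET http://example.com/logo.png - HIER_DIRECT/93.184.216.34 image/png
EOF

# One line per result code: "CODE requests bytes", busiest code first.
result_code_summary() {
    awk '{ split($4, a, "/"); code = a[1]; n[code]++; b[code] += $5 }
         END { for (c in n) printf "%s %d %d\n", c, n[c], b[c] }' "$1" \
    | sort -k2,2nr -k1,1
}

# Hit ratio as a whole-number percentage. Every code ending in _HIT counts
# as a hit (served without fetching the full object again); TCP_DENIED is
# left out of the denominator because the cache never tried to serve it.
hit_ratio() {
    awk '{ split($4, a, "/"); code = a[1]
           if (code == "TCP_DENIED") next
           total++
           if (code ~ /_HIT$/) hits++ }
         END { if (total == 0) print 0; else printf "%d\n", int(hits * 100 / total) }' "$1"
}

# Requests where the client or origin forced a fetch despite a cached copy.
# Matches TCP_CLIENT_REFRESH (and Squid's longer TCP_CLIENT_REFRESH_MISS) and
# TCP_REFRESH_MISS; a large share points at no-cache headers or short expiry times.
forced_fetches() {
    awk '{ split($4, a, "/"); if (a[1] ~ /^TCP_(CLIENT_REFRESH|REFRESH_MISS)/) n++ }
         END { print n + 0 }' "$1"
}

echo "Result codes (code requests bytes):"; result_code_summary "$SAMPLE_LOG"
echo "Hit ratio: $(hit_ratio "$SAMPLE_LOG")%"
echo "Forced fetches: $(forced_fetches "$SAMPLE_LOG")"
```

Point the functions at the real log instead of SAMPLE_LOG to get the same figures for a deployment. A TCP_DENIED count that climbs suddenly is worth a look on its own, since it is the only code in the table that records a policy decision rather than a cache outcome.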
Appendix C: IP-KVM option
Login details
Login (for all models except CACHEBOX420): admin / admin
Login (for CACHEBOX420): ADMIN / ADMIN
Default IP address: 10.10.10.1
These are factory defaults and are the same on every unit, so change the password at
the first login: the KVM interface gives remote console and power control over the
appliance. The default IP address can be changed to another static address or
configured to use DHCP once you are logged in to the KVM management interface.
Deployment instructions
To connect the KVM to the network, insert a network cable into the dedicated
DM_LAN1 management port, which sits above the USB ports. Connect it to a
management network rather than to the user-facing network where you can.
Logging in
Browse to the IP address and enter the login details given above.
Google Chrome may cause issues with this interface. Mozilla Firefox or Internet
Explorer is recommended.
System Information
Once you log in you will see a section with general information about the system:
Server Health
The Server Health section shows you data related to the server's health, such as sensor
readings and the event log.
Configuration
The Configuration menu holds the pages for editing the KVM's own settings, such as
alerts, users and network.
Network Settings
If using DM_LAN1 is not your preferred option, KVM access can instead be shared onto
LAN1 with its own IP address, configured statically or via DHCP. Note that this
exposes the KVM interface on the same network that LAN1 serves, so keep to the
dedicated port where you can.
Clicking the Power Control button shows the server's power status. To perform a
power control operation, select one of the options listed on that page and press
Perform Action.
Clicking the Console Redirection button launches the redirection console, from which
you can manage the server remotely.
This does not work in Google Chrome. Please make sure you use an alternative
browser.
The Power Button page lets you enable or disable the physical power button: select
one of the options listed on that page and press Perform Action.
Notes