book

Web Caching

by Duane Wessels

June 2001

Intermediate to advanced

320 pages

9h 18m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Audience
Web SitesMailing Lists
Web ArchitectureClients and ServersProxiesWeb ObjectsResource Identifiers
HTTPFTPSSL/TLSGopher
LatencyBandwidthServer Load

Browser CachesCaching ProxiesSurrogates
HTTP RequestsOrigin Server RequestsProxy RequestsNon-HTTP Proxy Requests
Status CodesRequest MethodsExpiration and ValidationCache-controlAuthenticationCookiesDynamic Content
Last-modified TimestampsEntity TagsWeak and Strong Validators
The no-cache DirectiveThe max-age DirectiveThe min-fresh Directive
Least Recently Used (LRU)First In, First Out (FIFO)Least Frequently Used (LFU)SizeGreedyDual-Size (GDS)Other Algorithms
PrivacyAccess LogsMaking Requests Anonymous
Does Caching Infringe?Cases and PrecedentsThe DMCAHTTP’s Role
Java Applets
Proxy Addresses
Configuring Microsoft Internet ExplorerConfiguring Netscape NavigatorNCSA Mosaic, Lynx, and Wget
Writing a Proxy Auto-Configuration FunctionSample PAC ScriptsSetting the Proxy Auto-Configuration Script
Overview
Inline CachesLayer Four SwitchesWCCPCisco Policy Routing
LinuxipchainsiptablesFreeBSDOther Operating Systems
It’s Difficult for Users to BypassPacket Transport ServiceRouting ChangesIt Affects More Than Browsers and UsersNo-Intercept ListsAre Port 80 Packets Always HTTP?HTTP Interoperation ProblemsIP Interoperation Problems
Important HTTP HeadersDateLast-modifiedExpiresCache-controlContent-length
Why?LatencyHiding network failuresServer load reductionTen Ways to be Cache-FriendlyApacheThe Expires headerGeneral header manipulationSetting headers from CGI scriptsHow to Choose Expiration Times
What About Dynamic Responses?What About Advertisements?Getting Accurate Access Counts
How Hierarchies Work
PerformanceNondefault Routing
TrustLow Hit RatiosEffects on RoutingFreshnessLarge FamiliesAbuses, Real and ImaginedError MessagesFalse HitsForwarding LoopsFailures and Service Denial
ICPHistoryFeaturesHit predictionProbing the networkObject data with hitsSource RTT measurementsIssuesDelaysBandwidthFalse hitsUDPNo request methodQueries for uncachable responsesInteroperationUnwanted queriesMulticast ICP
Issues
Bloom FiltersComparing Digests and ICP
The Hot Spare
Appliance or Software SolutionAppliancesSoftware
What to Monitor?
UCD-SNMPRRDToolOther Tools
MetricsThroughputResponse TimeHit RatioConnection CapacityCost
Disk ThroughputCPU PowerNIC BandwidthMemoryNetwork State
Web PolygraphBlastWisconsin Proxy BenchmarkWebJammaOther Benchmarks
TCP Delayed ACKsPort Number ExhaustionNIC Duplex ModeBad Ethernet CablesFull CachesTest DurationLong-Lived ConnectionsSmall Working SetsClock SyncMSL (TIME_WAIT) Values
Configure SystemsTest the NetworkNo-Proxy TestFill the CacheRun the Benchmark
ThroughputResponse TimeHit RatioOther Results
Reply and Object Sizes
Client Request HeadersClient Reply Headers
Size and Popularity
ICPv2 Message FormatOpcodeVersionMessage LengthReqnumOptionsOption DataSender Host AddressPayload
PointersObject AdvertisementRequest NotificationObject Removal and InvalidationMD5 Object KeysEliminating URLs from RepliesWiretappingPrefetching
Membership Table
Message Format and Magic ConstantsHEADERDATAAUTH
COUNTSTRSPECIFIERDETAILIDENTITY
NOPTSTTST requestTST responseMONMON requestMON responseSETSET requestSET responseCLRCLR requestCLR response
The Cache Digest ImplementationKeysHash FunctionsSizing the FilterSelecting Objects for the DigestFalse Hits and Digest FreshnessExchanging Digests
1xx Intermediate Status
Books and Articles

Content preview from Web Caching

Content Integrity

Can you trust the information you receive from a cache? How do you know it has not been modified? How do you know it is what the origin server intends for you to see?

This is an extremely difficult problem, with no known solutions at this time. TCP does not currently provide any form of end-to-end security, which means this problem is not specific to HTTP or the Web. The Transport Layer Security protocol (TLS, formerly Secure Sockets Layer) does provide end-to-end security on top of the network transport protocols. TLS protocols [Dierks And Allen, 1999] are designed to prevent eavesdropping, tampering, and message forgery. However, the security provided by TLS is in effect only for the duration of the data transfer. It does not guarantee—especially for cache hits—that the object you receive has not been modified since the origin server generated it. Unfortunately, we do not have a general purpose digital signature scheme for web objects. Even if such a thing did exist, to be of any real value it would require out-of-band communication for the key exchange. In other words, it would be pointless to retrieve signing keys from the cache.

Recent security features being added to DNS [Eastlake, 1999] might be able to support a scheme for authenticating web objects. For example, lets say you request the URL http://www.monkeybrains.net/index.html. The response is an HTML page that includes, in comments, a digital signature. To validate the signature, you need the public ...