[plug] multiple web clients accessing a single site via proxy

Sol Hanna sol.hanna at three.com.au
Tue Jan 23 19:55:32 WST 2007


On Tuesday 23 January 2007 18:59, you wrote:
> On Tue, Jan 23, 2007, Sol Hanna wrote:
> > hi all,
> >
> > This isn't strictly a Linux question, but after googling for info on
> > network proxies, I've drawn a blank and am not sure where to turn. The
> > problem is next week I'm back at work (as a high school teacher) and I
> > want to take advantage of some web 2.0 kinda sites (eg: wordpress) to
> > make my classes more engaging and relevant. But I had a bad experience in a
> > yr8 media class last year when I was trying to get the class to sign up
> > for some free web space (on geocities if I remember right) to post some
> > static pages they'd designed.
> >
> > They all applied for registration, but when they tried to log on, all
> > hell broke loose. Some students found that they were logged in under the
> > user names of other students. Many students found themselves blocked by
> > the site. I deduced that this was because there were 22 students trying
> > to log onto the same site at the same time, and cookies were getting
> > routed to the wrong browsers.
> >
> > The school runs a network proxy through which all web traffic runs. I
> > know enough about proxies to know that all traffic emanating from behind
> > the proxy appears to the web servers as if coming from a single host. So
> > matching the cookie authenticated requests from each browser is a very
> > difficult task for the web server if the browser requests are occurring
> > near-to simultaneously.
> >
> > Are my conclusions about the problem correct? And if so, is there
> > anything I can do if I want a class of students to register and use a
> > site during a session without these nasty consequences?
>
> Hiya,
>
> (I've got my Squid web proxy/cache hat on here.)
>
> This is one of those "annoying" problems with proxies in the past. Web
> sites are pretty notorious for being proxy/cache ignorant!
>
> It's not exactly as you suspect however. Some sites in the past have naively
> assumed IP == session but this has thankfully gone away now that
> lots-of-people-hiding-behind-one-IP-via-NAT has become all the vogue. So
> nowadays it's down to bad caching information in their HTTP replies
> (sometimes happens!) and sometimes badly behaving persistent connections.
>
> The persistent connection thing is slightly annoying. Basically, a proxy
> would hold open a number of connections to a server, and a number of
> clients could try accessing that one server. The proxy would just hand the
> client one of the idle (persistent) connections. What this means,
> annoyingly, is some sites which authenticated persistent connections would
> actually give data authenticated to user X to user Y.
>
> The latest Squid release (Squid-2.6) fixes this behaviour. :)
>
> The only way to identify the problem is to get a packet trace of the
> whole exchange so your proxy vendor can identify and repair the problem.
> Sometimes, in extreme cases, a "please don't cache at all kthx" rule
> is put into the proxy. But this happens less and less these days.
>
> <selfless plug>
> (And if your vendor is Squid, or you want to move to a proxy/cache vendor
> who'll participate in open source development, let me know. :)
> <selfless plug />

Thanks for that excellent and very prompt reply Adrian. That certainly goes a 
long way to explaining the problem and possible solution. Sadly, basically 
everything DETWA uses in schools is M$ (except where conscientious admins are 
working in a given school), so not much chance of Squid being in effect. 
Which is a pity cos I've used it before and was mightily impressed with its 
power and configurability. :)

I'll check things out over the next week or so and see how things go. If I do 
encounter problems whilst running a class I'll have a backup plan, and be 
ready to diagnose the problem so I can talk to the admin about changing the 
proxy rules if necessary.

much appreciated! 

-- 
---

Sol Hanna
sol.hanna at three.com.au
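
The persistent-connection mix-up described in the quoted reply, modelled as an added example that is not part of the original thread and is not Squid's code. All class names, client names and paths are hypothetical, and pinning an authenticated connection to the client that created it is shown as one possible mitigation, assumed here for illustration.

```python
# Constructed model: no real network traffic, every name below is hypothetical.
class OriginConn:
    """One server-side connection; the site ties the login to the connection."""
    def __init__(self):
        self.user = None  # set by the first authenticated request on this connection

    def request(self, path, credentials=None):
        if credentials is not None:
            self.user = credentials
        return f"{path} for {self.user or 'anonymous'}"

class PoolingProxy:
    """Hands any idle persistent connection to any client (the behaviour described)."""
    def __init__(self):
        self.idle = []

    def _take(self, client):
        return self.idle.pop() if self.idle else OriginConn()

    def _give_back(self, client, conn):
        self.idle.append(conn)

    def fetch(self, client, path, credentials=None):
        conn = self._take(client)
        try:
            return conn.request(path, credentials)
        finally:
            self._give_back(client, conn)

class PinningProxy(PoolingProxy):
    """Keeps a connection carrying authentication state with its original client."""
    def __init__(self):
        super().__init__()
        self.pinned = {}

    def _take(self, client):
        return self.pinned.pop(client, None) or super()._take(client)

    def _give_back(self, client, conn):
        if conn.user is not None:
            self.pinned[client] = conn  # never handed to a different client
        else:
            self.idle.append(conn)

def classroom(proxy):
    """Student X logs in from pc-01, then pc-02 requests a page without logging in."""
    first = proxy.fetch("pc-01", "/account", credentials="student_x")
    second = proxy.fetch("pc-02", "/account")
    return first, second
```

With `PoolingProxy` the second machine receives student X's page; with `PinningProxy` it is served as anonymous.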


