[OPLINTECH] CACHEBOX

Chad Neeper cneeper at level9networks.com
Mon Mar 25 14:31:29 EDT 2019


I used to do a fair bit with HTTP caching...back when my libraries all had
T1 lines. The firewall I used was open source and so had squid (well-known
FOSS caching proxy...quite possibly the same proxy running ApplianSys'
CACHEBOX) as a plug-in. These days, however, I don't use a caching proxy
for several reasons:

   1. OPLIN has been excellent about providing internet access that keeps
   up/ahead of demand (Thanks, Karl, Vince, and gang!) Most of the libraries I
   work with are single-branch libraries, so OPLIN covers all our needs in
   most cases.
   2. For several years now, HTTP is actively being discouraged in favor of
   HTTPS, so there have been and will continue to be diminishing returns on an
   HTTP cache. (More on this later...)
   3. In order to cache HTTPS, the proxy cache has to essentially perform a
   Man-In-The-Middle Attack
   <https://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If a
   private *business* wants to cache HTTPS, that's fine. That's a
   company/employee situation. But I'm not going *anywhere* near that in a
   public library providing public access to patrons. I encourage you to do
   your homework on this area before deciding whether or not to do this.

HTTP vs HTTPS in a nutshell and WRT to caching:
HTTP == insecure, unencrypted network traffic between a client computer and
a web server. It's easily intercepted and cached via an HTTP proxy cache.
HTTPS == secure, encrypted network traffic between a client computer and a
web server. This is not cache-able content. To cache it, the HTTPS proxy
must decrypt the HTTPS packets in order to read the content. Since HTTPS
traffic is encrypted between the client computer and the web server, the
intent is that no device in between the client computer and the web server
should be able to read the encrypted communications. To do so, the HTTPS
proxy must *pretend* to be the client computer when talking to the web
server, and it must *pretend* to be the web server when talking to the
client computer (MITM attack). If I'm a patron at your library using your
computers and discover that you're deliberately intercepting what I
understand to be a secure connection between my computer and my bank's
HTTPS server...I, uhh, wouldn't be very happy.

Bottom line, if you think you need an HTTP cache...figure out WHY and maybe
talk to OPLIN about it first before you implement an HTTP cache, and
especially before you *spend money* implementing a caching device.

My 2 cents,
Chad


______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full IT/Computer consulting services -- Specialized in libraries and
schools*


On Mon, Mar 25, 2019 at 1:01 PM Lisa Murray via OPLINTECH <
oplintech at lists.oplin.org> wrote:

> Is anyone using CACHEBOX from ApplianSys? Has it sped up web browsing in
> your library?
>
>
> Lisa
>
> Lisa Murray
>
> Director
>
> Cardington-Lincoln Public Library
>
> lmurray at cardlinc.org
>
>
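
The HTTP versus HTTPS caching distinction described in the message above, as an added example that is not part of the original e-mail: a sketch of what a forward caching proxy that does not intercept TLS can see for each kind of request. The request lines, host names and the functions `proxy_view` and `simulate` are constructed for illustration and do not describe CACHEBOX or squid internals.

```python
from urllib.parse import urlsplit

# Constructed sample of request lines a forward proxy might receive from browsers.
SAMPLE_REQUESTS = [
    "GET http://catalog.library.example/covers/1234.jpg HTTP/1.1",
    "GET http://catalog.library.example/covers/1234.jpg HTTP/1.1",
    "CONNECT bank.example:443 HTTP/1.1",
    "CONNECT bank.example:443 HTTP/1.1",
]


def proxy_view(request_line):
    """Return what a non-intercepting proxy learns from one request line."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # HTTPS: the browser asks for a raw tunnel. Only host:port is visible;
        # the URL path, headers and body travel encrypted inside the tunnel.
        host, _, port = target.rpartition(":")
        return {"kind": "tunnel", "host": host, "port": int(port), "cache_key": None}
    # Plain HTTP: the full URL is sent in the clear, so a GET can be keyed on it.
    parts = urlsplit(target)
    key = (method, target) if method == "GET" else None
    return {"kind": "http", "host": parts.hostname, "port": parts.port or 80,
            "cache_key": key}


def simulate(requests):
    """Count cache hits, origin fetches, pass-throughs and opaque tunnels."""
    cache = set()
    stats = {"hits": 0, "fetched": 0, "passed": 0, "tunnelled": 0}
    for line in requests:
        view = proxy_view(line)
        if view["kind"] == "tunnel":
            stats["tunnelled"] += 1   # nothing readable, nothing to cache
        elif view["cache_key"] is None:
            stats["passed"] += 1      # plain HTTP, but not a cacheable GET
        elif view["cache_key"] in cache:
            stats["hits"] += 1        # served locally, no upstream bandwidth used
        else:
            cache.add(view["cache_key"])
            stats["fetched"] += 1
    return stats


if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))
```

The repeated HTTPS request yields no cache hit because the proxy never sees a URL or response to store; getting one would require the proxy to terminate TLS itself, which is the interception the message describes.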