Meraki MX 84 - Web Cache HTTPS

Neil_mack
Conversationalist

Meraki MX 84 - Web Cache HTTPS

Hi

 

Can anyone confirm if the MX84 can cache HTTPS as well as HTTP traffic considering most sites are HTTPS nowadays?

8 Replies 8
NolanHerring
Kind of a big deal

Not sure, but I would say even if it could, I wouldn't do it.

Pretty sure the whole web cache option is one of those, "well...we CAN do it but its not really recommended cause it sucks and wasn't really built for doing that".
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Ben
A model citizen

Not sure why you would need/want web caching nowadays?
But to answer your question HTTP = Port 80 so this would not include HTTPS.

jdsilva
Kind of a big deal

I'm with @NolanHerring and @Ben . I don't get why you would use this feature. Even the documentation for it is weird...

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping#Web_cach...

 

First it says "This option is not available on the MX60, MX60W, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, Z1, Z3, or Z3C devices."

 

Then is says "This feature is recommended only for sites with limited bandwidth. Locations with over 20 Mbps bandwidth will likely not benefit from content caching."

 

In what universe would I have not the smallest MX connected to a <20Mbps service?

Neil_mack
Conversationalist

I need it because it to be placed on marine vessels working on a 2mb VSAT connection not an office with a adsl or fibre connection.

>I need it because it to be placed on marine vessels working on a 2mb VSAT connection not an office with a adsl or fibre connection.

 

Hi @Neil_mack.  I do agree with the others, however I have worked with shipping vessels before, and I appreciate there are unique challenges in these environments you just don't face on land.

 

While the MX84 caching feature would help, it's not going to give you the performance improvement you would like.  This is because (as you have correctly noted) most sites use https these days.

 

 

If it was me personally, I would deploy a Squid proxy server running on Ubuntu.  The entire solution is free and rock solid.  You can probably also run Squid on a Windows machine.  This is on the assumption that you have a virtual server infrastructure on your vessel (you could potentially run this on a Raspberry Pi ...).  I would also run a caching DNS server on this box as well.

http://www.squid-cache.org/

The biggest hassel with proxy servers is that you need to manually configure all your clients to use it.  You can use a more advanced WPAD configuration to automate this process - and this is what I usually do.

https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol

 

My thoughts are if you did deploy Squid you wont need a stop watch to see the difference, it will be very noticable after it has been used for a little bit (it needs to "warm" up and get a cache of frequently used content).

 

 

Another option I can give you to think about is if you already have Cisco ISR routers on board (such as ISR 4000's).  You can then buy a feature called Akamai Connect.  Akamai is a super larger content delivery network.  What "Akamai Connect" does is make your router a local cache node.  You can get an overview of this feature here:

https://www.cisco.com/c/en/us/solutions/enterprise-networks/intelligent-wan-akamai/index.html

Example customers of Akamai include Microsoft and Apple.

Hi

 

Thanks for confirming it does not do https I will look at untangle device instead as that does do https as well as the other features defined by the cyber security manager that we need to look at .

 

Used squid before and although very good, but it is another device to manage in a small team when we are trying to simplify administration and network design for our vessels and rigs.

 

Thanks

Neil_mack
Conversationalist

On marine vessels with 2mb vsat connections as that costs $16000 per month

jdsilva
Kind of a big deal

@Neil_mack To answer your question, no it does not cache https. It can't as the MX doesn't do SSL decryption. 

Get notified when there are additional replies to this discussion.