Re: Multiple outgoing addresses for squid?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 10 May 2012 18:12:46 +0300

On 10/05/2012 16:55, Chris Ross wrote:
> On 03/29/2012 08:45 PM, Robert Collins wrote:
>> 2012/3/30 Henrik Nordström<henrik_at_henriknordstrom.net>:
>>>> Can tcp_outgoing_address take multiple addresses now? Does it just
>>>> round-robin through them?
>>>
>>> It can only select one per request at the moment.
>>
>> That's probably something we should fix. For now though an external ACL
>> could deliver round robin answers, one per request - and it could look
>> at the log file to learn about size of objects / estimate bandwidth
>> etc.
>
> Reviving this old question again. So, I understand that I can
> make external ACLs, and from looking at the config documentation,
> I suspect I can have a single external_acl_type definition, and
> invoke the same class for N "acl external" lines.
>
> To be more clear about my needs, I'm not really looking to have
> two or three external IP addresses. I want to have *lots*. If I
> have a host with 20, or 100, external addresses, and write an
> external ACL helper to figure out (based on client IP, username,
> server, or whatever) which IP to assign; I'd have to write 100
> ACL definitions, then 100 tcp_outgoing_address lines, each one
> passing the right parameters to determine whether the suggested
> IP address was the "right" one. While I suppose this could work,
> it would require the external ACL helper be queried 100 times,
> which just *can't* be fast.
>
> So, I think I'll have to implement something internal to squid.
> And, I think it shouldn't be ACL based, because the boolean nature
> of ACLs just doesn't fit the arbitrary size of this problem space.
>
> Thanks. And if anyone has any suggestions or sees something I
> didn't think of, please let me know.
>
> - Chris
>
>
Well, as I recommended before, you should use either some iptables or
route method.
I think that in this specific case you will need to use some helper to
match a client user name to source IP via some auth helper on squid or
iptables captive portal or an LDAP database\RADIUS that will be
updated\scanned once per minute\more\by change and.

This is a very, very "specific" requirements case that will require a
unique config generator.
You can use some iteration code to build these specific ACLs in squid,
but it will still require a lot of preparation and testing to make it
work flawlessly, but I'm recommending route-based rules that have some
serious experience doing this kind of stuff.

It seems not to be related to squid directly, but squid can help in
auth with an auth helper or external helper.

Can you be more specific about the real needs for this environment you
are talking about?

It just came into my mind that you can use the external_acl helper
to make sure that the routing is applied right to match a specific
user\server, and to always use an "OK" or "ERR" answer just to make the
helper run every time.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Thu May 10 2012 - 15:12:55 MDT
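
The "iteration code" approach mentioned in the message, as an added example that is not part of the original post or of Squid itself: a Python generator that emits one `src` ACL and one `tcp_outgoing_address` line per outgoing address. The client-network table, the `out_` ACL name prefix and the choice of client IP as the selector are assumptions made for illustration.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample data: client network -> outgoing address (documentation ranges).
SAMPLE_MAP = [
    ("10.0.1.0/24", "192.0.2.10"),
    ("10.0.2.0/24", "192.0.2.11"),
    ("10.0.3.0/24", "192.0.2.10"),  # shares an outgoing address with the first entry
]


def build_outgoing_rules(mapping, prefix="out_"):
    """Return squid.conf lines mapping client networks to outgoing addresses.

    Raises ValueError on malformed entries or overlapping client networks:
    Squid applies the first matching tcp_outgoing_address line, so an
    overlap would silently shadow a later rule.
    """
    by_addr = OrderedDict()  # outgoing IP -> list of client networks
    seen = []
    for client, outgoing in mapping:
        net = ipaddress.ip_network(client, strict=True)  # rejects stray host bits
        addr = ipaddress.ip_address(outgoing)            # rejects malformed IPs
        for other in seen:
            if net.version == other.version and net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        seen.append(net)
        by_addr.setdefault(addr, []).append(net)

    lines = []
    for i, (addr, nets) in enumerate(by_addr.items(), start=1):
        name = f"{prefix}{i:03d}"
        # One 'src' ACL per outgoing address; src is matched inside Squid,
        # so no external helper is queried for it.
        lines.append(f"acl {name} src " + " ".join(str(n) for n in nets))
        lines.append(f"tcp_outgoing_address {addr} {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_outgoing_rules(SAMPLE_MAP)))
```
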

This archive was generated by hypermail 2.2.0 : Fri May 11 2012 - 12:00:06 MDT