Re: [squid-users] room for improvement in my proxy architecture

From: Seun Osewa <naijasms@dont-contact.us>
Date: Wed, 27 Oct 2004 22:11:24 +0100

You might consider configuring your load balancer to always use the
same proxy for the same internal machine (e.g. a simple hash based
on the IP of the internal machine?). This, of course, depends on what
sort of load balancer it is.

The super proxy script won't solve the problem, because a single login
session will span several URLs on the same site, each of which will
have a different hash and might be redirected to a different server.
What you need is something whose choice of proxy depends on the
internal IP address of your machines.

On Wed, 27 Oct 2004 09:52:06 -0700, Gaylord Van Brocklin
<vanbrockling@saic.com> wrote:
> The Squid -> AV server will be bypassing the firewall, but I guess I
> could throw another NAT box outside the AV servers to also add a layer
> of security.
>
> Is this a common solution to this problem?
>
> Here is another idea for architecture.. what do you think:
>
> - I was thinking about using the Super Proxy Script
> (http://naragw.sharp.co.jp/sps/) to do the load balancing to the Squid
> Boxes, and then use Squid's cache_peer directive to do the load
> balancing across the Trend boxes and then put a NAT device between the
> Trend boxes and the Internet so that all requests out to the Internet
> come from a single IP to prevent any problems that I might have with
> session based web sites that see multiple IP addresses. I could also
> do a Layer 4 load balancing switch in front of the Squid boxes instead
> of using the WPAD script, but the WPAD script provides some level of
> consistency because it hashes the URL's and then sends you to the
> appropriate proxy server, so requests to the same URL end up at the
> same proxy server to create more cache hits.
>
> -gvb
>
>
>
> On Oct 26, 2004, at 3:08 PM, Henrik Nordstrom wrote:
>
> > On Tue, 26 Oct 2004, Gaylord Van Brocklin wrote:
> >
> >> One problem that I have had in the past with load balancing between
> >> the two AV servers is that the destination web servers see the
> >> traffic coming from two different IP addresses so some session based
> >> websites (things like Cox Webmail) don't work properly.
> >
> > One simple solution to this is to place a NAT gateway in front of the
> > proxy servers, NATting all requests to the same source IP regardless
> > of which proxy was used.
> >
> > It is quite likely your existing network already is NAT capable, just
> > waiting for you to start using the features of your network equipment.
> >
> > Regards
> > Henrik
> >
>
>
Received on Wed Oct 27 2004 - 15:11:34 MDT
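The two selection policies discussed in this thread, the Super Proxy Script's URL hash and the per-client-IP hash suggested in the reply above, as an added PAC/WPAD example. This is not code from the thread, from Squid, or from the Super Proxy Script project; the proxy hostnames, the djb2 hash, the fallback address 10.0.0.1 and the webmail URLs are all assumed or constructed for illustration.

```javascript
// Added example (not from the thread, the Squid project, or the Super Proxy
// Script): a PAC/WPAD script that can pick the proxy either by hashing the
// URL (the SPS approach) or by hashing the client's own IP address.
// ES5 syntax on purpose: PAC engines are often old JavaScript interpreters.

// Assumed proxy pool (hypothetical hostnames).
var PROXIES = [
  "squid1.corp.example:3128",
  "squid2.corp.example:3128",
  "squid3.corp.example:3128"
];

// djb2 string hash, kept to 32-bit integer arithmetic so the result is
// identical in every JavaScript engine.
function hash32(s) {
  var h = 5381;
  for (var i = 0; i < s.length; i++) {
    h = ((h << 5) + h + s.charCodeAt(i)) | 0;
  }
  return h >>> 0;
}

// Policy A: hash the URL. Good for cache hit rate, but one login session
// touches many URLs on the same site and each may land on a different
// proxy (and so leave with a different source IP).
function proxyByUrl(url) {
  return PROXIES[hash32(url) % PROXIES.length];
}

// Policy B: hash the client's IP. Every request from one machine goes
// through the same proxy, so the origin server sees one source address
// for the whole session.
function proxyByClientIp(clientIp) {
  return PROXIES[hash32(clientIp) % PROXIES.length];
}

// PAC entry point using policy B. Browsers provide myIpAddress(); when the
// script runs outside a browser (e.g. in a test) we fall back to a
// constructed address.
function FindProxyForURL(url, host) {
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "10.0.0.1";
  return "PROXY " + proxyByClientIp(ip) + "; DIRECT";
}

// Count how many different proxies a list of selections touches.
function distinctProxies(selections) {
  var seen = {};
  var n = 0;
  for (var i = 0; i < selections.length; i++) {
    if (!seen[selections[i]]) { seen[selections[i]] = true; n++; }
  }
  return n;
}

// Constructed sample: one client's webmail session spanning many URLs.
function sampleSessionUrls() {
  var urls = ["https://webmail.example.com/login",
              "https://webmail.example.com/inbox"];
  for (var p = 1; p <= 40; p++) {
    urls.push("https://webmail.example.com/inbox?page=" + p);
  }
  return urls;
}

// Proxies chosen for the whole session under each policy.
function sessionProxiesByUrl(urls) {
  var out = [];
  for (var i = 0; i < urls.length; i++) out.push(proxyByUrl(urls[i]));
  return out;
}
function sessionProxiesByClientIp(clientIp, urls) {
  var out = [];
  for (var i = 0; i < urls.length; i++) out.push(proxyByClientIp(clientIp));
  return out;
}
```

Served as wpad.dat, the script pins each workstation to one Squid box, so the AV server and origin site behind it see a single source address per session while different workstations still spread across the pool. Two caveats: myIpAddress() returns whichever interface address the browser picks first, so multi-homed or VPN-connected clients may flip proxies; and the pinning is lost the moment a proxy is taken out of the pool, since the modulus changes and every client is re-hashed.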

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:02 MST