RE: [squid-users] loadbalancing multiple uplinks

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 11 May 2005 09:50:54 -0800

> -----Original Message-----
> From: hendrik [mailto:hendrik@voigtlaenders.net]
> Sent: Wednesday, May 11, 2005 2:03 AM
> To: Kevin
> Cc: Squid Users
> Subject: Re: [squid-users] loadbalancing multiple uplinks
>
>
> Kevin wrote:
>
>>On 5/11/05, Hendrik Voigtländer <hendrik@voigtlaenders.net> wrote:
>>
>>
>>>I need some help for deploying a second uplink.
>>>
>>>My setup is simple:
>>>A squid-backend to which users connect to use the net.
>>>This squid forwards all traffic to a parent squid which is hooked up to
>>>an ADSL-line. Works perfect.
>>>
>>>
>>
>>Can you explain the reasoning behind having a "backend" Squid server,
>>separate from the "parent" Squid? Do both layers have similar policies
>>for cache object size limits and cache_replacement_policy?
>>
>>
>>
> Security: The backend squid is located within the LAN and is separated
> from the parent by a firewall.
> Fallback: The backend squid can use another, very reliable line (not
> ADSL) if the parents are down.
> The parent is non-caching squid passing all traffic to the ADSL line.
>
>>>But now we will get a second line as we need more bandwidth. The
>>>question is: What is the easiest and proven way to realise load balancing?
>>>
>>>I have done some experiments with round-robin parents (2 adsl line = 2
>>>parent proxies) but apparently some web application such as some
>>>webmail-services are confused if they are accessed from two different
>>>ip-addresses simultaneously.
>>>
>>>
>>
>>You might be able to get sufficient "stickiness" (so a given webmail session
>>will tend to always make connections via the same parent rather than going
>>round-robin) if you compile with --enable-icmp and configure the parent
>>statements with closest-only. I have not tried this myself.
>>
>>
>>
> Sounds nice, but needs some testing.
>
>>>My next idea would be to deploy some sort of routing at the parent
>>>squid, which would be hooked up to both lines. IMHO prone to errors.
>>>
>>>I think I could setup two independent proxy chains (2 squid-backend, each
>>>connected to a parent squid connected to an adsl-line) and use the
>>>proxy.pac for load-balancing. Sounds pretty easy, but I am not sure.
>>>
>>>
>>
>>This approach seems popular. Also, if your PAC lists both parents in
>>each return (e.g. return("PROXY 10.1.1.1:3128;PROXY 10.1.1.2:3128");)
>>you also get failover behavior. You just need to add logic into the PAC
>>(or in the server returning the PAC to the client) so different
>>clients try their parents in different orders.
>>
>>
>>
> Yes, I think I will separate the client by subnets. On the other hand
> doubling the number of squid installations will double the amount of
> work/maintenance etc.
> Failover is a nice feature but not requested by the clients.
>
> Any other ideas?
>
> Regards, Hendrik Voigtländer

If you figure out how to differentiate traffic on the outer squid (I imagine
that it sees traffic as all sourced from the firewall IP) then the
tcp_outgoing_address would do what you want...

# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or sourceaddress of the user making
# the request.

An external acl that checks the X_FORWARDED_FOR headers might be one method
of differentiating traffic. Authentication would be another.

Chris
Received on Wed May 11 2005 - 11:51:06 MDT
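
The PAC approach discussed in the quoted thread, as an added example that is not code from any of the posters: each client subnet always tries the same parent first, so a webmail session keeps one source IP, and the other parent is listed second for failover. The proxy addresses are the ones from Kevin's example; the 192.168.0.0/25 and 192.168.0.128/25 split and the helper names are assumptions.

```javascript
// Added example. Proxy addresses are from the thread; the subnet plan is constructed.
var PROXY_A = "PROXY 10.1.1.1:3128"; // parent on the first ADSL line
var PROXY_B = "PROXY 10.1.1.2:3128"; // parent on the second ADSL line

// Dotted-quad IPv4 -> unsigned integer, or null if the string is malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip lies in network/prefixLen. Uses division rather than
// bit shifts so addresses above 127.255.255.255 do not go negative.
function inSubnet(ip, network, prefixLen) {
  var a = ipToInt(ip), b = ipToInt(network);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Fixed preference per subnet gives stickiness; the second entry gives failover.
function proxyOrderFor(clientIp) {
  if (inSubnet(clientIp, "192.168.0.128", 25)) {
    return PROXY_B + "; " + PROXY_A;
  }
  // Default order, also used when the address is unknown or unparseable
  // (myIpAddress() can return 127.0.0.1 on some hosts), so those clients
  // still use one consistent parent.
  return PROXY_A + "; " + PROXY_B;
}

function FindProxyForURL(url, host) {
  // myIpAddress() is a PAC built-in; the guard lets the file load outside a browser.
  var ip = typeof myIpAddress === "function" ? myIpAddress() : "";
  return proxyOrderFor(ip);
}
```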
