[squid-users] Squid / Heartbeat / IPtables

From: Paul Fiero <paul.fiero@dont-contact.us>
Date: Tue, 1 May 2007 08:38:16 -0500

Greetings all, again,
     I am back with yet more questions, though hopefully, this time, I
have better information for you.

     We have moved past issues with trying to decide how to do our
failover with squid on our new router infrastructure. We will be
using policy-based routing (PBR) pointing at a cluster of squid nodes.
At this point it's going to be configured for high-availability and
not for load-balancing, yet.

     In any case here is my situation now. :o)
     I have my two Squid servers configured with heartbeat so that we
have one active node and one passive node waiting for failover should
the heartbeat be lost. Given this configuration we have squid
configured as a transparent proxy with the following pertinent
settings as I found them in a couple of different documents on
transparent proxy:
http_port 192.168.1.6:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

At this point I also ensured that ipv4 ip_forward is set to 1, then I
set up an iptables rule to redirect traffic to the correct port:
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

When I had Squid configured this way and did not have it being run via
the clustering services all worked fine with policy-based routes and
all. It was a site to behold. Then as soon as we reconfigured
everything for use in the cluster traffic has stopped flowing. It
appears to be getting to at least the port on the switch where the
squid servers are plugged in so I know that the PBR is working.

Somewhere/somehow I'm pretty sure the issue has to do with the way
heartbeat runs the NICs on the Squid server.

So the question: Given the above information regarding squid
configuration, ip_forwarding, and iptables can anyone point me to a
source of information for fixing the problem or can you give me the
data I need?

Thanks all, in advance, for at least being patient with me. I don't post
much because our Squid system has been running pretty much flawlessly
since I built it out several years ago. It's just that times are
changing and I've got to accommodate those changes.

If you need to reply please do so either here privately at
paul<dot>fiero<at>gmail<dot>com or on the list.....either one.

-- 
May have been the losing side.......not convinced it was the wrong one.
Keep Flyin'
PFiero
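An added diagnostic script (not from the post or the Squid project) that checks the three pieces the setup above relies on: ip_forward, the PREROUTING REDIRECT rule, and a Squid listener. The interface, port and address come from the post; the script assumes REDIRECT delivers to the primary address of the ingress interface, which is how that target behaves, so the listener is checked against that address rather than only the one in http_port.

```shell
# Added diagnostic, not part of the original post. Each check takes command
# output as text, so it runs on captured output offline or live via run_live.

SQUID_PORT="3128"
IN_IF="eth1"               # ingress interface from the post's iptables rule

# check_forward <content of /proc/sys/net/ipv4/ip_forward>: succeeds if it is 1
check_forward() { [ "$1" = "1" ]; }

# check_redirect <output of 'iptables -t nat -S PREROUTING'>: succeeds if some
# rule on IN_IF sends tcp dport 80 to REDIRECT --to-ports SQUID_PORT
# (token order is not assumed; -S prints '-p tcp -m tcp --dport 80')
check_redirect() {
    printf '%s\n' "$1" | grep -- "^-A PREROUTING " | grep -- "-i $IN_IF " \
        | grep -- "-p tcp " | grep -- "--dport 80 " \
        | grep -q -- "-j REDIRECT --to-ports $SQUID_PORT"
}

# check_listener <output of 'ss -ltn'> <addr>: succeeds if a LISTEN socket is
# bound to <addr>:SQUID_PORT or to the wildcard. <addr> should be the primary
# address of IN_IF (what REDIRECT rewrites to), which need not equal http_port.
check_listener() {
    for a in "$2" "0.0.0.0" "*"; do
        printf '%s\n' "$1" | grep -- "^LISTEN" | grep -qF -- " $a:$SQUID_PORT " \
            && return 0
    done
    return 1
}

# diagnose <ip_forward> <nat rules> <listeners> <ingress primary addr>:
# prints PASS/FAIL per check, returns the number of failed checks
diagnose() {
    fails=0
    check_forward "$1" && echo "PASS ip_forward=1" \
        || { echo "FAIL ip_forward is '$1'"; fails=$((fails+1)); }
    check_redirect "$2" && echo "PASS REDIRECT rule on $IN_IF dport 80 -> $SQUID_PORT" \
        || { echo "FAIL no such REDIRECT rule"; fails=$((fails+1)); }
    check_listener "$3" "$4" && echo "PASS listener for $4:$SQUID_PORT" \
        || { echo "FAIL nothing listening on $4:$SQUID_PORT or wildcard"; fails=$((fails+1)); }
    return "$fails"
}

# run_live: gather the inputs on this host (iptables needs root)
run_live() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S PREROUTING)" \
        "$(ss -ltn)" "$(ip -4 -o addr show dev "$IN_IF" primary | awk '{print $4}' | cut -d/ -f1 | head -n1)"
}
```

Run `run_live` as root on the active node; because the checks accept captured output, the same inputs can be saved from the standalone and clustered configurations and compared.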
Received on Tue May 01 2007 - 07:38:24 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:04 MDT