[squid-users] Squid + F5 balancing doesnt work!!!

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Tue, 1 Jul 2008 20:25:10 -0500

Hi guys,

I have 2 squid boxes that each work well on their own. My customer asked me to balance them
using his BIGIP F5. The fact is that when I balance them without persistence,
I get this in the log (on both servers):

1214974554.906 0 99.90.40.253 TCP_DENIED/407 3249 GET
http://www.presidencia.gob.mx/imgs/edomayor_over.gif a2 NONE/- text/html

If we use persistence, it works, but we can stop using of sharing usernames.
The balancing scheme is like this:

user -> balancer f5 -> squid1
                             \->squid2

Squid is configured with LDAP-digest auth.

My config:

# --- Proxy authentication: HTTP Digest, credentials looked up in LDAP ---
# (The helper command below appears to have been wrapped by the mail client;
# in squid.conf it is one line.)
# NOTE(review): the LDAP bind password is given with -w on the helper command
# line, so it is stored in squid.conf and visible in the helper's process
# arguments. Keep this file readable only by the Squid user; if this build of
# the helper offers a secret-file option (-W), prefer it -- confirm in the
# helper's documentation.
# NOTE(review): -h 127.0.0.1 points the helper at a local LDAP server, so each
# proxy presumably queries its own directory; both must return the same data
# for the same realm -- confirm.
auth_param digest program /usr/lib/squid/digest_ldap_auth -b "o=SAT" -u "cn" -
A "l" -D "cn=Manager,o=SAAX" -w %XXXr(o -v 3 -h 127.0.0.1 -e
auth_param digest children 5
auth_param digest realm SAAX
# Nonce housekeeping: cleanup interval, maximum nonce age, maximum uses.
# NOTE(review): Squid issues and tracks digest nonces in each proxy's own
# memory; nothing in this config shares them between the two boxes. Behind a
# balancer without persistence, the request carrying the Authorization header
# can reach the box that did not issue the nonce and be challenged again with
# 407. Presumably that is the TCP_DENIED/407 in the log above -- confirm.
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
# How long Squid remembers which client address a user name was seen from;
# this feeds the max_user_ip ACL defined further down.
authenticate_ip_ttl 600 seconds
# --- ACL definitions ---
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# localnet is referenced only by the icp_access/htcp_access rules below,
# not by any http_access rule.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# --- Access rules (evaluated top to bottom, first match wins) ---
# Cache manager only from localhost; block non-listed ports and CONNECT to
# anything other than port 443.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ip_users matches when one user name is seen from more than 1 address
# (-s = strict); the deny below is what blocks shared user names.
# NOTE(review): each proxy keeps its own user/address table, so behind the
# balancer the limit is effectively per box, not per site. If the balancer
# rewrites the client source address, every user would appear to come from
# the same address and this ACL would never match -- confirm how the F5
# presents client addresses.
acl ip_users max_user_ip -s 1
acl proxy_users proxy_auth REQUIRED
http_access deny ip_users
http_access allow proxy_users
# NOTE(review): there is no explicit final "http_access deny all". Squid
# falls back to the opposite of the last rule (here: deny), but an explicit
# deny makes the intent clear. Any authenticated user is allowed regardless
# of source address.
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
# Listener bound to a single address; the parent cache is on the same host.
http_port 10.10.60.239:3128
cache_peer 127.0.0.1 parent 8080 0 default
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
shutdown_lifetime 5 seconds
cache_effective_user squid
cache_effective_group squid
# NOTE(review): if both proxies run this same file, they share one
# unique_hostname; Squid uses that name to detect forwarding loops, so each
# box should normally have its own value -- confirm per-box settings.
visible_hostname squid.sat.gob.mx
unique_hostname squid.sat.gob.mx
client_persistent_connections off
server_persistent_connections off
icp_port 3130
error_directory /etc/squid/errors
# --- ICAP request modification ---
# icap_send_client_username forwards the authenticated user name to the ICAP
# server at 10.10.60.40.
# NOTE(review): the service URL is written with http:// here, where ICAP
# services are normally given as icap:// -- possibly altered by the mail
# archive; confirm. Class icapsat2 refers to a service "satreq2" that is not
# defined anywhere in the posted config.
 icap_enable on
icap_send_client_username on
icap_service satreq reqmod_precache 0 http://10.10.60.40:1344/reqmod
icap_class icapsat satreq
icap_class icapsat2 satreq2
# Adds the client's address to forwarded requests (X-Forwarded-For), which
# discloses internal addresses to whatever sits upstream.
forwarded_for on
coredump_dir /var/spool/squid

any comments?

Regards
Received on Wed Jul 02 2008 - 01:23:15 MDT
