Re: [squid-users] WCCP load balancing and TPROXY fully transparent interception

From: Richard Wall <richard.wall_at_appliansys.com>
Date: Fri, 19 Dec 2008 00:36:03 +0000

2008/11/5 Bin Liu <binliu.lqbn_at_gmail.com>:
<snip>
> I have 2 squid servers, squid A and squid B, both implemented TPROXY and
> connected to the same Cisco router:
>
> Internet
> |
> |
> squid A----Router----squid B
> |
> |
> Customers
>
> Here squid A wants to send a HTTP request to original destination
> server, the routers just forwards this packet, it's OK; but when the
> response packet from the original server returns in, how does the
> router redirect that packet? Redirect it to squid A or squid B? As
> there's no connection table in router memory or any mark in the
> packet, how can the router determine that this response packet should
> be forwarded to squid A?
>
> squid A -- (request to original server) --> router --> original server
> -- (response) --> router --> squid A or B?

Hi Bin,

You may already have got the answer to this, but I have recently been
setting this up and had the same question. Seems the key is in the
"Redirection with Hash Assignment":

 * http://bazaar.launchpad.net/~squid3/squid/3.1/annotate/9363?file_id=draftwilsonwccpv212o-20070417152110-s6qkuxj8uabe-1
(LINE 549)

In the config example that Henrik linked to (above) the outbound
requests are redirected to a particular Squid, based on a hash of
their destination IP and the returning responses are redirected based
on their source IP. This way the response is redirected to the Squid
that made the spoofed request.

Clever in theory; and in my minimal test setup it does seem to work.

I'm interested to know if you have managed to get this working
reliably for your ISP environment? Has it caused any particular
problems for your customers?
How far have you gone to make Squid truly transparent, e.g.
 * suppressing the Squid headers, error messages etc.?
 * Is there any way to configure Squid / Cisco to give SYN_ACK,
"connection refused" and ICMP "host unreachable" responses rather than
Squid error messages?
 * Can you force Squid to make its request from the same source port
as the client?
 * If someone uses port 80 for a protocol other than http, can Squid
reject the redirected traffic in such a way that it is passed through
directly instead?

Look forward to any information you can provide.

-RichardW.

-- 
Richard Wall
ApplianSys Ltd
http://www.appliansys.com
Received on Fri Dec 19 2008 - 00:36:12 MST
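The hash-assignment trick described in the reply above, worked through as an added simulation (not code from the original post, from Squid or from Cisco). The router's actual hash function is not specified by WCCPv2 and is not known here, so the hash (SHA-256 of the packed address, first byte), the round-robin bucket table, the cache names and every address are assumptions; the service flag names follow Squid's wccp2_service_info documentation. What the simulation shows is structural: because the Squid spoofs the client's address, the only field common to the outbound request and the returning reply is the origin server's address, so hashing the request on its destination and the reply on its source lands both on the same Squid, whereas hashing the reply on its destination (the client) sends roughly half the replies to the Squid that never opened the connection.

```python
"""Simulate WCCPv2 hash assignment for two TPROXY Squids behind one router.

Constructed example. The hash, bucket allocation and addresses are assumptions;
a real router uses its own hash over the fields the service group selects, and
WCCPv2 only fixes the 256-entry bucket table and which fields feed it.
"""
import hashlib
import ipaddress

BUCKETS = 256

# Which header field each service group tells the router to hash on.
# Flag names follow Squid's wccp2_service_info documentation (assumption).
OUTBOUND_SERVICE = "dst_ip_hash"   # request leaving a Squid towards the origin
RETURN_SERVICE = "src_ip_hash"     # reply coming back from the origin


def bucket_for(ip):
    """Map an address to one of the 256 WCCP buckets. Assumed hash, not the router's."""
    digest = hashlib.sha256(ipaddress.ip_address(ip).packed).digest()
    return digest[0] % BUCKETS


def build_assignment(caches):
    """Spread the 256 buckets round-robin over the cache engines.

    The same table has to be in force for both service groups, otherwise the
    symmetry argued below does not hold."""
    return {b: caches[b % len(caches)] for b in range(BUCKETS)}


def select_cache(assignment, service_flag, packet):
    """Pick the Squid a redirected packet goes to under the given service flag."""
    field = {"dst_ip_hash": "dst", "src_ip_hash": "src"}[service_flag]
    return assignment[bucket_for(packet[field])]


def redirect_flow(assignment, client, origin, return_flag=RETURN_SERVICE):
    """Return (Squid chosen for the outbound request, Squid chosen for the reply).

    With TPROXY the Squid spoofs the client's address as the source of the
    request it sends to the origin, so the reply is addressed to the client,
    not to the Squid; only the router's hash choice can steer it back."""
    request = {"src": client, "dst": origin}   # spoofed source = client
    reply = {"src": origin, "dst": client}
    return (select_cache(assignment, OUTBOUND_SERVICE, request),
            select_cache(assignment, return_flag, reply))


def mismatches(assignment, clients, origin, return_flag):
    """Count flows whose reply would be handed to a different Squid than the request."""
    return sum(1 for c in clients
               if len(set(redirect_flow(assignment, c, origin, return_flag))) == 2)


# Constructed addresses: two Squids, one origin (RFC 5737 documentation prefix)
# and 200 client addresses spread across 10.0.0.0/8.
CACHES = ["squidA", "squidB"]
ORIGIN = "192.0.2.10"
CLIENTS = [str(ipaddress.ip_address(0x0A000000 + (i * 2654435761) % 0x00FFFFFE + 1))
           for i in range(200)]

if __name__ == "__main__":
    table = build_assignment(CACHES)
    # Correct pairing: both directions hash the origin's address.
    print("request on dst_ip_hash, reply on src_ip_hash:",
          mismatches(table, CLIENTS, ORIGIN, "src_ip_hash"),
          "of", len(CLIENTS), "replies misrouted")
    # Wrong pairing: the reply is hashed on its destination, i.e. the client,
    # so it lands on whichever Squid owns the client's bucket.
    print("request on dst_ip_hash, reply on dst_ip_hash:",
          mismatches(table, CLIENTS, ORIGIN, "dst_ip_hash"),
          "of", len(CLIENTS), "replies misrouted")
```

The misrouted count with the wrong pairing is not a fixed number (it depends on the hash and on the client addresses), but it is never zero for a spread of clients, and every misrouted reply is a SYN-ACK or data segment arriving at a Squid with no matching socket, which the kernel answers with a RST. That is the failure the src-IP/dst-IP pairing avoids.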