Re: [squid-users] How to get 2 instances of squid running from 2 different IP's

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Feb 2009 17:16:47 +1300

Chris Robertson wrote:
> Chris Robertson wrote:
>> Urkow, Jason wrote:
>>> Hello,
>>>
>>> I am from a school division and we have squid boxes running in each
>>> of our schools. We also use the proxies for logging. We have a
>>> firewall that does our content filtering, and it filters based on the
>>> IP address from the requested IP address (the proxy server). Is it
>>> possible to set up a single squid server that has two IP addresses and
>>> have two instances of squid running (one for students and one for
>>> teachers)? What we want is the filtering for students and teachers to
>>> be different based on the IP address of the squid server. My
>>> problem is that if I have students pointing to proxy A (with IP
>>> 10.1.1.31) and teachers to proxy B (with IP 10.1.1.32) and proxy B
>>> isn't being filtered on our firewall, the students can still get the
>>> unfiltered content from proxy B even though they are pointing to
>>> proxy A.
>>>
>>> I have tried setting the http_port setting to
>>> Proxy A config file (with eth0 being 10.1.1.31):
>>> http_port 10.1.1.31:8080
>>>
>>> Proxy B config file (with eth1 being 10.1.1.32):
>>> http_port 10.1.1.32:8081
>>>
>>> I have tried some acl configs with the http_access without any success.
>>>
>>> There might be a way with iptables, but I do not know how to use it.
>>>
>>> Basically how can I get the "Proxy B process" to access the firewall,
>>> and still be filtered, without using the Proxy A (10.1.1.31)
>>> address? Any suggestions?
>>>
>>> Thanks in advance!
>>> Jason
>>>
>>
>> If you want to run two separate instances of Squid on one box...
>>
>> http://wiki.squid-cache.org/MultipleInstances
>>
>> ...will get you started.
>>
>> If you want to run one instance of Squid (with a joint cache), then...
>>
>> http_port 10.1.1.31:8080
>> http_port 10.1.1.32:8081
>> acl TeacherIP 10.1.1.32
>
> Mea culpa. This line should read...
>
> acl TeacherIP myip 10.1.1.32/32
>
>> tcp_outgoing_address 10.1.1.32 TeacherIP
>> server_persistent_connections off
>>
>> ...will put all traffic that comes in on 10.1.1.32 out using the same
>> IP. Persistent server connections can interfere with
>> tcp_outgoing_address (Squid will not open a second connection using a
>> different IP to a server where a persistent connection already
>> exists), so it's best to disable it.

Will also need something that stops 10.1.1.31 inbound traffic going out
that IP.

tcp_outgoing_address 10.1.1.31 !TeacherIP

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Fri Feb 20 2009 - 04:16:33 MST
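
Added example, not part of the thread and not code from the Squid project: a small Python check that reads a squid.conf and reports any http_port listening address whose traffic would not leave from that same address, plus a persistent-connections setting other than off. It assumes IPv4 ip:port listeners and ACLs of type myip only; FIXED_CONF is assembled from the lines posted above, and egress_findings is a hypothetical helper name.

```python
import ipaddress

# Assembled from the lines posted in the thread (correction and follow-up included).
FIXED_CONF = """\
http_port 10.1.1.31:8080
http_port 10.1.1.32:8081
acl TeacherIP myip 10.1.1.32/32
tcp_outgoing_address 10.1.1.32 TeacherIP
tcp_outgoing_address 10.1.1.31 !TeacherIP
server_persistent_connections off
"""

def egress_findings(conf_text):
    """List listening IPs whose traffic would not leave from that same IP."""
    listen, myip_acls, rules, persistent = [], {}, [], "on"  # Squid default: on
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "http_port" and ":" in tok[1]:
            listen.append(ipaddress.ip_address(tok[1].rsplit(":", 1)[0]))
        elif tok[0] == "acl" and len(tok) > 3 and tok[2] == "myip":
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            myip_acls.setdefault(tok[1], []).extend(nets)
        elif tok[0] == "tcp_outgoing_address":
            rules.append((ipaddress.ip_address(tok[1]), tok[2:]))
        elif tok[0] == "server_persistent_connections":
            persistent = tok[1]

    def matches(ip, cond):  # cond is "Name" or "!Name"
        hit = any(ip in net for net in myip_acls.get(cond.lstrip("!"), []))
        return hit != cond.startswith("!")

    findings = []
    for _, conds in rules:
        for cond in conds:
            if cond.lstrip("!") not in myip_acls:
                findings.append(f"{cond}: not a defined myip ACL, rule not trustworthy")
    for ip in listen:
        # Squid stops at the first tcp_outgoing_address line whose ACLs all match.
        egress = next((a for a, c in rules if all(matches(ip, x) for x in c)), None)
        if egress != ip:
            findings.append(f"{ip}: leaves via {egress or 'the OS default address'}")
    if persistent != "off":
        findings.append("server_persistent_connections is not off")
    return findings

if __name__ == "__main__":
    for line in egress_findings(FIXED_CONF) or ["egress pinned for every listener"]:
        print(line)
```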
