RE: [squid-users] Regarding wccp

From: Michael Bowe <mbowe_at_pipeline.com.au>
Date: Fri, 5 Mar 2010 09:54:08 +1100

> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Friday, 5 March 2010 7:08 AM
> To: Michael Bowe
> Cc: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Regarding wccp
>
> On Thu 2010-03-04 at 12:25 +1100, Michael Bowe wrote:
>
> > I think you have the hash stuff wrong, isn't service 80 meant to be
> > src_ip_hash and service 90 meant to be dst_ip_hash?
>
> no, 80 is usually the normal www service interception, which is a
> dst_ip_hash.
>
> but it doesn't matter very much as long as you have the combination of
> both src_ip_hash and dst_ip_hash.

As hinted at on the wiki, with TPROXY I reckon there is a gotcha you have to watch out for when you have more than one squid.

80 dst_ip_hash
90 src_ip_hash
Ties a particular web server to a particular cache

80 src_ip_hash
90 dst_ip_hash
Ties a particular client to a particular cache

The problem with the 1st way is this:

Say a client wants to access http://some-large-site, their PC resolves the address and gets x.x.x.1

GET request goes off to the network, Cisco sees it and hashes the dst_ip.

Hash for this IP points to cache-A

Router sends the request to cache-A. This cache takes the GET and does another DNS lookup of that host. This time it resolves to x.x.x.2

Cache sends request off to the internet

Reply comes back from x.x.x.2, and arrives at the Cisco. Cisco does hash on src_ip and this happens to map to cache-B

Reply arrives at cache-B and it doesn’t know anything about it. Trouble!

If you only have 1 TPROXY cache, either way works OK. If you have more than one cache I reckon you need to use the 2nd way?

Michael.
Received on Thu Mar 04 2010 - 22:54:12 MST
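
The failure mode described in this message, as an added Python sketch that is not part of the original post or of Squid. It assumes two caches, a simplified XOR-of-bytes hash as a stand-in for the router's real WCCP bucket assignment, and constructed documentation-range addresses in place of the client, x.x.x.1 and x.x.x.2.

```python
import ipaddress

CACHES = ["cache-A", "cache-B"]  # two TPROXY caches in one WCCP service group

def pick_cache(ip):
    """Simplified stand-in for the router's hash: XOR the address bytes, map to a cache."""
    h = 0
    for byte in ipaddress.ip_address(ip).packed:
        h ^= byte
    return CACHES[h % len(CACHES)]

def redirect(hash_flag, src, dst):
    """Cache the router selects for one packet under the given hash flag."""
    return pick_cache(src if hash_flag == "src_ip_hash" else dst)

def tproxy_flow(svc80, svc90, client, ip_seen_by_client, ip_seen_by_cache):
    """Return (cache that gets the request, cache that gets the reply).

    Service 80 matches client -> server packets. Service 90 matches the
    server -> client replies; with TPROXY the cache spoofs the client
    address, so the reply is addressed to the client, not to the cache.
    """
    request_cache = redirect(svc80, src=client, dst=ip_seen_by_client)
    reply_cache = redirect(svc90, src=ip_seen_by_cache, dst=client)
    return request_cache, reply_cache

# Constructed addresses (documentation ranges) standing in for the client,
# x.x.x.1 and x.x.x.2 from the message.
CLIENT, SITE_1, SITE_2 = "192.0.2.10", "198.51.100.1", "198.51.100.2"

if __name__ == "__main__":
    layouts = {
        "1st way (80 dst_ip_hash, 90 src_ip_hash)": ("dst_ip_hash", "src_ip_hash"),
        "2nd way (80 src_ip_hash, 90 dst_ip_hash)": ("src_ip_hash", "dst_ip_hash"),
    }
    for name, (svc80, svc90) in layouts.items():
        req, rep = tproxy_flow(svc80, svc90, CLIENT, SITE_1, SITE_2)
        status = "ok" if req == rep else "reply lands on the wrong cache"
        print(f"{name}: request -> {req}, reply -> {rep} ({status})")
```

In the 2nd layout both directions hash on the client address, so the result does not depend on which server address the cache's own DNS lookup returns.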
