Re: [squid-users] Squid in HA.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Mar 2011 21:55:09 +1300

On 19/03/11 22:13, Jakob Curdes wrote:
>
>
> On 18.3.2011 18:23, Edouard Zorrilla wrote:
>> My scenario is to use two Squids working as forwarding proxy : SquidA
>> and SquidB. If SquidA fails users should be switched to the SquidB.
>>
>> If I decide to go with PAC files the workstation is the one that
>> decides where to go. My concern is, where should I store the PAC file
>> so that it can also be redundant, let's say saved in two places?
> Well if you failover the IP that squid is bound to (which is a standard
> procedure in linux HA) the "switching" of the users is done transparently.
> If you use NTLM-like authentication against an AD controller with
> winbind, the users will be reauthenticated, but transparently. Otherwise
> -with plain text auth- users might need to reauthenticate.

That depends on what you mean by "plain text auth". (And I fail to think
of one which cannot be de-centralized for HA).

The browser is expected to send repeat credentials with every new
request. So login *always* re-auths transparently in the second proxy.
It is an HA problem of the auth backend itself if it fails to accept
re-auth after a proxy change.

In fact NTLM is one of the most flaky auth systems under HA. Its limit
of ~256 winbind requests in parallel makes it quite susceptible to
overload on the re-auth step.

> If you store the PAC file on both servers (can be synced e.g. via rsync)
> and move the HTTP server along with the squid, then the users will
> always be presented with the same information via the same IP address.
> Depending on the failover timing settings there might be an outage of a
> minute or so, which is normally not a problem for web surfing.
>
> But, a hint that is valid for all HA configurations: use test systems
> for the setup before you go into production. HA is too complicated for
> playing around and you can be left without internet access if you make
> errors.

I'll second that.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Mon Mar 21 2011 - 08:55:16 MDT
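
Added example, not part of the original thread: a PAC file for the SquidA/SquidB failover discussed above, written so that the same file can be served from both hosts. The hostnames, port 3128 and the internal domain are assumptions.

```javascript
// proxy.pac: added example. Hostnames, port 3128 and the internal
// domain are assumptions; the same file is served from both proxy hosts.

// Order matters: the browser tries entries left to right and moves on
// only when a proxy does not answer, so SquidB is used when SquidA is down.
var PROXY_CHAIN = "PROXY squida.example.net:3128; PROXY squidb.example.net:3128";
var INTERNAL_SUFFIX = ".example.net";

// True for hosts that should not go through the proxies. Plain string
// operations are used so the file also runs outside a browser for testing.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;   // plain name, e.g. "intranet"
  if (host === "127.0.0.1") return true;
  // Suffix match on ".example.net" (leading dot), so "notexample.net"
  // and "example.net.other.test" are not treated as internal.
  var tail = host.length - INTERNAL_SUFFIX.length;
  return tail >= 0 && host.indexOf(INTERNAL_SUFFIX, tail) === tail;
}

function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No trailing "DIRECT": if both proxies are down, requests fail instead
  // of bypassing the proxies' authentication, filtering and logging.
  return PROXY_CHAIN;
}
```

Because the function is plain JavaScript, it can be checked under Node on a test system before the file is synced to the production hosts.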
