[squid-users] Centralized Squid - design and implementation

Antony Stone Antony.Stone at squid.open.source.it
Mon Nov 17 21:17:12 UTC 2014


On Monday 17 November 2014 at 22:01:29 (EU time), Alexander Samad wrote:

> Why haproxy instead of a pacemaker? I have 2 dmz boxes I set up in a
> cluster, so I have 2 vips for the squid proxies, and dns set up to
> round robin to the vips.
> 
> I see sort of even distribution but I don't have a single point of
> failure. If 1 node fails the vip moves over to the other node.

Pacemaker is a fairly "dumb" (no offence meant, see below) network-level 
failover system, and if you do master-master failover, it can end up doing 
load balancing for you.

However, it only knows about node availability, whereas HAproxy can monitor 
many more things about your nodes, and also very easily expand to more than 
two nodes, doing true load balancing based on node availability, node load, 
node response times, number of connections to each node... it's a lot more 
"intelligent" (maybe "aware" is a better term) than pacemaker.

The downside of HAproxy is that you need an HAproxy machine in addition to the 
(Squid, in this case) nodes, and for real High Availability you should have 
two HAproxy nodes running Pacemaker between them, to avoid the HAproxy itself 
being a Single Point of Failure.  It doesn't need to be a big machine, though.

However the benefits of being able to send new connections to the machine with 
the lowest load, the fastest response, the fewest current connections, or 
several other things, mean it's a lot more flexible, not to mention expandable 
if you decide to grow your Squid farm to 3, 4 or however many more servers.

> On 17 November 2014 22:39, Carlos Defoe <carlosdefoe at gmail.com> wrote:
> > Use a load balancer. HAproxy will do the trick, if you don't want to
> > spend some money on a professional load balancer like F5 big-ip.
> > 
> > Don't drop the use of wpad. You can send the balancer name (eg.
> > proxy.your.domain) as a default for every client, and send the names
> > of the proxy nodes as a failover.
> > 
> > On Mon, Nov 17, 2014 at 6:08 AM, alberto <alberto.furia at gmail.com> wrote:
> >> On Mon, Nov 17, 2014 at 3:04 AM, Marcus Kool
> >> <marcus.kool at urlfilterdb.com>
> >> 
> >> wrote:
> >>> Let me start to say that I am biased since I am the author of
> >>> ufdbGuard. If you have worked with squidGuard then you will find that
> >>> ufdbGuard is an excellent replacement since ufdbGuard was forked in
> >>> 2005 from squidGuard and has since gained many features.
> >> 
> >> Hi Marcus,
> >> thank you for your reply.
> >> I know you (I'm an old lurker of the squid list :-)) and the urlfilterdb
> >> project.
> >> I am very interested in the project and I will give it a chance without
> >> any doubt, starting from the trial license.
> >> FYI, there are about 1000 users in total.
> >> Thank you to everyone, I'll come back soon! :-)

Regards,


Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

                                                   Please reply to the list;
                                                         please *don't* CC me.
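
An added example, not part of the original message: an `haproxy.cfg` for the layout described above, with a Pacemaker-managed VIP on the HAProxy pair and least-connections balancing with health checks across three Squid nodes. All addresses, server names, limits and timer values are constructed assumptions.

```haproxy
# Constructed example: 192.0.2.0/24 is a documentation range, names are placeholders.
global
    log /dev/log local0
    maxconn 20000

defaults
    mode    tcp                  # relay the proxy connection as-is, so CONNECT tunnels just work
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  5m
    timeout server  5m

frontend squid_in
    # The VIP is moved between the two HAProxy machines by Pacemaker,
    # so the balancer itself is not a single point of failure.
    bind 192.0.2.10:3128
    default_backend squid_farm

backend squid_farm
    # Each new connection goes to the node with the fewest active connections.
    balance leastconn
    # "check" probes the Squid port every 2s; a node is taken out after
    # 3 failed probes and put back after 2 successful ones.
    default-server inter 2s fall 3 rise 2 maxconn 4000
    server squid1 192.0.2.21:3128 check
    server squid2 192.0.2.22:3128 check
    # Growing the farm is one more line:
    server squid3 192.0.2.23:3128 check

# Restricted status page showing per-node state, sessions and check results.
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /haproxy-stats
```

With this in place Squid sees the HAProxy address as the client of every connection, so IP-based ACLs and access logs lose the real source unless the PROXY protocol is used (`send-proxy` on the `server` lines, with `require-proxy-header` on Squid's `http_port` and a matching `proxy_protocol_access` rule, in Squid versions that support it).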

