[squid-users] help with tcp_outgoing_address trying to balance traffic based on username

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 8 04:50:52 UTC 2015


On 7/04/2015 9:01 a.m., Alberto Perez wrote:
> Hi everyone
> I've been trying to do traffic load balancing between two links
> based on username using tcp_outgoing_address
> 
> My squid setup only uses authorization with an external_acl which
> returns the username based on the client ip.
> 
> In my first failure trying to set this up, I found (with the help of
> Amos) that tcp_outgoing_address only works with fast acls, so the ext_user
> acl doesn't work there. Amos recommended that I use the NOTE acl for matching
> annotations in transactions; at first it looked to work fine but now I
> am realizing that only a very small part of the traffic has been going
> through the correct link.
> 
> I can't find any good documentation related to the note acl with some
> samples or cases of usage, so I hope someone can correct my config
> and/or point me in the right direction to achieve this.
> 
> 
> Inside my external acl I mark some users like this.
> // if username is one of fast users
> fwrite(STDOUT, "OK user=$username clt_conn_tag=55\n");
> 
> So theoretically both user and clt_conn_tag values can be matched with
> the NOTE ACL, as far as I know. I also use clt_conn_tag for testing but it
> should be enough with the user mark.

Yes and no...

 The user= is a per-message note. Each message needs to be individually
checked by the helper's ACL to get the note attached.

 The clt_conn_tag= is a per-connection note. Once it's assigned all
traffic received[**] on that same persistent client connection will be
tagged with it. Any future checks of the helper will only update the
note's value (if anything).

[**] it's not quite as reliable as it seems. Multiple requests may be
parsed off the connection and processed in parallel before the first one
gets tagged. What happens for tagging (or not) on the parallel ones is
not easily determined. Usually they end up tagged by the same logic
that caused the initial message tag to be set on the connection, but not
guaranteed.


> 
> # This is the fast users declaration; I've tried with both the commented and uncommented acl.
> acl nodo_users ext_user "/etc/squid3/users/nodo_users"
> #acl fast_users note clt_conn_tag 55
> acl fast_users note user "/etc/squid3/users/nodo_users"
> 
> nodo_users is a list of fast users. The tcp_outgoing_address is used
> like this:
> 
> #fast link for fast users
> tcp_outgoing_address xx.xx.xx.01 fast_users
> # default slow link
> tcp_outgoing_address xx.xx.xx.02
> 
> Traffic of fast users is intermittent between the two links and much
> more of it uses the slow link than the fast link (the opposite of what was expected).

The relationship between what network link is used and tcp_outgoing_* is
a lot more fuzzy than most people seem to think. The whole system (NAT
infrastructure, routing and other TCP stack mechanisms) is sitting in
between the Squid request for binding that IP and what actually leaves
the device. Those systems could be changing the packet in any way, or
even just routing it out the other NIC.


> External ACL TTL is 3 sec, so I assume that the correct balancing is
> made only when squid checks the acl and marks the request, but this mark
> isn't persistent.

Yes, Squid needs to check the external ACL and mark each request with
the notes. That should happen in the http_access rules though. The
"user=" note is set by both external ACL helpers and authentication helpers.
 If you have a mix of those helpers then weird stuff can appear to be
happening depending on the order they are checked in.
 If you are bypassing the helper check for any traffic, weird things can
happen for that traffic.


> 
> Please, any help with this will be appreciated.

What is your current squid.conf content?

Amos
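As an added illustration of the helper side of this thread (example code, not Alberto's helper or anything from the Squid project), the script below implements the external ACL helper protocol the way Amos describes it: it maps the client IP to a username, emits the per-message `user=` note on every lookup, and adds the per-connection `clt_conn_tag=55` note only for the "fast" users. The IP-to-user table, the `FAST_USERS` set and the `external_acl_type` line in the docstring are assumptions for the example; the `nodo_users` file, the `fast_users` note acl and the `tcp_outgoing_address` lines are the ones from the thread.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (added example, not code from the thread).

Assumed squid.conf wiring (the external_acl_type line is an assumption):
  external_acl_type ip_to_user ttl=3 %SRC /usr/local/bin/ip_to_user.py
  acl authorized external ip_to_user
  http_access allow authorized          # every request must hit the helper ACL
  acl fast_users note user "/etc/squid3/users/nodo_users"
  tcp_outgoing_address xx.xx.xx.01 fast_users
  tcp_outgoing_address xx.xx.xx.02

Protocol: Squid writes one line per lookup ("[channel-id] <client_ip>"),
the helper answers "[channel-id] OK [key=value ...]" or "[channel-id] ERR".
user=  is a per-message note (attached only when this helper is consulted
       for that message, hence the http_access rule above);
clt_conn_tag= is a per-client-connection note that persists on the
       persistent connection once set.
"""
import sys

# Constructed sample mapping; a real deployment would read a file or database.
IP_TO_USER = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
}
# Users that should be annotated for the fast link (assumed list).
FAST_USERS = {"alice"}
FAST_TAG = "55"


def decide(line: str) -> str:
    """Return the helper reply for one request line from Squid."""
    fields = line.strip().split()
    if not fields:
        return "ERR"
    # With concurrency=N Squid prefixes each request with a channel ID
    # that must be echoed back at the start of the reply.
    channel = ""
    if len(fields) >= 2 and fields[0].isdigit():
        channel = fields[0] + " "
        fields = fields[1:]
    client_ip = fields[0]
    user = IP_TO_USER.get(client_ip)
    if user is None:
        return f"{channel}ERR"
    if user in FAST_USERS:
        # Both notes: the per-message user= and the per-connection tag.
        return f"{channel}OK user={user} clt_conn_tag={FAST_TAG}"
    return f"{channel}OK user={user}"


def main() -> None:
    # Squid expects one unbuffered reply line per request line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the `user=` note only exists on messages that actually went through the helper's ACL, the `http_access` rule that triggers the lookup has to be evaluated for every request before `tcp_outgoing_address` is consulted; a request that is allowed by an earlier rule never gets the note and falls through to the default (slow) address.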

