[squid-users] High-availability and load-balancing between N squid servers

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 9 12:51:51 UTC 2015


On 9/06/2015 7:15 p.m., Rafael Akchurin wrote:
> Hi Amos,
> 
> <snip>
> 
>> There seems to be a bit of a myth going around about how HAProxy does
>> load balancing. HAProxy is an HTTP layer proxy. Just like Squid.
>>
>> They both do the same things to received TCP connections. But HAProxy
>> supports fewer HTTP features, so its somewhat simpler processing is also
>> a bit faster when you want it to be a semi-dumb load balancer.
> 
>> We have somewhat recently added basic support for the PROXY protocol to Squid.
>> So HAProxy can relay port 80 connections to Squid-3.5+ without
>> processing them fully. However Squid does not yet support that on
>> https_port, which means the TLS connections still won't have client IP
>> details passed through.
> 
> So what would be your proposition for the case of SSL Bump?
> How to get the connecting client IP and authenticated user name passed to the ICAP server when a cluster of squids is somehow getting the CONNECT tunnel established?
> 
> Assume we leave out the haproxy and rely solely on squid - how would you approach this and how many instances of squid would you deploy?
> 
> From my limited knowledge the FQDN proxy name being resolved to a number of IP addresses running one squid per IP address is the simplest approach. 
> 

Yes, it would seem to be the only form which meets all your criteria
too. Everything else runs up against the HTTPS brick wall.

Amos
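
The PROXY protocol relay mentioned in the quoted text, as an added example that is not part of the original thread and is not Squid's or HAProxy's code: a receiver for the version 1 text header that accepts it only from known balancer addresses, because the header is what carries the client IP. The balancer address, the sample bytes and the function names are assumptions made for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line the spec allows, CRLF included
# Assumption: addresses of the load balancers allowed to send the header.
TRUSTED_BALANCERS = [ipaddress.ip_network("192.0.2.10/32")]
# Constructed sample: what a balancer sends ahead of the relayed HTTP request.
SAMPLE = (b"PROXY TCP4 198.51.100.7 192.0.2.20 51234 3128\r\n"
          b"GET http://example.com/ HTTP/1.1\r\n\r\n")


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port) or None, remaining bytes)."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":  # balancer could not determine the client
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if max(sport, dport) > 65535:
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), rest


def client_address(peer_ip: str, data: bytes):
    """Client IP to log or pass on, plus the bytes that follow any header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_BALANCERS):
        # Untrusted peer: a header here would be a self-declared client address.
        if data.startswith(b"PROXY "):
            raise PermissionError("PROXY header from untrusted peer")
        return peer_ip, data
    info, rest = parse_proxy_v1(data)  # trusted peers must send the header
    return (info[0] if info else peer_ip), rest
```
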

