[squid-users] squid "internal?" loop - with no firewall nat going on..?

Klavs Klavsen kl at vsen.dk
Tue Mar 10 14:09:14 UTC 2015


Amos Jeffries wrote on 03/10/2015 02:48 PM:
[CUT]
>> ahh.. I was hoping to have a loadbalancer in front of squid (haproxy) -
>> to have failover, if squid server should fail..
>
> In which case you would NOT be intercepting by Squid. The LB device
> would be doing that. The haproxy would be configured to pass traffic to
> Squid port 3128.
>
> Though, what happens if the haproxy device fails? all you've done is
> shift the bottleneck from Squid to both Squid and haproxy.
>
haproxy is performing a much less intensive task than squid.. and having 
haproxy in front allows me to add multiple squid setups if I want.. and 
e.g. to test a new setup on one squid - and then quickly fall back if 
there are issues etc.

With haproxy I use keepalived to handle HA - and since haproxy is an HA 
setup we already use in many places - it's something we have a fair 
understanding of - making it the simple solution for us :)

Also - we already have data collection set up for haproxy, so we get 
counters for traffic automatically fed into our graphite setup :)

> Squid has built in mechanisms for auto-restart if anything goes wrong.
> Its sometimes hard to see that anything has happened at all from a
> client perspective. The admin will just see some graph spikes in the
> service records and (if they look) a log message.
>
nice to know that squid handles this fairly well :)

>
>>
>> I'm trying to read and understand:
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Concepts_of_Interception_Caching
>>
>>
>> when NAT'ing - doesn't squid just get the rewritten packet (which would
>> have port 3129 in the TCP dest. port field?)
>
> Squid gets a NAT-mangled TCP/IP SYN packet. It then uses the kernel to
> undo that mangling in order to contact the original destination IP on
> the outgoing connection from Squid.
>
> If the incoming detail (after un-mangling) was Squid itself, things loop.
>
So intercept mode is only used if you actually do the NAT'ing on the 
same server that squid is running on..

i.e. I should use accel mode instead in my use case?

[CUT]

-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
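The setup Amos describes above (haproxy passing client connections straight through to Squid's forward-proxy port 3128, with no interception and therefore no NAT mangling for Squid to undo) as an added configuration example. It is not part of the original thread and not taken from either project's documentation. The IP addresses, host names, file paths, the keepalived VIP and the use of Squid 3.5's PROXY protocol support (`require-proxy-header` / `proxy_protocol_access`) are assumptions; haproxy's `send-proxy` is what lets Squid log and apply ACLs against the real client address instead of the load balancer's.

```conf
# --- /etc/haproxy/haproxy.cfg (assumed path, identical on both haproxy nodes) ---
# Plain TCP passthrough: haproxy does no interception and no HTTP parsing.
# The keepalived VIP 10.0.0.10 (assumed) floats between haproxy nodes
# 10.0.0.11 and 10.0.0.12 (assumed); "bind *" avoids needing
# net.ipv4.ip_nonlocal_bind on the standby node.
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 1m
    timeout server 1m

frontend proxy_in
    # Browsers / WPAD / explicit proxy settings point at 10.0.0.10:3128
    bind *:3128
    default_backend squid_pool

backend squid_pool
    balance roundrobin
    # Two Squid nodes assumed. "check" is a TCP connect health check, so a
    # dead Squid is dropped from rotation; mark one "disabled" to test a new
    # build on the other. "send-proxy" prepends a PROXY protocol v1 header
    # carrying the real client address.
    server squid1 10.0.0.21:3128 check send-proxy
    server squid2 10.0.0.22:3128 check send-proxy

# --- /etc/squid/squid.conf (Squid 3.5 or later assumed, for PROXY protocol) ---
# Forward-proxy mode: neither "intercept" nor "accel". The TCP destination is
# really Squid, so there is no original destination to recover from the kernel
# and no way for the un-mangled destination to point back at Squid itself.
http_port 3128 require-proxy-header

# Only the two haproxy nodes may speak PROXY protocol to us; everything else
# connecting to 3128 is rejected because the header is required.
acl lb_nodes src 10.0.0.11 10.0.0.12
proxy_protocol_access allow lb_nodes
proxy_protocol_access deny all

# From here on, "src" is the client address taken from the PROXY header,
# so existing per-client ACLs and access.log keep working behind the LB.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Two consequences worth checking after deploying this: first, because `require-proxy-header` is set, a client that connects directly to a Squid node on 3128 (bypassing haproxy) is refused, so test through the VIP, not against the node; second, `proxy_protocol_access` must list the haproxy nodes' own addresses, not the VIP, since haproxy's outgoing connections to Squid are sourced from the node address unless you deliberately configure otherwise. If you want to keep one Squid node reachable for direct debugging, add a second `http_port` on a different port without `require-proxy-header`.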


