[squid-users] Squid with more than 128 ports?

Eliezer Croitor ngtech1ltd at gmail.com
Sat Dec 12 22:08:04 UTC 2020


You can use 2 squid servers with VRRP in front of the other proxies.

I would advise you to learn a little about haproxy authentication methods.

There is a possibility that you will be able to do some things you haven’t done until now.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd at gmail.com

 

From: roee klinger <roeeklinger60 at gmail.com> 
Sent: Friday, December 11, 2020 1:23 PM
To: Eliezer Croitor <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid with more than 128 ports?

 

Hey Eliezer,

 

Thanks, but actually what I want to achieve is not dynamic load balancing, I want each user to always go to a predefined proxy.

 

For a failover solution, I will have an outside program checking for failed proxies, and then I will remove them from the list and send the user to a different proxy while I handle the failed ones.

 

Is Haproxy good for that, or is Squid in the way I proposed OK?

 

Thanks

 


On Dec 10, 2020, at 23:14, Eliezer Croitor <ngtech1ltd at gmail.com> wrote:



You should use Haproxy in a Fail-over setup.

Squid is great but it’s possible that Haproxy does this much better these days than Squid.

You can leave the authentication on the Squid servers and use the Haproxy as TCP Load balancer.

If you need the client's original IP address you can use the PROXY protocol to send these details between the haproxy and squid.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd at gmail.com

 

From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of roee klinger
Sent: Thursday, December 10, 2020 8:39 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid with more than 128 ports?

 

Hey Anthony,

 

Giving this a second thought, I believe I didn't explain myself correctly.

 

I have 5 Squid servers, each listening on 80 ports, I would like to add another Squid server in the middle of the client and these servers to authenticate users before sending them to their ports. I already have ACL controls and auth control tools which I wrote and are working fine.

My question is regarding how to configure this, I have found this configuration online but I am not sure how it will work performance-wise with 500+ proxies (could be 1000s in the future):

 

http_port 3128 name=port_3128
http_port 3127 name=port_3127
nonhierarchical_direct off
acl port_3128_acl myportname port_3128
acl port_3127_acl myportname port_3127
always_direct deny port_3128_acl
always_direct deny port_3127_acl
never_direct allow port_3128_acl
never_direct allow port_3127_acl
# 3128
cache_peer proxy1 parent 3128 0 proxy-only default name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
# 3127
cache_peer proxy2 parent 3128 0 proxy-only default name=proxy3127
cache_peer_access proxy3127 allow port_3127_acl
cache_peer_access proxy3127 deny all

 

Combine these 2000+ lines in squid.conf with 2 external ACLs and a custom authenticator, can this cause a hit on performance or should it be no problem for squid to handle?

On Thu, Dec 10, 2020 at 2:29 PM Antony Stone <Antony.Stone at squid.open.source.it> wrote:

On Thursday 10 December 2020 at 13:02:19, roee klinger wrote:

> Hello,
> 
> We have a few Squid proxy servers with a total of around 400 ports

What do you mean by that?  What are you using 400 ports for?

> We have decided that we want to add a cloud instance in the middle of the
> connections, that will authenticate users and only then send them to the
> squid instance.

What authentication method / protocol do you want to use?

> Is it a smart idea to use Squid for this use case or just use a different
> proxy software that doesn't have this limitation?

I think the best starting point is to ask what sort of authentication you want 
to perform (ie: what is the authoritative system which holds the information 
about who can authenticate and who cannot), then you can decide on the best 
software to use to do that in front of Squid.


Antony.

-- 
Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated".  
Chocolate covered biscuits, however, are classed as "luxury items" and are 
subject to VAT.  McVitie's classed its Jaffa Cakes as cakes, but in 1991 this 
was challenged by Her Majesty's Customs and Excise in court.

The question which had to be answered was what criteria should be used to 
class something as a cake or a biscuit.  McVitie's defended the classification 
of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas 
biscuits go soft.  It was demonstrated that Jaffa Cakes become hard when stale 
and McVitie's won the case.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
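
Added example, not part of the original thread or of Squid itself: the per-port http_port / myportname / cache_peer pattern from the quoted squid.conf, generated from a table so that hundreds of ports do not have to be written by hand. It goes beyond the two-port snippet by validating the input and by re-pinning ports away from a failed peer, as in the failover plan described above; the function names, peer hosts and ports are assumptions.

```python
# Added example: builds the port -> parent-peer stanza from the thread for
# many ports. Peer hosts and port numbers below are constructed placeholders.

def render_squid_conf(mapping):
    """mapping: {listen_port: (peer_host, peer_port)} -> squid.conf text."""
    for port, (host, peer_port) in mapping.items():
        for p in (port, peer_port):
            if not (isinstance(p, int) and 0 < p < 65536):
                raise ValueError(f"invalid TCP port: {p!r}")
        # The mapping is fed by an outside program; refuse anything that
        # could smuggle extra tokens or lines into squid.conf.
        if not host or any(c.isspace() or c == "#" for c in host):
            raise ValueError(f"invalid peer host: {host!r}")

    ports = sorted(mapping)
    out = [f"http_port {p} name=port_{p}" for p in ports]
    out.append("nonhierarchical_direct off")
    out += [f"acl port_{p}_acl myportname port_{p}" for p in ports]
    out += [f"always_direct deny port_{p}_acl" for p in ports]
    out += [f"never_direct allow port_{p}_acl" for p in ports]
    for p in ports:
        host, peer_port = mapping[p]
        out += [
            f"# {p}",
            f"cache_peer {host} parent {peer_port} 0 proxy-only default name=proxy{p}",
            f"cache_peer_access proxy{p} allow port_{p}_acl",
            f"cache_peer_access proxy{p} deny all",
        ]
    return "\n".join(out) + "\n"


def remap_failed(mapping, failed, replacement):
    """Copy of mapping with ports pinned to a failed peer moved to replacement."""
    if replacement in failed:
        raise ValueError("replacement peer is itself marked failed")
    return {port: (replacement if peer in failed else peer)
            for port, peer in mapping.items()}


if __name__ == "__main__":
    # Constructed sample: two listening ports, as in the quoted snippet.
    sample = {3128: ("proxy1", 3128), 3127: ("proxy2", 3128)}
    print(render_squid_conf(sample), end="")
    # proxy2 reported down by the external checker: pin its port to proxy1.
    moved = remap_failed(sample, {("proxy2", 3128)}, ("proxy1", 3128))
    print(render_squid_conf(moved), end="")
```

Because every cache_peer line carries its own name=, two listening ports can point at the same parent host and port after a remap without the peer definitions colliding.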
