<div dir="ltr">Hi Eliezer,<div><br></div><div>We are running a couple of Squid proxies (the real servers) in front of a pair of LVS servers with keepalived and it works flawlessly.</div><div>The 2 x Squid proxies are active / active and the LVS servers are active / passive.</div><div>If a Squid proxy dies the remaining proxy takes all the traffic.</div><div>If the active LVS server dies, keepalived running on the backup LVS (via VRRP) moves the VIP to itself and it takes all the traffic, so the only difference between the two is one has a higher priority so it gets the VIP first.</div><div>I have included some sanitised snippets from a keepalived.conf file that should help you.</div><div>You could easily scale this out if you need more than 2 Squid proxies.</div><div><br></div><div>The config I provided is for LVS/DR (Direct Route) mode.</div><div>This method rewrites the MAC address of forwarded packets to that of one of the real servers and is the most scalable way to run LVS.</div><div>It does require the LVS and real servers be on the same L2 network.</div><div>If that is not possible then consider LVS/TUN mode or LVS/NAT mode.</div><div><br></div><div>As LVS/DR rewrites the MAC address, it requires each real server to have the VIP address plumbed on an interface and also requires the real servers to ignore ARP requests for the VIP address as the only device that should respond to ARP requests for the VIP is the active LVS server.</div><div>We do this by configuring the VIP on the loopback interface on each real but there are other methods as well such as dropping the ARP responses using arptables, iptables or firewalld.</div><div>I think back in the kernel 2.4 and 2.6 days people used the noarp kernel module which could be configured to ignore ARP requests for a particular IP address but you don't really need this anymore.</div><div><br></div><div>More info on the loopback arp blocking method - <a href="https://www.loadbalancer.org/blog/layer-4-direct-routing-lvs-dr-and-layer-4-tun-lvs-tun-in-aws/" target="_blank">https://www.loadbalancer.org/blog/layer-4-direct-routing-lvs-dr-and-layer-4-tun-lvs-tun-in-aws/</a></div><div></div><div></div><div>More info on firewall type arp blocking methods - <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/load_balancer_administration/s1-lvs-direct-vsa" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/load_balancer_administration/s1-lvs-direct-vsa</a></div><div>More info about LVS/DR - <a href="http://kb.linuxvirtualserver.org/wiki/LVS/DR" target="_blank">http://kb.linuxvirtualserver.org/wiki/LVS/DR</a><br></div><div><br></div><div>If you are using a RPM based distro then to set up the LVS servers you only need the <span style="color:rgb(45,45,45);font-size:14px">ipvsadm and keepalived packages.</span></div><div><span style="color:rgb(45,45,45);font-size:14px">Install squid on the reals and configure the VIP on each and disable ARP.</span></div><div><span style="color:rgb(45,45,45);font-size:14px">Then build the keepalived.conf on both LVS servers and restart keepalived.</span></div><div><font color="#2d2d2d"><span style="font-size:14px"><br></span></font></div><div><font color="#2d2d2d"><span style="font-size:14px">The priority configuration stanza in the vrrp_instance section determines the primary VRRP node (LVS server) for that virtual router instance.</span></font></div><div><font color="#2d2d2d"><span style="font-size:14px">The secondary LVS server needs a lower priority compared to the primary.</span></font></div><div><font color="#2d2d2d"><span style="font-size:14px">You can configure one as the MASTER and the other as the BACKUP but our guys make them both BACKUP and let the priority sort the election of the primary out.</span></font></div><div><font color="#2d2d2d"><span style="font-size:14px">I think this might be to solve a problem of bringing up a BACKUP without a MASTER but I can't confirm that</span></font><span style="font-size:14px;color:rgb(45,45,45)">.</span></div><div><br></div><div><br></div><div>Good luck.</div><div><br></div><div><br></div><div>$ cat /etc/keepalived/keepalived.conf<br><br>global_defs {<br><br> notification_email {<br> # <a href="mailto:rootmail@example.com">rootmail@example.com</a><br> }<br> notification_email_from <a href="mailto:keepalive-daemon@lvs01.example.com">keepalive-daemon@lvs01.example.com</a><br> smtp_server 10.1.2.3 # <a href="http://mail.example.com">mail.example.com</a><br> smtp_connect_timeout 30<br> lvs_id <a href="http://lvs01.example.com">lvs01.example.com</a> # Name to mention in email.<br>}<br><br>vrrp_instance LVS_example {<br><br> state BACKUP<br> priority 150<br> interface eth0<br> lvs_sync_daemon_interface eth0<br> virtual_router_id 5<br> preempt_delay 20<br><br> virtual_ipaddress_excluded {<br> <br> 10.10.10.10 # Squid proxy<br> }<br><br> notify_master "some command to log or send an alert"<br> notify_backup "some command to log or send an alert"<br> notify_fault "some command to log or send an alert"<br>}<br><br><br># SQUID Proxy<br>virtual_server 10.10.10.10 3128 { <br><br> delay_loop 5<br> lb_algo wrr<br> lb_kind DR<br> protocol TCP<br><br> real_server 10.10.10.11 3128 { # <a href="http://proxy01.example.com">proxy01.example.com</a><br> weight 1<br> inhibit_on_failure 1<br> TCP_CHECK {<br> connect_port 3128<br> connect_timeout 5<br> }<br> }<br><br> real_server 10.10.10.12 3128 { # <a href="http://proxy02.example.com">proxy02.example.com</a><br> weight 1<br> inhibit_on_failure 1<br> TCP_CHECK {<br> connect_port 3128<br> connect_timeout 5<br> }<br> }<br>}<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 27, 2020 at 8:24 AM Eliezer Croitor <<a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div><p class="MsoNormal">Hey All,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I am reading about LB and tried to find an up-to-date example or tutorial specific to squid with no luck.<u></u><u></u></p><p class="MsoNormal">I have seen: <a href="http://kb.linuxvirtualserver.org/wiki/Building_Web_Cache_Cluster_using_LVS" target="_blank">http://kb.linuxvirtualserver.org/wiki/Building_Web_Cache_Cluster_using_LVS</a><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Which makes sense and also is similar or kind of identical to WCCP with gre.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Anyone knows about a working Squid setup with IPVS/LVS?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal">Eliezer<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">----<u></u><u></u></p><p class="MsoNormal">Eliezer Croitoru<u></u><u></u></p><p class="MsoNormal">Tech Support<u></u><u></u></p><p class="MsoNormal">Mobile: +972-5-28704261<u></u><u></u></p><p class="MsoNormal">Email: <a href="mailto:ngtech1ltd@gmail.com" target="_blank"><span style="color:blue">ngtech1ltd@gmail.com</span></a><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>