[squid-dev] PROXY protocol and TPROXY, can they go together?
Amos Jeffries
squid3 at treenet.co.nz
Tue May 15 19:36:53 UTC 2018
On 16/05/18 02:09, Eliezer Croitoru wrote:
> Hey Squid-Dev,
>
> I am in the middle of writing a load balancer \ router (almost done) for
> squid with TPROXY in it.
>
> The load balancer sits on the Squid machine and intercepts the connections.
>
> I want to send Squid instances a new connection on a PROXY protocol
> enabled http_port but that squid will use TPROXY on the outgoing
> connection based on the PROXY protocol details.
>
> Would it be possible? I think it should but not sure.
>
Maybe. Since both pieces of software are on the same machine it should get past
the kernel protections against arbitrary spoofing.
You will have to check that BOTH dst-IP:port and src-IP:port pairs are
correctly relayed by the PROXY protocol. If not, TPROXY will end up
with mangled socket state and undefined behaviour (probably breakage).
>
>
> My plan is to try and load balance connections between multiple squid
> instances\workers for filtering purposes and PIN each of the instances
> to a CPU (20+ cores Physical host).
>
> How reasonable is this idea?
You don't need a custom LB. iptables is sufficient, or other firewalls
if you have a non-Linux machine.
<https://wiki.squid-cache.org/ConfigExamples/ExtremeCarpFrontend#Frontend_Balancer_Alternative_1:_iptables>
You should be able to fit those LB lines into a normal TPROXY config.
Just replace the "-j REDIRECT" with the "-j TPROXY --tproxy-mark ...".
Amos
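Added example, not code from this thread or from the Squid project: a POSIX shell script with two functions covering the two points raised above. `check_proxy_v1_header` verifies that a PROXY protocol v1 header line carries both the source and the destination IP:port pair before a connection is handed to a tproxy-enabled http_port (a header with only one pair, or a `PROXY UNKNOWN` header with none, is rejected). `tproxy_lb_rules` prints, without executing, an iptables/ip rule set that spreads new connections over several Squid instances using the `-m statistic --mode nth` match and `-j TPROXY --tproxy-mark` in place of `-j REDIRECT`. The listening ports, the firewall mark value 1, routing table 100 and the instance count are assumptions chosen for illustration.

```shell
#!/bin/sh
# Validate a PROXY protocol v1 header line of the form
#   PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>
# Returns 0 only when BOTH address:port pairs are present and well formed,
# which is the precondition for letting TPROXY reuse them on the outgoing side.
check_proxy_v1_header() {
    hdr=$(printf '%s' "$1" | tr -d '\r\n')   # drop the CRLF terminator if present
    set -- $hdr                              # split into whitespace-separated fields
    [ "$1" = "PROXY" ] || return 1
    case "$2" in
        TCP4|TCP6) ;;
        *) return 1 ;;                       # "UNKNOWN" carries no addresses at all
    esac
    [ $# -eq 6 ] || return 1                 # src-ip dst-ip src-port dst-port must all be there
    src=$3; dst=$4; sport=$5; dport=$6
    # Both ports must be numeric and within the valid TCP range.
    for p in "$sport" "$dport"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    # Cheap shape check on the addresses: dotted quad for TCP4, colon-separated for TCP6.
    for a in "$src" "$dst"; do
        case "$2:$a" in
            TCP4:*.*.*.*) ;;
            TCP6:*:*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the commands for a TPROXY setup whose new connections are split across
# N Squid instances listening on consecutive tproxy ports (assumed values:
# base port 3129, mark 1, routing table 100). Nothing is executed here; the
# output is meant to be reviewed and then applied with the usual "sh".
#
# Distribution: rule i matches every (N-i)th packet that reaches it, so the
# rules in sequence hand out equal shares; the last rule is a plain catch-all.
# Only the SYN of a new connection reaches these rules, because the earlier
# "-m socket" rule diverts packets that already belong to an accepted socket,
# so the per-packet counter effectively balances per connection.
tproxy_lb_rules() {
    n=$1; base_port=$2
    echo "iptables -t mangle -N DIVERT"
    echo "iptables -t mangle -A DIVERT -j MARK --set-mark 1"
    echo "iptables -t mangle -A DIVERT -j ACCEPT"
    echo "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT"
    i=0
    while [ "$i" -lt "$n" ]; do
        port=$((base_port + i))
        if [ "$i" -lt $((n - 1)) ]; then
            stat="-m statistic --mode nth --every $((n - i)) --packet 0 "
        else
            stat=""
        fi
        echo "iptables -t mangle -A PREROUTING -p tcp --dport 80 ${stat}-j TPROXY --tproxy-mark 0x1/0x1 --on-port $port"
        i=$((i + 1))
    done
    # Marked packets must be routed to the local stack for TPROXY to work.
    echo "ip rule add fwmark 1 lookup 100"
    echo "ip route add local 0.0.0.0/0 dev lo table 100"
}

# Constructed sample inputs for a stand-alone run.
if check_proxy_v1_header 'PROXY TCP4 192.0.2.10 198.51.100.5 51000 80'; then
    echo "header ok: both pairs present"
fi
if ! check_proxy_v1_header 'PROXY UNKNOWN'; then
    echo "header rejected: no address pairs to relay"
fi
tproxy_lb_rules 4 3129
```

Each Squid instance behind these rules needs a matching `http_port <port> tproxy` line, and the check function is the kind of test to run against whatever the balancer actually emits: if either pair is missing, the outgoing TPROXY socket cannot be bound correctly and the breakage Amos describes is what follows.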