[squid-users] High-availability and load-balancing between N squid servers
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 9 12:51:51 UTC 2015
On 9/06/2015 7:15 p.m., Rafael Akchurin wrote:
> Hi Amos,
>
> <snip>
>
>> There seems to be a bit of a myth going around about how HAProxy does
>> load balancing. HAProxy is an HTTP layer proxy. Just like Squid.
>>
>> They both do the same things to received TCP connections. But HAProxy
>> supports less HTTP features, so its somewhat simpler processing is also
>> a bit faster when you want it to be a semi-dumb load balancer.
>
>> We have somewhat recently added basic support for the PROXY protocol to Squid.
>> So HAProxy can relay port 80 connections to Squid-3.5+ without
>> processing them fully. However Squid does not yet support that on
>> https_port, which means the TLS connections still won't have client IP
>> details passed through.
>
> So what would be your proposition for the case of SSL Bump?
> How to get the connecting client IP and authenticated user name passed to the ICAP server when a cluster of squids is somehow getting the CONNECT tunnel established?
>
> Assume we left out the haproxy and rely solely on squid - how would you approach this and how many instances of squid would you deploy?
>
> From my limited knowledge the FQDN proxy name being resolved to a number of IP addresses running one squid per IP address is the simplest approach.
>
Yes, it would seem to be the only form which meets all your criteria
too. Everything else runs up against the HTTPS brick wall.
Amos
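
The quoted remark about relaying connections with the PROXY protocol comes down to the receiving proxy reading one header line ahead of the HTTP traffic and believing it only when the TCP peer is a known load balancer. The sketch below is an added example, not part of the original message and not Squid or HAProxy code; the function names and the constructed addresses (documentation ranges) are assumptions, and it covers the human-readable version 1 header only.

```python
import ipaddress

# Assumption: the load balancers permitted to send PROXY headers (constructed).
TRUSTED_BALANCERS = [ipaddress.ip_network("192.0.2.10/32")]
MAX_V1_LEN = 107  # longest version 1 header line, CRLF included


def parse_proxy_v1(line: bytes):
    """Parse a PROXY v1 line; return (src, sport, dst, dport) or None for UNKNOWN."""
    if len(line) > MAX_V1_LEN or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY header")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":
        return None  # sender could not describe the client; use the peer address
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported or truncated PROXY header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    family = 4 if parts[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(parts[4]), int(parts[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return str(src), sport, str(dst), dport


def client_address(peer_ip: str, first_line: bytes) -> str:
    """Return the client IP to log or pass on for a new connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_BALANCERS):
        # A header from anyone else is an attempt to choose one's own source IP.
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)
    parsed = parse_proxy_v1(first_line)
    return parsed[0] if parsed else peer_ip


if __name__ == "__main__":
    # Constructed sample: the balancer relays a client at 198.51.100.7.
    hdr = b"PROXY TCP4 198.51.100.7 192.0.2.21 51234 3128\r\n"
    print(client_address("192.0.2.10", hdr))
```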