[squid-users] squid "internal?" loop - with no firewall nat going on..?

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 10 14:28:10 UTC 2015


On 11/03/2015 3:09 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 03/10/2015 02:48 PM:
> [CUT]
>>> ahh.. I was hoping to have a load balancer in front of squid (haproxy),
>>> to have failover if the squid server should fail..
>>
>> In which case you would NOT be intercepting by Squid. The LB device
>> would be doing that. The haproxy would be configured to pass traffic to
>> Squid port 3128.
>>
>> Though, what happens if the haproxy device fails? All you've done is
>> shift the bottleneck from Squid to both Squid and haproxy.
>>
> haproxy is performing a much less intensive task than squid, and having
> haproxy in front allows me to add multiple squid setups if I want, and
> e.g. to test a new setup on one squid and then quickly fall back if
> there are issues, etc.
> 
> with haproxy I use keepalived to handle HA - and since haproxy is a HA
> setup we already use many places - it's something we have a fair
> understanding of - making it the simple solution for us :)
> 
> Also - we already have data collection set up for haproxy, so we get
> counters for traffic automatically fed into our graphite setup :)
> 
>> Squid has built-in mechanisms for auto-restart if anything goes wrong.
>> It's sometimes hard to see that anything has happened at all from a
>> client perspective. The admin will just see some graph spikes in the
>> service records and (if they look) a log message.
>>
> nice to know that squid handles this fairly well :)
> 
>>
>>>
>>> I'm trying to read and understand:
>>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Concepts_of_Interception_Caching
>>>
>>> when NATing, doesn't squid just get the rewritten packet (which would
>>> have port 3129 in the TCP dest. port field)?
>>
>> Squid gets a NAT-mangled TCP/IP SYN packet. It then uses the kernel to
>> undo that mangling in order to contact the original destination IP on
>> the outgoing connection from Squid.
>>
>> If the incoming detail (after un-mangling) was Squid itself, things loop.
>>
> so intercept mode is only used if you actually do the NATing on the
> same server squid is running on..
> 
> i.e. I should use accel mode instead in my use case?

No, in your setup the Squid is a regular forward-proxy servicing traffic
sent to it explicitly by haproxy.

If the overall system happens to be a CDN then also use cache_peer to
configure Squid where to fetch the responses, or use split-DNS to make
Squid resolve the internal server IPs differently from the clients.

Amos
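The mechanism Amos describes above (Squid receiving a NAT-mangled SYN, asking the kernel for the pre-NAT destination, and looping if that destination turns out to be Squid itself) as an added, stand-alone illustration. This is not code from the thread or from Squid; it shows the Linux SO_ORIGINAL_DST lookup an intercepting proxy performs on an accepted socket, and the self-loop check that decides whether the recovered destination may be forwarded. The addresses, ports and the local endpoint list are constructed sample data; SO_ORIGINAL_DST = 80 is the constant from Linux's netfilter headers, which Python's socket module does not export.

```python
"""Added example (not from the squid-users thread or from Squid itself):
what an intercepting proxy does with a NAT-redirected connection, and the
self-loop check that goes with it.

On Linux, a connection REDIRECTed by iptables/nftables to the proxy's
intercept port still has its original destination recorded in conntrack.
The proxy recovers it with getsockopt(SOL_IP, SO_ORIGINAL_DST) on the
accepted socket. If that original destination is one of the proxy's own
listening endpoints, connecting to it would just come straight back to the
proxy: the forwarding loop the thread describes.
"""
import socket
import struct

# Value from <linux/netfilter_ipv4.h>; the Python socket module has no name for it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw: bytes):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns (16 bytes).

    Layout: sa_family (u16, host byte order), sin_port (u16, network order),
    sin_addr (4 bytes, network order), 8 bytes of padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def original_destination(conn: socket.socket):
    """Ask the kernel for the pre-NAT destination of an accepted connection.

    Linux only, and only meaningful when the NAT rewrite happened on the
    same host that runs the proxy (conntrack is per-host); this is exactly
    why intercept mode does not apply when a separate box does the NAT.
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def is_forwarding_loop(orig_ip, orig_port, local_ips, proxy_ports):
    """True if the recovered destination is one of our own listening endpoints.

    local_ips: addresses this host owns; proxy_ports: ports the proxy accepts on.
    """
    if orig_port not in proxy_ports:
        return False
    return orig_ip in local_ips or orig_ip.startswith("127.")


def make_sockaddr_in(ip, port) -> bytes:
    """Constructed test input: the bytes the kernel would hand back."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


# Constructed sample environment: the proxy host's own addresses and ports.
LOCAL_IPS = ("10.0.0.5", "127.0.0.1")
PROXY_PORTS = (3128, 3129)


def classify(raw, local_ips=LOCAL_IPS, proxy_ports=PROXY_PORTS):
    """Decide what to do with one NAT-redirected connection: forward or refuse."""
    ip, port = parse_sockaddr_in(raw)
    if is_forwarding_loop(ip, port, local_ips, proxy_ports):
        return "loop", ip, port
    return "forward", ip, port


if __name__ == "__main__":
    # A client wanted 93.184.216.34:80; the kernel rewrote it to us:3129.
    print(classify(make_sockaddr_in("93.184.216.34", 80)))
    # Traffic that was already aimed at the proxy got redirected a second time.
    print(classify(make_sockaddr_in("10.0.0.5", 3128)))
```

In a real deployment only `original_destination` touches the kernel; everything else is pure logic, which is why the constructed sockaddr bytes are enough to exercise the loop check offline. When haproxy sits in front of Squid as in this thread, none of this applies: haproxy connects to port 3128 explicitly, Squid sees an ordinary forward-proxy request, and the destination comes from the request line or Host header rather than from conntrack.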