[squid-users] load balancing and site failover
Brendan Kearney
bpk678 at gmail.com
Tue Mar 24 18:25:30 UTC 2015
On Tue, 2015-03-24 at 10:18 -0400, Brendan Kearney wrote:
> while load balancing is not a requirement in a proxy environment, it
> does afford a great deal of functionality, scaling and fault tolerance
> in one. several if not many on this list probably employ them for their
> proxies and likely other technologies, but they are not all created
> equal.
>
> i recently looked to see if a specific feature was in HAProxy. i was
> looking to see if HAProxy could reply to a new connection with a RST
> packet if no pool member was available.
>
> the idea behind this is, if all of the proxies are not passing the
> service check and are marked down by the load balancer, the reply of a
> RST in the TCP handshake (i.e. SYN -> RST, not SYN -> SYN/ACK -> ACK)
> tells the browser to failover to the next proxy assigned by the PAC
> file.
>
> where i work, we have this configuration working. the load balancers
> are configured with the option to send a reset when no proxy is
> available in the pool. the PAC file assigns all 4 of the proxy VIPs in
> a specific order based on which proxy VIP is assigned as the primary.
> In every case, if the primary VIP does not have an available pool
> member, the browser fails over to the next in the list. failover would
> happen again, if the secondary VIP replies with a RST during the
> connection establishing. the process repeats until a TCP connection
> establishes or all proxies assigned have been exhausted. the browser
> will use the proxy VIP that it successfully connects to, for the
> duration of the session. once the browser is closed and reopened, the
> evaluation of the PAC file occurs again, and the process starts anew.
> plug-ins such as Proxy Selector are the exception to this, and can be
> used to reevaluate a PAC file by selecting it for use.
>
> we have used this configuration several times, when we found an ISP link
> was flapping or some other issue more global in nature than just the
> proxies was affecting our egress and internet access. i can attest to
> the solution as working and elegantly handling site wide failures.
>
> being that the solutions where i work are proprietary commercial
> products, i wanted to find an open source product that does this. i
> have been a long time user of HAProxy, and have recommended it for
> others here, but sadly they cannot perform this function. per their
> mailing list, they use the network stack of the OS for connection
> establishment and cannot cause a RST to be sent to the client during a
> TCP handshake if no pool member is available.
>
> they suggested an external helper that manipulates IPTables rules based
> on a pool member being available. they do not feel that a feature like
> this belongs in a layer 4/7 reverse proxy application.
>
> my search for a load balancer solution went through ipvsadm, balance and
> haproxy before i selected haproxy. haproxy was more feature rich than
> balance, and easier to implement than ipvsadm. do any other list
> members have a need for such a feature from their load balancers? do
> any other list members have site failover solutions that have been
> tested or used and would consider sharing their design and/or pain
> points? i am not looking for secret sauce or confidential info, but
> more high level architecture decisions and such.
>
trying to send this again, as it was rejected previously.
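
One way to build the external helper the HAProxy list suggested, as an added example that is not part of the original post or of HAProxy itself: it reads the stats socket and installs an iptables rule that answers new SYNs with a RST while no pool member is up. It assumes HAProxy runs on the host that owns the VIP, with the stats socket enabled; the backend name `squid_pool`, port 3128 and the socket path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post, nor HAProxy's own code).
# Assumed names: backend "squid_pool", port 3128, stats socket path.
BACKEND="${BACKEND:-squid_pool}"
VIP_PORT="${VIP_PORT:-3128}"
SOCK="${SOCK:-/var/run/haproxy.sock}"

# Constructed sample of "show stat" CSV, trimmed to the columns used here.
SAMPLE_ALL_DOWN='# pxname,svname,scur,status,weight
squid_pool,FRONTEND,0,OPEN,
squid_pool,proxy1,0,DOWN,1
squid_pool,proxy2,0,MAINT,1
squid_pool,BACKEND,0,DOWN,0'

# Count servers of backend $1 whose status starts with UP (CSV on stdin).
# The status column is located by header name, not by fixed position.
count_up() {
    awk -F, -v be="$1" '
        NR == 1 { sub(/^# /, ""); for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
        col && $1 == be && $2 != "FRONTEND" && $2 != "BACKEND" && $col ~ /^UP/ { n++ }
        END { print n + 0 }'
}

# Decide what to do: $1 = servers up, $2 = 1 if the reject rule is installed.
decide() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo add
    elif [ "$1" -gt 0 ] && [ "$2" -eq 1 ]; then echo delete
    else echo none
    fi
}

# Query HAProxy and reconcile the rule. An unreachable socket yields zero
# servers up, so the rule is added and clients still get a RST.
# --syn limits the reset to new connections (SYN -> RST).
sync_rule() {
    rule="INPUT -p tcp --syn --dport $VIP_PORT -j REJECT --reject-with tcp-reset"
    up=$(echo "show stat" | socat stdio "unix-connect:$SOCK" 2>/dev/null | count_up "$BACKEND")
    # $rule is left unquoted on purpose so it splits into separate arguments.
    if iptables -C $rule 2>/dev/null; then present=1; else present=0; fi
    case $(decide "$up" "$present") in
        add)    iptables -I $rule ;;
        delete) iptables -D $rule ;;
    esac
}

# Run as root from cron or a loop with the single argument --apply.
if [ "${1:-}" = "--apply" ]; then sync_rule; fi
```

The polling interval bounds how long clients see a SYN/ACK from a VIP with no healthy proxy behind it, so it should be shorter than the load balancer's own health-check fall time.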