Re: [squid-users] ip aliased multi-instanced squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 04 Jun 2011 19:33:51 +1200

On 04/06/11 06:25, errno wrote:
> On Thursday, June 02, 2011 01:03:06 AM Amos Jeffries wrote:
>> On 02/06/11 19:41, errno wrote:
>>> Just to confirm:
>>>
>>> If I have multiple ip aliases assigned to the same physical nic, will
>>> there still be port conflicts on an ip (aliased) based multi-instanced
>>> squid server?
>>
>> There is rarely a need for the combo of IP aliasing + Squid.
>>
>
> You know, maybe this just now actually clicked in my brain...
>
> So, let's say that we did have a few different aliased IPs (on different
> subnets):
>
> For example:
> eth0 -> 192.196.0.2
> eth0:1 -> 192.196.1.2
> eth0:2 -> 192.196.2.2
> eth0:3 -> 192.168.3.2
>
>
> Rather than setting up, say, 4 separate instances of squid - one per subnet -
> I'm thinking why not just set up 1 single instance (say, on 192.196.0.2), then
> just use iptables to redirect any traffic hitting the other IPs (192.196.1.2
> through 192.168.3.2) to the 192.196.0.2? Then the single squid.conf would
> be configured (somehow) to use the appropriate tcp_outgoing_address(?),
> or something?
>
> Something like:
>
> incoming request to 192.196.2.2:80 ->
> iptables passes it to 192.196.0.2:80 ->
> squid receives request on 192.196.0.2, but dispatches back out 192.196.2.2
>
> ???
>
> Something along those lines?

Yes. Based on the "myip" ACL for the "incoming request to $myip" bit.

Note that "myip" fails if NAT is happening on the packet's arrival. Squid
will get mangled IPs to test against $myip and usually fail to do a
reliable match.
In this case you do need multiple http_port in squid.conf for the one
squid instance and the myportname ACL for the manipulations.

>
> Or can I achieve the same effect w/o iptables - by just supplying multiple
> ip:ports to http_port ? The primary concern is that if a request to squid
> comes in on one particular address, that squid will ensure that this
> request leaves squid with the same tcp_outgoing_address - which is
> why we were (naively?) using multiple separate instances... each
> instance had:
>
> include /etc/squid/squid_common.conf
>
> access_log /var/log/squid/access_192.168.0.2.log squid
> auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
> http_port 192.168.0.2:8002
> tcp_outgoing_address 192.168.0.2
> pid_filename /var/run/squid_192.168.0.2.pid
> visible_hostname 192.168.0.2

*IF* (and that is a big IF) you really need the outgoing IP to be fixed,
you can run one instance with multiple copies of the above snippet.

Note that visible_hostname, pid_filename, and auth_param are unique
directives; only one copy is used per instance of Squid.

I set up this kind of thing with Squid-3.1 like so:

squid.conf:
  include /etc/squid/IPA/*
  .. blah...

/etc/squid/IPA contains a number of files with the specific listening IP
handling.

eg /etc/squid/IPA/192.168.0.2_8002:

   http_port 192.168.0.2:8002 name=ip-2-8002
   acl ip-2-8002 myportname ip-2-8002
   tcp_outgoing_address 192.168.0.2 ip-2-8002
   access_log /var/log/squid/access_192.168.0.2_8002.log squid ip-2-8002

>
>
> Thanks for helping to clear my confusion and possible derive a much
> simpler and easier to maintain squid service; and huge thanks to
> Amos for the incredible amount of time and assistance he offers on
> this list!
>

Thank you :)

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
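The per-listener fragment pattern Amos describes (one http_port with a name=, a myportname ACL on that name, and tcp_outgoing_address plus access_log restricted by the ACL) is easy to get wrong by hand once there are several aliased IPs. The script below is an added example, not code from the post or from the Squid project: it generates one fragment file per "ip port" pair so that each listener's four directives stay consistent. The fragment directory, the listener list, and the port-name scheme (full dotted IP with dots replaced by dashes, so that 192.168.0.2 and 192.168.1.2 do not collide on the same port) are assumptions for illustration; the NAT caveat in the comment restates the point made above about the myip ACL.

```shell
#!/bin/sh
# Added example (not from the original post): generate Squid per-listener
# config fragments in the style of /etc/squid/IPA/<ip>_<port>.
#
# Each fragment binds one listening IP:port to a port name, and uses that
# name (via a myportname ACL) to pin tcp_outgoing_address and access_log.
# This avoids the myip ACL, which is unreliable when iptables NAT rewrites
# the destination address before Squid sees the connection.

# Constructed sample listener list ("ip port" per line); an assumption.
LISTENERS="192.168.0.2 8002
192.168.1.2 8002
192.168.2.2 8002
192.168.3.2 8003"

# Port name derived from the full IP so that different subnets on the
# same port get distinct names (e.g. ip-192-168-0-2-8002).
port_name() {
    printf 'ip-%s-%s' "$(printf '%s' "$1" | tr '.' '-')" "$2"
}

# Emit the four-directive fragment for one listener to stdout.
gen_fragment() {
    ip="$1"; port="$2"
    name="$(port_name "$ip" "$port")"
    printf '%s\n' \
        "http_port ${ip}:${port} name=${name}" \
        "acl ${name} myportname ${name}" \
        "tcp_outgoing_address ${ip} ${name}" \
        "access_log /var/log/squid/access_${ip}_${port}.log squid ${name}"
}

# Read "ip port" lines from stdin and write one fragment file per line
# into the given directory (to be pulled in with "include <dir>/*").
gen_all() {
    dir="$1"
    mkdir -p "$dir"
    while read -r ip port; do
        [ -n "$ip" ] || continue
        gen_fragment "$ip" "$port" > "${dir}/${ip}_${port}"
    done
}

# Sanity check: every fragment in the directory must carry a distinct
# http_port name; prints 0 when all names are unique, 1 otherwise.
check_unique_names() {
    dups="$(grep -h '^http_port ' "$1"/* 2>/dev/null \
        | sed -n 's/.*name=\([^ ]*\).*/\1/p' | sort | uniq -d | wc -l)"
    [ "$dups" -eq 0 ] && echo 0 || echo 1
}

# Only write files when a target directory is given on the command line,
# e.g.:  sh gen_ipa.sh /etc/squid/IPA
if [ -n "${1:-}" ]; then
    printf '%s\n' "$LISTENERS" | gen_all "$1"
    check_unique_names "$1"
fi
```

After generating the fragments, keep the shared directives (visible_hostname, pid_filename, auth_param) in the main squid.conf only, add `include /etc/squid/IPA/*`, and run `squid -k parse` before reloading so that a malformed fragment is caught before it takes down the single instance.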
Received on Sat Jun 04 2011 - 07:33:58 MDT

This archive was generated by hypermail 2.2.0 : Sat Jun 04 2011 - 12:00:01 MDT