On 04/06/11 06:25, errno wrote:
> On Thursday, June 02, 2011 01:03:06 AM Amos Jeffries wrote:
>> On 02/06/11 19:41, errno wrote:
>>> Just to confirm:
>>>
>>> If I have multiple ip aliases assigned to the same physical nic, will
>>> there still be port conflicts on an ip (aliased) based multi-instanced
>>> squid server?
>>
>> There is rarely a need for the combo of IP aliasing + Squid.
>>
>
> You know, maybe this just now actually clicked in my brain...
>
> So, let's say that we did have a few different aliased IPs (on different
> subnets):
>
> For example:
> eth0 -> 192.196.0.2
> eth0:1 -> 192.196.1.2
> eth0:2 -> 192.196.2.2
> eth0:3 -> 192.168.3.2
>
>
> Rather than setting up, say, 4 separate instances of squid - one per subnet -
> I'm thinking why not just set up 1 single instance (say, on 192.196.0.2), then
> just use iptables to redirect any traffic hitting the other IPs (192.196.1.2
> through 192.168.3.2) to the 192.196.0.2? Then the single squid.conf would
> be configured (somehow) to use the appropriate tcp_outgoing_address(?),
> or something?
>
> Something like:
>
> incoming request to 192.196.2.2:80 ->
> iptables passes it to 192.196.0.2:80 ->
> squid receives request on 192.196.0.2, but dispatches back out 192.196.2.2
>
> ???
>
> Something along those lines?
Yes. Based on the "myip" ACL for the "incoming request to $myip" bit.
Note that "myip" fails if NAT is happening on the packets arrival. Squid
will get mangled IPs to test against $myip and usually fail to do a
reliable match.
In this case you do need multiple http_port in squid.conf for the one
squid instance and myportname ACL for the manipulations.
>
> Or can I achieve the same effect w/o iptables - by just supplying multiple
> ip:ports to http_port ? The primary concern is that if a request to squid
> comes in on one particular address, that squid will ensure that this
> request leaves squid with the same tcp_outgoing_address - which is
> why we were (naively?) using multiple separate instances... each
> instance had:
>
> include /etc/squid/squid_common.conf
>
> access_log /var/log/squid/access_192.168.0.2.log squid
> auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
> http_port 192.168.0.2:8002
> tcp_outgoing_address 192.168.0.2
> pid_filename /var/run/squid_192.168.0.2.pid
> visible_hostname 192.168.0.2
*IF* (and that is a big IF) you really need the outgoing IP to be fixed.
You can run one instance with multiple copies of the above snippet.
Note that visible_hostname, pid_filename and auth are unique
directives; only one copy is used per instance of Squid.
I set up this kind of thing with Squid-3.1 like so:
squid.conf:
include /etc/squid/IPA/*
.. blah...
/etc/squid/IPA contains a number of files with the specific listening IP
handling.
eg /etc/squid/IPA/192.168.0.2_8002:
http_port 192.168.0.2:8002 name=ip-2-8002
acl ip-2-8002 myportname ip-2-8002
tcp_outgoing_address 192.168.0.2 ip-2-8002
access_log /var/log/squid/access_192.168.0.2_8002.log squid ip-2-8002
>
>
> Thanks for helping to clear my confusion and possibly derive a much
> simpler and easier to maintain squid service; and huge thanks to
> Amos for the incredible amount of time and assistance he offers on
> this list!
>
Thank you :)
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2
Received on Sat Jun 04 2011 - 07:33:58 MDT
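As an added example (not part of the thread above, and not a Squid tool), the following Python checker lints a set of per-IP fragments written in the style Amos describes: each http_port must carry a name=, each tcp_outgoing_address must be restricted by a myportname ACL whose listener IP equals the outgoing IP (otherwise a request arriving on one address silently leaves on another, which is exactly the case errno wanted to rule out), and instance-wide directives such as visible_hostname, pid_filename and auth_param must not appear in a per-IP fragment because Squid keeps only one copy. The fragments are constructed inline for the example; the file names, the ip-N-PORT naming and the third fragment's two deliberate mistakes are assumptions, not anything from the thread.

```python
import re
from collections import defaultdict

# Directives Squid reads once per instance (Amos's point above); repeating
# them in per-IP fragments is a mistake because only one copy takes effect.
INSTANCE_UNIQUE = {"visible_hostname", "pid_filename", "auth_param"}

# Constructed sample fragments, keyed by the file name they would have under
# /etc/squid/IPA/. The third one contains two deliberate mistakes.
SAMPLE_FRAGMENTS = {
    "192.168.0.2_8002": """\
http_port 192.168.0.2:8002 name=ip-2-8002
acl ip-2-8002 myportname ip-2-8002
tcp_outgoing_address 192.168.0.2 ip-2-8002
access_log /var/log/squid/access_192.168.0.2_8002.log squid ip-2-8002
""",
    "192.168.1.2_8002": """\
http_port 192.168.1.2:8002 name=ip-1-8002
acl ip-1-8002 myportname ip-1-8002
tcp_outgoing_address 192.168.1.2 ip-1-8002
access_log /var/log/squid/access_192.168.1.2_8002.log squid ip-1-8002
""",
    "192.168.3.2_8002": """\
http_port 192.168.3.2:8002 name=ip-3-8002
acl ip-3-8002 myportname ip-3-8002
# mistake: outgoing IP does not match the listener that ip-3-8002 names
tcp_outgoing_address 192.168.0.2 ip-3-8002
# mistake: instance-wide directive repeated in a per-IP fragment
pid_filename /var/run/squid_192.168.3.2.pid
""",
}


def parse_fragment(text):
    """Yield (directive, args) for each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def check_fragments(fragments):
    """Return a list of problem strings; an empty list means the set is consistent."""
    problems = []
    port_ip = {}                      # port name -> listening IP (IPv4 only here)
    acl_port = {}                     # myportname ACL name -> port name
    seen_unique = defaultdict(list)   # instance-wide directive -> fragments using it
    parsed = {name: list(parse_fragment(text)) for name, text in fragments.items()}

    # Pass 1: collect named listeners, myportname ACLs and misplaced directives.
    for fname, lines in parsed.items():
        for directive, args in lines:
            if directive == "http_port":
                ip = args[0].rsplit(":", 1)[0]
                names = [a[len("name="):] for a in args[1:] if a.startswith("name=")]
                if not names:
                    problems.append(f"{fname}: http_port {args[0]} has no name=, "
                                    "so no myportname ACL can select it")
                    continue
                port_ip[names[0]] = ip
            elif directive == "acl" and len(args) >= 3 and args[1] == "myportname":
                acl_port[args[0]] = args[2]
            elif directive in INSTANCE_UNIQUE:
                seen_unique[directive].append(fname)

    # Pass 2: every tcp_outgoing_address must be tied to a port whose
    # listening IP is the same address the reply will leave from.
    for fname, lines in parsed.items():
        for directive, args in lines:
            if directive != "tcp_outgoing_address":
                continue
            out_ip, acls = args[0], args[1:]
            if not acls:
                problems.append(f"{fname}: tcp_outgoing_address {out_ip} has no ACL "
                                "and would apply to every request")
                continue
            for acl in acls:
                pname = acl_port.get(acl)
                if pname is None:
                    problems.append(f"{fname}: ACL {acl} is not a myportname ACL")
                elif port_ip.get(pname) != out_ip:
                    problems.append(f"{fname}: outgoing {out_ip} but port {pname} "
                                    f"listens on {port_ip.get(pname)}")

    for directive, where in seen_unique.items():
        problems.append(f"{directive} set in per-IP fragment(s) {sorted(where)}: "
                        "only one copy per instance is used")
    return problems


if __name__ == "__main__":
    for problem in check_fragments(SAMPLE_FRAGMENTS):
        print(problem)
```

Running the block reports two problems, both in the third fragment; dropping that fragment yields an empty list, i.e. a set of fragments in which every listener is paired with a matching outgoing address. To lint a real /etc/squid/IPA directory, read each file into the dictionary in place of the constructed sample.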