Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Wed, 2005-02-23 at 00:05 +0100, Henrik Nordstrom wrote:
> On Tue, 22 Feb 2005, Marco Crucianelli wrote:
>
> > Well, I'm sure not that good in squid configuration, but thinking about
> > a layer 7 switching solution using virtual IP, to let squid answer to
> > clients request directly I should use a TCP handoff.
>
> Yes...
>
> > In such a case,
> > squid needs to use the virtual IP address to answer to clients (binding
> > squid instance to the virtual IP in squid.conf) while, to speak with its
> > cache_peer it needs to use its real IP address (using something like
> > udp_incoming_address and udp_outgoing_address in squid.conf).
>
> You don't need to bind Squid to the virtual IP. You may if you only want
> Squid to answer to the virtual IP and not the real IPs, but it is not
> required.

You are extremely right! That way, I mean binding squid on the virtual IP, I make it answer only to the virtual IP, otherwise squid answers to all possible active interfaces.

> > While, not using virtual IP solution but natting only, I don't need
> > neither to bind squid to virtual IP nor to change udp_incoming and
> > outgoing_address.
>
> You do not need to if you use a virtual IP either.
>
> All the gory details of the virtual IP are handled by the OS, and even
> there it isn't that much special about it (just a secondary IP on the same
> server). Only if the servers are on the same network segment as the L7
> switch publishes the virtual IP on is some small amount of care needed at
> the OS level to make sure the servers do not respond to ARP on the virtual
> IP. Only the L7 switch should respond to ARP for the virtual IP. If the
> servers are on a separate network behind the L7 switch then the ARP problem
> is not an issue and can be ignored.
>
> Regards
> Henrik

Sometimes I do feel like I'm abusing you!!! :) I do thank you Henrik, this was exactly what I was trying to say! Even if it was not that clear to me...now it is! ;)

Thank you!

Marco
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Tue, 22 Feb 2005, Marco Crucianelli wrote:

> Well, I'm sure not that good in squid configuration, but thinking about
> a layer 7 switching solution using virtual IP, to let squid answer to
> clients request directly I should use a TCP handoff.

Yes...

> In such a case,
> squid needs to use the virtual IP address to answer to clients (binding
> squid instance to the virtual IP in squid.conf) while, to speak with its
> cache_peer it needs to use its real IP address (using something like
> udp_incoming_address and udp_outgoing_address in squid.conf).

You don't need to bind Squid to the virtual IP. You may if you only want Squid to answer to the virtual IP and not the real IPs, but it is not required.

> While, not using virtual IP solution but natting only, I don't need
> neither to bind squid to virtual IP nor to change udp_incoming and
> outgoing_address.

You do not need to if you use a virtual IP either.

All the gory details of the virtual IP are handled by the OS, and even there it isn't that much special about it (just a secondary IP on the same server). Only if the servers are on the same network segment as the L7 switch publishes the virtual IP on is some small amount of care needed at the OS level to make sure the servers do not respond to ARP on the virtual IP. Only the L7 switch should respond to ARP for the virtual IP. If the servers are on a separate network behind the L7 switch then the ARP problem is not an issue and can be ignored.

Regards
Henrik
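
Added example, not part of the message above or of the original thread: one way to check the OS-level ARP care described there on a Linux real server, assuming an LVS direct-routing layout with the virtual IP held on lo and the real NIC named eth0. arp_ignore and arp_announce are the Linux kernel's sysctl names; the function names, the eth0 interface and the sample directory are assumptions made for this example.

```shell
#!/bin/sh
# Audit the ARP sysctls of a Linux real server that shares a VIP with an L7 switch.
# ROOT is normally /proc/sys/net/ipv4/conf; a constructed directory works as well.

# read_conf ROOT IFACE KEY -> value of the sysctl, 0 (kernel default) if unreadable
read_conf() {
    if [ -r "$1/$2/$3" ]; then cat "$1/$2/$3"; else echo 0; fi
}

# effective ROOT IFACE KEY -> max(conf/all/KEY, conf/IFACE/KEY); the kernel applies
# the larger of the two for both arp_ignore and arp_announce
effective() {
    a=$(read_conf "$1" all "$3")
    i=$(read_conf "$1" "$2" "$3")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# vip_arp_check ROOT IFACE -> prints findings; returns 0 only when IFACE will not
# answer or advertise ARP for an address that lives on another interface (the VIP)
vip_arp_check() {
    root=${1:-/proc/sys/net/ipv4/conf}
    iface=${2:-eth0}
    rc=0
    ign=$(effective "$root" "$iface" arp_ignore)
    ann=$(effective "$root" "$iface" arp_announce)
    case "$ign" in
        1|2|8) ;;   # reply only for addresses on the receiving interface, or never
        *) echo "$iface: arp_ignore=$ign, may answer ARP for a VIP held on lo"; rc=1 ;;
    esac
    if [ "$ann" -ne 2 ]; then
        echo "$iface: arp_announce=$ann, outgoing ARP may use the VIP as source"; rc=1
    fi
    return $rc
}

# Constructed sample: an unhardened host (kernel defaults), then the usual LVS fix.
demo=$(mktemp -d); mkdir -p "$demo/all" "$demo/eth0"
vip_arp_check "$demo" eth0 || echo "-> this server would compete with the L7 switch"
echo 1 > "$demo/all/arp_ignore"; echo 2 > "$demo/all/arp_announce"
vip_arp_check "$demo" eth0 && echo "-> this server stays silent for the VIP"
rm -rf "$demo"
```

On a live host, call vip_arp_check "" eth0 to read the real values from /proc/sys/net/ipv4/conf.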
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Mon, 2005-02-21 at 18:58 +0100, Henrik Nordstrom wrote:
> On Mon, 21 Feb 2005, Marco Crucianelli wrote:
>
> > I mean: what I was thinking of was a Layer 7 solution using virtual IP
> > address, just to let the two squid answer to the clients without passing
> > back through the Layer 7 machine! In such a case I do need virtual IP
> > and there should surely be some things to modify in squid.conf
>
> No, there are no things to modify in squid.conf when you use a virtual ip.
> Squid configuration is 100% the same as when using NAT.
>
> The difference is in your OS IP configuration only. Not Squid.

Well, I'm sure not that good in squid configuration, but thinking about a layer 7 switching solution using virtual IP, to let squid answer to clients request directly I should use a TCP handoff. In such a case, squid needs to use the virtual IP address to answer to clients (binding squid instance to the virtual IP in squid.conf) while, to speak with its cache_peer it needs to use its real IP address (using something like udp_incoming_address and udp_outgoing_address in squid.conf).

While, not using virtual IP solution but natting only, I don't need neither to bind squid to virtual IP nor to change udp_incoming and outgoing_address.

Am I wrong?!?

>
> Regards
> Henrik

Thanks!

Marco
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Mon, 21 Feb 2005, Marco Crucianelli wrote:

> I mean: what I was thinking of was a Layer 7 solution using virtual IP
> address, just to let the two squid answer to the clients without passing
> back through the Layer 7 machine! In such a case I do need virtual IP
> and there should surely be some things to modify in squid.conf

No, there are no things to modify in squid.conf when you use a virtual ip. Squid configuration is 100% the same as when using NAT.

The difference is in your OS IP configuration only. Not Squid.

Regards
Henrik
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
First of all, thanks Henrik!

The problem was mine. I mean: what I was thinking of was a Layer 7 solution using virtual IP address, just to let the two squid answer to the clients without passing back through the Layer 7 machine! In such a case I do need virtual IP and there should surely be some things to modify in squid.conf

Anyway, yes, using a simple Layer7 solution together with NAT I don't need any virtual IP as well as any particular change in squid.conf!

Thanks!

Marco
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Thu, 17 Feb 2005, Marco Crucianelli wrote:

> Well, maybe I was not that clear in my explanation (my english fault! :

I do think I understood your question proper.

If you are using a layer 7 switch then there are NO specific changes needed to squid.conf to make things work proper. Just configure each Squid server as you would normally configure this Squid server.

> something like this! That's why I was asking if I should modify
> udp_incoming_address and udp_outgoing_address!

You should not.

> But I have another doubt too: those two directives (udp_incoming_address
> and udp_outgoing_address) change the ip address that squid uses to make
> ICP queries, what happens after squid has queried using ICP, I mean, what
> address does it use to retrieve the content it needs from the
> parent_squid?

Normally the IP address of the server where it runs, which in nearly all cases is what you want.

> Does it use the virtual IP address or the real one?

This is up to your OS configuration, but in nearly all cases involving layer 7 switches the OS will never use the virtual IP for anything except accepting traffic via the layer 7 switch, and this is what you want.

You can ask squid to hint to the OS what address to use by the tcp_outgoing_address directive, but you should only use this if your situation requires you to. Only the fact that you use a layer 7 switch practically never requires you to use this directive.

Regards
Henrik
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
Thanks for your answer Henrik

> > Here comes the funny part...well...I do even need that these two squid
> > could use two different squid_parent via ICP. Going this way, I do need
> > that the squid having the layer 7 switch in front could even use their
> > real IP address to communicate with their own squid_parent. Could I use
> > something like this in squid.conf to make everything work?
> >
> > udp_incoming_address real_ip_address
> > udp_outgoing_address 255.255.255.255
>
> No need to do this, just leave them at the defaults allowing Squid to use
> the real IP of your server as provided by the OS.
>
> Same thing for tcp_outgoing_address.
>
> Regards
> Henrik

Well, maybe I was not that clear in my explanation (my english fault! :P) I was speaking about the same squid behind the layer 7 switch! I mean, those two squid behind the layer 7 switch must connect on one side with the layer 7 switch, using the Virtual IP address, and on the other side with other two parent squid with their real IP address...or something like this! That's why I was asking if I should modify udp_incoming_address and udp_outgoing_address!

But I have another doubt too: those two directives (udp_incoming_address and udp_outgoing_address) change the ip address that squid uses to make ICP queries, what happens after squid has queried using ICP, I mean, what address does it use to retrieve the content it needs from the parent_squid? Does it use the virtual IP address or the real one?

Thank you very much for your patience Henrik!

Marco
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Wed, 16 Feb 2005, Marco Crucianelli wrote:

> (Linux Virtual Server) I know that these three machines I would use (one
> layer 7 switching and 2 squid) should share the same virtual IP address.
> Now, this shouldn't be bad, as I could write in the squid.conf
>
> http_port virtual_ip_address
>
> thus both squid could use the same virtual IP address.

This is a perfectly fine thing to do. However, shared IP addresses require careful configuration of the hosts or your network layout to avoid network address conflicts. See LVS documentation for details.

In general I recommend starting with LVS/NAT as this is by far the simplest to set up and get everything right. You need to reach a very high traffic volume before LVS/NAT becomes your bottleneck and I don't see this likely to happen with Squid unless you have a very big farm of machines.

> Here comes the funny part...well...I do even need that these two squid
> could use two different squid_parent via ICP. Going this way, I do need
> that the squid having the layer 7 switch in front could even use their
> real IP address to communicate with their own squid_parent. Could I use
> something like this in squid.conf to make everything work?
>
> udp_incoming_address real_ip_address
> udp_outgoing_address 255.255.255.255

No need to do this, just leave them at the defaults allowing Squid to use the real IP of your server as provided by the OS.

Same thing for tcp_outgoing_address.

Regards
Henrik
Re: [squid-users] Squid, virtual IP and Layer 7 switching...any idea?
On Wed, 2005-02-16 at 21:25, Marco Crucianelli wrote:
> As I wrote in another post, I was considering using two squid on two
> different machines, one for normal web stuff (small files) and another one
> for very big files (huge video). I was thinking to use a layer 7 switch in
> front of them, thus I could make clients use both of them in a transparent
> way! Reading something about a software layer 7 switching (Linux Virtual
> Server) I know that these three machines I would use (one layer 7 switching
> and 2 squid) should share the same virtual IP address. Now, this shouldn't be
> bad, as I could write in the squid.conf
>
> http_port virtual_ip_address
>
> thus both squid could use the same virtual IP address.

This seems overly complex. Usually balancing boxes (including LVS) can do some form of DNAT. Simply use that, and make sure that in reaching the clients you go back through the balancer (so that the NAT can be properly closed) and you're done.

> Here comes the funny part...well...I do even need that these two squid could
> use two different squid_parent via ICP. Going this way, I do need that the
> squid having the layer 7 switch in front could even use their real IP address
> to communicate with their own squid_parent. Could I use something like this
> in squid.conf to make everything work?
>
> udp_incoming_address real_ip_address
> udp_outgoing_address 255.255.255.255

I don't think you need any of this. Just have each squid instance point to its parent. But really I don't see the advantage of this solution, performance-wise.

>
> I've made this small schema to make you understand better how I would like
> to connect everything!
>
> TIA
>
> Marco
>
>  _______________      _______________
> | parent_squid1 |    | parent_squid2 |
> |_______________|    |_______________|
>         |                    |
>         | ICP                | ICP
>         |                    |
>     ________             ________
>    | squid1 |           | squid2 |
>    |________|           |________|
>         |                    |
>         |                    |
>      __________________________
>     |      Layer 7 switch      |

Kinkie
[squid-users] Squid, virtual IP and Layer 7 switching...any idea?
As I wrote in another post, I was considering using two squid on two different machines, one for normal web stuff (small files) and another one for very big files (huge video). I was thinking to use a layer 7 switch in front of them, thus I could make clients use both of them in a transparent way! Reading something about a software layer 7 switching (Linux Virtual Server) I know that these three machines I would use (one layer 7 switching and 2 squid) should share the same virtual IP address. Now, this shouldn't be bad, as I could write in the squid.conf

http_port virtual_ip_address

thus both squid could use the same virtual IP address.

Here comes the funny part...well...I do even need that these two squid could use two different squid_parent via ICP. Going this way, I do need that the squid having the layer 7 switch in front could even use their real IP address to communicate with their own squid_parent. Could I use something like this in squid.conf to make everything work?

udp_incoming_address real_ip_address
udp_outgoing_address 255.255.255.255

I've made this small schema to make you understand better how I would like to connect everything!

TIA

Marco

 _______________      _______________
| parent_squid1 |    | parent_squid2 |
|_______________|    |_______________|
        |                    |
        | ICP                | ICP
        |                    |
    ________             ________
   | squid1 |           | squid2 |
   |________|           |________|
        |                    |
        |                    |
     __________________________
    |      Layer 7 switch      |