Hey Amos,

The custom LB is only there to try and filter HTTP and non-HTTP traffic before the connections reach Squid. Currently I have a prototype which intercepts using TPROXY by itself and identifies a couple of protocols.

The reason for this LB is that I get a more flexible way around the connection. My code can enforce specific ACLs based on specific characteristics of the client and/or the server.

Iptables does its work fine but lacks the ability to dynamically handle and identify specific traffic.
For example the nDPI iptables module:
- https://github.com/vel21ripn/nDPI

which is being used in a couple of products, and a similar module also exists in many commercial products, but it still lacks some degree of flexibility. The kernel land is indeed fast and maybe efficient but it binds the programmers to C and its libraries and compilers, let alone licenses.

Currently, on a 40+ core machine with 128GB RAM, I can run a full-blown layer 7 proxy for a big network (/16+) and the CPU is almost always loaded below 10%.

I do not intend to develop my proxy too much since others have done this already, but it's nice to see that more products can enter the market easily.

Thanks,
Eliezer


On 2018-05-15 22:36, Amos Jeffries wrote:
On 16/05/18 02:09, Eliezer Croitoru wrote:
Hey Squid-Dev,

I am in the middle of writing a load balancer \ router (almost done) for
squid with TPROXY in it.

The load balancer sits on the Squid machine and intercepts the connections.

I want to send Squid instances a new connection on a PROXY protocol
enabled http_port but that squid will use TPROXY on the outgoing
connection based on the PROXY protocol details.


Would it be possible? I think it should but not sure.


Maybe. Since both pieces of software are on the same machine it should get past
the kernel protections against arbitrary spoofing.

You will have to check that BOTH dst-IP:port and src-IP:port pairs are
correctly relayed by the PROXY protocol. If not the TPROXY will end up
with mangled socket state and undefined behaviour (probably breakage).



My plan is to try and load balance connections between multiple squid
instances/workers for filtering purposes and PIN each of the instances
to a CPU (20+ cores physical host).

How reasonable is this idea?

You don't need a custom LB. iptables is sufficient, or other firewalls
if you have a non-Linux machine.


<https://wiki.squid-cache.org/ConfigExamples/ExtremeCarpFrontend#Frontend_Balancer_Alternative_1:_iptables>

You should be able to fit those LB lines into a normal TPROXY config.
Just replace the "-j REDIRECT" with the "-j TPROXY --tproxy-mark ...".

Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

--
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
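Amos's warning above is that TPROXY on the backend only works if the PROXY protocol header relays both the client src-IP:port and the original dst-IP:port; a header that carries only part of that leaves the spoofed outgoing socket in an undefined state. The following is an added example, not code from Squid or from Eliezer's load balancer, of a PROXY protocol v1 header builder plus a strict parser that rejects incomplete headers before they reach a TPROXY-capable backend. All addresses and ports in it are constructed sample values from documentation ranges.

```python
"""Build and validate PROXY protocol v1 headers for a TPROXY-aware backend.

Added example for the squid-dev thread; not Squid or the poster's LB code.
Sample addresses/ports are constructed (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress
from typing import NamedTuple, Tuple

V1_MAX_LINE = 107  # a v1 header, including the trailing CRLF, is at most 107 bytes


class ProxyV1(NamedTuple):
    family: str    # "TCP4" or "TCP6"
    src_ip: str    # original client address: what TPROXY must spoof outbound
    dst_ip: str    # original destination address the client was talking to
    src_port: int
    dst_port: int


def build_proxy_v1(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Emit the header a front-end balancer sends ahead of the client bytes."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("src and dst must be the same address family")
    for port in (src_port, dst_port):
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    line = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")
    if len(line) > V1_MAX_LINE:
        raise ValueError("header exceeds the v1 length limit")
    return line


def parse_proxy_v1(data: bytes) -> Tuple[ProxyV1, bytes]:
    """Parse the header at the start of `data`; return (header, remaining bytes).

    Raises ValueError whenever either endpoint pair is missing or inconsistent,
    which is exactly the case in which a TPROXY backend would be left guessing.
    """
    end = data.find(b"\r\n", 0, V1_MAX_LINE)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # The spec allows "PROXY UNKNOWN", but it carries no endpoints to spoof.
        raise ValueError("UNKNOWN family carries no endpoints; refuse for TPROXY")
    if len(fields) != 6:
        raise ValueError("expected family, src-IP, dst-IP, src-port, dst-port")
    family, src_ip, dst_ip, src_port_s, dst_port_s = fields[1:]
    if family not in ("TCP4", "TCP6"):
        raise ValueError(f"unsupported family {family!r}")
    version = 4 if family == "TCP4" else 6
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match the addresses given")
    src_port, dst_port = int(src_port_s), int(dst_port_s)
    for port in (src_port, dst_port):
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {port}")
    header = ProxyV1(family, str(src), str(dst), src_port, dst_port)
    return header, data[end + 2:]


if __name__ == "__main__":
    # Constructed round trip: balancer builds, backend parses, payload survives.
    wire = build_proxy_v1("192.0.2.55", 40000, "203.0.113.10", 80) + b"GET / HTTP/1.1\r\n"
    hdr, payload = parse_proxy_v1(wire)
    print(hdr, payload)
```

The parser deliberately treats "PROXY UNKNOWN" and any five-field header as errors rather than falling back to the balancer's own socket addresses; a backend that silently accepted those would open its outbound TPROXY socket with the wrong source, which is the mangled-state failure Amos describes.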
