On 04/06/11 06:25, errno wrote:
On Thursday, June 02, 2011 01:03:06 AM Amos Jeffries wrote:
On 02/06/11 19:41, errno wrote:
Just to confirm:

If I have multiple ip aliases assigned to the same physical nic, will
there still be port conflicts on an ip (aliased) based multi-instanced
squid server?

There is rarely a need for the combo of IP aliasing + Squid.


You know, maybe this just now actually clicked in my brain...

So, let's say that we did have a few different aliased IPs (on different
subnets):

For example:
eth0  ->   192.196.0.2
eth0:1 ->   192.196.1.2
eth0:2 ->   192.196.2.2
eth0:3 ->   192.168.3.2


Rather than setting up, say, 4 separate instances of squid - one per subnet -
I'm thinking why not just set up 1 single instance (say, on 192.196.0.2), then
just use iptables to redirect any traffic hitting the other IPs (192.196.1.2
through 192.168.3.2) to the 192.196.0.2? Then the single squid.conf would
be configured (somehow) to use the appropriate tcp_outgoing_address(?),
or something?

Something like:

incoming request to 192.196.2.2:80 ->
iptables passes it to 192.196.0.2:80 ->
squid receives request on 192.196.0.2, but dispatches back out 192.196.2.2

???

Something along those lines?

Yes. Based on the "myip" ACL for the "incoming request to $myip" bit.

Note that "myip" fails if NAT is happening on the packet's arrival. Squid will get mangled IPs to test against $myip and usually fail to do a reliable match. In this case you do need multiple http_port in squid.conf for the one squid instance and the myportname ACL for the manipulations.



Or can I achieve the same effect w/o iptables - by just supplying multiple
ip:ports to http_port ?   The primary concern is that if a request to squid
comes in on one particular address, that squid will ensure that this
request leaves squid with the same tcp_outgoing_address - which is
why we were (naively?) using multiple separate instances... each
instance had:

include /etc/squid/squid_common.conf

access_log /var/log/squid/access_192.168.0.2.log squid
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
http_port 192.168.0.2:8002
tcp_outgoing_address 192.168.0.2
pid_filename /var/run/squid_192.168.0.2.pid
visible_hostname 192.168.0.2

*IF* (and that is a big IF) you really need the outgoing IP to be fixed, you can run one instance with multiple copies of the above snippet.

Note that visible_hostname, pid_filename and auth are unique directives; only one copy is used per instance of Squid.

I set up this kind of thing with Squid-3.1 like so:

squid.conf:
 include /etc/squid/IPA/*
 .. blah...

/etc/squid/IPA contains a number of files with the specific listening IP handling.

eg /etc/squid/IPA/192.168.0.2_8002:

  http_port 192.168.0.2:8002 name=ip-2-8002
  acl ip-2-8002 myportname ip-2-8002
  tcp_outgoing_address 192.168.0.2 ip-2-8002
  access_log /var/log/squid/access_192.168.0.2_8002.log squid ip-2-8002



Thanks for helping to clear my confusion and possibly derive a much
simpler and easier to maintain squid service; and huge thanks to
Amos for the incredible amount of time and assistance he offers on
this list!


Thank you :)

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2

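The per-listener include files Amos describes above can be generated rather than hand-written. The script below is an added example, not code from the thread or from the Squid project: it takes "ip port" pairs on stdin, writes one fragment per listener into an include directory, and prints a main squid.conf skeleton that keeps the once-per-instance directives (pid_filename, visible_hostname, auth_param) in a single place. It follows the thread's choice of myportname over myip, so it keeps working when NAT rewrites the destination address before Squid sees it. The include directory, port numbers, log paths, hostname and the http_access rules are assumptions; the four aliased addresses are the constructed input from the question.

```shell
#!/bin/sh
# Added example: generate per-listener Squid-3.1 include fragments so that a
# single instance pins tcp_outgoing_address per http_port via myportname.
# Assumed layout: fragments live under $SQUID_IPA_DIR (default: a temp dir).

# Print the fragment for one listener.
# $1 = listening IP, $2 = listening port
squid_listener_fragment() {
    ip="$1"
    port="$2"
    # Port name in the thread's "ip-<...>-<port>" style, dots replaced by dashes.
    name="ip-$(printf '%s' "$ip" | tr '.' '-')-$port"
    cat <<EOF
http_port ${ip}:${port} name=${name}
acl ${name} myportname ${name}
tcp_outgoing_address ${ip} ${name}
access_log /var/log/squid/access_${ip}_${port}.log squid ${name}
EOF
}

# Read "ip port" lines on stdin and write one fragment file per line into $1.
squid_write_listeners() {
    dir="$1"
    mkdir -p "$dir"
    while read -r ip port; do
        [ -n "$ip" ] || continue
        squid_listener_fragment "$ip" "$port" > "$dir/${ip}_${port}"
    done
}

# Print the main squid.conf skeleton that includes the fragments in $1.
# Directives that exist once per instance stay here, never in the fragments.
squid_main_conf() {
    dir="$1"
    cat <<EOF
# Once-per-instance directives (assumed values; adjust to your site)
pid_filename /var/run/squid.pid
visible_hostname proxy.example.internal
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny all
# One fragment per aliased IP: http_port + myportname ACL + tcp_outgoing_address + access_log
include ${dir}/*
EOF
}

# Example run with the four aliased IPs from the question (constructed input).
demo_dir="${SQUID_IPA_DIR:-$(mktemp -d)}"
printf '%s\n' "192.196.0.2 8002" "192.196.1.2 8002" "192.196.2.2 8002" "192.168.3.2 8002" \
    | squid_write_listeners "$demo_dir"
squid_main_conf "$demo_dir"
```

Run it once to inspect the output, then point SQUID_IPA_DIR at /etc/squid/IPA (or wherever the include line in your real squid.conf looks) and rerun; each fragment pins the outgoing address for exactly the listener it names, and because the match is on the port name rather than the destination IP, an iptables REDIRECT in front of Squid does not break it.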