Re: [squid-users] Active - Active

From: Pieter De Wit <pieter_at_insync.za.net>
Date: Mon, 6 Apr 2009 23:33:26 +0200 (SAST)

Hi Graham,

That is correct - but since I would like to run a transparent proxy (yes -
I *could* redirect "off the box") I would prefer to keep it on the boxes.

They are going to be beefy boxes to say the least, so might as well use
them while we can :)

I spoke to the guys and they are happy to have the "active tcp session"
fail if one of the boxes dies. They don't do loads of big downloads so the
chance that a client will see the failure is very little.

Come to think of it, the only people that will do big downloads are the IT
Staff (drivers, SP etc) and if those boxes fail, they will have more to
worry about ;)

Re-reading your email - yes - squid on a private LAN wouldn't even see the
failure, except for the slight delay with TCP ACK's etc "restarting" the
connection (any active connections) - I haven't found a way around that,
but I think that might be drifting off-topic

Cheers,

Pieter

On Tue, 7 Apr 2009, graham wrote:

> Hello Pieter,
> The failover requirement that you describe looks remarkably like one of
> the configurations commonly used by Astaro firewall devices.
> If you were to conceptually remove the squid function from the failover,
> ie in the simplest case onto another device on the private LAN, then an
> active-standby pair of firewalls, with common public and private
> addresses would be transparent to squid - wouldn't it ?
> cheers
> Graham
> =======================================
> On Mon, 2009-04-06 at 03:21 +0200, Pieter De Wit wrote:
>>> When you are confident about this going, we can move on to the HTTPS and
>>> failover questions.
>>>
>>> Amos
>>
>>
>> Hi Guys,
>>
>> Sorry that I am "dropping" in on this thread, but it reminded me that I
>> need to find this out.
>>
>> I am working on a "active-active" firewall for a customer. It will be two
>> Linux boxes (Gentoo for now) running VRRP to publish a virtual IP. I have
>> done the firewall setup so that connections can failover between the boxes
>> (takes about 30 seconds - I am sure the heartbeat can be set to less) but
>> it works ok :)
>>
>> Now - the trickier part. Let's say someone is currently busy with a download,
>> can squid do a failover of the connection ? If so, mind pointing me to the
>> setup docs ?
>>
>> If this is going to be a feature to add to squid, then I am happy to take
>> it to the dev mailing list and "propose" something there.
>>
>> Please accept my best attempt at ASCII art :)
>>
>>    |eth2                 |eth2
>> ___|___               ___|___
>> |NODE1|               |NODE2|
>> |     |--eth1---eth1--|     |
>> ---|---               ---|---
>>    |eth0                 |eth0
>>
>>
>> eth0 - Private LAN
>> eth1 - heartbeat,failover and ICP LAN
>> eth2 - Internet
>>
>> Cheers,
>>
>> Pieter
>>
>
>
Received on Mon Apr 06 2009 - 21:36:35 MDT
