Kevin wrote:
On 5/11/05, Hendrik Voigtländer <hendrik@xxxxxxxxxxxxxxxxx> wrote:
Security: The backend squid is located within the LAN and is separated from the parent by a firewall.
I need some help for deploying a second uplink.
My setup is simple:
A squid-backend to which users connect to use the net.
This squid forwards all traffic to a parent squid which is hooked up to
an ADSL-line. Works perfectly.
Can you explain the reasoning behind having a "backend" Squid server, separate from the "parent" Squid? Do both layers have similar policies for cache object size limits and cache_replacement_policy?
Fallback: The backend squid can use another, very reliable line (not ADSL) if the parents are down.
The parent is non-caching squid passing all traffic to the ADSL line.
But now we will get a second line as we need more bandwidth. The question is: What is the easiest and proven way to realise load balancing?
I have done some experiments with round-robin parents (2 adsl line = 2
parent proxies) but apparently some web applications such as some
webmail-services are confused if they are accessed from two different
ip-addresses simultaneously.
You might be able to get sufficient "stickiness" (so a given webmail session will tend to always make connections via the same parent rather than going round-robin) if you compile with --enable-icmp and configure the parent statements with closest-only. I have not tried this myself.
Sounds nice, but needs some testing.
Yes, I think I will separate the client by subnets. On the other hand doubling the number of squid installations will double the amount of work/maintenance etc.
My next idea would be to deploy some sort of routing at the parent squid, which would be hooked up to both lines. IMHO prone to errors.
I think I could set up two independent proxy chains (2 squid-backend, each
connected to a parent squid connected to an adsl-line) and use the
proxy.pac for load-balancing. Sounds pretty easy, but I am not sure.
This approach seems popular. Also, if your PAC lists both parents in each return (e.g. return("PROXY 10.1.1.1:3128;PROXY 10.1.1.2:3128");) you also get failover behavior. You just need to add logic into the PAC (or in the server returning the PAC to the client) so different clients try their parents in different orders.
Failover is a nice feature but not requested by the clients.
Any other ideas?
Regards, Hendrik Voigtländer
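
The PAC logic suggested in the thread (list both parents in every return, but have different clients try them in different orders), as an added example that is not part of the original messages. The proxy addresses are the ones from the PAC return quoted above; the helper names octetSum and proxyOrderFor are hypothetical, and the split is by a simple sum of the client's IPv4 octets, which is one possible choice.

```javascript
// Added example: PAC file that gives each client a stable parent order.
// A given client always tries the same parent first, so a webmail session
// keeps leaving via one uplink; the second entry is only used on failure.
var PROXIES = ["PROXY 10.1.1.1:3128", "PROXY 10.1.1.2:3128"];

// Sum the IPv4 octets; returns -1 for anything that is not a dotted quad.
function octetSum(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var sum = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var n = parseInt(parts[i], 10);
    if (n > 255) return -1;
    sum += n;
  }
  return sum;
}

// Rotate the proxy list by an offset derived from the client address.
// Unparseable addresses fall back to the default order.
function proxyOrderFor(clientIp) {
  var sum = octetSum(clientIp);
  var start = sum < 0 ? 0 : sum % PROXIES.length;
  var order = [];
  for (var i = 0; i < PROXIES.length; i++) {
    order.push(PROXIES[(start + i) % PROXIES.length]);
  }
  return order.join("; ");
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  // myIpAddress() is supplied by the browser's PAC runtime. On some hosts it
  // returns a loopback address, so those clients all get the default order.
  var ip = typeof myIpAddress === "function" ? myIpAddress() : "";
  return proxyOrderFor(ip);
}
```

Because the order depends only on the client address, it can also be computed on the server that hands out the PAC, as the reply mentions.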