Hello Pieter,

The failover requirement that you describe looks remarkably like one of
the configurations commonly used by Astaro firewall devices.

If you were to conceptually remove the squid function from the failover,
i.e. in the simplest case onto another device on the private LAN, then an
active-standby pair of firewalls, with common public and private
addresses, would be transparent to squid - wouldn't it?

cheers
Graham

=======================================

On Mon, 2009-04-06 at 03:21 +0200, Pieter De Wit wrote:
> > When you are confident about this going, we can move on to the HTTPS and
> > failover questions.
> >
> > Amos
> >
> Hi Guys,
>
> Sorry that I am "dropping" in on this thread, but it reminded me that I
> need to find this out.
>
> I am working on an "active-active" firewall for a customer. It will be two
> Linux boxes (Gentoo for now) running VRRP to publish a virtual IP. I have
> done the firewall setup so that connections can failover between the boxes
> (takes about 30 seconds - I am sure the heartbeat can be set to less) but
> it works ok :)
>
> Now - the trickier part. Let's say someone is currently busy with a download,
> can squid do a failover of the connection? If so, mind pointing me to the
> setup docs?
>
> If this is going to be a feature to add to squid, then I am happy to take
> it to the dev mailing list and "propose" something there.
>
> Please accept my best attempt at ASCII art :)
>
>       |eth2                 |eth2
>    ___|___               ___|___
>    |NODE1|               |NODE2|
>    |     |--eth1---eth1--|     |
>    ---|---               ---|---
>       |eth0                 |eth0
>
>
> eth0 - Private LAN
> eth1 - heartbeat, failover and ICP LAN
> eth2 - Internet
>
> Cheers,
>
> Pieter
>