Hi Graham,
That is correct - but since I would like to run a transparent proxy (yes -
I *could* redirect "off the box") I would prefer to keep it on the boxes.
They are going to be beefy boxes to say the least, so might as well use
them while we can :)
I spoke to the guys and they are happy to have the "active tcp session"
fail if one of the boxes dies. They don't do loads of big downloads so the
chance that a client will see the failure is very little.
Come to think of it, the only people that will do big downloads are the IT
Staff (drivers, SP etc) and if those boxes fail, they will have more to
worry about ;)
Re-reading your email - yes - squid on a private LAN wouldn't even see the
failure, except for the slight delay with TCP ACKs etc "restarting" the
connection (any active connections) - I haven't found a way around that,
but I think that might be drifting off-topic.
Cheers,
Pieter
On Tue, 7 Apr 2009, graham wrote:
Hello Pieter,
The failover requirement that you describe looks remarkably like one of
the configurations commonly used by Astaro firewall devices.
If you were to conceptually remove the squid function from the failover,
i.e. in the simplest case onto another device on the private LAN, then an
active-standby pair of firewalls, with common public and private
addresses would be transparent to squid - wouldn't it?
cheers
Graham
=======================================
On Mon, 2009-04-06 at 03:21 +0200, Pieter De Wit wrote:
When you are confident about this going, we can move on to the HTTPS and
failover questions.
Amos
Hi Guys,
Sorry that I am "dropping" in on this thread, but it reminded me that I
need to find this out.
I am working on an "active-active" firewall for a customer. It will be two
Linux boxes (Gentoo for now) running VRRP to publish a virtual IP. I have
done the firewall setup so that connections can failover between the boxes
(takes about 30 seconds - I am sure the heartbeat can be set to less) but
it works ok :)
Now - the trickier part. Let's say someone is currently busy with a download,
can squid do a failover of the connection? If so, mind pointing me to the
setup docs?
If this is going to be a feature to add to squid, then I am happy to take
it to the dev mailing list and "propose" something there.
Please accept my best attempt at ASCII art :)
   |eth2                 |eth2
___|___               ___|___
|NODE1|               |NODE2|
|     |--eth1---eth1--|     |
---|---               ---|---
   |eth0                 |eth0
eth0 - Private LAN
eth1 - heartbeat,failover and ICP LAN
eth2 - Internet
Cheers,
Pieter