On 19/03/11 22:13, Jakob Curdes wrote:
On 18.3.2011 18:23, Edouard Zorrilla wrote:
My scenario is to use two Squids working as forwarding proxies: SquidA
and SquidB. If SquidA fails users should be switched to the SquidB.
If I decide to go with PAC files the workstation is the one that
decides where to go. My concern is, where should I store the PAC file
so that it can also be redundant, let's say saved in two places?
Well if you failover the IP that squid is bound to (which is a standard
procedure in Linux HA) the "switching" of the users is done transparently.
If you use NTLM-like authentication against an AD controller with
winbind, the users will be reauthenticated, but transparently. Otherwise
-with plain text auth- users might need to reauthenticate.
That depends on what you mean by "plain text auth". (And I fail to think
of one which cannot be de-centralized for HA).
The browser is expected to send repeat credentials with every new
request. So login *always* re-auths transparently in the second proxy.
It is a HA problem of the auth backend itself if it fails to accept
re-auth after a proxy change.
In fact NTLM is one of the most flaky auth systems under HA. Its limit
of ~256 winbind requests in parallel makes it quite susceptible to
overload on the re-auth step.
If you store the PAC file on both servers (can be synced e.g. via rsync)
and move the HTTP server along with the squid, then the users will
always be presented with the same information via the same IP address.
Depending on the failover timing settings there might be an outage of a
minute or so, which is normally not a problem for web surfing.
But, a hint that is valid for all HA configurations: use test systems
for the setup before you go into production. HA is too complicated for
playing around and you can be left without internet access if you make
errors.
I'll second that.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
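
The PAC-based variant raised in the original question, as an added example that is not part of the thread: a PAC file that lists both proxies so the workstation falls back from SquidA to SquidB on its own. The hostnames and the port are assumptions (3128 is Squid's default http_port), and `isLocalTarget` is a hypothetical helper.

```javascript
// Added example PAC file, not from the thread.
// Hostnames are hypothetical; 3128 is Squid's default http_port.
var PROXY_A = "PROXY squida.example.net:3128"; // SquidA, tried first
var PROXY_B = "PROXY squidb.example.net:3128"; // SquidB, tried if SquidA is unreachable

// Hypothetical helper: true for targets that should not go through the proxy.
// Written without the browser's PAC built-ins so the file also runs
// under a plain JavaScript engine for testing.
function isLocalTarget(host) {
  var h = String(host).toLowerCase();
  // Single-label names (including "localhost") and the IPv4 loopback address.
  return h.indexOf(".") === -1 || h === "127.0.0.1";
}

// Entry point every PAC-aware client calls for each request.
function FindProxyForURL(url, host) {
  if (isLocalTarget(host)) {
    return "DIRECT";
  }
  // Ordered failover list: the client tries entries left to right.
  // There is deliberately no trailing "DIRECT", so if both proxies are
  // down the request fails instead of bypassing proxy authentication
  // and filtering.
  return PROXY_A + "; " + PROXY_B;
}
```

Serve the same file from both locations under one URL so every workstation sees identical content, as described above for the rsync-synced copy.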