Re: Marking squid<->webserver traffic

On 15/01/2013 1:30 a.m., Steve Hill wrote:

I'm setting up some traffic routing to use Squid's TPROXY with a separate router. So the network design looks like:


Clients ----- Squid
          |
          |
        Router
          |
          |
       Internet

There will be a GRE tunnel between Squid and the router.  So the idea is:
- The router intercepts web requests from the clients, uses iptables to mark them and routes them over the GRE tunnel to Squid.
- The Squid proxy machine intercepts the traffic coming from the GRE interface and redirects it to TPROXY.
- Squid does its thing, probably making a request to a web server.
- The traffic to the web server is routed over the GRE tunnel back to the router.
- The router CONNMARKs the traffic from the GRE tunnel and directs it out to the internet.
- Reply traffic from the webserver has its connmark restored by the router and is sent back over the GRE tunnel to Squid.
- Squid's response to the client is sent over the GRE tunnel to the router.
- The router sends the response on to the client.

I can do everything except identify Squid's requests to the web server and therefore route them back over GRE. I could use tcp_outgoing_tos and then route based on ToS, but I'd prefer to avoid abusing the ToS flags - is there a similar way of setting the fwmark? qos_flows only seems to control the replies to the client rather than requests to the web server...

With tcp_outgoing_mark.
http://www.squid-cache.org/Doc/config/tcp_outgoing_mark/



I've read through the documentation for setting up wccp, but as far as I can see the example configurations only route client->squid traffic via GRE and the squid->client and squid<->webserver traffic all follows the usual routing instead (which would require Squid to have its own dedicated connection to the router).


Yes. Normal routing is followed. Squid may be plugged into the WCCP router or have alternative connectivity, or the standard routing configured to push Squid outgoing traffic through the GRE interface. On the whole the alternative connectivity setup is best since it halves the load on the router doing interception.

Amos
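As an added example (not code from this thread, nor Squid's own), here is the tcp_outgoing_mark approach Amos points to, paired with the policy routing the Squid host needs so that marked squid->webserver packets leave via the GRE tunnel rather than the default route. Interface name gre1, outgoing mark 0x10, TPROXY mark 1, tables 100/101 and port 3129 are assumptions; Squid must be built with --enable-linux-netfilter and run with CAP_NET_ADMIN for SO_MARK to work.

```shell
#!/bin/sh
# Assumed values: gre1 = GRE tunnel to the router, 0x10 = mark for Squid's
# own outbound connections, 1 = TPROXY mark for intercepted client traffic.
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the ip/iptables commands instead

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# squid.conf fragment: intercept on 3129 and put fwmark <mark> on every
# outbound server connection (tcp_outgoing_mark applies SO_MARK to the socket).
squid_outgoing_mark_conf() {
  mark="$1"
  printf 'http_port 3129 tproxy\n'
  printf 'tcp_outgoing_mark %s all\n' "$mark"
}

# Policy routing on the Squid host: marked packets use a table whose only
# route is the GRE tunnel. The outgoing mark must differ from the TPROXY
# mark, otherwise webserver-bound packets hit the "local" TPROXY table and
# are looped back into Squid instead of reaching the router.
route_marked_over_gre() {
  mark="$1" table="$2" gre_if="$3" tproxy_mark="$4"
  if [ "$(( $mark ))" -eq "$(( $tproxy_mark ))" ]; then
    echo "outgoing mark $mark collides with TPROXY mark $tproxy_mark" >&2
    return 1
  fi
  run ip rule add fwmark "$mark" lookup "$table"
  run ip route add default dev "$gre_if" table "$table"
}

# TPROXY side: client traffic arriving from the GRE interface is marked and
# delivered locally to Squid's tproxy port.
tproxy_rules() {
  tproxy_mark="$1" table="$2" gre_if="$3"
  run ip rule add fwmark "$tproxy_mark" lookup "$table"
  run ip route add local 0.0.0.0/0 dev lo table "$table"
  run iptables -t mangle -A PREROUTING -i "$gre_if" -p tcp --dport 80 \
      -j TPROXY --tproxy-mark "$tproxy_mark/$tproxy_mark" --on-port 3129
}

main() {
  squid_outgoing_mark_conf 0x10 >> /etc/squid/squid.conf.d/gre-mark.conf
  tproxy_rules 1 101 gre1
  route_marked_over_gre 0x10 100 gre1 1
}

case "${1:-}" in apply) main ;; esac   # run as: sh gre-mark.sh apply
```

Run with DRY_RUN=1 first to review the exact rules before applying them; the router side (CONNMARK save/restore on its GRE interface) is unchanged from the design in the question.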

