On 24/09/2013 9:06 a.m., Martín Ferco wrote:
Hello,
I'm trying to use DansGuardian together with Squid and load-balancing
to use more than one ISP.
I've been able to achieve this by using cache_peer, and I should be
able to perform load balancing with the following two lines:
{{{
cache_peer squid-isp1 parent 13128 0 no-query round-robin sourcehash proxy-only
cache_peer squid-isp2 parent 23128 0 no-query round-robin sourcehash proxy-only
}}}
These two cache-peers run on the same box, as you can see.
Problem #1:
round-robin is one type of peer selection, sourcehash is a different
type. Only one method will be used to select between these peers.
I've also made sure that indirect options are set properly like this:
{{{
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
follow_x_forwarded_for allow localhost
}}}
Problem #2:
Notice how none of these options mention cache_peer or outbound
connections.
I'm sure that's working fine as the logs show the correct information
for different IP addresses (and not 127.0.0.1, where DansGuardian is
running as well).
Now, the problem with the original two lines is "sourcehash". It looks
like it's *NOT* using the 'indirect' feature. I've set squid debug
options to "39,2", and the following is shown in the logs:
{{{
2013/09/23 15:10:20| peerSourceHashSelectParent: Calculating hash for 127.0.0.1
2013/09/23 15:10:20| peerSourceHashSelectParent: selected squid-isp1
2013/09/23 15:10:20| peerSourceHashSelectParent: Calculating hash for 127.0.0.1
2013/09/23 15:10:20| peerSourceHashSelectParent: selected squid-isp1
2013/09/23 15:10:20| peerSourceHashSelectParent: Calculating hash for 127.0.0.1
2013/09/23 15:10:20| peerSourceHashSelectParent: selected squid-isp1
2013/09/23 15:10:21| peerSourceHashSelectParent: Calculating hash for 127.0.0.1
2013/09/23 15:10:21| peerSourceHashSelectParent: selected squid-isp1
2013/09/23 15:10:21| peerSourceHashSelectParent: Calculating hash for 127.0.0.1
}}}
So, basically, the IP where DansGuardian is running is being hashed,
instead of the original one. When looking at the source code for
version 2.7.STABLE9 (the one I'm using), it looks like client_addr is
used instead of the indirect one as the key in
"src/peer_sourcehash.c":
{{{
key = inet_ntoa(request->client_addr);
}}}
This also seems to happen in the latest 3.3 version of squid.
Could this be fixed by adding the following lines to that file, after
that line shown above:
{{{
#if FOLLOW_X_FORWARDED_FOR
key = inet_ntoa(request->indirect_client_addr);
#endif /* FOLLOW_X_FORWARDED_FOR */
}}}
Are you aware of this problem, or am I doing something wrong?
It is not a problem per-se.
* sourcehash is a hashing algorithm based on inbound TCP connection details.
* "indirect client" feature is about network state of a TCP connection
unrelated to Squid.
If round-robin is sufficient for your needs I suggest dropping the
sourcehash entirely.
Also, I recommend an upgrade to the 3.3 Squid if you can. 2.7 is getting
very outdated.
Amos
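
Added illustration, not part of the original thread and not Squid's code: a simplified source-hash selector showing why every request arriving through a filter on 127.0.0.1 hashes to the same parent, and how the choice changes when the key is taken from X-Forwarded-For only for a trusted direct peer. The FNV-1a hash, the `select_key` helper and the client addresses are assumptions made for the example; Squid uses its own hash function.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Peer names taken from the cache_peer lines in the thread. */
static const char *PEERS[] = { "squid-isp1", "squid-isp2" };
#define NPEERS 2

/* FNV-1a: stand-in hash for illustration only (assumption). */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Pick the hash key. The X-Forwarded-For address is used only when the
 * direct TCP peer is trusted (localhost here, mirroring
 * "follow_x_forwarded_for allow localhost"); otherwise any client could
 * steer itself to a chosen upstream by forging the header. */
static const char *select_key(const char *direct, const char *xff, int follow_xff) {
    if (follow_xff && xff && *xff && strcmp(direct, "127.0.0.1") == 0)
        return xff;
    return direct;
}

static const char *select_peer(const char *key) {
    return PEERS[fnv1a(key) % NPEERS];
}

/* Count distinct peers chosen for constructed clients that all reach the
 * proxy through a content filter running on 127.0.0.1. */
static int distinct_peers(int follow_xff) {
    static const char *clients[] = {   /* constructed sample addresses */
        "192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13" };
    int used[NPEERS] = {0}, n = 0;
    for (size_t i = 0; i < sizeof clients / sizeof *clients; i++) {
        const char *p = select_peer(select_key("127.0.0.1", clients[i], follow_xff));
        for (int j = 0; j < NPEERS; j++)
            if (p == PEERS[j] && !used[j]) { used[j] = 1; n++; }
    }
    return n;
}

int main(void) {
    printf("hash direct address:   %d peer(s) used\n", distinct_peers(0));
    printf("hash indirect address: %d peer(s) used\n", distinct_peers(1));
    return 0;
}
```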