You can use 2 squid servers with VRRP in front of the other proxies. I would advise you to learn a little about haproxy authentication methods. There is a possibility that you will be able to do some things you haven’t done until now.

Eliezer

From: roee klinger <roeeklinger60@xxxxxxxxx>
Sent: Friday, December 11, 2020 1:23 PM
To: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid with more than 128 ports?

Hey Eliezer,

Thanks, but actually what I want to achieve is not dynamic load balancing, I want each user to always go to a predefined proxy. For a failover solution, I will have an outside program checking for failed proxies, and then I will remove them from the list and send the user to a different proxy while I handle the failed ones.

Is Haproxy good for that it is Squid in the way I proposed OK?

You should use Haproxy in a Fail-over setup. Squid is great but it’s possible that Haproxy does this much better these days than Squid. You can leave the authentication on the Squid servers and use the Haproxy as a TCP load balancer. If you need the client's original IP address you can use the PROXY protocol to send these details between the haproxy and squid.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

Hey Anthony,

Giving this a second thought, I believe I didn't explain myself correctly.

I have 5 Squid servers, each listening on 80 ports, I would like to add another Squid server in the middle of the client and these servers to authenticate users before sending them to their ports. I already have ACL controls and auth control tools which I wrote and are working fine.

My question is regarding how to configure this, I have found this configuration online but I am not sure how it will work performance-wise with 500+ proxies (could be 1000s in

http_port 3128 name=port_3128
http_port 3127 name=port_3127
nonhierarchical_direct off
acl port_3128_acl myportname port_3128
acl port_3127_acl myportname port_3127
always_direct deny port_3128_acl
always_direct deny port_3127_acl
never_direct allow port_3128_acl
never_direct allow port_3127_acl
# 3128
cache_peer proxy1 parent 3128 0 proxy-only default name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
# 3127
cache_peer proxy2 parent 3128 0 proxy-only default name=proxy3127
cache_peer_access proxy3127 allow port_3127_acl
cache_peer_access proxy3127 deny all

Combine these 2000+ lines in squid.conf with 2 external ACLs and a custom authenticator, can this cause a hit on performance or should it be no problem for squid to handle?

On Thursday 10 December 2020 at 13:02:19, roee klinger wrote:

> Hello,
>
> We have a few Squid proxy servers with a total of around 400 ports
What do you mean by that? What are you using 400 ports for?
> We have decided that we want to add a cloud instance in the middle of the
> connections, that will authenticate users and only then send them to the
> squid instance.
What authentication method / protocol do you want to use?
> Is it a smart idea to use Squid for this use case or just use a different
> proxy software that doesn't have this limitation?
I think the best starting point is to ask what sort of authentication you want to perform (ie: what is the authoritative system which holds the information about who can authenticate and who cannot), then you can decide on the best software to use to do that in front of Squid.
Antony.
-- Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated". Chocolate covered biscuits, however, are classed as "luxury items" and are subject to VAT. McVitie's classed its Jaffa Cakes as cakes, but in 1991 this was challenged by Her Majesty's Customs and Excise in court.
The question which had to be answered was what criteria should be used to class something as a cake or a biscuit. McVitie's defended the classification of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas biscuits go soft. It was demonstrated that Jaffa Cakes become hard when stale and McVitie's won the case.
Please reply to the list; please *don't* CC me.
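
An added example, not part of the original thread or of Squid's own tooling: with hundreds of generated port-to-peer stanzas in the pattern quoted above, a small Python check can confirm that every named port is pinned to exactly one parent and cannot fall back to a direct fetch. The function name `lint_port_routing` and the sample configuration are constructed for illustration; the sample deliberately omits two lines.

```python
from collections import defaultdict

# Constructed sample in the thread's pattern; port_3127 is deliberately incomplete.
SAMPLE = """\
http_port 3128 name=port_3128
http_port 3127 name=port_3127
acl port_3128_acl myportname port_3128
acl port_3127_acl myportname port_3127
never_direct allow port_3128_acl
cache_peer proxy1 parent 3128 0 proxy-only default name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
cache_peer proxy2 parent 3128 0 proxy-only default name=proxy3127
cache_peer_access proxy3127 allow port_3127_acl
"""

def lint_port_routing(conf):  # returns a list of problem strings (empty if clean)
    ports, peers, never_direct, port_acl = set(), set(), set(), {}
    access = defaultdict(list)                  # peer name -> [(action, acl), ...]
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not tok:
            continue
        names = [t[5:] for t in tok if t.startswith("name=")]
        if tok[0] == "http_port":
            ports.update(names)
        elif tok[0] == "cache_peer":
            peers.update(names)
        elif tok[0] == "acl" and len(tok) >= 4 and tok[2] == "myportname":
            port_acl[tok[3]] = tok[1]           # port name -> ACL name
        elif tok[:2] == ["never_direct", "allow"] and len(tok) >= 3:
            never_direct.add(tok[2])
        elif tok[0] == "cache_peer_access" and len(tok) >= 4:
            access[tok[1]].append((tok[2], tok[3]))
    problems = []
    for port in sorted(ports):
        acl = port_acl.get(port)
        if acl is None:
            problems.append(f"{port}: no myportname acl")
            continue
        if acl not in never_direct:             # Squid may then bypass the parent
            problems.append(f"{port}: no 'never_direct allow {acl}'")
        routed = sorted(p for p, r in access.items() if ("allow", acl) in r)
        if len(routed) != 1:
            problems.append(f"{port}: allowed on {len(routed)} peers, expected 1")
    for peer in sorted(peers):                  # thread's pattern: explicit final deny
        if access.get(peer, [])[-1:] != [("deny", "all")]:
            problems.append(f"{peer}: access list does not end with 'deny all'")
    return problems
```

Run it against the generated file before reloading Squid, for example `lint_port_routing(open("squid.conf").read())`, and treat a non-empty result as a failed deployment check.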