Thursday, August 09, 2018

routing traffic to transparent squid cluster

Dear list,

I'm playing around with a squid setup, where the http traffic from a client is
transparently routed from the gateway (openbsd 6.3) to two squid caches (squid
3.5.28). This means the caches are _not_ placed on the gateway.

With PF this is very easy to achieve:

pass in quick on $INT_IF inet proto tcp from $CLIENT to any port 80 \
    route-to { ($DMZ_IF $SQUID_1), (trunk2 $SQUID_2) } least-states

So far, so good. My next goal is redundancy. In other words the gateway should
stop routing traffic to an unreachable cache. Imho I thought this is very easy
to achieve with the help of relayd.

To map the upper PF rule to a fully redundant setup, I tried something like this:

PF:
pass in quick on $INT_IF inet proto tcp from $CLIENT to any port http \
    divert-to 127.0.0.1 port 3130

Relayd:
relay webproxy_3130 {
    listen on 127.0.0.1 port 3130
    transparent forward to <squid_3130> port 80 check tcp mode loadbalance
}

But of course this doesn't work because the relay translates the destination
address, which it should not. I didn't find any options like a pf route-to for
relays and think it wouldn't make much sense in the context of relays.
Relayd supports a route-to option for redirects but I didn't find a working
configuration.

Perhaps this is all broken by design. If so, could somebody point me to a better
solution (haproxy in front of the caches)?

Any help would be greatly appreciated.

Thanks
