LinuxQuestions.org


advaitraut 10-16-2009 04:10 AM

RHCS & squid failover
 
Hi guys,
I have configured a squid server on two nodes. My requirement is to have a squid failover using RHCS.

RHCS is also configured with a virtual IP monitoring both the servers. Virtual IP: 192.168.1.100

Now the issue is that my virtual IP is configured on all browsers with port 8080 for proxy purposes, i.e. 192.168.1.100:8080

Now the requests coming from browsers with the virtual IP and port number 8080 are properly directed to the active server, but the requests going out from the active squid server don't take the virtual IP; they take its own eth0 IP, i.e. 192.168.1.1 of the active server, and hit the firewall, due to which the firewall blocks the IP and hence no page is displayed.

So what I did was configure an iptables POSTROUTING rule which NATs all the outgoing requests from eth0 to the virtual IP.

# iptables -t nat -A POSTROUTING -s 192.168.1.1 -o eth0 -j SNAT --to-source 192.168.1.100

After this rule I am able to receive web pages.

But the cluster doesn't work at all. What I mean is, if I try to shut down the active server, the virtual IP doesn't shift to the passive server.

Note: before applying iptables the cluster works fine, but I can't get web pages, as mentioned earlier.

Please help, guys, if anybody has any solution or has configured RHCS for the same.

Regards,
Advait

acid_kewpie 10-17-2009 01:11 AM

Squid does not need clustering, why overcomplicate things? For a resilient web proxy, just use a proxy.pac script on the client, and the browser itself will try multiple servers to find a functional connection. One step further is to hash the URL being requested, get the modulus 2 value of the hash and use that to really simply load balance the two servers with zero additional config on the two servers. This will give you THE best performance and cache hit ratios you could ever logically receive, as you can provide 100% predictable usage of specific proxies when all servers are functional, with automatic failover if it goes tits up.

I certainly can see no good reason why you want to nat outbound traffic to the clustered address, just permit both local machine addresses outbound access. And forcing a snat outside of the realms of the RHCS config will surely lead to a whole heap of problems. How can the other machine legitimately use that IP if other traffic leaving the first system is also being snatted to the IP? Arp tables and such will get in a right state I'd bet, especially as your SNAT covers ALL traffic leaving eth0. Does that traffic include cluster data? Even worse if so.
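
The proxy.pac approach described in the reply above, sketched as an added example that is not part of the original thread. The second node's address 192.168.1.2 and the helper name hashString are assumptions; only 192.168.1.1 and port 8080 come from the posts.

```javascript
// proxy.pac sketch (added example, not code from the thread).
// 192.168.1.1:8080 is the active node named in the first post;
// 192.168.1.2:8080 is an assumed address for the second squid node.
var PROXIES = ["192.168.1.1:8080", "192.168.1.2:8080"];

// Small deterministic string hash (djb2-style), kept as an unsigned
// 32-bit value so every client computes the same number for a URL.
function hashString(s) {
  var h = 5381;
  for (var i = 0; i < s.length; i++) {
    h = ((h * 33) ^ s.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Entry point the browser calls for every request.
// hash(url) mod 2 picks the primary proxy, so a given URL always lands
// on the same squid cache while both nodes are up. The other node is
// listed second, so the browser falls back to it on its own when the
// primary stops answering.
function FindProxyForURL(url, host) {
  var first = hashString(url) % PROXIES.length;
  var order = [];
  for (var i = 0; i < PROXIES.length; i++) {
    order.push("PROXY " + PROXIES[(first + i) % PROXIES.length]);
  }
  return order.join("; ");
}
```

Clients only need the URL of this file in their automatic proxy configuration setting; nothing changes on the squid nodes themselves.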

advaitraut 10-18-2009 01:10 AM

Hi Chris,
Thanks for your suggestions, but my problem is that I have VPN sites which can only be accessed with an outgoing connection hitting the firewall with the IP address 192.168.1.100:8080; only then are my VPN sites accessible, otherwise those sites are not accessible.
Yes, I can use two different private IPs and NAT them on the firewall for net surfing, which will serve me web pages, but my VPN sites will not work in this scenario, since the IP address hitting the firewall will not be 192.168.1.100:8080 and hence no tunnel will be created.
That's why I am using 192.168.1.100 as my virtual IP, which is NATed on the firewall with a public IP, which can serve both my purposes: VPN sites as well as general net surfing. On the other hand, I can't install the proxy.pac script manually on 3000 desktops at different locations.

Everything works fine with my above-mentioned SNAT iptables rule, except the cluster.
Please let me know if there is any solution for my problem.

Regards
Advait.

