Re: [squid-users] room for improvement in my proxy architecture

From: Gaylord Van Brocklin <[email protected]>
Date: Wed, 27 Oct 2004 09:52:06 -0700

The Squid -> AV server will be bypassing the firewall, but I guess I
could throw another NAT box outside the AV servers to also add a layer
of security.

Is this a common solution to this problem?

Here is another idea for architecture. What do you think:

- I was thinking about using the Super Proxy Script
(http://naragw.sharp.co.jp/sps/) to do the load balancing to the Squid
Boxes, and then use Squid's cache_peer directive to do the load
balancing across the Trend boxes and then put a NAT device between the
Trend boxes and the Internet so that all requests out to the Internet
come from a single IP to prevent any problems that I might have with
session based web sites that see multiple IP addresses. I could also
do a Layer 4 load balancing switch in front of the Squid boxes instead
of using the WPAD script, but the WPAD script provides some level of
consistency because it hashes the URLs and then sends you to the
appropriate proxy server, so requests to the same URL end up at the
same proxy server to create more cache hits.

-gvb

On Oct 26, 2004, at 3:08 PM, Henrik Nordstrom wrote:

> On Tue, 26 Oct 2004, Gaylord Van Brocklin wrote:
>
>> One problem that I have had in the past with load balancing between
>> the two AV servers is that the destination web servers see the
>> traffic coming from two different IP addresses so some session based
>> websites (things like Cox Webmail) don't work properly.
>
> One simple solution to this is to place a NAT gateway in front of the
> proxy servers, natting all requests to the same source IP regardless
> of which proxy was used.
>
> It is quite likely your existing network already is NAT capable, just
> waiting for you to start using the features of your network equipment.
>
> Regards
> Henrik
>
Received on Wed Oct 27 2004 - 10:52:50 MDT
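
The URL-hash proxy selection described in the message above, as an added example (not from the thread and not the Super Proxy Script's own code). The proxy hostnames, the port and the choice of FNV-1a as the hash are assumptions.

```javascript
// Hypothetical Squid hosts and port; substitute your own.
var SQUID_PROXIES = [
  "squid1.example.internal:3128",
  "squid2.example.internal:3128",
  "squid3.example.internal:3128"
];

// 32-bit FNV-1a over the URL bytes. The multiply by the FNV prime
// (0x01000193) is written as shifts so it stays exact in old PAC engines
// that lack Math.imul.
function hashUrl(url) {
  var h = 0x811c9dc5;
  for (var i = 0; i < url.length; i++) {
    h ^= url.charCodeAt(i) & 0xff;
    h = (h + (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24)) >>> 0;
  }
  return h >>> 0;
}

// Hashed choice first, remaining proxies after it as failover targets.
function proxyOrder(url, proxies) {
  var start = hashUrl(url) % proxies.length;
  var ordered = [];
  for (var i = 0; i < proxies.length; i++) {
    ordered.push(proxies[(start + i) % proxies.length]);
  }
  return ordered;
}

// PAC entry point: the browser calls this for each request.
function FindProxyForURL(url, host) {
  var order = proxyOrder(url, SQUID_PROXIES);
  var parts = [];
  for (var i = 0; i < order.length; i++) {
    parts.push("PROXY " + order[i]);
  }
  // Deliberately no "DIRECT" entry: if every Squid box is down the request
  // fails instead of bypassing the AV scanners.
  return parts.join("; ");
}
```

With plain modulo selection, adding or removing a Squid box changes the mapping for most URLs, so cache hit rates drop until the caches refill.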
