Netgate Discussion Forum

    Squid on CARP Interface

      clamasters

      I have 2 pfSense boxes set up as HA, and the clients use a proxy setting in the browser (inside the network and out) in order to be filtered by squid/squidGuard (elementary kids). The issue is that one of the boxes failed last week and I had to put the primary IPs on the secondary box in order to get web traffic flowing again.

      Is there a way to get squid to listen on the HA (CARP) interfaces?

      http://www.curtis-lamasters.com
      http://www.builtnetworks.com

        correajl

        I have the same question!

        I'm using two boxes, one master and one slave, with CARP HA. If the master fails, the slave should keep the network working.

        However, to reach HA, the name proxy.mydomain should resolve to one IP (this name is used on all browsers). And this IP should be the CARP VIP, so when the master fails, the slave will answer for this IP.

        But how can I configure squid / proxy to use the CARP VIP? I can only set squid / proxy to listen on interfaces, not on the VIP.

        Tks.

        2.2.4-RELEASE (amd64)
        squid3 0.2.8

          correajl

          There are some locked topics about this case. They said that it is not necessary to have squid listening on the VIP because it is not possible to sync master/slave to have a fully stateful proxy service.

          Consideration:

          I was looking for the solution for this case, because I have two boxes in HA with CARP. Although for proxy service HA is not completely stateful, as posted in some topics, I've been thinking that in some cases it is necessary that squid listen on the VIP. For example, my two boxes are the firewall for more than 24 networks. These networks have other equipment as their gateway, not the pfSense firewall. So traffic goes through the firewall when it has to go to the Internet. The proxy server runs on pfSense (which has a VIP to receive the traffic that goes to the Internet). And, finally, I have a CNAME proxy.mydomain on internal DNS that points to one IP (configured on all browsers)! This IP should be the CARP VIP.

          If the master stops, even if some sessions are lost (because at this moment squid on the slave becomes the operational proxy), the slave becomes the firewall and the network continues to work. Losing a few sessions is better than losing navigation.

          One way to get this is by configuring "custom options" on the proxy service. I put in the "Custom ACLs (before auth)" section something like:

          http_port <CARP VIP>:3128

          Seems to work.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.