Netgate Discussion Forum
    [Work in progress] Squid failover AND load balancing for pfSense

edosselio

A script that removes the "tcp_outgoing_address" directive from the squid config file when the gateway goes down would be enough, even if it goes without saying that I would not recommend a similar solution to anybody for production environments…

deajan

This is actually a great idea.
The script should be triggered by the dpinger results, a bit like /etc/rc.gateway_alarm.
As long as the acl lines and the interfaces have the same name, it would be possible to comment out the acl lines whose interface is down, and then reload the squid service.

        NetPOWER.fr - some opensource stuff for IT people

edosselio

          Hi all,

I've added some lines directly to the /etc/rc.gateway_alarm file. I state that I'm a network guy and not very good with programming/scripting; sometimes with bash I throw myself at problem solving and that's it, without looking at appearances…

My /etc/rc.gateway_alarm:

#!/bin/sh

GW1="WAN_GW"
GW2="UBNT_GW"

GW="$1"
if [ -z "$GW" ]; then
        exit 1
fi

# --- added lines: begin ---
# Comment out the tcp_outgoing_address line of the gateway that went down,
# then restart squid. POSIX test(1) compares strings with "=", not "==",
# and the dots in the addresses are escaped so they match literally.
if [ "$GW" = "$GW1" ]; then
        perl -i -pe 's/^tcp_outgoing_address 192\.168\.1\.2 WAN$/#tcp_outgoing_address 192.168.1.2 WAN/' /usr/local/etc/squid/squid.conf
        /usr/local/etc/rc.d/squid.sh restart
elif [ "$GW" = "$GW2" ]; then
        perl -i -pe 's/^tcp_outgoing_address 192\.168\.0\.2 UBNT$/#tcp_outgoing_address 192.168.0.2 UBNT/' /usr/local/etc/squid/squid.conf
        /usr/local/etc/rc.d/squid.sh restart
fi
# Any other gateway falls through to the stock pfSctl reloads below;
# an "else exit" at this point would skip them for those gateways.
# --- added lines: end ---

/usr/local/sbin/pfSctl \
        -c "service reload dyndns ${GW}" \
        -c "service reload ipsecdns" \
        -c "service reload openvpn ${GW}" \
        -c "filter reload" >/dev/null 2>&1

exit $?

The lines between the "added lines" comments are the ones I added.

This is with the following ACLs in my squid.conf:

          acl UBNT src 172.16.1.0/24
          tcp_outgoing_address 192.168.0.2 UBNT
          acl WAN src 10.0.0.0/24
          tcp_outgoing_address 192.168.1.2 WAN

and with the names of your gateways in the variables "GW1" and "GW2".

I've tested it and it works perfectly; now I'd like to work on "fail back" (if the failed gateway comes back online the line should be uncommented).
For this I think I need to work on "if [ -z "$GW" ]", but before that I want to wait for your eventual advice/corrections that (certainly!) could improve the code.

          Have a nice day,

          Edoardo

deajan

            Hello,

            I'm working on a script too, but external to /etc/rc.gateway_alarm for better updates.
            I will post it once I have it all tested out.

Btw, you should replace "restart" with "reload" for your squid.

            NetPOWER.fr - some opensource stuff for IT people

deajan

Until I can test everything, here's my script.
It will comment / uncomment the corresponding tcp_outgoing_address lines in squid.conf.

Usage:

/usr/local/bin/squid_acl_control.sh [action] [gateway]
Action = enable / disable
Gateway = gateway name as in routing

Example:

/usr/local/bin/squid_acl_control.sh disable WAN2_GW
/usr/local/bin/squid_acl_control.sh enable SOME_GATEWAY

The script itself, to put in /usr/local/bin/squid_acl_control.sh:

#!/usr/bin/env sh
# Comment / uncomment the tcp_outgoing_address line of a gateway in
# squid.conf and reload squid.
# Usage: squid_acl_control.sh enable|disable GATEWAY_NAME

SQUID_SERVICE=squid.sh
SQUID_CONF_FILE=/usr/local/etc/squid/squid.conf

# Pick a writable location for the log file.
if [ -w /var/log ]; then
	LOG_FILE="/var/log/$(basename "$0").log"
elif [ -w /tmp ]; then
	LOG_FILE="/tmp/$(basename "$0").log"
else
	LOG_FILE="./$(basename "$0").log"
fi

log() {
	echo "$(date) - $1" >> "$LOG_FILE"
}

squid_reload() {
	if service "$SQUID_SERVICE" reload; then
		log "Reloaded squid configuration."
	else
		log "Could not reload squid configuration."
	fi
}

# Match only lines whose last field is exactly the gateway name, so that
# "WAN" does not also hit "WAN2"; sed keeps the previous file as .bak.
disable_gateway() {
	sed -i.bak "/^tcp_outgoing_address .*[[:space:]]$1[[:space:]]*\$/ s?^?#?" "$SQUID_CONF_FILE"
	log "Disabled gateway [$1]."
}

enable_gateway() {
	sed -i.bak "/^#tcp_outgoing_address .*[[:space:]]$1[[:space:]]*\$/ s?^#??" "$SQUID_CONF_FILE"
	log "Enabled gateway [$1]."
}

# POSIX test(1) compares strings with "=", not "==".
if [ "$1" != "enable" ] && [ "$1" != "disable" ] || [ -z "$2" ]; then
	log "Bogus values given [$1], [$2]."
	exit 1
fi

if [ "$1" = "disable" ]; then
	disable_gateway "$2"
	squid_reload
elif [ "$1" = "enable" ]; then
	enable_gateway "$2"
	squid_reload
fi

I still need to find the right trigger, or write a quick cron task that checks the dpinger sockets, but the pfSense team must already have such a mechanism to add / remove gateways from gateway groups.

              NetPOWER.fr - some opensource stuff for IT people

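Both scripts in this thread (the rc.gateway_alarm edit and squid_acl_control.sh) match the gateway name anywhere on the tcp_outgoing_address line and hand the edited file straight to squid. The following is an added example, not code from either poster: a POSIX sh version of the enable/disable step that matches the gateway name only as the last field (so WAN never hits WAN2), is idempotent (a second "disable" never produces "##" and a second "enable" never strips a real comment), refuses the change and restores the .bak if `squid -k parse` rejects the edited file, and only then calls the squid rc script. The rc script path /usr/local/etc/rc.d/squid.sh is taken from the posts above; the squid.conf fragment written by write_sample_conf is constructed test data modelled on the ACLs posted earlier plus a made-up WAN2 entry, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent enable/disable of a
# gateway's tcp_outgoing_address line in squid.conf, with a parse check
# before squid is reloaded. Paths and the sample config are assumptions.

# Write a sample squid.conf fragment (constructed test data modelled on the
# ACLs posted above, plus a WAN2 entry to exercise exact-name matching).
write_sample_conf() {   # $1 = path
    cat > "$1" <<'EOF'
acl UBNT src 172.16.1.0/24
tcp_outgoing_address 192.168.0.2 UBNT
acl WAN src 10.0.0.0/24
tcp_outgoing_address 192.168.1.2 WAN
acl WAN2 src 10.0.1.0/24
tcp_outgoing_address 192.168.2.2 WAN2
EOF
}

# Print enabled / disabled / absent for the tcp_outgoing_address line whose
# last field is exactly $1. $2 = config path.
outgoing_state() {
    if grep -Eq "^tcp_outgoing_address[[:space:]].*[[:space:]]$1[[:space:]]*\$" "$2"; then
        echo enabled
    elif grep -Eq "^#tcp_outgoing_address[[:space:]].*[[:space:]]$1[[:space:]]*\$" "$2"; then
        echo disabled
    else
        echo absent
    fi
}

# Only an uncommented line gets commented and only a commented one gets
# uncommented, so repeating an action never yields "##" or touches a real
# comment. The name is anchored as the last field: WAN does not match WAN2.
disable_outgoing() {   # $1 = name, $2 = config path
    sed -i.bak -E "s/^(tcp_outgoing_address[[:space:]]+[^[:space:]]+[[:space:]]+$1)[[:space:]]*\$/#\1/" "$2"
}

enable_outgoing() {    # $1 = name, $2 = config path
    sed -i.bak -E "s/^#(tcp_outgoing_address[[:space:]]+[^[:space:]]+[[:space:]]+$1)[[:space:]]*\$/\1/" "$2"
}

# apply_gateway_state enable|disable NAME CONF
# Returns 0 when the config ends in the requested state (reload skipped if
# nothing changed), 1 when squid rejected the edit and it was rolled back,
# 2 on bad arguments or when no line exists for NAME.
apply_gateway_state() {
    action=$1; name=$2; conf=$3
    # Gateway names are also used unquoted in a regex: restrict the charset.
    case "$name" in
        ""|*[!A-Za-z0-9_]*) echo "gateway name must be [A-Za-z0-9_]+" >&2; return 2 ;;
    esac
    before=$(outgoing_state "$name" "$conf")
    if [ "$before" = absent ]; then
        echo "no tcp_outgoing_address line for $name in $conf" >&2
        return 2
    fi
    case "$action" in
        enable)  [ "$before" = disabled ] || return 0; enable_outgoing "$name" "$conf" ;;
        disable) [ "$before" = enabled ]  || return 0; disable_outgoing "$name" "$conf" ;;
        *) echo "usage: apply_gateway_state enable|disable NAME CONF" >&2; return 2 ;;
    esac
    # Never hand squid a config it will not parse; restore the backup instead.
    if command -v squid >/dev/null 2>&1 && ! squid -k parse -f "$conf" >/dev/null 2>&1; then
        mv "$conf.bak" "$conf"
        return 1
    fi
    # pfSense's squid package rc script, when present on this host (assumed path).
    if [ -x /usr/local/etc/rc.d/squid.sh ]; then
        /usr/local/etc/rc.d/squid.sh reload
    fi
    return 0
}
```

A dpinger-driven caller (rc.gateway_alarm, or the gwlb.inc hook discussed further down) would simply run `apply_gateway_state disable "$GW" /usr/local/etc/squid/squid.conf` on alarm and `enable` on recovery; because an unchanged state returns without touching the file, the hook can be invoked on every evaluation without reloading squid each time.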
edosselio

Hi, any news? Nothing from the pfSense team either?

Your script works, but as you said it must be triggered automatically without user intervention…

                Edoardo

deajan

No reply from the pfSense team yet.
                  Still, there would be some other issues to address.

                  I am investigating a hook in /etc/inc/gwlb.inc

                  
                  --- gwlb.inc	2016-05-16 23:22:25.000000000 +0200
                  +++ alt_gwlb.inc	2016-06-01 18:53:48.173676000 +0200
                  @@ -951,12 +951,14 @@
                   						log_error($msg);
                   						notify_via_growl($msg);
                   						notify_via_smtp($msg);
                  +						mwexec("/usr/local/bin/squid_acl_control.sh disable $gwname");
                   					} else {
                   						/* Online add member */
                   						if (!is_array($tiers[$tier])) {
                   							$tiers[$tier] = array();
                   						}
                   						$tiers[$tier][] = $gwname;
                  +						mwexec("/usr/local/bin/squid_acl_control.sh enable $gwname");
                   					}
                   				} else if (isset($gateways_arr[$gwname]['monitor_disable'])) {
                   					$tiers[$tier][] = $gwname;
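Review bot: in both added mwexec() lines $gwname is interpolated unquoted into the shell command; pass it through escapeshellarg($gwname) (or validate it against the gateway name character set) so a name containing shell metacharacters cannot alter the command. Also, nothing in the visible context restricts these calls to a state transition: the "omit member" and "Online add member" branches run each time this loop evaluates group membership, so squid_acl_control.sh and its squid reload would be invoked for every member on every pass. Either record the last state per gateway and call the script only when it changes, or make the script itself skip the reload when the line is already in the requested state.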
                  
                  

                  I am still waiting for the pfSense team to tell me if there is a better way to implement this.
                  Maybe even good enough to be merged in a next release.

                  NetPOWER.fr - some opensource stuff for IT people

edosselio

I think you've definitely found a good trigger… by doing this, the only remaining "limit" would be having the acl lines and the interfaces with the same name, but at this point, as the Italian proverb goes, "it's better than nothing"... much better ;)
Congratulations, I will test your findings as soon as possible, but I'm very hopeful about the outcome.

                    Have a nice day,

                    Edoardo

killmasta93

Don't want to necro post, but any updates on this?

                      Tutorials:

                      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

viktor_g (Netgate)

                        Feature request: https://redmine.pfsense.org/issues/10541

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.