Squid Transparent HTTP Proxy with CARP HA VIP
-
This is my current setup. These are not my production IPs; they just serve as my example:
Primary Firewall:
WAN VIP: 1.1.1.146/29
Physical WAN Interface IP: 1.1.1.147/29
LAN VIP: 192.168.1.1/24
Physical LAN Interface IP: 192.168.1.2/24
Backup Firewall:
WAN VIP: 1.1.1.146/29
Physical WAN Interface IP: 1.1.1.148/29
LAN VIP: 192.168.1.1/24
Physical LAN Interface IP: 192.168.1.3/29
Both firewalls are set up with NAT, and failover has been configured and works flawlessly.
Recently I enabled Squid's Transparent HTTP Proxy to take advantage of ClamAV. Since enabling this feature, I am having a problem where all HTTP traffic, for whatever reason, wants to use the Physical WAN Interface IP of the firewall and not the VIP of 1.1.1.146. This is a huge problem, as all of the resources that our office accesses are only permitted to accept incoming HTTP sessions from the VIP of 1.1.1.146.
I should mention that prior to enabling this feature, all traffic NAT'd out the 1.1.1.146 IP, so this issue to me doesn't appear to be related to NAT.
As a workaround, I see some people have used the http_port <ip>3128 function to force HTTP to go out on their VIP, but this isn't working for me.
I might be unclear as to where to enable that function in the squid advanced options. I have tried http_port 1.1.1.146 3128 in both the Before Auth and After Auth fields, still no change.
Please Help.
Thank you.
-
Well, the command is as follows:
tcp_outgoing_address
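
The difference between the two directives in this thread, as an added squid.conf example that is not part of either post. It uses the example WAN VIP from the question; where the line is entered in the Squid package's advanced options is not shown here.

```conf
# What the question tried. http_port only sets the address and port Squid
# LISTENS on for client connections (documented form: ip:port). It does not
# choose the source address of the connections Squid opens to web servers.
# http_port 1.1.1.146:3128

# With the proxy enabled, Squid opens its own connection to the web server
# from the firewall itself, so the request no longer leaves as a LAN client
# flow. The source address of that connection is set here.
# 1.1.1.146 is the example WAN CARP VIP from the question.
tcp_outgoing_address 1.1.1.146
```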