    Squid on CARP Interface

    • C
      clamasters last edited by

      I have 2 pfSense boxes set up as HA and the clients use a proxy setting in the browser (inside the network and out) in order to be filtered by squid/squidguard (elementary kids).  The issue is that one of the boxes failed last week and I had to put the primary IPs on the secondary box in order to get web traffic flowing again.

      Is there a way to get squid to listen on the HA (CARP) interfaces?

      • C
        correajl last edited by

        I've the same question!

        I'm using two boxes, one master and one slave, with CARP HA. If master fails, the slave should keep the network working.

        However, to reach HA the name proxy.mydomain should resolve to one IP (this name is used on all browsers). And this IP should be the CARP VIP, so when master fails, slave will answer for this IP.

        But how can I configure squid / proxy to use the CARP VIP? I can only set squid / proxy to listen on interfaces, not on a VIP.

        Tks.

        2.2.4-RELEASE (amd64)
        squid3 0.2.8

        • C
          correajl last edited by

          There are some locked topics about this case. They said that it is not necessary to have squid listening on the VIP because it is not possible to sync master/slave to have a fully stateful proxy service.

          Consideration:

          I was looking for a solution for this case, because I have two boxes in HA with CARP. Although HA for the proxy service is not completely stateful, as posted in some topics, I've been thinking that in some cases it is necessary for squid to listen on the VIP. For example, my two boxes are the firewall for more than 24 networks. These networks have other equipment as their gateway, not the pfSense firewall. So traffic goes through the firewall when it has to go to the Internet. The proxy server runs on pfSense (which has a VIP to receive the traffic that goes to the Internet). And, finally, I have a CNAME proxy.mydomain on the internal DNS that points to one IP (configured on all browsers)! This IP should be the CARP VIP.

          If the master stops, even if some sessions are lost (because at this moment squid on the slave becomes the operational proxy), the slave becomes the firewall and the network continues to work. Losing a few sessions is better than losing navigation.

          One way to get this is configuring "custom options" on the proxy service. I put in the "Custom ACLs (before auth)" section something like:

          http_port <CARP VIP>:3128

          Seems to work.

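A way to confirm, on each node, that the generated squid.conf really carries a forward-proxy listener on the CARP VIP after the custom option from the last post is added. This is an added example, not part of the thread or of the squid package; the addresses, the sample configuration and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample squid.conf. 192.0.2.10 stands in for the CARP VIP and
# 192.0.2.11 for this node's own interface address (both are assumptions).
SAMPLE_CONF = """\
http_port 192.0.2.11:3128
http_port 127.0.0.1:3128 intercept
# line added through the custom options box
http_port 192.0.2.10:3128
"""

def parse_http_port(value):
    """Split the first http_port argument into (address or None, port)."""
    host, sep, port = value.rpartition(":")
    if not sep:                      # bare "3128" binds every address
        return None, int(value)
    return host.strip("[]"), int(port)   # "[2001:db8::1]:3128" form

def listeners(conf_text):
    """Yield (address, port, options) for each active http_port line."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "http_port":
            addr, port = parse_http_port(fields[1])
            yield addr, port, fields[2:]

def covers_vip(conf_text, vip, port=3128):
    """Return 'explicit', 'wildcard' or None for a forward-proxy port on the VIP."""
    vip_addr = ipaddress.ip_address(vip)
    result = None
    for addr, p, opts in listeners(conf_text):
        # intercept/tproxy ports take redirected traffic, not browser proxy settings
        if p != port or "intercept" in opts or "tproxy" in opts:
            continue
        if addr is None:
            result = "wildcard"
            continue
        try:
            if ipaddress.ip_address(addr) == vip_addr:
                return "explicit"
        except ValueError:
            pass                     # hostname form, not resolved offline
    return result

if __name__ == "__main__":
    print(covers_vip(SAMPLE_CONF, "192.0.2.10"))
```

A result of `wildcard` means the VIP is served only because squid listens on every address of the box, which is worth reviewing against the firewall rules on the other interfaces.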