Squid on CARP Interface

  • I have 2 pfsense boxes set up as HA and the clients use a proxy setting in the browser (inside the network and out) in order to be filtered by squid/squidguard (elementary kids).  The issue is that one of the boxes failed last week and I had to put the primary IPs on the secondary box in order to get web traffic flowing again.

    Is there a way to get squid to listen on the HA (CARP) interfaces?

  • I've the same question!

    I'm using two boxes, one master and one slave, with CARP HA. If master fails, the slave should keep the network working.

    However, to reach HA the name proxy.mydomain should resolve to one IP (this name is used on all browsers). And this IP should be the CARP VIP, so when master fails, slave will answer for this IP.

    But how can I configure squid / proxy to use the CARP VIP? I can only set squid / proxy to listen on interfaces, not on the VIP.


    2.2.4-RELEASE (amd64)
    squid3 0.2.8

  • There are some locked topics about this case. They said that it is not necessary to have squid listening on the VIP because it is not possible to sync master/slave to have a fully stateful proxy service.



    I was looking for the solution for this case, because I have two boxes in HA with CARP. Although HA for the proxy service is not completely stateful, as posted in some topics, I've been thinking that in some cases it is necessary for squid to listen on the VIP. For example, my two boxes are the firewall for more than 24 networks. These networks have other equipment as their gateway, not the pfSense firewall. So traffic goes through the firewall when it has to go to the Internet. The proxy server runs on pfSense (which has a VIP to receive the traffic that goes to the Internet). And, finally, I have a CNAME proxy.mydomain on the internal DNS that points to one IP (configured on all browsers)! This IP should be the CARP VIP.

    If the master stops, even if some sessions are lost (because at this moment squid on the slave becomes the operational proxy), the slave becomes the firewall and the network continues to work. Losing a few sessions is better than losing navigation.

    One way to get this is configuring "custom options" on the proxy service. I put in the "Custom ACLs (before auth)" section something like:

    http_port <CARP VIP>:3128

    Seems to work.
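
A way to confirm on each node that the rendered squid.conf really has the proxy port bound to the CARP VIP, as an added example that is not part of the original posts or of the pfSense package. The function names, verdict labels and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
import ipaddress

def listen_addresses(conf_text):
    """Return (host, port) per http_port line; host is None for a bare port."""
    binds = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        spec = fields[1]
        if spec.startswith("["):                   # [v6addr]:port
            host, _, port = spec[1:].partition("]:")
        elif ":" in spec:                          # addr:port or hostname:port
            host, _, port = spec.rpartition(":")
        else:                                      # bare port = all addresses
            host, port = None, spec
        if port.isdigit():
            binds.append((host, int(port)))
    return binds

def vip_coverage(conf_text, vip, port):
    """Classify how the given proxy port relates to the CARP VIP."""
    vip = ipaddress.ip_address(vip)
    seen = set()
    for host, p in listen_addresses(conf_text):
        if p != port:
            continue
        try:
            addr = None if host is None else ipaddress.ip_address(host)
        except ValueError:
            seen.add("other-address")              # hostname, not resolved here
            continue
        if addr is None or addr.is_unspecified:
            seen.add("wildcard")                   # answers on the VIP and on every other address
        elif addr == vip:
            seen.add("vip")
        else:
            seen.add("other-address")
    for verdict in ("vip", "wildcard", "other-address"):
        if verdict in seen:
            return verdict
    return "none"

# Constructed sample configs (documentation addresses, not from the thread).
NODE_ONLY = "http_port 192.0.2.2:3128\n"
WITH_VIP = NODE_ONLY + "http_port 192.0.2.1:3128  # custom option\n"

if __name__ == "__main__":
    for name, conf in (("node only", NODE_ONLY), ("with VIP", WITH_VIP)):
        print(name, "->", vip_coverage(conf, "192.0.2.1", 3128))
```

A result of "other-address" on either node means clients pointed at the VIP lose the proxy after failover; "wildcard" covers the VIP but also exposes the port on every other address the box holds.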