Netgate Discussion Forum

[Work in progress] Squid failover AND load balancing for pfSense

Cache/Proxy
14 Posts 4 Posters 5.7k Views
    deajan
    last edited May 28, 2016, 11:31 AM (posted Mar 30, 2016, 12:28 PM)

    Hello,

    I know this has been discussed MULTIPLE times in the forum here, but maybe there has been improvement since the last discussions.

    I'm seeking a way to achieve load balancing and fail over with squid proxy.
    I know that failover can be achieved with default gateway switching and load balancing can be achieved by using multiple tcp_outgoing_address statements, but there used to be a way to achieve both with floating rules back with pfSense <= 2.0.

    Has anyone ever managed to get squid load balanced with failover since pfSense >= 2.1 ?
    I've tried just about every scenario (even played with virtual IPs that are aliases of the WANs, etc.) but I can't get that damn thing to work properly.
    It's the last part that I'm missing for the ultimate opensource UTM.

    Regards,
    Ozy.

    NetPOWER.fr - some opensource stuff for IT people

      deajan
      last edited by Apr 7, 2016, 4:21 PM

      Anyone? No results with release 2.3 either?


        edosselio
        last edited by May 23, 2016, 10:06 AM

        Hi Deajan,

        I agree with your own conclusions, even if I don't understand why you're saying "I'm seeking a way to achieve load balancing and fail over with squid proxy"; as you said yourself, failover can be achieved using default gateway switching, and load balancing using for example these directives:

        
        acl LAN1 src 192.168.100.1/24
        acl LAN2 src 192.168.200.1/24
        
        tcp_outgoing_address 192.168.0.246 LAN1
        tcp_outgoing_address 10.10.0.246 LAN2
        
        

        In my case they work together and correctly; the problem is that squid will use the gateway specified in the ACL even if it is marked as failed; apparently this is the only obstacle to getting load balancing + failover to work.

        The impossibility of doing this through firewall policy (or policy routing) is another matter, but for an open-source product it is already a lot…

        Have a nice day,

        Edoardo

          deajan
          last edited by May 26, 2016, 8:42 PM

          Hi,

          As I said, it's failover or load balancing. Both don't work together, as there is no point in having a squid that still load balances on a failed link.

          Btw, I've asked the pfSense team about this in a support ticket. They said it never worked, and never will.
          Squid should be on another machine before the pfSense.

          If anyone has a solution, I'm pretty sure we'd love to have it described here.

          Regards.


            edosselio
            last edited by May 27, 2016, 8:23 AM

            A script that removes the "tcp_outgoing_address" directive from the squid config file when the gateway goes down would be enough, even if it goes without saying that I would not recommend a similar solution to anybody for production environments…

              deajan
              last edited by May 27, 2016, 9:48 AM

              This is actually a great idea.
              The script should be triggered by the dpinger results, a bit like /etc/rc.gateway_alarm.
              As long as the acl lines and the interfaces have the same name, it would be possible to comment out the acl lines whose interface is down, and then reload the squid service.


                edosselio
                last edited by May 28, 2016, 8:54 AM

                Hi all,

                I've added some lines directly to the /etc/rc.gateway_alarm file. I should say that I'm a network guy and not very able with programming/scripting; sometimes with bash I throw myself at problem solving and that's it, without looking at appearances…

                My  /etc/rc.gateway_alarm:

                #!/bin/sh
                GW1="WAN_GW"
                GW2="UBNT_GW"

                GW="$1"
                if [ -z "$GW" ]; then
                        exit 1
                fi

                # --- added: comment out the tcp_outgoing_address line of the gateway that just failed, then restart squid ---
                # The pattern is anchored with ^ so an already-commented line is not commented a second time.
                if [ "$GW" = "$GW1" ]; then
                        perl -i -pe 's/^tcp_outgoing_address 192.168.1.2 WAN/#tcp_outgoing_address 192.168.1.2 WAN/' /usr/local/etc/squid/squid.conf
                        /usr/local/etc/rc.d/squid.sh restart
                elif [ "$GW" = "$GW2" ]; then
                        perl -i -pe 's/^tcp_outgoing_address 192.168.0.2 UBNT/#tcp_outgoing_address 192.168.0.2 UBNT/' /usr/local/etc/squid/squid.conf
                        /usr/local/etc/rc.d/squid.sh restart
                fi
                # --- end of added lines; any other gateway falls through to the stock reloads below ---

                /usr/local/sbin/pfSctl \
                        -c "service reload dyndns ${GW}" \
                        -c "service reload ipsecdns" \
                        -c "service reload openvpn ${GW}" \
                        -c "filter reload" >/dev/null 2>&1

                exit $?

                The lines between the two "added" comments are the ones I added.

                This is with the following ACLs in my squid.conf:

                acl UBNT src 172.16.1.0/24
                tcp_outgoing_address 192.168.0.2 UBNT
                acl WAN src 10.0.0.0/24
                tcp_outgoing_address 192.168.1.2 WAN

                and in the variables "GW1" and "GW2" the name of your gateways.

                I've tested it and it works perfectly; now I'd like to work on "fail back" (if the failed gateway comes back online the line should be uncommented).
                For this I think I need to work on the "if [ -z "$GW" ]" part, but first I want to wait for your eventual advice/corrections that (certainly!) could improve the code.

                Have a nice day,

                Edoardo

                  deajan
                  last edited by May 28, 2016, 9:29 AM

                  Hello,

                  I'm working on a script too, but external to /etc/rc.gateway_alarm for better updates.
                  I will post it once I have it all tested out.

                  Btw, you should replace "restart" with "reload" on your squid.


                    deajan
                    last edited May 28, 2016, 11:31 AM (posted May 28, 2016, 10:44 AM)

                    Until I can test everything, here's my script.
                    It will comment / uncomment the corresponding tcp_outgoing_address lines in squid.conf

                    Usage:

                    /usr/local/bin/squid_acl_control.sh [action] [gateway]
                    Action = enable / disable
                    Gateway = gateway name as in routing

                    example:

                    
                    /usr/local/bin/squid_acl_control.sh disable WAN2_GW
                    /usr/local/bin/squid_acl_control.sh enable SOME_GATEWAY
                    
                    

                    The script itself to put in /usr/local/bin/squid_acl_control.sh

                    
                    #!/usr/bin/env sh
                    # Comment / uncomment the tcp_outgoing_address line(s) of a gateway in squid.conf
                    # and reload squid. The ACL name in squid.conf must be the same as the gateway name.

                    SQUID_SERVICE=squid.sh
                    SQUID_CONF_FILE=/usr/local/etc/squid/squid.conf

                    if [ -w /var/log ]; then
                        LOG_FILE="/var/log/$(basename "$0").log"
                    elif [ -w /tmp ]; then
                        LOG_FILE="/tmp/$(basename "$0").log"
                    else
                        LOG_FILE="./$(basename "$0").log"
                    fi

                    log() {
                        printf '%s - %s\n' "$(date)" "$1" >> "$LOG_FILE"
                    }

                    squid_reload() {
                        if service "$SQUID_SERVICE" reload; then
                            log "Reloaded squid configuration."
                        else
                            log "Could not reload squid configuration."
                        fi
                    }

                    disable_gateway() {
                        local gateway="${1}"

                        # The gateway name must be the last token on the line, so that e.g. WAN does not also hit WAN2.
                        # An already-commented line does not match, so the script can be run repeatedly.
                        sed -i.bak "/^tcp_outgoing_address.*[[:space:]]$gateway[[:space:]]*\$/ s?^?#?" "$SQUID_CONF_FILE"
                        log "Disabled gateway [$gateway]."
                    }

                    enable_gateway() {
                        local gateway="${1}"

                        sed -i.bak "/^#tcp_outgoing_address.*[[:space:]]$gateway[[:space:]]*\$/ s?^#??" "$SQUID_CONF_FILE"
                        log "Enabled gateway [$gateway]."
                    }

                    if { [ "$1" != "enable" ] && [ "$1" != "disable" ]; } || [ -z "$2" ]; then
                        log "Bogus values given [$1], [$2]."
                        exit 1
                    fi

                    if [ "$1" = "disable" ]; then
                        disable_gateway "$2"
                    else
                        enable_gateway "$2"
                    fi
                    squid_reload
                    
                    

                    I still need to find the right trigger, or write a quick cron task that checks dpinger sockets, but pfSense team must already have such a mechanism to add / remove gateways from gateway groups.


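Added example (my code, not edosselio's rc.gateway_alarm edit nor deajan's squid_acl_control.sh above): the same comment/uncomment approach both posts use, taken a step further. It matches the ACL name as the last token of the tcp_outgoing_address line (so a gateway named WAN cannot also hit a WAN2 line), derives up/down from dpinger-style status lines with a loss threshold, and keeps a per-gateway state file so a pass only counts (and would only trigger a squid reload for) a real transition; running it again on the same input is a no-op, which is what deajan's cron idea needs. Assumptions, all mine: the squid ACL name equals the pfSense gateway name, as in the thread; a dpinger status line has the shape `<gwname> <latency_us> <stddev_us> <loss_pct>`, which is how pfSense's gwlb.inc reads the dpinger socket (verify on your release); squid.conf and the status lines are constructed samples in a temp directory so the script runs offline. One caveat the thread does not mention: the pfSense squid package rewrites squid.conf from its saved settings whenever it resyncs (for example a save in the GUI), which undoes in-place edits of this kind until the next alarm.

```shell
#!/bin/sh
# Added example (not from the thread): exact-name toggling of
# tcp_outgoing_address lines, dpinger-style state parsing and change
# detection, so squid is only reloaded on a real gateway transition.
#
# Assumptions (mine): squid ACL name == pfSense gateway name; a dpinger
# status line looks like "<gwname> <latency_us> <stddev_us> <loss_pct>";
# squid.conf below is a constructed sample, not the live file.

WORK="${TMPDIR:-/tmp}/squid_gw_example.$$"
SQUID_CONF="$WORK/squid.conf"
STATE_DIR="$WORK/state"

# Constructed squid.conf: two ACLs whose names share a prefix, which is
# exactly the case an unanchored "WAN" match gets wrong.
init_sample() {
    rm -rf "$WORK"
    mkdir -p "$STATE_DIR"
    cat > "$SQUID_CONF" <<'EOF'
acl WAN src 10.0.0.0/24
acl WAN2 src 10.0.1.0/24
tcp_outgoing_address 192.168.1.2 WAN
tcp_outgoing_address 192.168.2.2 WAN2
EOF
}

# Constructed dpinger-style status lines (not captured from a real box):
# WAN is healthy, WAN2 is at 100% loss.
DPINGER_SAMPLE="WAN 412 38 0
WAN2 25000 9000 100"

# The gateway name must be the last token on the line: WAN never matches WAN2.
# An already-commented line does not match, so '#' never stacks up.
disable_gateway() {
    sed -i.bak "/^tcp_outgoing_address[[:space:]].*[[:space:]]$1[[:space:]]*\$/s/^/#/" "$SQUID_CONF"
}

enable_gateway() {
    sed -i.bak "/^#tcp_outgoing_address[[:space:]].*[[:space:]]$1[[:space:]]*\$/s/^#//" "$SQUID_CONF"
}

# True when the tcp_outgoing_address line for this ACL is currently active.
outgoing_active() {
    grep -q "^tcp_outgoing_address[[:space:]].*[[:space:]]$1[[:space:]]*\$" "$SQUID_CONF"
}

# Classify one gateway from its packet-loss percentage: at or above the
# threshold it is "down", otherwise "up" (awk does the float comparison).
gateway_state() {
    if awk -v l="$1" -v t="$2" 'BEGIN { exit !(l + 0 >= t + 0) }'; then
        echo down
    else
        echo up
    fi
}

# Edit squid.conf and record the state only if it differs from the last
# recorded one. Returns 0 when something changed (reload needed), 1 otherwise.
apply_state() {
    gw="$1"; new="$2"; statefile="$STATE_DIR/$gw"
    old=$(cat "$statefile" 2>/dev/null || echo up)   # an unseen gateway starts as up
    [ "$old" != "$new" ] || return 1
    if [ "$new" = down ]; then
        disable_gateway "$gw"
    else
        enable_gateway "$gw"
    fi
    printf '%s\n' "$new" > "$statefile"
    return 0
}

# One pass over the status lines; prints how many gateways changed state.
# Reload squid only when this is non-zero.
run_pass() {
    threshold="${1:-20}"   # percent loss at which a gateway is pulled from squid
    changed=0
    while read -r gw latency stddev loss; do
        [ -n "$gw" ] || continue
        if apply_state "$gw" "$(gateway_state "$loss" "$threshold")"; then
            changed=$((changed + 1))
        fi
    done <<EOF
$DPINGER_SAMPLE
EOF
    echo "$changed"
}

cleanup() { rm -rf "$WORK"; }

# Stand-alone run: first pass disables WAN2, the rerun finds nothing to do.
init_sample
echo "changed: $(run_pass 20)"            # prints "changed: 1"
cat "$SQUID_CONF"
echo "changed on rerun: $(run_pass 20)"   # prints "changed on rerun: 0"
```

On a real box, replace the constructed sample with one status line per gateway (read from each dpinger socket, or pass the single gateway name that /etc/rc.gateway_alarm receives into apply_state) and run `service squid.sh reload`, as deajan's script does, only when run_pass prints a non-zero count. The `.bak` file sed leaves beside squid.conf is the copy from before the last change.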
                      edosselio
                      last edited by Jun 3, 2016, 9:42 AM

                      Hi, any news? Neither from pfSense team?

                      Your script works, but as you said it must be automatically triggered without user intervention…

                      Edoardo

                        deajan
                        last edited by Jun 3, 2016, 9:55 AM

                        No reply from the pfsense team yet.
                        Still, there would be some other issues to address.

                        I am investigating a hook in /etc/inc/gwlb.inc

                        
                        --- gwlb.inc	2016-05-16 23:22:25.000000000 +0200
                        +++ alt_gwlb.inc	2016-06-01 18:53:48.173676000 +0200
                        @@ -951,12 +951,14 @@
                         						log_error($msg);
                         						notify_via_growl($msg);
                         						notify_via_smtp($msg);
                        +						mwexec("/usr/local/bin/squid_acl_control.sh disable $gwname");
                         					} else {
                         						/* Online add member */
                         						if (!is_array($tiers[$tier])) {
                         							$tiers[$tier] = array();
                         						}
                         						$tiers[$tier][] = $gwname;
                        +						mwexec("/usr/local/bin/squid_acl_control.sh enable $gwname");
                         					}
                         				} else if (isset($gateways_arr[$gwname]['monitor_disable'])) {
                         					$tiers[$tier][] = $gwname;
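Review bot: `$gwname` is interpolated unquoted into the shell command string on both added mwexec() lines; pass it through escapeshellarg() (`mwexec("/usr/local/bin/squid_acl_control.sh disable " . escapeshellarg($gwname));`) so a gateway name containing shell metacharacters cannot change the command. Both calls also sit in the branch that rebuilds the tier membership (`$tiers[$tier][] = $gwname;`), which runs every time the groups array is evaluated and once for each group the gateway belongs to, so the script and its squid reload fire repeatedly while the state is unchanged rather than once per transition; remember the last state per gateway and call the script only when it differs, and guard the call with file_exists() so the hook is a no-op when the script or the squid package is not installed.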
                        
                        

                        I am still waiting for the pfSense team to tell me if there is a better way to implement this.
                        Maybe even good enough to be merged in a next release.


                          edosselio
                          last edited by Jun 7, 2016, 5:44 PM

                          I think you've definitely found a good trigger… by doing this, only the "limit" of having the acl lines and the interfaces with the same name would remain, but at this point, as the Italian proverb goes, "it's better than nothing"... much better ;)
                          Congratulations, I will test your findings as soon as possible, but I'm very hopeful about the success.

                          Have a nice day,

                          Edoardo

                            killmasta93
                            last edited by Feb 11, 2020, 7:41 PM

                            Don't want to necro post, but any updates on this?

                            Tutorials:

                            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                              viktor_g Netgate
                              last edited by May 9, 2020, 3:03 PM

                              Feature request: https://redmine.pfsense.org/issues/10541

                              heper referenced this topic on Dec 26, 2022, 11:07 AM
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.