RE: [squid-users] Squid + Policy-Based Routing +LoadBalancing/Clustering???

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 30 Apr 2007 09:45:01 +0200

On Sun 2007-04-29 at 13:59 -0500, Fiero, Paul wrote:
> Aaahhhh, I see your point. I wasn't thinking before I spoke. To
> bypass the normal route to the outside world would be in violation of
> our security policy and would set a precedent that I don't think our
> CIO is ready to defend

Well, I can't speak for the design of your network. That's your
headache. Can only give you alternatives in how to solve your question.

If you replace a WCCP capable router with one without WCCP or other load
balancing capabilities, and want to still have the same functionality
then something needs to be added between the new router and Squid to
distribute the load and provide fallback if the Squid is not running.

This something may be running on the Squid servers (i.e. Linux LVS +
heartbeat or similar running directly on one of the servers in an HA
setup), or separate (i.e. load balancer, or WCCP capable router). Having
it separate is usually preferred as it is a fairly isolated and
fail-proof thing needing much less administration and maintenance than
the Squid servers.

And I can only second what Amos said. All of this should most likely
take place on the internal side of the firewall. Having servers outside
the firewall, well, kind of defeats the purpose of having a firewall
in the first place.. but if you trust the security awareness and
strictness of everyone maintaining the servers you may obviously have
local firewalls on each server or strictly secured servers, also works
but requires a fair bit more discipline in server maintenance and setup.

Regards
Henrik

Received on Mon Apr 30 2007 - 01:45:06 MDT
