Squid with more than 128 ports?


Squid with more than 128 ports?

Roeeklinger60
Hello,

We have a few Squid proxy servers with a total of around 400 ports, that we have been connecting to directly so far. We have decided that we want to add a cloud instance in the middle of the connections, that will authenticate users and only then send them to the squid instance.

I was thinking of using Squid for that, but we have to use over 400 ports, and I know Squid has a limit of 128. I also know that it is possible to build Squid in a way that will enable more ports than 128, but this comes with a performance hit.

Is it a smart idea to use Squid for this use case or just use a different proxy software that doesn't have this limitation?

Thanks,
Roee

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid with more than 128 ports?

Antony Stone
On Thursday 10 December 2020 at 13:02:19, roee klinger wrote:

> Hello,
>
> We have a few Squid proxy servers with a total of around 400 ports

What do you mean by that?  What are you using 400 ports for?

> We have decided that we want to add a cloud instance in the middle of the
> connections, that will authenticate users and only then send them to the
> squid instance.

What authentication method / protocol do you want to use?

> Is it a smart idea to use Squid for this use case or just use a different
> proxy software that doesn't have this limitation?

I think the best starting point is to ask what sort of authentication you want
to perform (ie: what is the authoritative system which holds the information
about who can authenticate and who cannot), then you can decide on the best
software to use to do that in front of Squid.


Antony.

--
Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated".  
Chocolate covered biscuits, however, are classed as "luxury items" and are
subject to VAT.  McVitie's classed its Jaffa Cakes as cakes, but in 1991 this
was challenged by Her Majesty's Customs and Excise in court.

The question which had to be answered was what criteria should be used to
class something as a cake or a biscuit.  McVitie's defended the classification
of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas
biscuits go soft.  It was demonstrated that Jaffa Cakes become hard when stale
and McVitie's won the case.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid with more than 128 ports?

Roeeklinger60
Hey Anthony,

Giving this a second thought, I believe I didn't explain myself correctly.

I have 5 Squid servers, each listening on 80 ports, I would like to add another
Squid server in the middle of the client and these servers to authenticate users
before sending them to their ports. I already have ACL controls and auth control tools
which I wrote and are working fine.

My question is regarding how to configure this, I have found this configuration online 
but I am not sure how it will work performance-wise with 500+ proxies (could be 1000s in
the future):

http_port 3128 name=port_3128
http_port 3127 name=port_3127
nonhierarchical_direct off
acl port_3128_acl myportname port_3128
acl port_3127_acl myportname port_3127
always_direct deny port_3128_acl
always_direct deny port_3127_acl
never_direct allow port_3128_acl
never_direct allow port_3127_acl
# 3128
cache_peer proxy1 parent 3128 0 proxy-only default name=proxy3128
cache_peer_access proxy3128 allow port_3128_acl
cache_peer_access proxy3128 deny all
# 3127
cache_peer proxy2 parent 3128 0 proxy-only default name=proxy3127
cache_peer_access proxy3127 allow port_3127_acl
cache_peer_access proxy3127 deny all

Combine these 2000+ lines in squid.conf with 2 external ACLs and a custom authenticator,
can this cause a hit on performance or should it be no problem for squid to handle?






Re: Squid with more than 128 ports?

Eliezer Croitoru-3

You should use Haproxy in a Fail-over setup.

Squid is great but it's possible that Haproxy does this much better these days than Squid.

You can leave the authentication on the Squid servers and use the Haproxy as TCP Load balancer.

If you need the client's original IP address you can use the PROXY protocol to send these details between the haproxy and squid.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
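
The layout described in the message above, sketched as an added configuration example (not taken from the thread or from either project's documentation): HAProxy in TCP mode pins each client-facing port to one predefined Squid and forwards the client address with the PROXY protocol, while each Squid keeps doing authentication and accepts PROXY headers only from the front instance. All addresses, section names and server names are assumptions; 192.0.2.0/24 is documentation address space, and the backup servers are assumed to listen on the same port numbers.

```conf
# ---------------------------------------------------------------
# haproxy.cfg on the front instance (assumed address 192.0.2.10)
# ---------------------------------------------------------------
defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# One listen section per client-facing port. Each port has exactly
# one active server, so a user on that port always reaches the same
# Squid; the backup server is used only while the primary fails its
# health check.
listen port_3128
    bind :3128
    server squid1 192.0.2.11:3128 send-proxy check
    server squid2 192.0.2.12:3128 send-proxy check backup

listen port_3127
    bind :3127
    server squid2 192.0.2.12:3127 send-proxy check
    server squid1 192.0.2.11:3127 send-proxy check backup

# ---------------------------------------------------------------
# squid.conf on each backend Squid (shown for port 3128)
# ---------------------------------------------------------------
# Only the front instance may assert a client address via PROXY.
acl front_haproxy src 192.0.2.10

# This port accepts only connections that begin with a PROXY header.
http_port 3128 require-proxy-header

# Trust the header from the front instance and from nobody else;
# without the allow rule every connection to the port is refused.
proxy_protocol_access allow front_haproxy
proxy_protocol_access deny all
```

With this in place, Squid's `src` ACLs and access logs see the address carried in the PROXY header rather than the HAProxy address, and clients can no longer connect to a `require-proxy-header` port directly.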

 


Re: Squid with more than 128 ports?

Roeeklinger60
Hey Eliezer,

Thanks, but actually what I want to achieve is not dynamic load balancing, I want each user to always go to a predefined proxy.

For a failover solution, I will have an outside program checking for failed proxies, and then I will remove them from the list and send the user to a different proxy while I handle the failed ones.

Is Haproxy good for that, or is Squid in the way I proposed OK?

Thanks



Re: Squid with more than 128 ports?

Eliezer Croitoru-3

You can use 2 squid servers with VRRP in front of the other proxies.

I would advise you to learn a little about haproxy authentication methods.

There is a possibility that you will be able to do some things you haven't done until now.

Eliezer