tcp_outgoing_address issue how to deny traffic to other IPs

tcp_outgoing_address issue how to deny traffic to other IPs

Patrick Chemla
Hi,

I have googled for days and can't find the right settings to distribute
outgoing requests over part of the local IPs of my server.

This is my conf I built according to what I found on docs and forums:


Squid Cache: Version 4.0.17

------------

blablabla

blablabla

blablabla

------------

acl Percent001 random 1/5
acl Percent002 random 1/5
acl Percent003 random 1/5
acl Percent004 random 1/5
acl Percent005 random 1/5

server_persistent_connections off


tcp_outgoing_address XX.3X.YYY.10 Percent001
tcp_outgoing_address XX.X3.YYY.21 Percent002
tcp_outgoing_address XX.5X.YYY.31 Percent003
tcp_outgoing_address XX.X9.YYY.34 Percent004
tcp_outgoing_address XX.5X.YYY.38 Percent005

balance_on_multiple_ip on

forwarded_for delete
via off

My problem is that this server has

- a main IP MA.IN.IP.00 of course

- a localhost 127.0.0.1 of course

- some secondary IPs attached to the same interface as the main IP


The input traffic comes through one of the secondaries, and I need the
output traffic to get out randomly through other secondary IPs, with no
squid traffic from the main IP.

When I look at the log, or using network tcpdump analyzer, I can see
that there is squid outgoing traffic on this IP, and I can't find how to
deny tcp_outgoing_address to be on the main IP.

I hope it's clear, and I need help after searching many combinations
for days.

Many thanks

Patrick

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: tcp_outgoing_address issue how to deny traffic to other IPs

Ivan Larionov
Your balancing rules are incorrect. This is how we balance 30% per IP:

# 33% of traffic per local IP
acl third random 1/3
acl half random 1/2

tcp_outgoing_address X.X.X.2 third
tcp_outgoing_address X.X.X.3 half
tcp_outgoing_address X.X.X.4


Basically for 1/5 you need something like this:

acl fifth random 1/5
acl fourth random 1/4
acl third random 1/3
acl half random 1/2

tcp_outgoing_address XX.3X.YYY.10 fifth
tcp_outgoing_address XX.X3.YYY.21 fourth
tcp_outgoing_address XX.5X.YYY.31 third
tcp_outgoing_address XX.X9.YYY.34 half
tcp_outgoing_address XX.5X.YYY.38


On Thu, Feb 22, 2018 at 10:15 AM, Patrick Chemla <[hidden email]> wrote:
--
With best regards, Ivan Larionov.


Re: tcp_outgoing_address issue how to deny traffic to other IPs

Alex Rousskov
In reply to this post by Patrick Chemla
On 02/22/2018 11:15 AM, Patrick Chemla wrote:

> acl Percent001 random 1/5
> acl Percent002 random 1/5
> acl Percent003 random 1/5
> acl Percent004 random 1/5
> acl Percent005 random 1/5

It is trivial to google up wrong configurations. Think about it: Giving
the same "random 1/5" ACL five different names does not make sense,
regardless of what you are trying to do!

As I will show below, you need 4 different ACLs instead (plus "all"):

  acl OneFifth  random 1/5
  acl OneFourth random 1/4
  acl OneThird  random 1/3
  acl OneHalf   random 1/2

> tcp_outgoing_address XX.3X.YYY.10 Percent001
> tcp_outgoing_address XX.X3.YYY.21 Percent002
> tcp_outgoing_address XX.5X.YYY.31 Percent003
> tcp_outgoing_address XX.X9.YYY.34 Percent004
> tcp_outgoing_address XX.5X.YYY.38 Percent005

... and if none of the *random* ACLs match?

You need to make sure that one of the ACLs matches. That cannot be done
with random ACLs alone. You also need to get your probabilities right:


  tcp_outgoing_address XX.3X.YYY.10 OneFifth
  tcp_outgoing_address XX.X3.YYY.21 OneFourth
  tcp_outgoing_address XX.5X.YYY.31 OneThird
  tcp_outgoing_address XX.X9.YYY.34 OneHalf
  tcp_outgoing_address XX.5X.YYY.38 all

If the above looks strange, recall that the first matching
tcp_outgoing_address rule/line wins, and the rules are tested
individually and independently in the order they appear in squid.conf.
The rest is basic probability theory, but it may also help to think about
it in step-by-step terms:

1. Given that there are five possible addresses, how much traffic should
the first out of those five addresses receive? Obviously 1/5.

2. Now, if the first rule did not match, then there are four addresses
left. Given that there are four possible addresses, how much traffic
should the first out of those four addresses receive? Obviously 1/4.

...


> When I look at the log, or using network tcpdump analyzer, I can see
> that there is squid outgoing traffic on this IP

Yes, AFAICT, your rules did not tell Squid to use a specific secondary
IP in 33% of cases: (1-1/5)^5 = 0.33


HTH,

Alex.
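The rule ladder that Ivan and Alex describe, worked through as an added Python example (it is not code from the thread or from the Squid project): it computes exactly what share of traffic each tcp_outgoing_address line receives under first-match-wins evaluation, both for Patrick's original five independent "random 1/5" ACLs and for the 1/5, 1/4, 1/3, 1/2, all ladder, and it generalises the ladder to any number of addresses. The addresses are constructed placeholders from the 192.0.2.0/24 documentation range, the OneOfN ACL names are my own convention, and the evaluation model (each line tested independently, in order, first match wins, unmatched traffic gets no tcp_outgoing_address at all) is taken from Alex's description of the semantics, not from Squid source.

```python
from fractions import Fraction
import random

# Constructed placeholder addresses (RFC 5737 documentation range); the thread's
# real addresses are masked as XX.3X.YYY.10 and so on.
ADDRESSES = ["192.0.2.10", "192.0.2.21", "192.0.2.31", "192.0.2.34", "192.0.2.38"]


def broken_rules(addresses):
    """Patrick's original config: every line guarded by an independent 'random 1/5'."""
    n = len(addresses)
    return [(addr, Fraction(1, n)) for addr in addresses]


def cascade_rules(addresses):
    """The ladder Ivan and Alex propose: with k addresses still unassigned, the next
    line takes 1/k of whatever traffic reached it; the last line is 'all' (1/1)."""
    n = len(addresses)
    return [(addr, Fraction(1, n - i)) for i, addr in enumerate(addresses)]


def exact_distribution(rules):
    """Exact share per address under first-match-wins evaluation.

    Each line is tested independently, so the share reaching line i is the product
    of (1 - p_j) over all earlier lines j. Whatever survives every line is
    'unmatched': no tcp_outgoing_address applies and the OS picks the source
    address, which is the main-IP traffic Patrick saw in tcpdump.
    """
    shares = {}
    remaining = Fraction(1)
    for addr, p in rules:
        shares[addr] = remaining * p
        remaining *= 1 - p
    shares["unmatched"] = remaining
    return shares


def render_squid_conf(rules):
    """Emit acl + tcp_outgoing_address lines for a rule list. ACL names follow my
    own OneOfN convention; identical probabilities share one ACL definition, which
    is Alex's point that five copies of 'random 1/5' under different names add
    nothing."""
    acl_lines = []
    rule_lines = []
    for addr, p in rules:
        if p == 1:
            rule_lines.append(f"tcp_outgoing_address {addr} all")
            continue
        name = f"OneOf{p.denominator}"
        acl = f"acl {name} random {p.numerator}/{p.denominator}"
        if acl not in acl_lines:
            acl_lines.append(acl)
        rule_lines.append(f"tcp_outgoing_address {addr} {name}")
    return acl_lines + [""] + rule_lines


def simulate(rules, requests=100_000, seed=1):
    """Monte Carlo check of exact_distribution: per request, walk the lines in
    order, each 'random' ACL firing independently, first match wins."""
    rng = random.Random(seed)
    counts = {addr: 0 for addr, _ in rules}
    counts["unmatched"] = 0
    for _ in range(requests):
        for addr, p in rules:
            if rng.random() < float(p):
                counts[addr] += 1
                break
        else:
            counts["unmatched"] += 1
    return counts


if __name__ == "__main__":
    for label, rules in (("broken", broken_rules(ADDRESSES)),
                         ("cascade", cascade_rules(ADDRESSES))):
        print(f"== {label} ==")
        print("\n".join(render_squid_conf(rules)))
        for key, share in exact_distribution(rules).items():
            print(f"  {key:<12} exact share {float(share):.4f}")
        print("  simulated:", simulate(rules))
```

Running it shows the broken config leaving (4/5)^5 = 0.32768 of requests with no matching line, the 33% Alex computes, while the ladder gives each address exactly 1/5 and leaves nothing unmatched. The same exact_distribution check is worth running on any hand-written ladder before deploying it, since a single wrong denominator silently shifts traffic back onto the default source address.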

Re: tcp_outgoing_address issue how to deny traffic to other IPs

Alex Rousskov
In reply to this post by Ivan Larionov
On 02/22/2018 02:52 PM, Ivan Larionov wrote:
> Your balancing rules are incorrect. This is how we balance 30% per IP:

You won the race! Perhaps our similar emails will increase the page rank
of the correct answers to this FAQ. :-).

Alex.

Re: tcp_outgoing_address issue how to deny traffic to other IPs

Patrick Chemla
Hi Alex, Ivan,

I finally found time to change/test the squid config to load balance on
outgoing IPs, and thank you very much, it works very well. All traffic
is now output according to the rules to the right IPs.

For another question I will open a new thread.

Many many thanks.

Patrick


On 23/02/2018 at 00:09, Alex Rousskov wrote:
