On Thu, Feb 23, 2006 at 06:04:31PM +0200, [EMAIL PROTECTED] wrote:
> Dear misc readers.
> I have a Soekris box to do basic nat/rdr on my home network; one computer
> is a squid proxy server, and client machines' HTTP requests are
> redirected to that machine through the Soekris box. Now I would like to
> have some kind of basic fail-over mechanism for it, so that if the squid
> proxy machine is not available, it would redirect the requests to
> another proxy server, in this case the one that the ISP offers, but only
> until the main squid machine is available again. What kind of basic
> solutions would you recommend?
For sufficiently basic stuff, there's no reason not to go with a cron
job run as root. Create /etc/pf.conf and /etc/pf.conf.failover, then do
a lynx -dump www.google.com or whatever your site of choice is. Be sure
to set http_proxy in the environment first.
Once this is set up, go with something like the following (which looks
long, but it's really only ten lines plus exception handling), run from
cron, say, every five minutes.
#!/bin/sh
# Run from root's crontab every five minutes.  State files used:
#   /etc/pf.nofailover         - create by hand to stop the script failing over
#   /var/run/fw.error          - set here after a failed pfctl; nothing more
#                                happens until an admin removes it
#   /var/run/fw.running_backup - present while /etc/pf.conf.failover is loaded

# Stall completely while a previous failure is waiting for a human.
[ -e /var/run/fw.error ] && exit 0

TMPFILE=`mktemp /tmp/fw.XXXXXX` || exit 1

# lynx takes the proxy from the environment and expects a URL; 3128 is
# squid's default port and my.proxy.net stands in for the squid host.
http_proxy='http://my.proxy.net:3128/'
export http_proxy

if lynx -dump www.google.com >/dev/null 2>&1; then
    # The proxy answered: if the backup ruleset is loaded, go back to normal.
    if [ -e /var/run/fw.running_backup ]; then
        if pfctl -f /etc/pf.conf >$TMPFILE 2>&1; then
            if rm /var/run/fw.running_backup; then
                echo 'ok' | mail -s 'Firewall failback' root
            else
                { touch /var/run/fw.error
                  echo 'Could not remove'
                  echo '/var/run/fw.running_backup?!'
                } 2>&1 | mail -s 'Firewall failback: weird error' root
            fi
        else
            { touch /var/run/fw.error
              echo 'Failed:'
              echo
              cat $TMPFILE
              echo 'Please fix /etc/pf.conf or whatever caused'
              echo 'the failure and remove /var/run/fw.error'
            } 2>&1 | mail -s 'Firewall failed to failback; stalled' root
        fi
    fi
else
    # The proxy did not answer: if the normal ruleset is still loaded (and
    # failover has not been disabled), switch to the backup ruleset.
    if ! [ -e /var/run/fw.running_backup ] && ! [ -e /etc/pf.nofailover ]; then
        if pfctl -f /etc/pf.conf.failover >$TMPFILE 2>&1; then
            if touch /var/run/fw.running_backup; then
                echo 'ok' | mail -s 'Firewall failover' root
            else
                { touch /var/run/fw.error
                  echo 'Could not touch'
                  echo '/var/run/fw.running_backup'
                } 2>&1 | mail -s 'Firewall failover: weird error' root
            fi
        else
            { touch /var/run/fw.error
              echo 'Failed:'
              echo
              cat $TMPFILE
              echo 'Please fix /etc/pf.conf.failover or whatever'
              echo 'caused the failure and remove'
              echo '/var/run/fw.error'
            } 2>&1 | mail -s 'Firewall failed to failover; stalled' root
        fi
    fi
fi
rm -f $TMPFILE
This is of course rather simplistic (and only guards against the proxy
malfunctioning completely - no attempt is made to detect a proxy that
will only serve up cached pages, for instance), and it should be
possible to improve upon this design, but for a quick and dirty
solution, it works fine. I suppose - I haven't tested it.
Of course, this isn't exactly realtime failover. It should be very much
possible to get (near-)realtime failover, but that will be quite a bit
more difficult. Feel free to ask if that's what you're looking for.
Joachim
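As an added illustration (not from the original thread) of the two files the reply says to create: a normal /etc/pf.conf that intercepts LAN port-80 traffic and hands it to the local squid, and a /etc/pf.conf.failover that differs only in where the rdr sends it. Interface names, addresses and the ISP proxy port are placeholders; it assumes squid runs in transparent (intercepting) mode on 3128 and that the ISP proxy accepts intercepted requests, which a plain forward proxy may not.

```pf
# /etc/pf.conf -- normal ruleset: intercept LAN HTTP and hand it to squid
ext_if  = "sis0"               # placeholder interface names
int_if  = "sis1"
int_net = "192.168.1.0/24"     # constructed addresses
squid   = "192.168.1.10"       # local squid host, transparent mode on 3128

set skip on lo
scrub in all

# squid's own outbound fetches also enter on $int_if; never loop them back.
no rdr on $int_if proto tcp from $squid to any port 80
rdr on $int_if proto tcp from $int_net to any port 80 -> $squid port 3128

nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny inbound; the LAN may go out, nothing unsolicited comes in.
block in all
pass out all keep state
pass in on $int_if from $int_net to any keep state

# /etc/pf.conf.failover -- identical, except that port 80 goes to the ISP
# proxy; pfctl -f replaces the whole ruleset, so keep the rest in sync.
isp_proxy = "203.0.113.8"      # placeholder (RFC 5737 documentation range)
rdr on $int_if proto tcp from $int_net to any port 80 -> $isp_proxy port 8080
```

Check both files with pfctl -nf before relying on the cron job, since a syntax error in either one is exactly what leaves the script stalled.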