On 16/05/18 02:09, Eliezer Croitoru wrote:
> Hey Squid-Dev,
>
> I am in the middle of writing a load balancer \ router (almost done) for
> squid with TPROXY in it.
>
> The load balancer sits on the Squid machine and intercepts the connections.
>
> I want to send Squid instances a new connection on a PROXY protocol
> enabled http_port but that squid will use TPROXY on the outgoing
> connection based on the PROXY protocol details.
>
> Would it be possible? I think it should but not sure.

Maybe. Since both pieces of software are on the same machine it should get
past the kernel protections against arbitrary spoofing.

You will have to check that BOTH dst-IP:port and src-IP:port pairs are
correctly relayed by the PROXY protocol. If not, the TPROXY will end up with
mangled socket state and undefined behaviour (probably breakage).

> My plan is to try and load balance connections between multiple squid
> instances\workers for filtering purposes and PIN each of the instances
> to a CPU (20+ cores Physical host).
>
> How reasonable is this idea?

You don't need a custom LB. iptables is sufficient, or other firewalls if
you have a non-Linux machine.
<https://wiki.squid-cache.org/ConfigExamples/ExtremeCarpFrontend#Frontend_Balancer_Alternative_1:_iptables>

You should be able to fit those LB lines into a normal TPROXY config. Just
replace the "-j REDIRECT" with the "-j TPROXY --tproxy-mark ...".

Amos

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
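The check Amos describes, that BOTH the src-IP:port and dst-IP:port pairs arrive intact through the PROXY protocol before a TPROXY outgoing socket is bound from them, as an added example that is not part of the thread and not Squid's or any load balancer's own code. It parses a PROXY protocol v1 header (the `PROXY TCP4|TCP6 src dst srcport dstport\r\n` line defined by the PROXY protocol specification) and then applies a usability test; the `ProxyV1` type, the `parse_proxy_v1` and `usable_for_tproxy` functions and all sample headers are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Longest legal v1 header line including CRLF, per the PROXY protocol spec.
MAX_V1_HEADER = 107


@dataclass(frozen=True)
class ProxyV1:
    family: str     # "TCP4" or "TCP6"
    src_ip: str     # original client address: the address TPROXY would spoof
    src_port: int
    dst_ip: str     # original destination address the client connected to
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyV1], bytes]:
    """Parse a PROXY protocol v1 header at the start of `data`.

    Returns (header, remaining_bytes). The header is None for "PROXY UNKNOWN",
    which carries no addresses at all. Raises ValueError on malformed input so
    a caller never binds a TPROXY socket from a half-relayed header.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("v1 header missing CRLF or too long")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    fields = line.decode("ascii").split(" ")   # UnicodeDecodeError is a ValueError
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY line: %r" % line)
    family, src, dst, sport, dport = fields[1:]
    want_version = 4 if family == "TCP4" else 6
    for ip in (src, dst):
        # ip_address() itself raises ValueError on garbage; also reject v4/v6 mixups.
        if ipaddress.ip_address(ip).version != want_version:
            raise ValueError("address %s does not match family %s" % (ip, family))
    ports = []
    for p in (sport, dport):
        # Decimal, no leading zeros, within the TCP port range.
        if not p.isdigit() or p != str(int(p)) or not 0 <= int(p) <= 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    return ProxyV1(family, src, ports[0], dst, ports[1]), rest


def usable_for_tproxy(hdr: Optional[ProxyV1]) -> bool:
    """True only when both relayed pairs are complete enough to spoof from:
    no UNKNOWN header, no unspecified address (0.0.0.0 / ::) and no port 0
    on either side. Anything else should fall back to a normal, non-spoofed
    outgoing connection rather than risk the mangled socket state."""
    if hdr is None:
        return False
    for ip, port in ((hdr.src_ip, hdr.src_port), (hdr.dst_ip, hdr.dst_port)):
        if ipaddress.ip_address(ip).is_unspecified or port == 0:
            return False
    return True


# Constructed sample input: a complete v1 header followed by the start of the
# client's HTTP request, as a balancer would deliver it to an http_port.
SAMPLE_GOOD = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 80\r\nGET / HTTP/1.1\r\n"
# Constructed: header that parses but cannot be used for spoofing.
SAMPLE_UNSPECIFIED = b"PROXY TCP4 0.0.0.0 198.51.100.5 0 80\r\n"
# Constructed: the balancer could not determine the original addresses.
SAMPLE_UNKNOWN = b"PROXY UNKNOWN\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_UNSPECIFIED, SAMPLE_UNKNOWN):
        hdr, rest = parse_proxy_v1(sample)
        print(hdr, "tproxy-usable:", usable_for_tproxy(hdr), "payload:", rest)
```

The parser raises on the cases that would otherwise silently corrupt the outgoing socket (missing CRLF, v4 address under TCP6, non-numeric port), while `usable_for_tproxy` separates "parsed" from "safe to spoof": an UNKNOWN header or a 0.0.0.0:0 source is valid PROXY protocol but gives TPROXY nothing it can legitimately bind.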