squid random outgoing ip/interface selection

If you want to configure squid 2.7 or newer to load balance outgoing connections across several IP addresses in a random or round-robin fashion, here is how you can do it:

It can be done, but unfortunately it is not as easy as setting “balance_on_multiple_ip on” in squid.conf. That option load balances across the multiple IP addresses of a remote server, not across your outgoing addresses. If you type “nslookup google.com”, you will see that Google uses multiple IP addresses for this domain: 74.125.155.99, 74.125.155.105, 74.125.155.106, 74.125.155.147 and 74.125.155.103. With “balance_on_multiple_ip on” squid will balance the load between these addresses.

Setting up squid for round-robin outgoing network interface usage is based on the following fact: although squid can’t round-robin outgoing interfaces, it can round-robin parent proxy servers. So the solution is to configure squid as both child and parent, round-robin among its own parent instances, and set up each parent instance to use a specific outgoing interface.

In this sample configuration we’ll set up squid to accept client connections on the 192.168.0.1 address and randomly use the outgoing interfaces 10.0.0.1, 10.0.0.2 and 10.0.0.3. I use 10.0.0.x for demonstration purposes; in a real config these will most likely be replaced with public Internet IPs.

1) Configure squid to listen on all of these interfaces (config directive http_port). 192.168.0.1 will be used by users, while the 10.0.0.x addresses will be fake parent proxy servers that squid connects to itself:

http_port 192.168.0.1:3128
http_port 10.0.0.1:3128
http_port 10.0.0.2:3128
http_port 10.0.0.3:3128

2) Now let’s force it to use the same outgoing interface the request came in on, using some ACLs and the tcp_outgoing_address directive:

acl src_01 src 10.0.0.1
acl src_02 src 10.0.0.2
acl src_03 src 10.0.0.3
tcp_outgoing_address 10.0.0.1 src_01
tcp_outgoing_address 10.0.0.2 src_02
tcp_outgoing_address 10.0.0.3 src_03

You can use myip instead of src here. At this point you can also start your squid server and make sure that the configuration indeed works: set one of the outgoing interface addresses as your browser proxy and navigate to http://www.whatismyip.com/. You should always see the address of the interface that you use.

3) Now let’s set up cache peers that point squid to itself:

acl first_req src 192.168.0.0/16
acl second_req src 10.0.0.0/24
cache_peer 10.0.0.1 parent 3128 0 round-robin no-query
cache_peer 10.0.0.2 parent 3128 0 round-robin no-query
cache_peer 10.0.0.3 parent 3128 0 round-robin no-query
cache_peer_access 10.0.0.1 allow first_req
cache_peer_access 10.0.0.2 allow first_req
cache_peer_access 10.0.0.3 allow first_req
cache_peer_access 10.0.0.1 deny second_req
cache_peer_access 10.0.0.2 deny second_req
cache_peer_access 10.0.0.3 deny second_req
never_direct allow first_req
never_direct deny second_req

The ACLs and cache_peer_access directives ensure that squid will not forward the request to itself indefinitely, by denying access to the “parent” caches for requests that came in from the public interfaces. The “never_direct” directives make sure that POST requests are distributed too.

At this point you can set 192.168.0.1:3128 as the proxy server in your browser and make sure that each time you connect a random outgoing interface is selected and that this outgoing interface changes periodically.

4) Additional things you can do:

  • Set up ACLs to prevent external users from accessing squid on the public outgoing interfaces (you can also just use a firewall to achieve the same effect).
  • You can use a port number rather than an interface to identify the fake parent caches and thus avoid listening on the outgoing interfaces altogether.
  • If you are setting up squid just for load balancing and request forwarding, you can disable the disk cache with the configuration directive “cache_dir null /null” and thereby improve proxy performance.
  • Make the proxy anonymous by using the “header_access” and “forwarded_for off” directives.

You can achieve similar effects by using the “random” ACL that was introduced in squid 3.2. However, if you are like me (running on Windows and too lazy to compile your own stuff), you only have access to Squid 3.0 binaries, which don’t have this feature yet.
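The configuration from steps 1 to 3 becomes tedious to write by hand once there are more than a handful of outgoing addresses (the full config in the comments below spells it out for about fifty). The generator below is an added example, not code from the original post or the Squid project: it emits the interface-based fragment for any list of outgoing addresses, plus the port-based variant from the tips above, using only directives that appear on this page together with the myip, myport and cache_peer name= options. The ACL names out_NN, parent_if and peerNN are my own.

```python
"""Generate the squid.conf fragment from the post for any number of outgoing
addresses.  Added example, not code from the original post or the Squid
project; directive spellings are those used on the page (squid 2.7 / 3.0)."""

CLIENT_NET = "192.168.0.0/16"   # where real clients come from (post's first_req)


def _tail():
    # never_direct forces client requests through a "parent" (so POST is
    # balanced too); the deny rule lets the second hop go out directly.
    # The last line follows a commenter's report below that persistent
    # server connections ignore tcp_outgoing_address.
    return ["never_direct allow first_req", "never_direct deny second_req",
            "server_persistent_connections off"]


def interface_mode(listen_ip, outgoing, port=3128, self_net="10.0.0.0/24"):
    """Steps 1-3 of the post: one http_port per outgoing address and squid
    peering with itself on each of them.  Returns the config as lines."""
    lines = [f"http_port {listen_ip}:{port}"]
    lines += [f"http_port {ip}:{port}" for ip in outgoing]
    lines += [f"acl first_req src {CLIENT_NET}",
              f"acl second_req src {self_net}",
              "acl parent_if myip " + " ".join(outgoing),
              # first tip of the post: only squid itself may talk to the
              # fake parents; put this before your other http_access rules
              # (it also blocks the step-2 browser test on those addresses)
              "http_access deny parent_if !second_req"]
    for i, ip in enumerate(outgoing, 1):
        # step 2: leave on the interface the request arrived on (myip is
        # the alternative the post mentions; it does not depend on routing)
        lines += [f"acl out_{i:02d} myip {ip}",
                  f"tcp_outgoing_address {ip} out_{i:02d}"]
    for ip in outgoing:
        # step 3: squid's own listeners become round-robin parents; requests
        # that already came from a parent address must not loop back
        lines += [f"cache_peer {ip} parent {port} 0 round-robin no-query",
                  f"cache_peer_access {ip} allow first_req",
                  f"cache_peer_access {ip} deny second_req"]
    return lines + _tail()


def port_mode(listen_ip, outgoing, port=3128, base_port=3129):
    """Second tip of the post: tell the fake parents apart by port on loopback
    so squid need not listen on the public outgoing interfaces at all.
    Assumes http_access permits 127.0.0.1 (squid's stock 'localhost' acl)."""
    ports = [base_port + i for i in range(len(outgoing))]
    lines = [f"http_port {listen_ip}:{port}"]
    lines += [f"http_port 127.0.0.1:{p}" for p in ports]
    lines += [f"acl first_req src {CLIENT_NET}",
              "acl second_req myport " + " ".join(map(str, ports))]
    for i, (ip, p) in enumerate(zip(outgoing, ports), 1):
        peer = f"peer{i:02d}"
        lines += [f"acl out_{i:02d} myport {p}",
                  f"tcp_outgoing_address {ip} out_{i:02d}",
                  # name= is required because every peer is the same host
                  f"cache_peer 127.0.0.1 parent {p} 0 round-robin no-query name={peer}",
                  f"cache_peer_access {peer} allow first_req",
                  f"cache_peer_access {peer} deny second_req"]
    return lines + _tail()


if __name__ == "__main__":
    # the post's three demo addresses; paste the output into squid.conf
    print("\n".join(interface_mode("192.168.0.1",
                                   ["10.0.0.1", "10.0.0.2", "10.0.0.3"])))
```

In either mode the loop-prevention pair (cache_peer_access deny second_req plus never_direct deny second_req) is what stops a request from bouncing between squid's own listeners, so check those lines first if a request ever ends up in a forwarding loop.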

4 comments to squid random outgoing ip/interface selection

  • Leon Stein

    Thanks for a great writeup! One thing I’ve discovered with this setup is that Squid persistent connections disregard tcp_outgoing_address directive, so they need to be disabled to properly round-robin requests going to the same host:

    server_persistent_connections off

  • William

    Could you please post or email me a complete example configuration of this setup?

  • Keres

    Please post or email a copy of this configuration.

    I am trying to replicate this configuration with authentication, I have passed the login= options to the cache_peer directives. I am only able to exit the IPs that I enter in on. I do not seem to be able to completely replicate your configuration.

  • admin

    Here’s the copy of my config with comments removed and specific IP addresses masked:

    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src x.x.x.0/24
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow localnet
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    http_port 192.168.0.101:9000
    http_port x.x.x.228:9000
    http_port x.x.x.229:9000
    http_port x.x.x.230:9000
    http_port x.x.x.231:9000
    http_port x.x.x.232:9000
    http_port x.x.x.233:9000
    http_port x.x.x.234:9000
    http_port x.x.x.235:9000
    http_port x.x.x.236:9000
    http_port x.x.x.237:9000
    http_port x.x.x.238:9000
    http_port x.x.x.239:9000
    http_port x.x.x.240:9000
    http_port x.x.x.241:9000
    http_port x.x.x.242:9000
    http_port x.x.x.243:9000
    http_port x.x.x.244:9000
    http_port x.x.x.245:9000
    http_port x.x.x.246:9000
    http_port x.x.x.247:9000
    http_port x.x.x.248:9000
    http_port x.x.x.249:9000
    http_port x.x.x.250:9000
    http_port x.x.x.251:9000
    http_port x.x.x.34:9000
    http_port x.x.x.35:9000
    http_port x.x.x.36:9000
    http_port x.x.x.37:9000
    http_port x.x.x.38:9000
    http_port x.x.x.39:9000
    http_port x.x.x.40:9000
    http_port x.x.x.41:9000
    http_port x.x.x.42:9000
    http_port x.x.x.43:9000
    http_port x.x.x.44:9000
    http_port x.x.x.45:9000
    http_port x.x.x.46:9000
    http_port x.x.x.47:9000
    http_port x.x.x.48:9000
    http_port x.x.x.49:9000
    http_port x.x.x.50:9000
    http_port x.x.x.51:9000
    http_port x.x.x.52:9000
    http_port x.x.x.53:9000
    http_port x.x.x.54:9000
    http_port x.x.x.55:9000
    http_port x.x.x.56:9000
    http_port x.x.x.57:9000
    http_port x.x.x.58:9000
    http_port x.x.x.59:9000
    acl src_x_x_x_228 src x.x.x.228
    acl src_x_x_x_229 src x.x.x.229
    acl src_x_x_x_230 src x.x.x.230
    acl src_x_x_x_231 src x.x.x.231
    acl src_x_x_x_232 src x.x.x.232
    acl src_x_x_x_233 src x.x.x.233
    acl src_x_x_x_234 src x.x.x.234
    acl src_x_x_x_235 src x.x.x.235
    acl src_x_x_x_236 src x.x.x.236
    acl src_x_x_x_237 src x.x.x.237
    acl src_x_x_x_238 src x.x.x.238
    acl src_x_x_x_239 src x.x.x.239
    acl src_x_x_x_240 src x.x.x.240
    acl src_x_x_x_241 src x.x.x.241
    acl src_x_x_x_242 src x.x.x.242
    acl src_x_x_x_243 src x.x.x.243
    acl src_x_x_x_244 src x.x.x.244
    acl src_x_x_x_245 src x.x.x.245
    acl src_x_x_x_246 src x.x.x.246
    acl src_x_x_x_247 src x.x.x.247
    acl src_x_x_x_248 src x.x.x.248
    acl src_x_x_x_249 src x.x.x.249
    acl src_x_x_x_250 src x.x.x.250
    acl src_x_x_x_251 src x.x.x.251
    acl src_x_x_x_34 src x.x.x.34
    acl src_x_x_x_35 src x.x.x.35
    acl src_x_x_x_36 src x.x.x.36
    acl src_x_x_x_37 src x.x.x.37
    acl src_x_x_x_38 src x.x.x.38
    acl src_x_x_x_39 src x.x.x.39
    acl src_x_x_x_40 src x.x.x.40
    acl src_x_x_x_41 src x.x.x.41
    acl src_x_x_x_42 src x.x.x.42
    acl src_x_x_x_43 src x.x.x.43
    acl src_x_x_x_44 src x.x.x.44
    acl src_x_x_x_45 src x.x.x.45
    acl src_x_x_x_46 src x.x.x.46
    acl src_x_x_x_47 src x.x.x.47
    acl src_x_x_x_48 src x.x.x.48
    acl src_x_x_x_49 src x.x.x.49
    acl src_x_x_x_50 src x.x.x.50
    acl src_x_x_x_51 src x.x.x.51
    acl src_x_x_x_52 src x.x.x.52
    acl src_x_x_x_53 src x.x.x.53
    acl src_x_x_x_54 src x.x.x.54
    acl src_x_x_x_55 src x.x.x.55
    acl src_x_x_x_56 src x.x.x.56
    acl src_x_x_x_57 src x.x.x.57
    acl src_x_x_x_58 src x.x.x.58
    acl src_x_x_x_59 src x.x.x.59
    acl first_req src 192.168.0.0/16 # RFC1918 possible internal network
    acl second_req src x.x.x.0/24
    cache_peer x.x.x.228 parent 9000 0 round-robin no-query
    cache_peer x.x.x.229 parent 9000 0 round-robin no-query
    cache_peer x.x.x.230 parent 9000 0 round-robin no-query
    cache_peer x.x.x.231 parent 9000 0 round-robin no-query
    cache_peer x.x.x.232 parent 9000 0 round-robin no-query
    cache_peer x.x.x.233 parent 9000 0 round-robin no-query
    cache_peer x.x.x.234 parent 9000 0 round-robin no-query
    cache_peer x.x.x.235 parent 9000 0 round-robin no-query
    cache_peer x.x.x.236 parent 9000 0 round-robin no-query
    cache_peer x.x.x.237 parent 9000 0 round-robin no-query
    cache_peer x.x.x.238 parent 9000 0 round-robin no-query
    cache_peer x.x.x.239 parent 9000 0 round-robin no-query
    cache_peer x.x.x.240 parent 9000 0 round-robin no-query
    cache_peer x.x.x.241 parent 9000 0 round-robin no-query
    cache_peer x.x.x.242 parent 9000 0 round-robin no-query
    cache_peer x.x.x.243 parent 9000 0 round-robin no-query
    cache_peer x.x.x.244 parent 9000 0 round-robin no-query
    cache_peer x.x.x.245 parent 9000 0 round-robin no-query
    cache_peer x.x.x.246 parent 9000 0 round-robin no-query
    cache_peer x.x.x.247 parent 9000 0 round-robin no-query
    cache_peer x.x.x.248 parent 9000 0 round-robin no-query
    cache_peer x.x.x.249 parent 9000 0 round-robin no-query
    cache_peer x.x.x.250 parent 9000 0 round-robin no-query
    cache_peer x.x.x.251 parent 9000 0 round-robin no-query
    cache_peer x.x.x.34 parent 9000 0 round-robin no-query
    cache_peer x.x.x.35 parent 9000 0 round-robin no-query
    cache_peer x.x.x.36 parent 9000 0 round-robin no-query
    cache_peer x.x.x.37 parent 9000 0 round-robin no-query
    cache_peer x.x.x.38 parent 9000 0 round-robin no-query
    cache_peer x.x.x.39 parent 9000 0 round-robin no-query
    cache_peer x.x.x.40 parent 9000 0 round-robin no-query
    cache_peer x.x.x.41 parent 9000 0 round-robin no-query
    cache_peer x.x.x.42 parent 9000 0 round-robin no-query
    cache_peer x.x.x.43 parent 9000 0 round-robin no-query
    cache_peer x.x.x.44 parent 9000 0 round-robin no-query
    cache_peer x.x.x.45 parent 9000 0 round-robin no-query
    cache_peer x.x.x.46 parent 9000 0 round-robin no-query
    cache_peer x.x.x.47 parent 9000 0 round-robin no-query
    cache_peer x.x.x.48 parent 9000 0 round-robin no-query
    cache_peer x.x.x.49 parent 9000 0 round-robin no-query
    cache_peer x.x.x.50 parent 9000 0 round-robin no-query
    cache_peer x.x.x.51 parent 9000 0 round-robin no-query
    cache_peer x.x.x.52 parent 9000 0 round-robin no-query
    cache_peer x.x.x.53 parent 9000 0 round-robin no-query
    cache_peer x.x.x.54 parent 9000 0 round-robin no-query
    cache_peer x.x.x.55 parent 9000 0 round-robin no-query
    cache_peer x.x.x.56 parent 9000 0 round-robin no-query
    cache_peer x.x.x.57 parent 9000 0 round-robin no-query
    cache_peer x.x.x.58 parent 9000 0 round-robin no-query
    cache_peer x.x.x.59 parent 9000 0 round-robin no-query
    cache_peer_access x.x.x.228 allow first_req
    cache_peer_access x.x.x.229 allow first_req
    cache_peer_access x.x.x.230 allow first_req
    cache_peer_access x.x.x.231 allow first_req
    cache_peer_access x.x.x.232 allow first_req
    cache_peer_access x.x.x.233 allow first_req
    cache_peer_access x.x.x.234 allow first_req
    cache_peer_access x.x.x.235 allow first_req
    cache_peer_access x.x.x.236 allow first_req
    cache_peer_access x.x.x.237 allow first_req
    cache_peer_access x.x.x.238 allow first_req
    cache_peer_access x.x.x.239 allow first_req
    cache_peer_access x.x.x.240 allow first_req
    cache_peer_access x.x.x.241 allow first_req
    cache_peer_access x.x.x.242 allow first_req
    cache_peer_access x.x.x.243 allow first_req
    cache_peer_access x.x.x.244 allow first_req
    cache_peer_access x.x.x.245 allow first_req
    cache_peer_access x.x.x.246 allow first_req
    cache_peer_access x.x.x.247 allow first_req
    cache_peer_access x.x.x.248 allow first_req
    cache_peer_access x.x.x.249 allow first_req
    cache_peer_access x.x.x.250 allow first_req
    cache_peer_access x.x.x.251 allow first_req
    cache_peer_access x.x.x.34 allow first_req
    cache_peer_access x.x.x.35 allow first_req
    cache_peer_access x.x.x.36 allow first_req
    cache_peer_access x.x.x.37 allow first_req
    cache_peer_access x.x.x.38 allow first_req
    cache_peer_access x.x.x.39 allow first_req
    cache_peer_access x.x.x.40 allow first_req
    cache_peer_access x.x.x.41 allow first_req
    cache_peer_access x.x.x.42 allow first_req
    cache_peer_access x.x.x.43 allow first_req
    cache_peer_access x.x.x.44 allow first_req
    cache_peer_access x.x.x.45 allow first_req
    cache_peer_access x.x.x.46 allow first_req
    cache_peer_access x.x.x.47 allow first_req
    cache_peer_access x.x.x.48 allow first_req
    cache_peer_access x.x.x.49 allow first_req
    cache_peer_access x.x.x.50 allow first_req
    cache_peer_access x.x.x.51 allow first_req
    cache_peer_access x.x.x.52 allow first_req
    cache_peer_access x.x.x.53 allow first_req
    cache_peer_access x.x.x.54 allow first_req
    cache_peer_access x.x.x.55 allow first_req
    cache_peer_access x.x.x.56 allow first_req
    cache_peer_access x.x.x.57 allow first_req
    cache_peer_access x.x.x.58 allow first_req
    cache_peer_access x.x.x.59 allow first_req
    cache_peer_access x.x.x.228 deny second_req
    cache_peer_access x.x.x.229 deny second_req
    cache_peer_access x.x.x.230 deny second_req
    cache_peer_access x.x.x.231 deny second_req
    cache_peer_access x.x.x.232 deny second_req
    cache_peer_access x.x.x.233 deny second_req
    cache_peer_access x.x.x.234 deny second_req
    cache_peer_access x.x.x.235 deny second_req
    cache_peer_access x.x.x.236 deny second_req
    cache_peer_access x.x.x.237 deny second_req
    cache_peer_access x.x.x.238 deny second_req
    cache_peer_access x.x.x.239 deny second_req
    cache_peer_access x.x.x.240 deny second_req
    cache_peer_access x.x.x.241 deny second_req
    cache_peer_access x.x.x.242 deny second_req
    cache_peer_access x.x.x.243 deny second_req
    cache_peer_access x.x.x.244 deny second_req
    cache_peer_access x.x.x.245 deny second_req
    cache_peer_access x.x.x.246 deny second_req
    cache_peer_access x.x.x.247 deny second_req
    cache_peer_access x.x.x.248 deny second_req
    cache_peer_access x.x.x.249 deny second_req
    cache_peer_access x.x.x.250 deny second_req
    cache_peer_access x.x.x.251 deny second_req
    cache_peer_access x.x.x.34 deny second_req
    cache_peer_access x.x.x.35 deny second_req
    cache_peer_access x.x.x.36 deny second_req
    cache_peer_access x.x.x.37 deny second_req
    cache_peer_access x.x.x.38 deny second_req
    cache_peer_access x.x.x.39 deny second_req
    cache_peer_access x.x.x.40 deny second_req
    cache_peer_access x.x.x.41 deny second_req
    cache_peer_access x.x.x.42 deny second_req
    cache_peer_access x.x.x.43 deny second_req
    cache_peer_access x.x.x.44 deny second_req
    cache_peer_access x.x.x.45 deny second_req
    cache_peer_access x.x.x.46 deny second_req
    cache_peer_access x.x.x.47 deny second_req
    cache_peer_access x.x.x.48 deny second_req
    cache_peer_access x.x.x.49 deny second_req
    cache_peer_access x.x.x.50 deny second_req
    cache_peer_access x.x.x.51 deny second_req
    cache_peer_access x.x.x.52 deny second_req
    cache_peer_access x.x.x.53 deny second_req
    cache_peer_access x.x.x.54 deny second_req
    cache_peer_access x.x.x.55 deny second_req
    cache_peer_access x.x.x.56 deny second_req
    cache_peer_access x.x.x.57 deny second_req
    cache_peer_access x.x.x.58 deny second_req
    cache_peer_access x.x.x.59 deny second_req
    tcp_outgoing_address x.x.x.228 src_x_x_x_228
    tcp_outgoing_address x.x.x.229 src_x_x_x_229
    tcp_outgoing_address x.x.x.230 src_x_x_x_230
    tcp_outgoing_address x.x.x.231 src_x_x_x_231
    tcp_outgoing_address x.x.x.232 src_x_x_x_232
    tcp_outgoing_address x.x.x.233 src_x_x_x_233
    tcp_outgoing_address x.x.x.234 src_x_x_x_234
    tcp_outgoing_address x.x.x.235 src_x_x_x_235
    tcp_outgoing_address x.x.x.236 src_x_x_x_236
    tcp_outgoing_address x.x.x.237 src_x_x_x_237
    tcp_outgoing_address x.x.x.238 src_x_x_x_238
    tcp_outgoing_address x.x.x.239 src_x_x_x_239
    tcp_outgoing_address x.x.x.240 src_x_x_x_240
    tcp_outgoing_address x.x.x.241 src_x_x_x_241
    tcp_outgoing_address x.x.x.242 src_x_x_x_242
    tcp_outgoing_address x.x.x.243 src_x_x_x_243
    tcp_outgoing_address x.x.x.244 src_x_x_x_244
    tcp_outgoing_address x.x.x.245 src_x_x_x_245
    tcp_outgoing_address x.x.x.246 src_x_x_x_246
    tcp_outgoing_address x.x.x.247 src_x_x_x_247
    tcp_outgoing_address x.x.x.248 src_x_x_x_248
    tcp_outgoing_address x.x.x.249 src_x_x_x_249
    tcp_outgoing_address x.x.x.250 src_x_x_x_250
    tcp_outgoing_address x.x.x.251 src_x_x_x_251
    tcp_outgoing_address x.x.x.34 src_x_x_x_34
    tcp_outgoing_address x.x.x.35 src_x_x_x_35
    tcp_outgoing_address x.x.x.36 src_x_x_x_36
    tcp_outgoing_address x.x.x.37 src_x_x_x_37
    tcp_outgoing_address x.x.x.38 src_x_x_x_38
    tcp_outgoing_address x.x.x.39 src_x_x_x_39
    tcp_outgoing_address x.x.x.40 src_x_x_x_40
    tcp_outgoing_address x.x.x.41 src_x_x_x_41
    tcp_outgoing_address x.x.x.42 src_x_x_x_42
    tcp_outgoing_address x.x.x.43 src_x_x_x_43
    tcp_outgoing_address x.x.x.44 src_x_x_x_44
    tcp_outgoing_address x.x.x.45 src_x_x_x_45
    tcp_outgoing_address x.x.x.46 src_x_x_x_46
    tcp_outgoing_address x.x.x.47 src_x_x_x_47
    tcp_outgoing_address x.x.x.48 src_x_x_x_48
    tcp_outgoing_address x.x.x.49 src_x_x_x_49
    tcp_outgoing_address x.x.x.50 src_x_x_x_50
    tcp_outgoing_address x.x.x.51 src_x_x_x_51
    tcp_outgoing_address x.x.x.52 src_x_x_x_52
    tcp_outgoing_address x.x.x.53 src_x_x_x_53
    tcp_outgoing_address x.x.x.54 src_x_x_x_54
    tcp_outgoing_address x.x.x.55 src_x_x_x_55
    tcp_outgoing_address x.x.x.56 src_x_x_x_56
    tcp_outgoing_address x.x.x.57 src_x_x_x_57
    tcp_outgoing_address x.x.x.58 src_x_x_x_58
    tcp_outgoing_address x.x.x.59 src_x_x_x_59
    hierarchy_stoplist cgi-bin ?
    cache_dir null /null
    access_log c:/squid/var/logs/access.log squid
    referer_log c:/squid/var/logs/referer.log
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
    acl apache rep_header Server ^Apache
    header_access Allow allow all
    header_access Authorization allow all
    header_access WWW-Authenticate allow all
    header_access Proxy-Authorization allow all
    header_access Proxy-Authenticate allow all
    header_access Cache-Control allow all
    header_access Content-Encoding allow all
    header_access Content-Length allow all
    header_access Content-Type allow all
    header_access Date allow all
    header_access Expires allow all
    header_access Host allow all
    header_access If-Modified-Since allow all
    header_access Last-Modified allow all
    header_access Location allow all
    header_access Pragma allow all
    header_access Accept allow all
    header_access Accept-Charset allow all
    header_access Accept-Encoding allow all
    header_access Accept-Language allow all
    header_access Content-Language allow all
    header_access Mime-Version allow all
    header_access Retry-After allow all
    header_access Title allow all
    header_access Connection allow all
    header_access Proxy-Connection allow all
    header_access Cookie allow all
    header_access Set-Cookie allow all
    header_access All deny all
    visible_hostname squid
    never_direct allow first_req
    never_direct deny second_req
    forwarded_for off
    coredump_dir c:/squid/var/cache
    --enable-http-violations
    negative_ttl 0
