stocksy.co.uk
"the site for those who crave disappointment"

Two Squids

19th Apr 2006, 19:10:16

By James Stocks

This is an old article. View a more complete overview of Squid.

I've been finding Squid really useful for blocking ads, caching OS updates and generally speeding up web browsing. However, having a single point of failure for everyone's web browsing makes me unpopular when I want to just swap out a hard disk or something.

Now I have two squids, browsers pick one at random and fail over to the other if one's not available...

I have an internal domain imaginatively called .local, which is hosted on a couple of BIND servers. The first thing I did was create a round robin entry called squid.local:

$TTL 3h
@ IN SOA ns.local. root.local. (
2006041801 ; serial
3h ; refresh
1h ; retry
1w ; expire
1h ) ; minimum
;snipsnipsnip
squid 60 IN A 172.16.0.1
squid 60 IN A 172.16.0.81
;snipsnipsnip

So squid.local returns 172.16.0.1 and 172.16.0.81 in a random order, with the TTL set to 60 seconds so that things (like lookupd in OS X) don't cache the answer for long. So that's it, if one squid isn't working your browser just uses the other one, right? True, but it would be useful if each squid cache knew what the other one had cached. HTCP is the thing to do this.

One of my Squids runs on PPC Debian Linux, the other on OS X. On Linux, I didn't have to do anything special, just insert this into squid.conf:

# Make squid listen for HTCP requests:
htcp_port 4827

# Tell it about the other Squid:
# proxy-only tells squid not to cache stuff it requests from this peer - that would be pointless
cache_peer power-mac.local sibling 3128 4827 proxy-only htcp

# The other squid should only access stuff we have cached - might get 'false hits' otherwise
acl othersquid src 172.16.0.81/32
miss_access deny othersquid

OS X was a little trickier because I compiled it from source. I had to recompile thusly (ssl is optional for this exercise):

$ ./configure --enable-ssl --enable-htcp --enable-cache-digests && make
$ sudo make install

Then, similar additions to squid.conf:

# Make squid listen for HTCP requests:
htcp_port 4827

# Tell it about the other Squid:
# proxy-only tells squid not to cache stuff it requests from this peer - that would be pointless
cache_peer firewall.local sibling 3128 4827 proxy-only htcp

# The other squid should only access stuff we have cached - might get 'false hits' otherwise
acl othersquid src 172.16.0.1/32
miss_access deny othersquid

It didn't work! That's because I forgot to allow 3130 UDP and 4827 UDP/TCP through the firewalls. Check cache.log to make sure that it is not detecting a dead sibling. You should just see:

2006/04/19 22:21:04| Configuring Sibling firewall.local/3128/4827

You'll know it's working, because you'll see lines like this in the access.log:

1145479715.985     37 172.16.0.13 TCP_MISS/304 359 GET http://www.cwjobs.co.uk/pjb_ui/Controls/WebTrends/SDC.js - CD_SIBLING_HIT/power-mac.local application/x-javascript
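As an added example (not code from the original post), a small Python script that parses native-format access.log lines like the one above and counts how many requests were answered from the sibling, fetched direct, or served from the local cache, flagging any request served by a peer host that is not one of the configured siblings. The first sample line is the one quoted above; the rest are constructed, and the sibling name and "rogue.local" peer are assumptions for the demo.

```python
"""Summarise which upstream each request took, from Squid's native access.log."""
from collections import Counter
from dataclasses import dataclass

# Sample lines for this example (only the first is from the post, the rest are
# constructed), in Squid's native access.log layout: time elapsed client
# result/status bytes method url ident hierarchy/peer mime-type.
SAMPLE_LOG = """\
1145479715.985     37 172.16.0.13 TCP_MISS/304 359 GET http://www.cwjobs.co.uk/pjb_ui/Controls/WebTrends/SDC.js - CD_SIBLING_HIT/power-mac.local application/x-javascript
1145479716.102    412 172.16.0.13 TCP_MISS/200 18342 GET http://www.debian.org/ - DIRECT/194.109.137.218 text/html
1145479716.330      2 172.16.0.13 TCP_HIT/200 5123 GET http://www.debian.org/logo.png - NONE/- image/png
1145479717.004     55 172.16.0.14 TCP_MISS/200 2210 GET http://example.com/a.css - SIBLING_HIT/power-mac.local text/css
1145479717.500     80 172.16.0.14 TCP_MISS/200 900 GET http://example.com/b.js - SIBLING_HIT/rogue.local application/x-javascript
"""

@dataclass
class Entry:
    client: str
    result: str      # e.g. TCP_MISS, TCP_HIT
    status: int      # HTTP status code
    url: str
    hierarchy: str   # e.g. CD_SIBLING_HIT, SIBLING_HIT, DIRECT, NONE
    peer: str        # sibling host, origin IP, or "-" for a local hit

def parse_line(line: str) -> Entry:
    """Split one native-format line on whitespace and pull the fields we need."""
    f = line.split()
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(f[2], result, int(status), f[6], hierarchy, peer)

def summarise(log: str, siblings: set[str]) -> dict:
    """Count local hits, sibling-served requests and direct fetches; flag any
    request served by a peer that is not in the configured sibling set."""
    counts = Counter()
    unexpected = []
    for line in log.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e.hierarchy.endswith("SIBLING_HIT"):   # plain or cache-digest sibling hit
            counts["sibling"] += 1
            if e.peer not in siblings:
                unexpected.append((e.peer, e.url))
        elif e.hierarchy == "DIRECT":
            counts["direct"] += 1
        elif e.hierarchy == "NONE":
            counts["local_hit"] += 1
        else:
            counts["other"] += 1
    return {"counts": dict(counts), "unexpected_peers": unexpected}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, {"power-mac.local"}))
```

Point it at a real access.log (read the file and pass its text) to confirm that sibling hits are actually occurring once the firewall ports are open.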

Ideally, each squid would have its own internet connection, but I'm not made of money.

Some Rights Reserved