If you want to configure squid 2.7 or newer load balance several in random or round-robin fashion outgoing connections or IP addresses in a random manner – here is how you can do it:
It can be done but unfortunately it is not as easy as setting “balance_on_multiple_ip on” in squid.conf. This option would load balance multiple IP addresses of remote servers – not your outgoing addresses. If you type “nslookup google.com”, you will see that Google uses multiple IP addresses for this domain: 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199. With “balance_on_multiple_ip on” squid will balance the load between these addresses.
Setting up squid for round robin outgoing network interface usage is based on the following fact: although squid can’t round-robin outgoing interfaces, it can round-robin parent proxy servers. So the solution is to configure squid as both child and parent and round-robin among its own parent instances while each parent instance is set-up to use specific outgoing interface.
In this sample configuration we’ll set up squid to accept client connections on 192.168.0.1 address and randomly use outgoing interfaces 10.0.0.1, 10.0.0.2 and 10.0.0.3. I use 10.0.0.x for demonstration reasons. In a real config these will most likely be replaced with public Internet IPs.
1) Configure squid to listen on all of these interfaces (config directive http_port). 192.168.0.1 will be used by users, while 10.0.0.x will be fake parent proxy servers that squid will connect to itself:
2) Now lets force it to use the same outgoing interface the request came in from by using some ACLs and tcp_outgoing_address directive:
acl src_01 src 10.0.0.1
acl src_02 src 10.0.0.2
acl src_03 src 10.0.0.3
tcp_outgoing_address 10.0.0.1 src_01
tcp_outgoing_address 10.0.0.2 src_02
tcp_outgoing_address 10.0.0.3 src_03
You can use myip instead of src here. At this point you can also start your squid server and make sure that the configuration indeed works. Set one of the outgoing interface addresses as your browser proxy and navigate to http://www.whatismyip.com/. You should always see the address of the interface that you use.
3) Now lets set up cache peers that will point squid to itself:
acl first_req src 192.168.0.0/16
acl second_req src 10.0.0.0/24
cache_peer 10.0.0.1 parent 3128 0 round-robin no-query
cache_peer 10.0.0.2 parent 3128 0 round-robin no-query
cache_peer 10.0.0.3 parent 3128 0 round-robin no-query
cache_peer_access 10.0.0.1 allow first_req
cache_peer_access 10.0.0.2 allow first_req
cache_peer_access 10.0.0.3 allow first_reqcache_peer_access 10.0.0.1 deny second_req
cache_peer_access 10.0.0.2 deny second_req
cache_peer_access 10.0.0.3 deny second_req
never_direct allow first_req
never_direct deny second_req
ACLs and cache_peer_access directives ensure that squid will not forward the request to itself infinitely by denying access to “parent” caches to requests that came from public interfaces. “never_direct” parameters are used to make sure that POST requests are distributed too.
At this point you can set 192.168.0.1:3128 as proxy server in you browser and make sure that each time that you connect random outoing interface is selected and that this outgoing interface periodically changes.
4) Additional things you can do:
- Set up ACLs to prevent external users from accessing squid on public outgoing interfaces (you you can just use firewall to achieve the same effect)
- You can use port number rather than interface to identify fake parent caches and thus avoid listening on outgoing interfaces altogether.
- If you are setting up squid just for load balancing and request forwarding you can disable disk cache by using configuration directive: “cache_dir null /null” and therefore improve proxy performance.
- Make anonymous proxy by using “header_access” and “forwarded_for off” directives
You can achieve similar effects by using “random” ACL that was introduced in squid 3.2. However if you are like me (running on Windows and too lazy to compile your own stuff), you only have access to Squid 3.0 binaries that don’t have this feature yet.