On Thu, 9 Aug 2018 15:59:32 +0200 Joerg Streckfuss <streckf...@dfn-cert.de> wrote:
> Dear list,
>
> I'm playing around with a squid setup, where the http traffic from a
> client is transparently routed from the gateway (openbsd 6.3) to two
> squid caches (squid 3.5.28). This means the caches are _not_ placed
> on the gateway.
>
> With PF this is very easy to achieve:
>
> pass in quick on $INT_IF inet proto tcp from $CLIENT to any port 80 \
>     route-to { ($DMZ_IF $SQUID_1), (trunk2 $SQUID_2) } least-states
>
> So far, so good. My next goal is redundancy. In other words the
> gateway should stop routing traffic to an unreachable cache. Imho I
> thought this is very easy to achieve with the help of relayd.
>
> To map the upper PF rule to a fully redundant setup, I tried
> something like this:
>
> PF:
> pass in quick on $INT_IF inet proto tcp from $CLIENT to any port http \
>     divert-to 127.0.0.1 port 3130
>
> Relayd:
> relay webproxy_3130 {
>     listen on 127.0.0.1 port 3130
>     transparent forward to <squid_3130> port 80 check tcp mode loadbalance
> }
>
> But of course this doesn't work because the relay translates the
> destination address which it should not. I didn't find any options
> like a pf route-to for relays and think it wouldn't make much sense
> in the context of relays. Relayd supports a route-to option for
> redirects but I didn't find a working configuration.

Hi there,

I believe you may be looking for a redirect, not a relay. It all really depends on your network topology and what you are trying to do, but in general something like this is what you are looking at:

browser ---> gateway (relayd) ---> proxy (squid etc.)
proxy ---> gateway (pf/nat) ---> internet (whatever the world has to offer...)

internet ---> gateway (pf/nat) ---> proxy
proxy ---> gateway (relayd) ---> browser

I have not played or experimented with the setup you are working on, but I did buy the excellent Michael W Lucas book "Relayd and Httpd Mastery" (https://mwl.io/nonfiction/tools) which I am reading at the moment, and can tell you that there are 2 ways of doing things with relayd: one is redirect (i.e. send the request somewhere else while checking availability and state of the redundant set/table, and let the communication happen between the 2 parties after that), the other is relay, which plays a MITM role and is able to alter things in both directions of the communication, wherein you are the one who can control certain aspects and read packet content. I see your setup is the latter, which is more powerful and interesting but maybe by design more difficult to get right; why don't you start with the first, redirect, and see how far that gets you.

Cheers,
George