LachlanB_53214
Oct 23, 2014

Load balance squid forward proxy with SNAT

Hi all. Obligatory first-post thank you to everyone on DevCentral. This is by far the best vendor help site... thanks to Joe Pruitt it's also a wicked PowerShell wiki ;)

Is anyone load balancing Squid in the following way, and have you ever run into issues with the HTTPS CONNECT method through a "standard" F5 VIP with an HTTP profile enabled? I've read of issues for pre-10.x software but haven't seen any problems thus far. Retaining the ability to apply iRules is ideal.

 

A load-balanced pool of Squid servers running in non-transparent mode; this is behind a VIP using SNAT. To ensure our Squid ACLs still work behind SNAT, the following needs to be added to squid.conf:

    acl bigip_stage src 10.26.6.1
    follow_x_forwarded_for allow bigip_stage

Squid by default follows the indirect IP instead of the real IP (if follow_x_forwarded_for is allowed for the client address).
  • iRule adds XFF or overwrites if already present.
  • No persistence configured
  • BIG-IP Version: 11.4

Thanks for the assistance
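
How the two squid.conf lines above decide which address Squid's ACLs see, as an added example that is not part of the original post and not Squid's own code: a simplified Python model of the follow_x_forwarded_for walk, in which header entries are tested right to left while the address under test is trusted. 10.26.6.1 is the SNAT address from the post; every other address and header value is constructed.

```python
import ipaddress

def indirect_client(peer_ip, xff_header, trusted_nets):
    """Simplified model of Squid's follow_x_forwarded_for evaluation.

    Start from the TCP peer. While the address under test matches the
    trust ACL, step to the next X-Forwarded-For entry, right to left.
    The address where the walk stops is the one ACLs are applied to.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    current = ipaddress.ip_address(peer_ip)
    while entries and any(current in net for net in trusted):
        candidate = entries.pop()      # rightmost entry = most recent hop
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break                      # untestable value ends the walk
    return str(current)

BIGIP = ["10.26.6.1/32"]               # acl bigip_stage from the post

def demo():
    # Constructed samples: 192.0.2.25 is the real client in each case.
    return {
        # iRule replaced the header with the real client address
        "overwrite": indirect_client("10.26.6.1", "192.0.2.25", BIGIP),
        # iRule appended; the client had sent its own header value
        "append": indirect_client("10.26.6.1", "10.1.1.1, 192.0.2.25", BIGIP),
        # no iRule: the client-supplied header reaches Squid unchanged
        "passthrough": indirect_client("10.26.6.1", "10.1.1.1", BIGIP),
        # request that did not arrive via the BIG-IP: header is ignored
        "direct": indirect_client("192.0.2.25", "10.1.1.1", BIGIP),
        # trust ACL widened to 10.0.0.0/8, real client 10.9.9.9, appended
        "broad_acl": indirect_client("10.26.6.1", "172.16.0.5, 10.9.9.9",
                                     ["10.0.0.0/8"]),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:12} -> {ip}")
```

The passthrough and broad_acl rows are the two cases where a client-chosen value becomes the address Squid evaluates, which is why the iRule sets the header itself and the trust ACL lists only the SNAT address.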

 

  • Interesting, I didn't think iRules could do layer 7 inspection/modification on a layer 2 VIP? I have used SNAT to avoid significant network changes.
  • We have it set up, but we aren't using SNAT, we layer 2 it through the F5s. We haven't had any issues setting iRules for various things on there.