Forum Discussion
hc_andy_35682
Nimbostratus
Mar 22, 2010
OneConnect and Proxy/Squid Load Balancing
Hi All,
We provide proxy services (http/https) to a large number of schools (each with their own static IP). Each school can have 1000's of connections to the virtual server at any time.
What we have is a large squid (proxy) cluster and in front of that is the F5 doing least conns with source address persistence. Each pool member also has a 4000 max conns limit. What we're finding is that several of our squid servers are reaching their max conn limit.
1/ When the max conn limit is reached, will the client (school) request be served by another available pool member, taking into consideration that we have source address persistence enabled so the client (school) is expecting to hit the same pool member all the time? If the client (school) is served by another pool member, wouldn't this then break the source address persistence?
2/ Would something like a OneConnect profile help us reduce the number of connections from the LTM to the squid cluster? I've read up on it but I'm not 100% sure how it applies in a squid/proxy environment.
Is this like having one big pipe (tcp connection) from the LTM to the squid box, say for school 1's incoming connections, so that all new connections from school 1 use that big pipe? What about the return traffic from the squid box back to the school? Is it still returning traffic via this big pipe or does it need to create a new tcp connection for the return traffic?
Thanks.
Andy
31 Replies
- Hamish
Cirrocumulus
Firstly, why do you need to have all the school's connections go to the same squid server? Is this an absolute requirement? Or a nice to have?
Yes, oneConnect COULD help you reduce the number of connections... What it's good at doing is to take X connections from clients and multiplex them on Y connections to the backend server, where in your scenario Y < X. You'd get more than 1 connection to the squid. It's basically a way of multiplexing hundreds of clients across fewer connections to the backend (Note that this isn't ALL oneconnect does, but it's the one you want).
Leaving aside questions of return traffic (because the LTM will do all this automatically for you), you need to consider the effect of authentication that may occur between the client browser and the proxy (I've seen some scenarios where the webserver only checks the FIRST request and 'assumes' that following requests are the same user... Oops...). You need to get the mask correct for the oneconnect IP address matching too (The only time I really use it is for SSL and bypassing one of the ends that doesn't do HTTP keepalives).
Answering those questions would require a lot more information... e.g. Do you do authentication? And by what method?
H
- hc_andy_35682
Nimbostratus
Posted By Hamish on 03/23/2010 5:38 AM
Firstly, why do you need to have all the school's connections go to the same squid server? Is this an absolute requirement? Or a nice to have?
This is only in place so that SSL connections go to the same squid box for banking and things like that. We might look at doing SSL persistence and have http traffic load balanced across the squid cluster.
Leaving aside questions of return traffic (Because the LTM will do all this automatically for you), you need to consider the effect of authentication that may occur between the client browser and the proxy (I've seen some scenarios where the webserver only checks the FIRST request and 'assumes' that following requests are the same user... Oops...). You need to get the mask correct for the oneconnect IP address matching too (The only time I really use it is for SSL and bypassing one of the ends that doesn't do HTTP keepalives).
This might pose a problem if we are to use OneConnect. A school could have different restrictions for teachers and students, so if a teacher was to authenticate first then from what you're saying this could potentially mean that a student might just be allowed through using the same credentials as the teacher???
Answering those questions would require a lot more information... e.g. Do you do authentication? And by what method?
H
Yes we do authentication. The squid box does the authentication, but I'm not 100% sure how it all works as I don't really look after the squid boxes.
- hc_andy_35682
Nimbostratus
Hi All,
Just wondering if we are able to use SSL persistence so that schools use the same node (proxy) for HTTPS traffic (port 443)? We've had problems in the past when schools do their banking and if they do not go through the original proxy that made the HTTPS connection to the bank then the session would not be valid if they then went through a different proxy for subsequent transactions.
I've had a read of SSL persistence and it doesn't seem to do what I've described above.
https://support.f5.com/kb/en-us/solutions/public/3000/200/sol3245.html
"You can only use SSL persistence with nodes that are running SSL, where BIG-IP load balances only encrypted traffic. You cannot use SSL Persistence with any connections that are handled by an SSL proxy."
The nodes are just proxy servers and are not running any SSL. So based on the literature above, is it correct to say that SSL persistence won't help us make HTTPS connections sticky???
Thanks.
Andy
- hoolio
Cirrostratus
Hi Andy,
SSL session ID persistence definitely wouldn't work for HTTPS traffic tunneled over HTTP to a web proxy as the base connection is over HTTP. Persistence isn't really going to affect the server side connection re-use though.
Aaron
- Hamish
Cirrocumulus
You might be able to use cookie persistence though... I'm pretty sure the browser includes cookies in the CONNECT request...
You would have to do something clever though to include cookies with every request... Is your authentication browser basic? Or forms based (Browser basic would be a lot easier, because you could then persist on the proxyauth headers).
Or if the requests include XForwarded-For headers... You could persist on them.
H
- Jason_Keating
Altostratus
It sounds like you only want persistence for SSL connections, since you are not offloading SSL at the LTM your persistence choices are limited.
If I understand, your original problem is you are hitting your connection limit on members, due in part to the fact you are using source based persistence (needed for SSL only).
First a couple of questions:
Why are you limited to 4000 connections per member?
Is it an option to add more Squid servers? (scale horizontally)
Second a suggestion:
Set up another virtual server and associated pool for SSL only, use source based persistence, don't use OneConnect if it proves troublesome. Configure client browsers to point to this virtual server for SSL, leaving the original virtual server for http to run OneConnect and no persistence, which should alleviate some of the load imposed on individual pool members and more evenly distribute load.
- Hamish
Cirrocumulus
You could balance based on destination domain...
Compute a hash on the destination domain. Send to that poolmember. With SSL via a proxy, you have access to the host because the SSL is negotiated between the client and the endpoint. The proxy gets to see the initial connection and request as a CONNECT method. The parameters to the connect include the host and port.
That would help your caching too. Because each proxy would have a unique set of hosts that it was caching for. Hit rates would go up... (We used to do something like this using netscape proxies, but the hashing was done in a PAC file using javascript).
H
- HC_Andy, Would you be able to assist me with setting up the F5's to load balance squid? I've been trying to make it work with our F5's but I'm having a few issues; any advice would be great. Cheers
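Hamish's destination-domain idea a few posts up, written out as an added iRule example (not code from the thread or from F5): for CONNECT requests it takes the destination host from the request target and uses it as the persistence key, so a school's banking tunnels to one site stay on one squid member while the client IP no longer pins a whole school to a single member. It assumes the virtual server has an HTTP profile and a hash persistence profile attached, and that `HTTP::uri` returns the `host:port` authority form for CONNECT (the HTTP/1.1 request target); plain HTTP requests are left to normal load balancing and OneConnect.

```tcl
# Added example, not code from the thread or from F5.
# Assumes the virtual server has an HTTP profile and a hash
# persistence profile assigned (the profile name is not referenced here).
when HTTP_REQUEST {
    # Only explicit HTTPS tunnels are keyed on the destination; other
    # methods fall through to the pool's normal load balancing.
    if { [HTTP::method] equals "CONNECT" } {
        # Request line looks like "CONNECT bank.example.com:443 HTTP/1.1",
        # so the request target is "bank.example.com:443"; drop the port
        # after the last colon (also correct for a bracketed IPv6 literal).
        set dst [string tolower [HTTP::uri]]
        set idx [string last ":" $dst]
        if { $idx > 0 } {
            set dst [string range $dst 0 [expr {$idx - 1}]]
        }
        # Same destination host -> same hash -> same pool member, for every
        # school and client IP, so a banking session stays on one proxy.
        persist hash $dst
        log local0. "CONNECT from [IP::client_addr] to $dst keyed on destination"
    }
}
```

Because the key is the destination rather than the source address, one school's traffic spreads across members by site, which is what relieves the per-member max conns limit the thread started with.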
- Chris_Miller
Altostratus
What issues are you having Andrew?
- I've been trying to set up the F5 to load balance our two squid boxes, but I've had little success.
Now I'm only new to the F5's so I'm probably missing something small, or doing something wrong, but essentially this is how it's set up.
I've got a Virtual Server set up with an IP address of x.x.x.x and a service port of 3128.
I've got the type set to standard (is this right?)
Everything else is pretty much just standard, although I do have SNAT set to Automap.
The default pool for the Virtual Server has our two squid proxies on it, both pointing to port 3128.
When I set the F5 virtual server as my proxy, it just times out, and when I telnet to the virtual server address on port 3128 I get a connection, but it returns no data (testing this on the proxies directly does return data).
Any help would be great.
Cheers