Forum Discussion
hc_andy_35682
Nimbostratus
Mar 22, 2010
OneConnect and Proxy/Squid Load Balancing
Hi All,
We provide proxy services (http/https) to a large number of schools (each with their own static IP). Each school can have 1000's of connections to the virtual server at any time.
What we have is a large squid (proxy) cluster and in front of that is the F5 doing least conns with source address persistence. Each pool member also has a 4000 max conns limit. What we're finding is that several of our squid servers are reaching their max conn limit.
1/ When the max conn limit is reached, will the client (school) request be served by another available pool member, taking into consideration that we have source address persistence enabled so the client (school) is expecting to hit the same pool member all the time? If the client (school) is served by another pool member, wouldn't this then break the source address persistence?
2/ Would something like a OneConnect profile help us reduce the number of connections from the LTM to the squid cluster? I've read up on it but am not 100% sure how it applies in a squid/proxy environment.
Is this like having one big pipe (tcp connection) from the LTM to the squid box, say for school 1's incoming connections, so that all new connections from school 1 use that big pipe? What about the return traffic from the squid box back to the school? Is it still returning traffic via this big pipe or does it need to create a new tcp connection for the return traffic?
Thanks.
Andy
31 Replies
- Chris_Miller
Altostratus
You didn't select an HTTP profile for your VS, right?
If you SSH to your F5 and then telnet to a pool member at port 3128, does it work fine?
Try changing your Virtual Server to a performance layer 4 one and see if that helps at all.
- There is no HTTP profile set on the VS. If I SSH to the F5, telnet works to any member at 3128. Trying the layer 4 now, but it doesn't appear to make a difference. I'll update when I have a definite result.
- Update: Layer 4 didn't make a difference.
- asis_26954
Nimbostratus
Hi Andrew, or someone else. :)
I'm really new to F5.
And I would like to use F5 to do load balancing for my squid_server. Please could you help me to set it up.
So, like a to-do list, so as to get my proxies up.
Thanks and sorry for my English. :)
Thanks from Vienna
- Hi asis,
We have set up our VIP very simply:
We have a pool with two members in it pointing to 3128 for the port and a custom TCP monitor.
The VIP itself has a service port of 3128. Everything else has the default settings except for the HTTP profile; we created our own HTTP profile and changed the maximum header size.
Also, we have SNAT disabled as we needed to see the client IP, not the F5 IP, in the squid logs.
Feel free to message me if you have any further questions.
Regards,
- asis_26954
Nimbostratus
Works great.
- mikand_61525
Nimbostratus
I just read http://www.f5.com/pdf/deployment-guides/oneconnect-tuning-dg.pdf and by just looking at the graphs it looks impressive, but how will OneConnect work in real life regarding a forward http proxy such as squid (thinking of using 11.x of LTM)?
And does someone have some kind of "recommended" values that are valid for 11.x?
In my case I will attempt to use it with SNAT=off (so the forward http proxy can see the true client ip). Will OneConnect still help, or will it just be a bad idea to use it through a forward web proxy?
Also, is OneConnect usable when doing ssl-proxying (the client visits a https site using the forward web proxy)? I saw some comment on DevCentral that IE7 and onwards isn't compatible with OneConnect (which I guess means that OneConnect then can/should only be used for http and one should use another vserver (or port) for the https traffic (which has OneConnect disabled)).
Because if OneConnect is still a good option even for forward web proxies, this will avoid the need to change the settings in all clients regarding "max-connections-per-proxy=1", which I guess would yield the same result in my case with SNAT=off in the vserver config.
- Hamish
Cirrocumulus
I use one-connect quite often with a /32 mask so that individual clients get connection reuse, and the fe/be connections aren't shared between clients. However, in testing, doing it this way is actually almost always unnecessary as the clients and servers usually specify connection reuse in the headers anyway.
Having something other than a /32 mask on the profile does add a lot more (multiple clients get multiplexed across fewer pool member connections), but you have to be careful. So many servers assume that the same client is coming across a single connection, so they make assumptions about the 2nd and subsequent connections (e.g. authentication and authorisation... oops...).
H
- Hamish
Cirrocumulus
Oh... One place one-connect with a /32 is really useful is when doing SSL offload AND someone misconfigures a pool member without connection re-use... Without one-connect you'd get your SSL licenses thrashed... With it your license use stays sane and you only have to worry about the pool member having to do lots of unnecessary connections.
But that's not relevant in your forward proxy case...
H
- nitass
Employee
> One place one-connect with a /32 is really useful is when doing SSL offload
Just curious if OneConnect works well with the HTTP CONNECT method.
- mikand_61525
Nimbostratus
So to sum it up:
Using OneConnect for http traffic (where the vserver points to, for example, a bunch of forward http proxies) along with a /32 mask is a good idea, but not for https (ssl) traffic UNLESS you do some ssl-termination. In that case (using ssl-termination), using OneConnect with a /32 mask is also good?
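Pulling the thread's pieces together as an added example (not taken from any of the posts above or from F5's documentation): a tmsh-style configuration with the VIP on 3128, custom HTTP profile and SNAT disabled as Andy described, the source-address persistence and 4000 connection limit per member from the original question, and a OneConnect profile with the /32 source mask Hamish recommends. The addresses, object names and header size are placeholders; the /32 mask is the only sensible choice here because with SNAT off the server-side connection keeps the client's source IP, and the HTTP profile is what lets OneConnect recognise request boundaries for reuse.

```tmsh
ltm monitor tcp squid_tcp_3128 {
    defaults-from tcp
    destination *:3128
    interval 5
    timeout 16
}
ltm pool squid_pool {
    load-balancing-mode least-connections-member
    members {
        10.0.0.11:3128 {
            address 10.0.0.11
            connection-limit 4000
        }
        10.0.0.12:3128 {
            address 10.0.0.12
            connection-limit 4000
        }
    }
    monitor squid_tcp_3128
}
ltm profile http http_squid {
    defaults-from http
    max-header-size 65536
}
ltm profile one-connect oneconnect_32 {
    defaults-from oneconnect
    source-mask 255.255.255.255
}
ltm virtual vs_squid_3128 {
    destination 192.0.2.10:3128
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool squid_pool
    profiles {
        http_squid { }
        oneconnect_32 { }
        tcp { }
    }
    source-address-translation {
        type none
    }
}
```

Apply it with `tmsh load sys config merge from-terminal`; once a member hits its connection limit it is skipped for new client connections, so a persisted client can land on another member, which is the persistence break the original question asks about.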