
Using Stingray Traffic Manager as a transparent proxy (07/01/2005)

by riverbed on 06-20-2012 08:45 AM

This article explains how to configure Stingray as a forward proxy for HTTP traffic, while letting all other traffic through. Stingray will load-balance HTTP traffic across a cluster of Squid caching proxy servers; the Squid servers will then forward the traffic to the correct destination.

Load balancers like Stingray typically sit just in front of a cluster of servers which provide a network service. Traffic for the network service is directed to the load balancer (rather than the server(s)), and the load balancer then distributes the traffic across the servers. This configuration is sometimes referred to as a 'reverse proxy'.

With a little iptables configuration, you can configure Stingray to run in a 'transparent' manner, managing traffic which is not explicitly addressed to the Stingray machine. This is useful in a 'forward proxy' configuration, where Stingray proxies the traffic for a number of clients rather than a number of servers.

The network layout

Here's a quick network diagram...

    192.168.1.*        192.168.1.1  External IP
    Client1                |              |
    Client2      --------   gateway server  ---+------  Internet
    Client3                 (running Stingray)     |
                                 |             |
                                 +--  squid1 --+
                                 |             |
                                 +--  squid2 --+

Clients run on 192.168.1.*, with a default gateway of 192.168.1.1. 192.168.1.1 can route traffic to the internet and is configured to masquerade packets (eth0 is the WAN interface):

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So, clients on the 192.168.1.* network can directly access servers on the internet, NAT'ed through the gateway server.

Stingray and Squid Configuration

Now, install Stingray on the gateway server 192.168.1.1, listening on port 3128 and load-balancing traffic onto two servers (squid1:3128, squid2:3128).

Install the squid software (http://www.squid-cache.org/) onto the servers squid1 and squid2, making the following configuration changes to /usr/local/squid/etc/squid.conf:

    # listen on port 3128
    http_port 3128
    # Allow anyone to access (need to fine-tune this)
    http_access allow all
    # For the transparent proxying...
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Run /usr/local/squid/sbin/squid -z to initialize the cache directories (you may need to chmod /usr/local/squid/var/ so that the nobody user can write to it), then start squid up in debug mode (for testing) as:

    /usr/local/squid/sbin/squid -NCd1

Finally, we need to configure the gateway machine that is running Stingray to intercept all traffic to port 80 (HTTP) and deliver it to the local Stingray software. The following iptables command does so, rewriting all TCP traffic to port 80 to localhost:3128:

    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

Now, traffic to port 80 will be rewritten on the gateway to localhost:3128. The Stingray software listening on port 3128 will terminate the connection.

Stingray will load-balance the requests across the two proxy servers. The proxy servers will request the resource from the HTTP server on the internet and return the result to Stingray, which returns it to the client.

You can test this by logging requests in Stingray (Virtual Server->Access Logging) and by logging requests in the Squid proxies.
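
The squid.conf above leaves "http_access allow all" to be fine-tuned. The following is an added example, not part of the original article: it models Squid's first-match evaluation of http_access lines and compares the article's rule with a restricted rule set. The ACL name "stingray" and the assumption that Squid sees connections arriving from 192.168.1.1 (because Stingray terminates the client connection) are illustrative.

```python
import ipaddress

# Constructed configs: the article's rule, and a restricted variant.
# Assumption: Squid sees Stingray's address (taken here as 192.168.1.1) as the source.
OPEN_CONF = """
acl all src 0.0.0.0/0
http_access allow all
"""
RESTRICTED_CONF = """
acl all src 0.0.0.0/0
acl stingray src 192.168.1.1/32   # hypothetical ACL name
http_access allow stingray
http_access deny all
"""

def parse(conf):
    """Collect 'acl NAME src NET...' definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(n) for n in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1] == "allow", tok[2:]))
    return acls, rules

def allowed(conf, src):
    """Return True if a request from src would be allowed by the http_access rules."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(src)

    def hit(name):
        negated = name.startswith("!")
        match = any(ip in net for net in acls.get(name.lstrip("!"), []))
        return match != negated

    for allow, names in rules:
        if all(hit(n) for n in names):  # ACLs on one line are ANDed
            return allow                # first matching line decides
    # No line matched: Squid applies the opposite of the last line (deny if none).
    return (not rules[-1][0]) if rules else False

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        for src in ("192.168.1.1", "203.0.113.7"):
            print(name, src, "allow" if allowed(conf, src) else "deny")
```

The final fallback is why an explicit "http_access deny all" belongs at the end of the list: a rule set whose last line is a deny implicitly allows every request that matches no line.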