Using Stingray Traffic Manager as a transparent proxy
Load balancers like Stingray typically sit just in front of a cluster of servers which provide a network service. Traffic for the network service is directed to the load balancer (rather than the server(s)), and the load balancer then distributes the traffic across the servers. This configuration is sometimes referred to as a 'reverse proxy'.
With a little iptables configuration, you can configure Stingray to run in a 'transparent' manner, managing traffic which is not explicitly addressed to the Stingray machine. This is useful in a 'forward proxy' configuration, where Stingray proxies the traffic for a number of clients rather than a number of servers.
This article explains how to configure Stingray as a forward proxy for HTTP traffic, while letting all other traffic through. Stingray will load-balance HTTP traffic across a cluster of Squid caching proxy servers; the Squid servers will then forward the traffic to the correct destination.
The network layout
Here's a quick network diagram...
192.168.1.*         192.168.1.1      External IP
  Client1                |                |
  Client2 -------- gateway server ---+------ Internet
  Client3        (running Stingray)  |
                                     +-- squid1 --+
                                     +-- squid2 --+
Clients run on 192.168.1.*, with a default gateway of 192.168.1.1. 192.168.1.1 can route traffic to the internet and is configured to masquerade packets (eth0 is the WAN interface):
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
So, clients on the 192.168.1.* network can directly access servers on the internet, NAT'ed through the gateway server.
Stingray and Squid Configuration
Now, install Stingray on the gateway server 192.168.1.1, listening on port 3128 and load-balancing traffic onto two servers (squid1:3128, squid2:3128).
Install the squid software (http://www.squid-cache.org/) onto the servers squid1 and squid2, making the following configuration changes to /usr/local/squid/etc/squid.conf:
# listen on port 3128
# Allow anyone to access (need to fine-tune this)
http_access allow all
# For the transparent proxying...
Run /usr/local/squid/sbin/squid -z to initialize the cache directories (you may need to chmod /usr/local/squid/var/ so that the nobody user can write to it), then start squid up in debug mode (for testing) as:
Finally, we need to configure the gateway machine that is running Stingray to intercept all traffic to port 80 (HTTP) and deliver it to the local Stingray software. The following iptables command does so, rewriting all TCP traffic to port 80 to localhost:3128:
Now, traffic to port 80 will be rewritten on the gateway to localhost:3128. The Stingray software listening on port 3128 will terminate the connection.
Stingray will load-balance the requests across the two proxy servers. The proxy servers will request the resource from the HTTP server on the internet and return the result to Stingray, which returns it to the client.
You can test this by logging requests in Stingray (Virtual Server->Access Logging) and by logging requests in the Squid proxies.
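The squid.conf above uses http_access allow all and notes that it needs fine-tuning. One way to tighten it is shown here as an added example, not part of the original article: it assumes Stingray connects to the Squid servers from 192.168.1.1 rather than preserving client addresses, and the ACL names stingray, intercepted_port and connect_method are illustrative.

```conf
# Weak setting from the article: any host that can reach squid1/squid2 on
# port 3128 can relay HTTP requests through them.
#   http_access allow all

# Tightened form. Stingray terminates each client connection and opens its
# own connection to Squid, so Squid sees the traffic manager as the source,
# not the 192.168.1.* client.
# ASSUMPTION: 192.168.1.1 is the address Stingray connects from; substitute
# the traffic manager's back-end address if it differs.
acl stingray src 192.168.1.1/32

# Illustrative ACL names, chosen so they do not extend the Safe_ports and
# CONNECT lists that a stock squid.conf may already define.
acl intercepted_port port 80
acl connect_method method CONNECT

# Only port 80 is intercepted on the gateway, so requests that name any other
# destination port, or ask for a tunnel, are refused.
http_access deny !intercepted_port
http_access deny connect_method

# http_access rules are evaluated top to bottom and the first match decides:
# accept requests from the traffic manager, refuse everything else.
# "all" is the same ACL the article's original line refers to.
http_access allow stingray
http_access deny all
```

With this policy Squid's access log shows the traffic manager as the source of every request, so per-client records come from Stingray's access log.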