Configure two node Squid (Proxy Server) Clustering using Pacemaker on CentOS 7 / RHEL 7

Squid is a caching proxy server that supports protocols such as HTTP, HTTPS, FTP and more. In other words, Squid is a web proxy server that helps ISPs and other organizations reduce their bandwidth usage, and it also considerably improves response time because it caches the most frequently requested content locally. When a new request arrives, Squid serves it from its cache if the content is cached; otherwise it fetches the content from the remote server and saves it in the cache for future requests.


In this article we will demonstrate how to configure a two-node Squid (proxy server) cluster using Pacemaker on CentOS 7 or RHEL 7.

These are the lab details used for this article:

  • Squid Server 1  (squid01.linuxtechi.lan) – 192.168.1.21 – Minimal CentOS 7 / RHEL 7
  • Squid Server 2  (squid02.linuxtechi.lan) – 192.168.1.22 – Minimal CentOS 7 / RHEL 7
  • Squid Server VIP – 192.168.1.20
  • Firewall enabled
  • SELinux enabled

Step:1) Add the hostname in /etc/hosts file and apply all the updates

Add the following lines to the /etc/hosts file on both Squid servers.

192.168.1.21 squid01.linuxtechi.lan squid01
192.168.1.22 squid02.linuxtechi.lan squid02

Install all the updates using the yum update command below and then reboot the nodes:

[root@squid01 ~]# yum update -y && reboot
[root@squid02 ~]# yum update -y && reboot

Step:2) Install Pacemaker and fencing agents packages on both squid servers

Execute the following yum command on both the servers to install pacemaker, pcs and fencing packages,

[root@squid01 ~]# yum install pcs pacemaker fence-agents-all -y
[root@squid02 ~]# yum install pcs pacemaker fence-agents-all -y

Once the above packages are installed on both servers, start and enable the pcs daemon (pcsd) service using the commands below,

[root@squid01 ~]# systemctl start pcsd.service
[root@squid01 ~]# systemctl enable pcsd.service

[root@squid02 ~]# systemctl start pcsd.service
[root@squid02 ~]# systemctl enable pcsd.service

In my lab setup the OS firewall service is running and enabled, so configure the firewall rules for the high availability (clustering) service by executing the following “firewall-cmd” commands on both Squid servers,

[root@squid01 ~]# firewall-cmd --permanent --add-service=high-availability
success
[root@squid01 ~]# firewall-cmd --reload
success
[root@squid01 ~]#
[root@squid02 ~]# firewall-cmd --permanent --add-service=high-availability
success
[root@squid02 ~]# firewall-cmd --reload
success
[root@squid02 ~]#

Step:3) Authorize squid servers and form a squid cluster

To form a cluster, both nodes must authorize each other. First set the password of the “hacluster” user on both servers,

[root@squid01 ~]# echo "password_here" | passwd --stdin hacluster
[root@squid02 ~]# echo "password_here" | passwd --stdin hacluster

Now use the “pcs cluster auth” command below from either Squid server to authorize both servers using the hacluster credentials.

[root@squid01 ~]# pcs cluster auth squid01.linuxtechi.lan squid02.linuxtechi.lan
Username: hacluster
Password:
squid02.linuxtechi.lan: Authorized
squid01.linuxtechi.lan: Authorized
[root@squid01 ~]#

Use the “pcs cluster setup” command below from either node to form the cluster. In my case I am running it from squid01 and the name of my cluster is “squid_cluster”.

[root@squid01 ~]# pcs cluster setup --start --name squid_cluster squid01.linuxtechi.lan squid02.linuxtechi.lan

[Screenshot in the original article: output of the above command (Squid-Cluster-CentOS7)]

Enable the pcs cluster service so that it starts automatically after a reboot. Execute the command below from either Squid server,

[root@squid01 ~]# pcs cluster enable --all
squid01.linuxtechi.lan: Cluster Enabled
squid02.linuxtechi.lan: Cluster Enabled
[root@squid01 ~]#

Use the commands below to verify the cluster status,

[root@squid01 ~]# pcs cluster status
[root@squid01 ~]# pcs status

Step:4) Install Squid package on both servers and disable fencing

Execute the following yum command on both servers to install the squid (proxy server) package,

[root@squid01 ~]# yum install squid -y
[root@squid02 ~]# yum install squid -y

Allow the Squid port (3128) in the OS firewall using the following commands on both servers,

[root@squid01 ~]# firewall-cmd --permanent --add-service=squid
success
[root@squid01 ~]# firewall-cmd --reload
success
[root@squid01 ~]#
[root@squid02 ~]# firewall-cmd --permanent --add-service=squid
success
[root@squid02 ~]# firewall-cmd --reload
success
[root@squid02 ~]#

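My lab has no fencing agent or device, so I am disabling fencing with the commands below. With STONITH disabled and no-quorum-policy=ignore, nothing stops both nodes from mounting the shared XFS disks used in Step 5 at the same time if they lose contact with each other, so keep these settings to a lab setup.

[root@squid01 ~]# pcs property set stonith-enabled=false
[root@squid01 ~]# pcs property set no-quorum-policy=ignore
[root@squid01 ~]#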

Step:5) Configure Squid Cluster resources and cluster group

In my lab setup I have two shared disks, 1 GB and 12 GB in size, and both disks are assigned to both servers.

In the cluster, the /etc/squid file system (i.e. the Squid configuration files) will be mounted from the 1 GB disk and “/var/spool/squid” (i.e. the Squid cache directory) will be mounted from the 12 GB disk.

  • /dev/sdb (1 GB Disk) – /etc/squid
  • /dev/sdc (12 GB disk) – /var/spool/squid

As these disks are visible on both Squid servers, create a partition on /dev/sdb and on /dev/sdc using the fdisk command from either Squid server, and then format the partitions with the xfs file system using the mkfs.xfs command.

Currently all the Squid configuration files are in the local folder /etc/squid. Copy the data from the local file system /etc/squid to the shared disk (/dev/sdb1),

[root@squid01 ~]# mount /dev/sdb1 /mnt/
[root@squid01 ~]# cp -av /etc/squid/* /mnt/
[root@squid01 ~]# umount /mnt/

Now create two file system resources, one for the /etc/squid file system and one for /var/spool/squid.

Execute the following “pcs resource create” commands from either Squid server to create the file system resources. In my case the file system resource names are “squidfs1” and “squidfs2” and the group name is “squidgrp”.

[root@squid01 ~]# pcs resource create squidfs1 Filesystem device=/dev/sdb1 directory=/etc/squid fstype=xfs --group squidgrp
[root@squid01 ~]# pcs resource create squidfs2 Filesystem device=/dev/sdc1 directory=/var/spool/squid fstype=xfs --group squidgrp
[root@squid01 ~]#

Define the squid (systemd service) resource using the pcs resource command. Execute the command below from either Squid server,

[root@squid01 ~]# pcs resource create proxy systemd:squid op monitor interval=10s --group squidgrp
[root@squid01 ~]#

Define the Squid VIP for your cluster. In my case I will be using “192.168.1.20” as the Squid VIP. This IP floats between the two servers; end users or Squid clients use it as the proxy server IP, together with the default Squid port 3128, when configuring their proxy settings.

[root@squid01 ~]# pcs resource create squid_vip ocf:heartbeat:IPaddr2 ip=192.168.1.20 cidr_netmask=24 op monitor interval=30s --group squidgrp
[root@squid01 ~]#

Now verify whether all the cluster resources are started. Run the “pcs status” command from either Squid server,

[root@squid01 ~]# pcs status
Cluster name: squid_cluster
Stack: corosync
Current DC: squid01.linuxtechi.lan (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition with quorum
Last updated: Wed Mar 27 06:59:59 2019
Last change: Wed Mar 27 06:59:02 2019 by root via cibadmin on squid01.linuxtechi.lan

2 nodes configured
4 resources configured

Online: [ squid01.linuxtechi.lan squid02.linuxtechi.lan ]
Full list of resources:
 Resource Group: squidgrp
     squidfs1   (ocf::heartbeat:Filesystem):    Started squid01.linuxtechi.lan
     squidfs2   (ocf::heartbeat:Filesystem):    Started squid01.linuxtechi.lan
     proxy      (systemd:squid):        Started squid01.linuxtechi.lan
     squid_vip  (ocf::heartbeat:IPaddr2):       Started squid01.linuxtechi.lan

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled
[root@squid01 ~]#

As we can see above, all the resources are started on the squid01 server. Let’s verify the Squid service status and the Squid VIP,

[root@squid01 ~]# systemctl status squid
[root@squid01 ~]# ip a s

[Screenshot in the original article: output of the above two commands (Squid-Service-Status-CentOS7)]
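
The “pcs status” check above can also be scripted. The following is an added example, not part of the original article: it reads “pcs status” text and confirms that every member of the resource group is Started on one and the same node. The function name group_active_node and its return codes are assumptions made for this example, and the second sample is constructed.

```sh
#!/bin/sh
# Added example (not from the original article).
# group_active_node GROUP < pcs-status-text
# Prints the node that runs every member of GROUP and returns 0.
# Returns 1 if a member is not "Started", 2 if members run on different
# nodes, 3 if GROUP does not appear in the input.
group_active_node() {
    awk -v grp="$1" '
        { match($0, /^ */); ind = RLENGTH }          # indentation of this line
        $1 == "Resource" && $2 == "Group:" {
            in_grp = ($3 == grp); hdr = ind
            if (in_grp) found = 1
            next
        }
        in_grp && (NF == 0 || ind <= hdr) { in_grp = 0 }   # group block ended
        in_grp {
            # member line: NAME (AGENT): STATE [NODE]
            if ($(NF-1) != "Started") { bad = 1; next }
            if (node == "") node = $NF
            else if ($NF != node) spread = 1
        }
        END {
            if (!found) exit 3
            if (bad)    exit 1
            if (spread) exit 2
            print node
        }'
}

# Resource section as printed by "pcs status" in the article.
HEALTHY=' Resource Group: squidgrp
     squidfs1   (ocf::heartbeat:Filesystem):    Started squid01.linuxtechi.lan
     squidfs2   (ocf::heartbeat:Filesystem):    Started squid01.linuxtechi.lan
     proxy      (systemd:squid):        Started squid01.linuxtechi.lan
     squid_vip  (ocf::heartbeat:IPaddr2):       Started squid01.linuxtechi.lan

Daemon Status:'

# Constructed sample: squid failed to start on squid02, so the VIP that
# follows it in the group is stopped as well.
DEGRADED=' Resource Group: squidgrp
     squidfs1   (ocf::heartbeat:Filesystem):    Started squid02.linuxtechi.lan
     squidfs2   (ocf::heartbeat:Filesystem):    Started squid02.linuxtechi.lan
     proxy      (systemd:squid):        Stopped
     squid_vip  (ocf::heartbeat:IPaddr2):       Stopped'

printf '%s\n' "$HEALTHY"  | group_active_node squidgrp   # squid01.linuxtechi.lan
printf '%s\n' "$DEGRADED" | group_active_node squidgrp || echo "degraded: rc=$?"
```

On a cluster node the same function can be fed live data with `pcs status | group_active_node squidgrp`, for example from a monitoring job.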

That’s all for this article. You can now configure the ACLs that suit your environment in the /etc/squid/squid.conf file. Please share your feedback and comments.

1 Response

  1. zee says:

    hello dear sir,

    very good tutorial sir kindly create a tutorial how to setup squid proxy for HTTPS thanks
