5

I wanted to have an HA forward proxy solution using Squid, and I am trying to use the Squid servers behind ELB solution on page 41.

However, my forward proxy service is a service meant for forwarding traffic to an internal network (back to my corp network), i.e., there is no Internet connection for my Squid servers. Therefore, a health check against a well-known URL such as google.com does not work.

With the solution described on page 41 above, what is the best way for ELB to do health checking toward the Squid servers? Which ping path should I be using in this scenario?

chen
  • Just checking: are you sure a *forward* proxy is what you are looking for? Because "forward" != "forwarding." A *"service meant to forwarding traffic to an internal network"* is usually implemented with a *reverse* proxy, which uses different semantics (and can be implemented with an Application Load Balancer, without needing Squid). – Michael - sqlbot Jun 06 '18 at 01:59
  • @Michael-sqlbot, I am sure it's a forward proxy -- it is just like a NAT (but instead of NATing to the public Internet, this thing is NATing to a corp network for various services) – chen Jun 06 '18 at 04:25
  • Offhand, I can't think of a way to health-check squid in forward proxy mode using an ELB Classic's built-in HTTP health check. I would think a TCP check would be required. I would also expect that the balancer would also need to be in TCP mode, not HTTP, in which case, a Network Load Balancer would be the better option. These weren't available when that slide show was created. I'd have to test, but forward proxy semantics shouldn't be compatible with ELB Classic in HTTP mode, because they aren't compatible with Application Load Balancer, which is always in HTTP mode. – Michael - sqlbot Jun 06 '18 at 10:37
  • @Michael-sqlbot, yeah, if nothing else, then I have to just do the TCP check -- however, that only checked that the machine is healthy and has nothing to say about the Squid process itself. – chen Jun 07 '18 at 21:28
  • The TCP check will fail if the squid process is not accepting connections. – Michael - sqlbot Jun 07 '18 at 23:19
  • @Michael-sqlbot, cool, if this is the case, then I feel an ASG of Squid behind an NLB meets all my requirements :-) – chen Jun 08 '18 at 00:05

1 Answer

2

An ALB health check can be changed to expect a non-200 HTTP status code response from the target. You can go to the squid root path on, say, port 3128 and expect a 400. In the AWS console, go to the TargetGroups, find your group, select the Health checks and change the Success codes to 400. Set the Path attribute to /.
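The two kinds of health check discussed in the comments and in this answer, as an added example that is not part of the original post: a TCP connect check and an HTTP `GET /` check with a configurable success code. The `StubProxy` server is a constructed stand-in that answers 400 the way the answer expects Squid to; the function names are hypothetical.

```python
import http.client
import http.server
import socket
import threading

def tcp_check(host, port, timeout=2.0):
    """TCP-style check: passes if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_check(host, port, success_codes, path="/", timeout=2.0):
    """HTTP-style check: GET path, pass if the status is in success_codes."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
        return status in success_codes, status
    except (OSError, http.client.HTTPException):
        return False, None
    finally:
        conn.close()

class StubProxy(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in, not Squid: answers 400 to a plain GET /."""
    def do_GET(self):
        self.send_response(400)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    results = {
        "tcp_running": tcp_check(host, port),
        "http_expect_200": http_check(host, port, success_codes=(200,)),
        "http_expect_400": http_check(host, port, success_codes=(400,)),
    }
    server.shutdown()
    server.server_close()  # simulate the proxy process no longer listening
    results["tcp_after_stop"] = tcp_check(host, port)
    return results

if __name__ == "__main__":
    print(demo())
```

Calling `http_check` against a real proxy instance on port 3128 before editing the target group confirms which status code the Success codes field has to match.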