User redirection by rules in Squid

At work I ran into the following problem: there are about a dozen proxy servers (Squid) in different countries and well over a dozen users. Each user decides which server to work through; there is a Chrome extension in which they make that choice.

But the servers are at different distances from the users, and a user in Russia who works through a server in Canada suffers noticeable slowdowns. On the other hand, all the servers sit in data centres with backbone connectivity, and the latency between them is much lower.

So it was decided to route each user to the server closest to him, and from there to the one he selected.

Proxy to proxy

First, the proxies have to be configured to work with each other. The simplest way was to specify:
acl localnet srcdomain {my domain}.com

But it turned out that not every server resolves back (reverse DNS) to the domain I specified. I had to list all the servers' IP addresses instead:
acl localnet src {server 1 IP}   # src matches the client IP; srcdomain only works via a reverse DNS lookup
acl localnet src {server 2 IP}
acl localnet src {server 3 IP}

If someone suggests another solution, I will gladly fix this. For now the servers do not change often, and when they do, the lists are quickly corrected with Puppet.

Redirection management

The next step is to configure the ACLs for redirecting to the other servers:
cache_peer		{server 1}	parent	3128	3130	name=peer1
cache_peer		{server 2}	parent	3128	3130	name=peer2
cache_peer		{server 3}	parent	3128	3130	name=peer3
cache_peer_access		peer1		allow	user1
cache_peer_access		peer2		allow	user2
cache_peer_access		peer3		allow	user3

Here user1, user2 and user3 are the user ACLs.


The company already had a RADIUS server configured for such cases. On CentOS 5 I went through PAM, since Squid itself was not built with RADIUS support, but later I had to build Squid myself anyway (SSL is not included in the stock package) and used the configure option --enable-basic-auth-helpers=squid_radius_auth. For those who do not want to bother with PAM, I can also recommend the separate library:

tar xvzf squid_radius_auth-1.10.tar.gz
cd squid_radius_auth-1.10
cp Makefile.default Makefile
make install

With either installation option the Squid configuration is the same; only the file paths in the first line differ:
auth_param basic program        /usr/local/squid/libexec/basic_radius_auth -f /usr/local/squid/etc/radius_config
auth_param basic children 5
auth_param basic realm {my server}   # shown in the browser's authentication dialog
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl     radius  proxy_auth      REQUIRED

Example radius_config file:
server {radius server address}
password {shared secret for connecting to the radius server}

Each server has its own user

The rules were simple enough. First we specify which users are governed by which rule:
acl     user1      proxy_auth      "/usr/local/squid/userlist/user1" no_cache
acl     user2      proxy_auth      "/usr/local/squid/userlist/user2" no_cache
acl     user3      proxy_auth      "/usr/local/squid/userlist/user3" no_cache

And, of course, we allow them to use the proxies:
http_access allow localnet   # for proxy-to-proxy traffic
http_access allow radius     # those who have not chosen a proxy use the nearest one
http_access allow user1
http_access allow user2
http_access allow user3
http_access deny all         # do not forget to deny everyone else

That's all. When the user selects a server, a separate program removes the user from the userlist files and adds him to the selected one. But that is another story.
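One way to write that program, as an added example that is not part of the original article: a Python function that moves a user into the userlist file of the chosen peer and out of all the others. The directory path, the list names (user1, user2, user3) and the allowed username pattern are assumptions; the files are written atomically so Squid never reads a half-written list, and usernames are validated because the lists are line-based and a name containing a newline or a '#' could corrupt a file or smuggle in extra entries.

```python
import os
import re
import tempfile
from pathlib import Path

# Conservative allow-list for usernames (an assumption for this example).
USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def _read_users(path: Path) -> list:
    """Return the non-empty, non-comment lines of a userlist file (or [] if absent)."""
    if not path.exists():
        return []
    lines = path.read_text().splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")]


def _write_atomic(path: Path, users: list) -> None:
    """Write the list via a temp file plus rename, so readers see old or new, never partial."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(u + "\n" for u in users))
    os.chmod(tmp, 0o640)      # readable by the squid group only (assumed deployment)
    os.replace(tmp, path)


def select_peer(userlist_dir: str, user: str, peer: str, peers: tuple) -> dict:
    """Put `user` into the userlist for `peer` and remove it from every other list.

    `peers` names the userlist files (e.g. ("user1", "user2", "user3")).
    Returns the resulting contents of every list so the caller can verify them.
    """
    if not USER_RE.match(user):
        raise ValueError("refusing unsafe username: %r" % user)
    if peer not in peers:
        raise ValueError("unknown peer list: %r" % peer)
    base = Path(userlist_dir)
    result = {}
    for name in peers:
        path = base / name
        users = [u for u in _read_users(path) if u != user]   # drop any stale entry
        if name == peer:
            users.append(user)
        _write_atomic(path, users)
        result[name] = users
    return result
```

After the files change, Squid still has to be told to re-read its ACL files (squid -k reconfigure), otherwise the user keeps the old peer until the next restart.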


The basic information was taken from the Squid wiki, although it lacks examples:
  • The main site. It has no Russian translation. I do not point to individual pages, since I used many of them.
  • Configuring RADIUS: Setup Squid and FreeRADIUS on CentOS 5 and CentOS 6
  • And the ACL reference: Acl reference - ACL elements

  • This article does not describe the whole service, only the Squid configuration. Everything left out concerns the dynamic part, and everyone can build their own. I noted only the essential points. Do not try to set everything up by copy-paste: lines not relevant to the topic of the article have been omitted.
