switching to squid automatically in case of isa2000 failure
Salam,
I have 2 proxy servers:
ISA 2000 having IP 10.1.28.126
squid having IP 10.1.28.94
Please tell me what additional settings I should make in order to divert all my clients automatically to the squid proxy in case of ISA failure.
Thanks in advance.
-
- Battalion Havaldaar Major
- Posts: 252
- Joined: Sun May 29, 2005 1:45 am
- Location: Karachi
- Contact:
Re
Hi,
If I were in the same situation, I could accomplish this scenario with two methods....
1)-
Shut down / change the IP of the ISA & configure squid with the IP of the ISA.
*But I think you need it automatic, so it is not suitable for you.
2)-
Establish a firewall between clients and servers.
A little scripting is needed which pings to test whether the server is on or not. If it doesn't get a response from ISA then it automatically flushes iptables and creates new rules which forward requests to squid.
The scenario will be something like this:
First it pings www.yahoo.com through ISA. If it doesn't respond, it seems that there is a link problem or the ISA server is down.
It immediately flushes the iptables rules (if you use iptables as firewall) which were configured to forward requests to ISA,
and sets new rules to forward requests to squid instead of the ISA server.
However, one more thing in this scenario: your script must be run every 5 or whatsoever minutes to check the link. It is easy with crontab.
The fun part is scripting.
It's just my concept. Maybe there is some other way to do this, but it will be my procedure if I have to set it up. You can just wait for seniors to pass their remarks on my way or to give you another way.
I am waiting for more responses, too...
Pinging an external host is not a good idea, because most of the time cablenets are in a bottleneck condition, hence ping won't respond in that case. You should ping any IP on your ISP end; this should respond any time if the WAN connection is established.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
Reverse proxy
Salam,
Is it possible to do it by using reverse proxy?
if yes then please tell me the steps
Thanks in advance.
Regards,
Turab
-
- Naik
- Posts: 72
- Joined: Fri Dec 16, 2005 9:44 am
- Location: Karachi, Pakistan
- Contact:
-
- Battalion Havaldaar Major
- Posts: 252
- Joined: Sun May 29, 2005 1:45 am
- Location: Karachi
- Contact:
crazy_frog wrote:
Dear syedali999,
I have no knowledge in scripting language but I am suffering with the same scenario and problems. I would be thankful if you could give us some detailed solution or scripts which could help us in this regard.
Thank You !!

I don't have Linux installed currently, and I am not a bash programmer. You can create your own if you know iptables syntax and bash commands. I can just help you at the start, but you can take help from Linux Phreak. He has very excellent scripting skills & is after all my teacher. Maybe when he comes to this post he will automatically help you...
Or in case of emergency you can send him a message.
Oh, by the way, let's revise something.
First create a file (filename: checkconn):
touch checkconn
Edit the file to enter the code:
vi checkconn
Code (not sure if it is correct or not, just examples):
#check ping
ping=/bin/ping
$ping -c 1 <your destination ip address>
#check response & resume or change route:
I don't know how, but it can be done by a conditional expression, e.g. an if statement.
Theory:
If Ping Response = yes then don't do anything, just exit
exit 0
Else
iptables -F (flush)
and so on...
fi
#Save file:
Press ":" then write "write" and press enter.
Again press ":" then write "exit" and press enter.
Make the file executable by:
chmod u+x checkconn
and then start your crontab editing by:
crontab -e
and place your script here to automatically run it every 5 minutes.
That's the main concept which I think of, according to my knowledge...
I will only recommend you to contact Linux Phreak. He is really a phreak and will help you a lot....
Thanks,
S. Rizvi
===============================
Customer Support Executive
Customer Support Department
World Online (TM)
E-mail: alirizvi@khi.wol.net.pk
================================
-
- Battalion Havaldaar Major
- Posts: 252
- Joined: Sun May 29, 2005 1:45 am
- Location: Karachi
- Contact:
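Code:
#!/bin/sh
# Every 60 seconds, ping each test address. After two missed pings in a row,
# add a NAT rule that redirects port-80 traffic arriving on eth0 to local port 3128 (squid).
while sleep 60
do
    for ip in 123.123.123.123 111.111.111.111
    do
        # -c 1: send one probe; -W 2: wait at most 2 seconds for the reply
        # (on Linux ping, -t sets the TTL, not a timeout)
        if ping -c 1 -W 2 "$ip" >/dev/null
        then
            echo "$ip ok"
        else
            echo "$ip dropped one"
            sleep 10
            if ! ping -c 1 -W 2 "$ip" >/dev/null
            then
                echo "$ip dropped two, Changing Route"
                echo "could not ping $ip"
                # Append the redirect only if it is not already present,
                # so repeated failures do not stack duplicate rules
                iptables -t nat -C PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 2>/dev/null ||
                    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
                echo "Route Changed Successfully"
            fi
        fi
    done
done 2>&1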
This is the address of the real script & then changed by me for your need.
As I mentioned above, I am not a bash programmer. I am a VB programmer and only edited this script according to theme & logic.
I will try it myself too,
and it should not be run in any critical environment.
Suggestions & corrections will be appreciated.
Thanks,
S. Rizvi
===============================
Customer Support Executive
Customer Support Department
World Online (TM)
E-mail: alirizvi@khi.wol.net.pk
================================
-
- Naik
- Posts: 72
- Joined: Fri Dec 16, 2005 9:44 am
- Location: Karachi, Pakistan
- Contact:
-
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
- Contact:
Re:
Dear syedali999,
Salam,
syedali999 wrote:
Code:
#!/bin/sh
while sleep 60
do
    for ip in 123.123.123.123 111.111.111.111
    do
        if ping -c 1 -t 2 $ip >/dev/null
        then
            echo "$ip ok"
        else
            echo "$ip dropped one"
            sleep 10
            if ! ping -c 1 -t 2 $ip >/dev/null
            then
                echo "$ip dropped two, Changing Route"
                echo could not ping $ip
                iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
                echo "Route Changed Successfully"
            fi
        fi
    done
done 2>&1

There is a mistake in your script. If the 2nd IP is not pinging then it should try to ping the 1st IP and, if it gets a response, change route to the 1st IP; otherwise do nothing because it's a network failure. And BTW it does not change route.
# man route
BTW is there any difference in this command.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Best Regards.
Farrukh Ahmed
-
- Battalion Havaldaar Major
- Posts: 252
- Joined: Sun May 29, 2005 1:45 am
- Location: Karachi
- Contact:
Re:
LinuxFreaK wrote:
Dear syedali999,
Salam,
There is a mistake in your script. If the 2nd IP is not pinging then it should try to ping the 1st IP and, if it gets a response, change route to the 1st IP; otherwise do nothing because it's a network failure. And BTW it does not change route.
# man route
BTW is there any difference in this command.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Best Regards.

Hi Farrukh,
Nice to see you. I was really waiting for you to check this script,
as I mentioned earlier to contact you.
Hmm....
I was not trying to change route. I was trying to redirect packets to squid through iptables.
Let me give you the theory so you can help us.
The scenario is something like this:
client -> Firewall (I assume squid is here) -> ISA -> ISP -> IP ADDRESS
If the ISA server is up then the firewall doesn't redirect packets to the local system on port 3128 to squid. It redirects packets to the ISA server. That's all.
(This setting must be done manually.)
Now let's say squid also has a modem and a connection with the Internet.
If the ISA server goes down for any reason and the script can't get a ping response, then it will flush the iptables rules & create new rules which forward requests to the local system, and squid proxies them through the modem to the Internet.
First I try to ping both the primary & secondary DNS servers on the same ISP (if they allow). I ping both because maybe the primary server could be down. And if it gets a response then it exits the script.
Otherwise it tries again, and if it fails again then it will do what I said above.
Whenever ISA becomes available you can run another script which again flushes the rules and sets new rules to redirect all packets to ISA.
Maybe I misunderstood, or I am unable to tell you what my concept is.
But as you have seen above, I mentioned that I am not very well aware of bash...
And there is also a theoretical concept of the script mentioned above.
S. Rizvi
====================
Customer Support Executive
Customer Support Department
World Online(TM)
Cybersoft Technologies Inc.
====================
-
- Battalion Havaldaar Major
- Posts: 252
- Joined: Sun May 29, 2005 1:45 am
- Location: Karachi
- Contact:
hi
Hi Farrukh,
Sorry, I mistakenly echoed "Route changed".
It is just to confirm to you that iptables has been flushed and new rules are set up successfully.
-
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
- Contact:
Re:
Dear syedali999,
Salam,
Quote:
Sorry, mistakenly echo "Route changed". It just for confirm you that iptables has been flushed and new rules are set up successfully.

I have not seen flush rules in your script.
Best Regards.
Farrukh Ahmed
-
- Battalion Havaldaar Major
- Posts: 252
- Joined: Sun May 29, 2005 1:45 am
- Location: Karachi
- Contact:
Re:
LinuxFreaK wrote:
Dear syedali999,
Salam,
I have not seen flush rules in your script.
Best Regards.

Oh My Dear,
it is just a theory; he can add as many rules as he wants. Maybe he wants to add shutdown -h now
-
- Naik
- Posts: 72
- Joined: Fri Dec 16, 2005 9:44 am
- Location: Karachi, Pakistan
- Contact:
-
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
- Contact:
Re:
Dear crazy_frog,
Salam,
crazy_frog wrote:
no shutdowns yet ....
anyways what would you suggest LinuxFreak .... How it should be done ? ... How to flush the entries?

To Flush
# iptables -F
To Remove User Defined Chains.
# iptables -X
Best Regards.
Farrukh Ahmed
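
The failover discussed in this thread, as an added example that is not part of any post above: it probes the ISA proxy port directly, switches only after several consecutive misses, and rewrites a dedicated nat chain instead of running `iptables -F` over the whole ruleset, so the other firewall rules stay in place. Assumptions not taken from the thread: ISA listens on port 8080, clients reach both proxies through this Linux gateway on eth0, netcat (`nc`) is installed, and the chain name PROXY_FAILOVER is hypothetical.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumptions: ISA listens on 8080,
# squid on 3128, and clients reach both proxies through this Linux gateway.
ISA_IP=10.1.28.126;  ISA_PORT=8080      # port is an assumption
SQUID_IP=10.1.28.94; SQUID_PORT=3128
CHAIN=PROXY_FAILOVER                    # hypothetical chain name
THRESHOLD=3                             # consecutive failed probes before switching
DRY_RUN=${DRY_RUN:-1}                   # 1 = print iptables commands, 0 = execute

# One-time setup (as root), so that only this chain is ever flushed:
#   iptables -t nat -N PROXY_FAILOVER
#   iptables -t nat -A PREROUTING -i eth0 -j PROXY_FAILOVER

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Probe the proxy's own TCP port instead of pinging an Internet host.
probe() { nc -z -w 2 "$1" "$2" >/dev/null 2>&1; }

# next_state STATE FAILS RESULT(up|down) -> prints "NEWSTATE NEWFAILS"
next_state() {
    ns=$1; nf=$2
    if [ "$3" = up ]; then
        ns=isa; nf=0                    # ISA answers again: fail back
    else
        nf=$((nf + 1))
        if [ "$nf" -ge "$THRESHOLD" ]; then ns=squid; fi
    fi
    echo "$ns $nf"
}

# Rewrite only the failover chain; the rest of the ruleset is left alone.
apply_state() {
    run iptables -t nat -F "$CHAIN"
    if [ "$1" = squid ]; then
        run iptables -t nat -A "$CHAIN" -p tcp -d "$ISA_IP" --dport "$ISA_PORT" \
            -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    fi
}

main() {
    state=isa; fails=0
    while sleep 60; do
        if probe "$ISA_IP" "$ISA_PORT"; then result=up; else result=down; fi
        set -- $(next_state "$state" "$fails" "$result")
        if [ "$1" != "$state" ]; then apply_state "$1"; fi
        state=$1; fails=$2
    done
}

if [ "${1:-}" = run ]; then main; fi
```

Run it with the `run` argument to start the loop; with the default DRY_RUN=1 it only prints the iptables commands it would issue.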