Way 2 - TCP Balanced Round Robin with HAPROXY¶
In this case we will deploy a haproxy node in front of many proxy nodes. Browsers will connect to haproxy node that will distribute TCP connections to proxy nodes using round robin scheme.
Create new type A record for proxy.example.lan with IP address 192.168.178.10. This will be the haproxy frontend to our cluster.
Create new type A record for node11.example.lan with IP address 192.168.178.11.
Create new type A record for node12.example.lan with IP address 192.168.178.12.
Configure haproxy on proxy.example.lan with the following configuration /etc/haproxy/haproxy.cfg.
global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon defaults log global mode tcp option tcplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 frontend squid bind 192.168.178.10:3128 default_backend squid_pool backend squid_pool balance roundrobin mode tcp server squid1 192.168.178.11:3128 check server squid2 192.168.178.12:3128 check
Deploy two virtual appliances of Web Safety and assign IP address of 192.168.178.11 for the first node and 192.168.178.12 for the second node. For the instructions on how to assign static IP for a virtual appliance see article How to Set Static IP Address in VA.
Follow the usual Active Directory configuration steps described in previous articles for each virtual appliance, but when configuring Kerberos authenticator provide the SPN based on proxy.example.lan and check the Use GSS_C_NO_NAME checkbox. This will let the node process requests for Kerberos authentication from browsers based on credentials contained in the request and not based on SPN (SPN still needs to be configured though).
Restart haproxy afterwards systemctl restart haproxy. Log in /var/log/haproxy.log should indicate both proxy nodes are working.
Important
When using haproxy to load balance requests to proxy nodes with TCP method of load balancing all connections to proxy nodes will appear to come from haproxy’s IP address. This will mean that you will not be able to use IP based members in web filtering policies. Nevertheless when proxy nodes are integrated with Active Directory and proxy authentication is enabled user name will be available and thus policy management by security group will work as expected. This limitation is fixed in Web Safety 6.0+. See next article.