IPv6 Load Balancer
Tore Anderson
tore.anderson at redpill-linpro.com
Tue Mar 30 11:50:31 CEST 2010
Hi again,

* Xavier Beaudouin

> Hum.. proxies are good, if the proxified backend supports the fact the
> IP address is not really the same as it is connected to....
>
> For example, how can you do p0f with this kind of stuff?
>
> LBs that work only on packet level (L2/L3) can run unmodified
> servers... without hacking it to make it run like real life.

No modification on the real servers is necessary, regardless of it being
in packet or proxy mode. The real server thinks it's talking to the
remote client. With the LB in packet mode, that's actually the case -
the LB does not rewrite the source address field in the IP header. With
the LB in proxy mode, the real server isn't talking to the end client,
but it appears so anyway because the LB is using the original client's
IP address as the source when making the connection to the back-end. So
there's really no difference between the two from the real server's
point of view.

In both cases though, the server needs to be set up to be using the LB
as the default router. Except for the "direct routing" mode mentioned
by Bertrand where traffic only flows uni-directionally across the LB,
that will only work in packet mode (you'll have to make sure the virtual
IP address is present on every real-server too in that case, and
possibly filter out any ARP/ND traffic involving that address in order
to prevent the real-server from accidentally grabbing all the traffic).

> And for example if you have several proxies like :
>
> ->Proxy/LB---> Nginx (for static files)---> apache (for PHP stuff and
> nasty things)
>
> You have to play with nginx then apache... etc... and add lots of
> bugs...

I would not have daisy-chained nginx and Apache behind an LB like that,
if I were you, but instead put the different functions at the same
level, all right behind the load balancer, and used L7 switching in
order to route the requests to the right back-end system. For example:

                                /->- /static/* ->- (lighttpd cluster)
                               /
(client)->-- [LB www.foo.com] +--->- /php/* ---->- (Apache/PHP cluster)
                               \
                                \->- /search/* ->- (GoogleMini box)

This type of setup can't be done with a LB operating in packet mode like
IPVS. You'll need something that can do proxy mode and L7 like for
instance nginx, HAProxy, or F5 BIG-IP LTM. I'm not sure if nginx
supports retaining/spoofing the client's IP address in the back-end
connections though, like HAProxy does. Or if HAProxy supports it on any
other OS than Linux for that matter.

Anyway, this exchange has not much to do with IPv6 anymore, so I won't
be posting more to the list about it - do feel free to contact me
directly if you want more input, though.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
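
Added example, not part of the original post: an HAProxy configuration for the L7 switching layout and the client-address-preserving proxy mode described in the message above. The addresses (RFC 5737 documentation ranges) and the backend and server names are constructed, and `usesrc clientip` assumes a Linux LB with transparent-proxy support and real servers that use the LB as their default router.

```haproxy
# Added example; all addresses and names below are constructed.
# "usesrc clientip" needs root or CAP_NET_ADMIN, an HAProxy build with
# Linux TPROXY support, and kernel-side policy routing for transparent
# sockets on the LB host (not shown here).

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www_foo_com
    bind 192.0.2.10:80

    # L7 switching: choose the back-end pool from the request path.
    acl is_static path_beg /static/
    acl is_php    path_beg /php/
    acl is_search path_beg /search/

    use_backend static_cluster if is_static
    use_backend php_cluster    if is_php
    use_backend search_box     if is_search
    # No default_backend: requests matching none of the ACLs get a 503.

backend static_cluster
    # Connect to the real server using the client's own address as the
    # source, so the server's logs, p0f and IP-based ACLs see the client.
    source 0.0.0.0 usesrc clientip
    server static1 198.51.100.11:80 check
    server static2 198.51.100.12:80 check

backend php_cluster
    source 0.0.0.0 usesrc clientip
    server php1 198.51.100.21:80 check
    server php2 198.51.100.22:80 check

backend search_box
    source 0.0.0.0 usesrc clientip
    server search1 198.51.100.31:80 check
```

If a real server does not route its replies back through the LB, the spoofed-source connection never completes, because the SYN-ACK goes straight to the client instead of to HAProxy.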