My suggestion goes as follows: Give 2 IP addresses for your firewall and DNAT each address to a server. Then any name resolution would resolve in a round robin fashion, thus distributing load among two servers carrying the same web content. The firewall rules can be given as a /30 netmask, thus giving 4 IPs in the rules.

Mohan

-----Original Message-----
From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx] On Behalf Of Martin A. Brown
Sent: Friday, March 07, 2003 7:37 PM
To: A. Peter Mee
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: [LARTC] Routing + Proxying

Hello Pete,

: I am hoping to set up a pair of web servers that sit behind a firewall. The
: firewall will have a single live IP address and the web servers will be
: internal. So my question is a simple one, which I doubt there is a simple
: solution to (if any).... but that's why I'm asking. ;-)

: In a simple setup of one firewall + one web server, the firewall would map
: port 80 to the web server's port 80.

Sure....this could be netfilter DNAT.

: Would there be a way of 'splitting' or 'load balancing' the requests between
: the two web servers such that one of the two following scenarios is possible
: (or any others that you can think of):

Yes.

: 1) Each web server hosts a limited number of web sites & the firewall
: intelligently distributes the packets based on the requested URL to the
: respective web server.

This would require application layer logic, i.e., a very smart proxy....you
might examine squid [1].

: 2) Each web server hosts all web sites & the firewall intelligently
: distributes whole requests to an individual web server.

You should take a look at LVS [2]. This is probably a safer and more robust
solution to the problem you outline in your first paragraph.

: I've looked into a proxy sitting on the firewall, but this seems to
: pose an additional problem: if the DNS points at the firewall as the IP
: address for the individual web site and the proxy is sitting at that
: address, how does it know to relay the request internally (this is the
: part that I realise is not LARTC-based).

-Martin

[1] http://www.squid-cache.org/
[2] http://www.linuxvirtualserver.org/

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
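The two-address DNAT arrangement Mohan suggests at the top of the thread, and the netfilter DNAT that Martin mentions, written out as an added example (this is not code from either poster or from the LARTC HOWTO). All addresses and the interface name are constructed placeholders: 203.0.113.10 and 203.0.113.11 stand for the two public addresses on the firewall, 10.0.0.10 and 10.0.0.11 for the two internal web servers, and eth0 for the outside interface. The script only generates rules in iptables-restore format, so the mapping can be reviewed before it is loaded; the FORWARD chain is default-deny and admits only the DNATed HTTP flows, so the backends are not reachable on any other port through the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: one public address DNATed to one backend,
# port 80 only, plus a default-deny FORWARD chain that admits only those flows.
# Addresses and interface below are constructed placeholders.

gen_dnat_rules() {
    pub1=${1:-203.0.113.10}; srv1=${2:-10.0.0.10}
    pub2=${3:-203.0.113.11}; srv2=${4:-10.0.0.11}
    wan=${5:-eth0}

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Map each public address to exactly one backend; only TCP/80 is rewritten.
-A PREROUTING -i $wan -d $pub1 -p tcp --dport 80 -j DNAT --to-destination $srv1:80
-A PREROUTING -i $wan -d $pub2 -p tcp --dport 80 -j DNAT --to-destination $srv2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Default-deny forwarding: allow replies to tracked connections and new HTTP
# connections to the two backends; nothing else crosses the firewall.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -d $srv1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $wan -d $srv2 -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of DNAT rules in the generated set; one per public address is expected.
count_dnat() {
    gen_dnat_rules "$@" | grep -c -- '-j DNAT'
}

# Review the rule set, then (as root on the firewall) load it with:
#   gen_dnat_rules | iptables-restore
gen_dnat_rules
```

Two caveats a practitioner would want here. First, the return path needs no explicit SNAT rule: connection tracking reverses the DNAT on reply packets automatically, which is why the ESTABLISHED,RELATED rule is enough. Second, round-robin DNS has no health checking, so if one backend dies, roughly half of all lookups still land on it until the record is removed or its TTL expires; LVS, which Martin points to as [2], can take a dead real server out of rotation, which is the main reason it is the more robust of the two approaches.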