On Thu, 2008-08-28 at 16:16 -0800, Chris Robertson wrote:

> Consider me interested. I've had a bit of experience with heartbeat and
> Zen (that was a fun learning project) and am looking to turn my visible
> pool of servers into a single front end. What causes you to qualify
> your statement about how well it works?

For Squid you don't want heartbeat to stop/start Squid; let Squid run all the time on each node. What you want is a redundant load balancer in front of your Squids.

Linux LVS is a fine load balancer engine, and ldirectord is a fine load balancer manager & monitor on top of LVS (it monitors the load balanced servers, making sure traffic only gets forwarded to healthy ones).

heartbeat is a fine failover solution, and an ldirectord based load balancer is very easy to set up managed by heartbeat (ldirectord is part of the heartbeat package btw..).

You can also run Squid on the load balancer nodes if you like, even if some prefer having the load balancer separate. But if you need iptables conntrack/nat on the proxies then it's best not to mix the two on the same box... (LVS and iptables conntrack do not mix that well.. possible, but you'll need quite a bunch of special NOTRACK exception rules in the iptables raw table.)

For efficiency and scalability reasons you want to run LVS in direct routing mode, which means that each node (all of them, load balancer and proxies) will have the service address configured, and this is routed via a heartbeat managed IP.

    clients -> Router -> Internet
                 |
                 v
       heartbeat managed IP
       Service IP with ldirectord/LVS balancer
            /    /  ||  \\
       Proxy nodes each with the service IP

All connected on a shared switch with direct connection to the router.

To reduce confusion about the location of the service IP it may be configured as an alias on loopback. There exists no physical network with the service IP network..

The setup gets a bit simpler if you use NAT forwarding. But the traffic overhead on the load balancer is then more noticeable as it has to process all browser traffic, not just the request packets.. and in addition LVS NAT and transparent interception is a bad mix in case you need transparent interception of port 80...

Regards
Henrik
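For the direct-routing layout Henrik describes, here is an example ldirectord.cf, added here and not taken from his message or from the Squid project: one heartbeat-managed service IP balanced over two Squid nodes, each health-checked so that traffic is only forwarded to nodes that answer. All addresses, ports and the log path are placeholders I chose; "gate" is ldirectord's keyword for LVS direct routing.

```conf
# /etc/ha.d/ldirectord.cf -- example; addresses and paths are placeholders

# Global settings
checktimeout=3              # seconds before a health check counts as failed
checkinterval=5             # seconds between health checks of each real server
autoreload=yes              # re-read this file when it changes, no restart needed
logfile="/var/log/ldirectord.log"
quiescent=no                # remove a failed node from the LVS table outright
                            # instead of leaving it in place with weight 0

# The service IP (the VIP heartbeat moves between balancer nodes) on the Squid port
virtual=192.0.2.10:3128
        # "gate" = direct routing: the balancer rewrites only the destination MAC,
        # so each proxy must also carry 192.0.2.10 itself, as a /32 alias on lo
        # with arp_ignore=1 / arp_announce=2 set so that only the balancer
        # answers ARP for the VIP (placeholder real-server addresses below)
        real=192.0.2.21:3128 gate
        real=192.0.2.22:3128 gate
        service=http
        protocol=tcp
        scheduler=wlc           # weighted least-connection
        checktype=connect       # plain TCP connect check against port 3128
```

A connect check only proves that Squid is accepting connections; a negotiate-type HTTP check that fetches a known URL through each proxy would also catch a Squid that accepts the TCP connection but cannot serve requests. heartbeat should own the VIP and the ldirectord resource on the balancer pair, while on the proxy nodes the VIP lives only on loopback and is never announced.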