Hi Bob,

Bob Beck wrote:
* Marian Hettwer <[EMAIL PROTECTED]> [2007-01-29 09:49]:
Hi OpenBSD'lers,

I'm about to use OpenBSD's pf(4) for load balancing some webservers. So far, everything is looking just perfect.
Compared to pound, pf(4) is incredibly fast, with little CPU and memory usage.
So I'd say: That's great :)

However, one thing is bothering me.
Obviously, my apache access logs on those load balanced machines can only show the IP address of my load balancer, not the real remote ip of the request.

        Completely untrue. If you are doing an rdr, it will change the
destination IP, not the source IP.
That's true so far... however, I was told by Stuart that the connections are going like this:

<quote>
requests go like this:
origin -> balancer -> destination

replies like this:
destination -> origin

but they need to go like this so they can be "un-rdr'ed":
destination -> balancer -> origin

I'm not certain whether it will help so I won't bother posting to misc@
now, but you could try adding a NAT rule in addition to the RDR.
</quote>

        Unless in *addition* to load balancing you are doing NAT.

I do, which it seems I have to.
My boxes are some dedicated servers with a "standard" network configuration. Meaning: an official IP address, some default gateway, and off they go. However, I can't change the network configuration, as those boxes are rented servers with no possibility to mess around with the network config.

        I'm not using NAT, my load balancer looks like this:

web2# more /etc/pf/webmail_servers
142.244.12.130
142.244.12.132
142.244.12.133
142.244.12.134
142.244.12.135
142.244.12.136
142.244.12.137
142.244.12.138
142.244.12.139
142.244.12.140

pf.conf:

table <webmail_servers> persist file "/etc/pf/webmail_servers"
WEBMAIL_IP = "{129.128.98.89}"
rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 -> <webmail_servers> port 80 round-robin sticky-address
rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 -> <webmail_servers> port 443 round-robin sticky-address

        I get the real connection IP's in my apache log.

That looks interesting.
I wonder why I need NAT to get the communication working... strange...
How are your webmail servers configured (in regards to networking)?


Regards,
./Marian

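The two configurations discussed in this thread side by side, as an added example that is not part of the original mails or of either poster's pf.conf. It uses the old (pre-4.7) rdr/nat syntax the thread quotes. The interface name em0, the backend and balancer addresses and the port 443 rule are assumptions; the rdr lines mirror Bob's rules, the nat rule is the "NAT rule in addition to the RDR" Stuart suggested.

```conf
# Assumed: the balancer reaches the backends through the same interface
# it receives client traffic on (Marian's "official IP, default gateway
# elsewhere" setup). Change em0 and the addresses to match.
ext_if = "em0"
WEBMAIL_IP = "129.128.98.89"
table <webmail_servers> persist file "/etc/pf/webmail_servers"

# Variant A: rdr only (Bob's setup).
# Only the destination address is rewritten, so apache logs the real
# client IP. Replies from the backends must route back through this box,
# which is what un-rdr's them; if the backends' default gateway is
# somewhere else the client gets a reply from an address it never
# talked to and the TCP handshake never completes.
rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 \
    -> <webmail_servers> port 80 round-robin sticky-address
rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 \
    -> <webmail_servers> port 443 round-robin sticky-address

# Variant B: rdr plus nat (Marian's situation).
# After the rdr above has picked a backend, the source address of the
# packet leaving towards that backend is rewritten to the balancer's
# own address on $ext_if. The backend then replies to the balancer
# regardless of its default gateway, and pf reverses both translations.
# The price is exactly what Marian observed: apache only ever sees the
# balancer's address as the client.
nat on $ext_if proto tcp from any to <webmail_servers> port { 80, 443 } \
    -> ($ext_if)
```

Load and check it with `pfctl -nf /etc/pf.conf` (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -s state` shows, for each connection, which addresses were translated, so you can see whether only the destination (variant A) or both source and destination (variant B) are being rewritten.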