On Wed, Sep 17, 2008 at 10:19:11PM +0200, Michiel van Baak wrote:
> > redirect web {
> >     listen on $ext_ip1 port 80:443
> >     sticky-address
> >     forward to <webservers> port http check script "/usr/local/sbin/chksrvs"
> > }
> >
> > note that this will match any traffic in the 80 - 443 port range, make
> > sure that you add additional pf rules to filter any other ports except
> > 80 and 443. but it works with Source Tracking and should allow your
> > clients to move between http and https on the same server. another
> > limitation is that it only runs checks on one of the ports.
>
> ugh, this looks ugly ;)
> Instead of going this route I would say: find the source of why the
> visitor should access the same host, and solve that.
>
no, it is not ugly. it is a reasonable solution for a very common case.
you can easily block other incoming connections with restrictive pf
rules. but please face reality - not everyone is in control of their
backend web servers since it is VERY common that the loadbalancers
(networking group) are handled by a different group than the backend
webservers (servers group). and it is also very common that you run your
fancy nice openbsd box in front of some other "stuff". indeed, it is
very common for loadbalancers and firewalls to "fix" arbitrary systems
attached to the network.

> We use relayd in front of 6 servers, doing http and https.
> It doesn't matter what backend box the user goes to. Hell, they can even go
> to another box on a reload.
> This of course means we are storing sessions etc on shared storage (NFS
> in our case, and the new sharedance port looks like an alternative for
> that)
>

of course this is a better solution if you're in control of the backend
servers. some people also use solutions like a clustered database
backend (e.g. mysql), proprietary solutions like zend cache, ...

reyk

> --
>
> Michiel van Baak
> [EMAIL PROTECTED]
> http://michiel.vanbaak.eu
> GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
>
> "Why is it drug addicts and computer aficionados are both called users?"