I can relate to that, having load balancers fix"ing" backend services.
If you have the time, you will probably find "pound reverse proxy"
http://www.apsis.ch/pound/ to be a nice alternative to try out in your lab.
I have pound on openbsd for several years and can recommend it for http
-> https redirects, SSL termination and back-end load balancing with
health checks (not to mention the dynamic scaling ) and and weighted
priority between backend nodes.
Check it out
Reyk Floeter wrote:
On Wed, Sep 17, 2008 at 10:19:11PM +0200, Michiel van Baak wrote:
redirect web {
listen on $ext_ip1 port 80:443
sticky-address
forward to <webservers> port http check script "/usr/local/sbin/chksrvs"
}
note that this will match any traffic in the 80 - 443 port range, make
sure that you add additional pf rules to filter any other ports except
80 and 443. but it works with Source Tracking and should allow your
clients to move between http and https on the same server. another
limitation is that it only runs checks on one of the ports.
ugh, this looks ugly ;)
Instead of going this route I would say: find the source of why the
visitor should access the same host, and solve that.
no, it is not ugly. it is a reasonable solution for a very common
case. you can easilly block other incoming connections with
restrictive pf rules. but please face reality - not everyone is in
control of their backend web servers since it is VERY common that the
loadbalancers (networking group) are handled by a different group than
the backend webservers (servers group). and it is also very common
that you run your fancy nice openbsd box in front of some other
"stuff". indeed, it is very common for loadbalancers and firewalls to
"fix" arbitrary systems attached to the network.
We use relayd in front of 6 servers, doing http and https.
It doesn't matter what backend box the user go. Hell, they can even go
to another box on a reload.
This of course means we are storing sessions etc on shared storage (NFS
in our case, and the new sharedance port looks like an alternative for
that)
of course this is a better solution if you're in control of the
backend servers. some people also use solutions like a clustered
database backend (eg. mysql), proprietary solutions like zend cache,
...
reyk
--
Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
"Why is it drug addicts and computer aficionados are both called users?"
