Re: LVS-NAT + ssh port forwarding

To: Fridiric <defdef@xxxxxxxxxxxxxxxxx>
Subject: Re: LVS-NAT + ssh port forwarding
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Wensong Zhang <wensong@xxxxxxxxxxxx>
Date: Thu, 13 Jan 2000 00:45:50 +0800
Fridiric wrote:
> 
> Wensong Zhang wrote:
> >
> > Fridiric wrote:
> > >
> > > Hi,
> > >
> > > I wonder if it would be possible to use LVS-NAT to load-balance
> > > virtual-IPs to ssh-forwarded real-IPs ?
> > >
> >
> > Sorry, I don't understand the meaning of ssh-forwarded real-IPs. Ssh
> > is usually doing the encryption on the application-layer. Or, are you
> > mentioning the CIPE?
> >
> 
> Ssh can also be used to create a local access that is forwarded to a
> remote access through the ssh protocol. For example you can use ssh to
> securely map a local access to a remote POP server:
> 
> local:localport ==> local:ssh ~~~~~ ssh port forwarding ~~~~~ remote:ssh
> ==> remote:pop
> 
> And when you connect to local:localip you are transparently/securely
> connected to remote:pop
> 

Yeah, it is port-forwarding, which works in the application level.

> > Yeah, you can use VPN (or CIPE) to map some external real servers into
> > your private cluster network. If you use LVS-NAT, make sure the
> > routing on the real server must be configuration properly so that the
> > response packets will go through the load balancer to the clients.
> 
> I think that it isn't necessary to have the default router to the load
> balancer when using ssh, because the RS address is the same as the
> VS address (different ports)
> 
> >
> > Wensong
> >
> > > Example:
> > >                                - VS:81 ---- ssh ---- RS:80
> > >                               /
> > > INTERNET - - - - > VS:80 (NAT)-- VS:82 ---- ssh ---- RS:80
> > >                               \
> > >                                - VS:83 ---- ssh ---- RS:80
> > >
> > > The main idea is to allow RS in different LANs.
> > >

With the NAT method, your example won't work because the LVS/NAT
treats packets as local ones and forwards them to the upper layers without
any change.

However, your example gives me an idea that we can dynamically redirect
the port 80 to port 81, 82 and 83 respectively for different
connections, then your example can work. However, the performance
won't be good, because lots of work is done at the application
level, and the overhead of copying from kernel to user-space is high.

Another thought is that we might be able to set up LVS/DR with real
servers in different LANs by using CIPE/VPN stuff. For example, we
use CIPE to establish tunnels from the load balancer to real servers
like


                    10.0.0.1================10.0.1.1 realserver1
                    10.0.0.2================10.0.1.2 realserver2
  --- Load Balancer 10.0.0.3================10.0.1.3 realserver3
                    10.0.0.4================10.0.1.4 realserver4
                    10.0.0.5================10.0.1.5 realserver5

Then, you can add LVS/DR configuration commands as:
        # add the virtual service VIP:80 (www)
        ipvsadm -A -t VIP:www
        # add each real server by its tunnel address, gatewaying (-g) = direct routing
        ipvsadm -a -t VIP:www -r 10.0.1.1 -g
        ipvsadm -a -t VIP:www -r 10.0.1.2 -g
        ipvsadm -a -t VIP:www -r 10.0.1.3 -g
        ipvsadm -a -t VIP:www -r 10.0.1.4 -g
        ipvsadm -a -t VIP:www -r 10.0.1.5 -g

I haven't tested it. Please let me know the result if anyone tests
this configuration.

Thanks,

Wensong


> > > freD.
> > >
> 

----------------------------------------------------------------------
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
To unsubscribe, e-mail: lvs-users-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx
For additional commands, e-mail: lvs-users-help@xxxxxxxxxxxxxxxxxxxxxx
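The per-connection redirect Wensong sketches above (new connections to VS:80 handed round-robin to the local ends of the ssh forwards on 81/82/83, replies rewritten back to port 80) can be modelled in a few lines. This is an added toy model of that idea, not IPVS or LVS code; the VIP, client addresses and port list are constructed. It also shows why the reply has to pass back through the director: without the reverse rewrite the client sees a reply from a port it never contacted.

```python
"""Toy model of a per-connection LVS-NAT style redirect (illustration only)."""
from dataclasses import dataclass
from itertools import cycle

VIP = "192.0.2.10"             # constructed virtual address
FORWARD_PORTS = [81, 82, 83]   # local ends of the ssh -L forwards (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

class NatDirector:
    def __init__(self, vip=VIP, ports=FORWARD_PORTS):
        self.vip, self.vport = vip, 80
        self._rr = cycle(ports)        # round-robin scheduler over forward ports
        self.conns = {}                # (client, cport) -> chosen forward port

    def inbound(self, pkt):
        """Client -> VIP:80: create or look up the mapping, rewrite dest port."""
        if (pkt.dst, pkt.dport) != (self.vip, self.vport):
            return None                # not our virtual service; untouched
        key = (pkt.src, pkt.sport)
        if key not in self.conns:
            if not pkt.syn:
                return None            # no table entry and not a new connection
            self.conns[key] = next(self._rr)
        return Packet(pkt.src, pkt.sport, self.vip, self.conns[key], pkt.syn)

    def outbound(self, pkt):
        """Reply from a forward port toward the client: restore VIP:80.
        Only replies that match an existing entry are rewritten; a reply
        that bypasses the director never gets this step, which is why the
        real server's default route must point at the director in LVS-NAT."""
        key = (pkt.dst, pkt.dport)
        if pkt.src != self.vip or self.conns.get(key) != pkt.sport:
            return None
        return Packet(self.vip, self.vport, pkt.dst, pkt.dport)
```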
