
Re: About ssl and cookies

To: "zhaohf" <zhaohf@xxxxxxxxxxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: About ssl and cookies
Cc: <zhaohf@xxxxxxxxxxxxxxx>
From: "Ted Pavlic" <tpavlic@xxxxxxxxxxx>
Date: Fri, 13 Oct 2000 06:51:18 -0400
Right now LVS DIRECTLY supports two types of persistence and INDIRECTLY
supports another.

Now, if you are just asking how to make port 443 persistent so that those
who receive a cookie on 443 will come back to the same real server on 443,
simply:

/sbin/ipvsadm -A -t 192.168.1.110:443 -p
/sbin/ipvsadm -a -t 192.168.1.110:443 -R 192.168.2.1
/sbin/ipvsadm -a -t 192.168.1.110:443 -R 192.168.2.2
/sbin/ipvsadm -a -t 192.168.1.110:443 -R 192.168.2.3
...

Will set up persistence just for port 443.

However, say someone gets a cookie on port 80 and gives it back on port
443 -- in that case you want to have persistence between multiple ports.
Using port 0 accomplishes this:

/sbin/ipvsadm -A -t 192.168.1.110:0 -p
/sbin/ipvsadm -a -t 192.168.1.110:0 -R 192.168.2.1
/sbin/ipvsadm -a -t 192.168.1.110:0 -R 192.168.2.2
/sbin/ipvsadm -a -t 192.168.1.110:0 -R 192.168.2.3
...

In this setup, anyone who visits ANY service will continue to go back to the
same real server. So requests which come in on 80 or 443 will continue to
come in to the same real server regardless of port.

This is an OK solution, but it basically makes all services persistent which
might mess up scheduling. That is, this is a decent solution but sometimes
not extremely desirable.

If you want to simply group ports 80 and 443 together, you need to do
something more intuitive. Use FWMARK...

ipchains -A input -d 192.168.1.110/32 80 -p tcp -m 1
ipchains -A input -d 192.168.1.110/32 443 -p tcp -m 1
/sbin/ipvsadm -A -f 1 -p
/sbin/ipvsadm -a -f 1 -R 192.168.2.1
/sbin/ipvsadm -a -f 1 -R 192.168.2.2
/sbin/ipvsadm -a -f 1 -R 192.168.2.3
...

Now only ports 80 and 443 will be grouped together via persistence. Any other
ipvsadm rules will be completely separate. This means that you can make 80
and 443 persistent by their own little "port group" and leave ports 25 and
110 (for example) not persistent. OR... You could group all the FTP ports
together as well on a completely different persistence group... i.e.

ipchains -A input -d 192.168.1.110/32 80 -p tcp -m 1
ipchains -A input -d 192.168.1.110/32 443 -p tcp -m 1
/sbin/ipvsadm -A -f 1 -p
/sbin/ipvsadm -a -f 1 -R 192.168.2.1
/sbin/ipvsadm -a -f 1 -R 192.168.2.2
/sbin/ipvsadm -a -f 1 -R 192.168.2.3
# Really adding port 20 isn't needed
ipchains -A input -d 192.168.1.110/32 20 -p tcp -m 2
ipchains -A input -d 192.168.1.110/32 21 -p tcp -m 2
ipchains -A input -d 192.168.1.110/32 1024:65535 -p tcp -m 2
/sbin/ipvsadm -A -f 2 -p
/sbin/ipvsadm -a -f 2 -R 192.168.2.1
/sbin/ipvsadm -a -f 2 -R 192.168.2.2
/sbin/ipvsadm -a -f 2 -R 192.168.2.3
...

I hope that gives you some ideas.

All the best --
Ted

----- Original Message -----
From: "zhaohf" <zhaohf@xxxxxxxxxxxxxxx>
To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Cc: <zhaohf@xxxxxxxxxxxxxxx>
Sent: Friday, October 13, 2000 3:35 AM
Subject: About ssl and cookies


> Good afternoon, everyone.
>
> I have a problem about ssl and cookies as the following:
> How can I make the ssl and cookies persistent connections?
>
> Thank you.
>
> Best regards.
> Zhao.
>
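
An added example, not part of the message above or of the LVS project: a small Python check that reads rules written in the ipchains/ipvsadm syntax shown in the reply and reports, per fwmark, ports that are marked without a matching `ipvsadm -A -f` service, fwmark services created without `-p`, and groups that cover very many ports, such as the 1024:65535 range in the FTP group. The function names, the `wide` threshold and the sample rules (mark 3 in particular) are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample in the message's syntax; mark 3 is a deliberate mistake.
RULES = """\
ipchains -A input -d 192.168.1.110/32 80 -p tcp -m 1
ipchains -A input -d 192.168.1.110/32 443 -p tcp -m 1
/sbin/ipvsadm -A -f 1 -p
/sbin/ipvsadm -a -f 1 -R 192.168.2.1
ipchains -A input -d 192.168.1.110/32 21 -p tcp -m 2
ipchains -A input -d 192.168.1.110/32 1024:65535 -p tcp -m 2
/sbin/ipvsadm -A -f 2 -p
/sbin/ipvsadm -a -f 2 -R 192.168.2.1
ipchains -A input -d 192.168.1.110/32 25 -p tcp -m 3
"""

def parse(text):
    """Map each fwmark to its marked port ranges and virtual-service flags."""
    groups = defaultdict(lambda: {"ports": [], "service": False,
                                  "persistent": False})
    for line in text.splitlines():
        t = shlex.split(line, comments=True)
        tool = t[0].rsplit("/", 1)[-1] if t else ""
        if tool == "ipchains" and "-m" in t and "-d" in t:
            # ipchains form used in the message: -d address/mask port[:port]
            lo, _, hi = t[t.index("-d") + 2].partition(":")
            mark = int(t[t.index("-m") + 1])
            groups[mark]["ports"].append((int(lo), int(hi or lo)))
        elif tool == "ipvsadm" and "-f" in t:
            g = groups[int(t[t.index("-f") + 1])]
            if "-A" in t:  # real-server lines (-a ... -R) are not tracked here
                g["service"], g["persistent"] = True, "-p" in t
    return dict(groups)

def audit(groups, wide=1000):
    """Return (mark, finding) pairs for incomplete or very broad groups."""
    out = []
    for mark, g in sorted(groups.items()):
        if g["ports"] and not g["service"]:
            out.append((mark, "packets marked but no 'ipvsadm -A -f' service"))
        if g["service"] and not g["persistent"]:
            out.append((mark, "virtual service lacks -p"))
        n = sum(hi - lo + 1 for lo, hi in g["ports"])
        if n >= wide:
            out.append((mark, f"{n} ports share one persistence group"))
    return out

if __name__ == "__main__":
    for mark, finding in audit(parse(RULES)):
        print(f"fwmark {mark}: {finding}")
```
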


