Unusual LVS setup

To: "LVS mailing list (E-mail)" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Unusual LVS setup
From: "James Northcott" <jnorthcott@xxxxxxxx>
Date: Wed, 18 Jul 2001 16:14:40 -0500
I'd like to ask for your comments on setting up a rather involved LVS -
I'm going to describe it in detail so that I can ask meaningful
questions.  I apologize for the length.

I am colocated at an ISP where I am assigned routable IP's in the range
64.0.0.226 through 64.0.0.238 (real IP's have been changed :) )  My
gateway is 64.0.0.225.  Here is my proposed setup:

director
VIP=64.0.0.228 - 64.0.0.237 (on eth0:228 - eth0:237)
DIP=192.168.1.200 (on eth0:200, netmask 255.255.255.0)
No default gateway

realserver1
RIP=192.168.1.226 (on eth0:226, netmask 255.255.255.0)
RIP=64.0.0.226 (on eth0)
VIP=64.0.0.228 - 64.0.0.237 (on lo:228 - lo:237)
default route via 64.0.0.225

realserver2
RIP=192.168.1.227 (on eth0:227, netmask 255.255.255.0)
RIP=64.0.0.227 (on eth0)
VIP=64.0.0.228 - 64.0.0.237 (on lo:228 - lo:237)
default route via 64.0.0.225

ipvsadm looks like this:

TCP  64.59.129.228:80 rr
  -> 192.168.1.228:80             Route   1      0          0
  -> 192.168.1.229:80             Route   1      0          0

for each of the ten IP's.

My goal is to load-balance www services across the ten VIP's.  I need
10 IP's because I am hosting a large number of small domains, and Apache
hits a file descriptor limit per server instance.

I have the private subnet RIP's on the realservers so that I can ssh to
a realserver and then from there ssh to the director for maintenance.
Since the DIP is in the same private subnet, it should ONLY be
accessible in this way.

I have the public IP's on the realservers because some of my web sites
need to fetch live XML data from outside sources for formatting by the
web server before being sent back to the client.

I am using Direct Routing for this setup.

I have set this system up for testing, and everything seems to be
working, but I'd like to get a second (or more) opinion on the
following:

1.      Security

I think that as long as I close all incoming ports on the public IP's on
the realservers and only allow the XML data feeds that I need, that this
should be very secure - the director is not directly accessible, and
neither are the realservers except on the locally firewalled public
IP's.  Am I right here?

2.      Performance

I don't think that having public IP's on the realservers will change the
performance of the DR setup in any way - in fact, I think that it really
doesn't have anything to do with the LVS.  Is that the case?

3.      Feasibility

Is this really going to work in production?  I doubt that anyone has
actually tried an identical setup, but if anyone has done anything
similar (allowing the realservers client access to the Internet) I would
appreciate your comments.  I've been having this feeling that I'm
missing some stupid reason that this won't work at all...

4.      Anything else

Is there a better way of doing this?  Is there something that I haven't
accounted for here?  I am planning on adding more realservers as time
progresses.  I am also planning on making other services accessible, but
not load-balanced, i.e. all FTP requests would go to realserver1.  Is
expansion going to be a problem the way I've planned it?

Thanks for your patience, and your comments.  This is my first LVS, so
I'd appreciate any advice.

James Northcott
I.T. Team Leader
Defining Presence Marketing Group

"World Leaders in Internet Business Development"
Visit http://www.dpmg.com or email james@xxxxxxxx
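The plan above has a few invariants that Direct Routing depends on and that a typo in the ipvsadm table breaks silently: every destination must be a real server's RIP on the director's private segment, the forwarding method must be Route, and each real server must carry the VIP on a non-ARP lo alias. The following checker is an added example, not code from the post or from the LVS project; it encodes the director/realserver plan exactly as described in the mail (VIPs 64.0.0.228-237, DIP subnet 192.168.1.0/24, RIPs .226/.227, gateway .225) and parses ipvsadm-style listings. The sample tables it builds are constructed: one mirrors the posted listing, whose destinations are 192.168.1.228/.229 rather than the declared RIPs, and one uses the declared RIPs; the checker flags the first and passes the second.

```python
"""Sanity-check an LVS-DR plan against ipvsadm-style output (added example)."""
import ipaddress
import re

# Values from the plan in the mail (real addresses were changed by the author).
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")   # DIP and RIPs live here
VIPS = {ipaddress.ip_address(f"64.0.0.{n}") for n in range(228, 238)}
GATEWAY = ipaddress.ip_address("64.0.0.225")           # realservers' default route

# Each realserver: private RIP (what the director forwards to), public address,
# and the VIPs configured on lo aliases so the host accepts the VIP without ARPing.
REALSERVERS = {
    "realserver1": {"rip": ipaddress.ip_address("192.168.1.226"),
                    "public": ipaddress.ip_address("64.0.0.226"),
                    "lo_vips": set(VIPS)},
    "realserver2": {"rip": ipaddress.ip_address("192.168.1.227"),
                    "public": ipaddress.ip_address("64.0.0.227"),
                    "lo_vips": set(VIPS)},
}

SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\w+)")
DEST_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\d+)")


def build_table(rips, method="Route", port=80):
    """Render a constructed `ipvsadm -L -n` style table with one service per VIP.

    Sample input for the checker, not real ipvsadm output.
    """
    lines = []
    for vip in sorted(VIPS):
        lines.append(f"TCP  {vip}:{port} rr")
        for rip in rips:
            lines.append(f"  -> {rip}:{port}             {method}   1      0          0")
    return "\n".join(lines)


def parse_ipvsadm(text):
    """Parse service/destination lines into {(vip, port): [(rip, method, weight)]}."""
    services = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = (ipaddress.ip_address(m.group(2)), int(m.group(3)))
            services[current] = []
            continue
        m = DEST_RE.match(line)
        if m and current is not None:
            services[current].append(
                (ipaddress.ip_address(m.group(1)), m.group(3), int(m.group(4))))
    return services


def check_dr_plan(services):
    """Return human-readable findings; an empty list means the table matches the plan."""
    findings = []
    rip_to_name = {rs["rip"]: name for name, rs in REALSERVERS.items()}
    for (vip, port), dests in services.items():
        if vip not in VIPS:
            findings.append(f"{vip}:{port}: VIP is not in the director's VIP range")
        for rip, method, weight in dests:
            if method != "Route":
                findings.append(f"{vip}:{port} -> {rip}: method {method} is not DR (Route)")
            if rip not in PRIVATE_NET:
                findings.append(f"{vip}:{port} -> {rip}: destination outside {PRIVATE_NET}, "
                                "director has no L2 path to it")
            name = rip_to_name.get(rip)
            if name is None:
                findings.append(f"{vip}:{port} -> {rip}: no realserver declares this RIP")
            elif vip not in REALSERVERS[name]["lo_vips"]:
                findings.append(f"{vip}:{port} -> {rip}: {name} has no lo alias for the VIP "
                                "and will drop the forwarded packet")
    for vip in sorted(VIPS - {vip for vip, _ in services}):
        findings.append(f"{vip}: no ipvsadm service defined for this VIP")
    return findings


AS_POSTED = build_table(["192.168.1.228", "192.168.1.229"])   # mirrors the posted listing
DECLARED = build_table(["192.168.1.226", "192.168.1.227"])    # uses the declared RIPs

if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("declared RIPs", DECLARED)):
        findings = check_dr_plan(parse_ipvsadm(table))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings[:4]:
            print("  ", f)
```

Run it after editing the plan constants to match a real deployment and feed it the output of `ipvsadm -L -n`; the lo-alias check is the one most worth keeping, since a real server that lacks the VIP on a non-ARP interface discards DR-forwarded packets with no error on the director.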