Thanks for the information. I'm going to try this approach and see how it
works. Thanks again for the ideas!
-Ryan
On Wed, Oct 01, 2003 at 04:04:01PM -0400, Matthew Crocker wrote:
> >>Hello,
> >>  I'm currently using a setup where I have individual webservers which are
> >>using port based virtual hosts in apache. For instance, I have port 5678
> >>and 5679 which map to ports 80 and 443 on a virtual host. I'm currently
> >>using a commercial solution to schedule these hosts and keep them
> >>persistent together, however I'm hoping to switch these over to my LVS-DR
> >>box.
> >>
> >>  It appears that the fwmark group is what I would want to do to keep
> >>people going to both ports persistent, but from the documentation it
> >>didn't appear that you could do port mapping while doing fwmarks. I was
> >>wondering if anyone had done this and if they could share how they made it
> >>work if they had. This would be for a shopping cart type application
> >>where switching between port "80" and "443" were necessary for security,
> >>but because the application uses php sessions it has to go back to the
> >>same server each time. It appears very easy to do if they were actually
> >>listening on port 80 and 443 but since they're not I'm very confused about
> >>the correct way to configure this.
> >
>
> So the client is going to 12.34.56.78:80 & 12.34.56.78:443 you want to
> redirect them internally to 10.0.0.1:5678 & 10.0.0.1:5679 respectively?
> This can be done with a combination of LVS, fwmark and iptables DNAT
>
> First step is to mark the packets with a fwmark
>
> # give traffic to the VIP on both 80 and 443 the same fwmark (0x1)
> iptables -t mangle -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 \
>     -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
> iptables -t mangle -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 \
>     -p tcp -m tcp --dport 443 -j MARK --set-mark 0x1
>
> Second step is to change the destination port to the correct port using
> DNAT
>
> # rewrite only the destination port; the VIP itself stays the same
> iptables -t nat -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 \
>     -p tcp -m tcp --dport 80 -j DNAT --to-destination 12.34.56.78:5678
> iptables -t nat -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 \
>     -p tcp -m tcp --dport 443 -j DNAT --to-destination 12.34.56.78:5679
>
> Third step is to load balance based off of the fwmark with persistence.
>
> # -A adds the fwmark virtual service (wlc, 600 s persistence);
> # -a adds each real server to it (port 0 = keep the port, -g = direct routing)
> ipvsadm -A -f 1 -s wlc -p 600
> ipvsadm -a -f 1 -r 10.0.0.1:0 -g -w 1
> ipvsadm -a -f 1 -r 10.0.0.2:0 -g -w 1
>
>
> This is all off the top of my head but it should work. Step two might
> be an issue because the iptable docs say the nat table only picks up
> socket creation packets (aka SYN packets).
>
> Hope this helps
>
> -Matt
>
>
>
> >The short answer is that you can't using LVS.
> >But I wonder if it might be possible to change the destination
> >port using netfilter before or after the packets hit LVS.
> >Alternatively it would be possible to modify LVS to do this,
> >the main issue in my mind would be working out a sane
> >way to configure it.
> >
> >--
> >Horms
> >_______________________________________________
> >LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> >Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> >or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> >
>
>
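The three steps in Matt's reply, as an added example that is not part of the thread: a small POSIX shell script that builds the mangle, DNAT and ipvsadm rule set from variables, with a dry-run mode so the generated commands can be reviewed (and tested) on a box without root or ipvs. The VIP, real-server addresses, ports and mark value are placeholders taken from the thread, and the PORTMAP/DRYRUN variable names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the fwmark + DNAT + LVS-DR
# rule set from variables. Addresses and ports are placeholders.
VIP="${VIP:-12.34.56.78}"                    # virtual IP clients connect to
IFACE="${IFACE:-eth0}"                       # interface facing the clients
MARK="${MARK:-1}"                            # fwmark shared by both ports
PERSIST="${PERSIST:-600}"                    # persistence timeout, seconds
REALSERVERS="${REALSERVERS:-10.0.0.1 10.0.0.2}"
PORTMAP="${PORTMAP:-80:5678 443:5679}"       # client_port:backend_port pairs
DRYRUN="${DRYRUN:-1}"                        # 1 = print commands, 0 = run them

# Run a command, or print it when DRYRUN=1 so the rules can be reviewed first.
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Return 0 only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the complete rule set. Returns 2 if PORTMAP contains a bad port.
lvs_rules() {
    for pair in $PORTMAP; do
        cport=${pair%%:*}
        bport=${pair##*:}
        valid_port "$cport" && valid_port "$bport" || return 2
        # Step 1: mangle PREROUTING runs before nat PREROUTING, so match on
        # the original client port and give every mapped port the same mark.
        run iptables -t mangle -A PREROUTING -i "$IFACE" -d "$VIP" \
            -p tcp --dport "$cport" -j MARK --set-mark "$MARK"
        # Step 2: rewrite only the port; the VIP is unchanged, so LVS still
        # owns the packet. The nat table sees the first packet of each
        # connection and conntrack applies the mapping to the rest.
        run iptables -t nat -A PREROUTING -i "$IFACE" -d "$VIP" \
            -p tcp --dport "$cport" -j DNAT --to-destination "$VIP:$bport"
    done
    # Step 3: one fwmark virtual service (-A) with persistence, so a client's
    # port 80 and port 443 connections land on the same real server.
    run ipvsadm -A -f "$MARK" -s wlc -p "$PERSIST"
    for rs in $REALSERVERS; do
        # port 0 = keep the (already rewritten) port, -g = direct routing
        run ipvsadm -a -f "$MARK" -r "$rs:0" -g -w 1
    done
}

# Prints the rules by default; run with DRYRUN=0 as root to apply them.
lvs_rules
```

After applying, `ipvsadm -L -n` should list an `FWM 1` service with both real servers, and `iptables -t nat -L PREROUTING -n -v` shows the DNAT counters moving as connections arrive. Two caveats a practitioner will want: in DR mode the director never rewrites the destination address, so each real server must carry the VIP on a non-ARPing interface and have Apache listening on 5678 and 5679 for that address; and LVS persistence is keyed on the client source address, so every client behind one large NAT will be pinned to a single real server for the persistence window.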