Below is the info that I can give you; please let me know what
details you need to debug this.
The servers are only for web server load balancing + high availability
using heartbeat. The director server also acts as a real server, and I
only have 2 servers using 3 IPs: 1 is for the VIP and 2 are for the real IPs.
[root@luigi ~]# cat /etc/redhat-release
CentOS release 5 (Final)
[root@luigi ~]# uname -a
Linux luigi 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux
[root@mario ~]# ipvsadm --version
ipvsadm v1.24 2003/06/07 (compiled with popt and IPVS v1.2.0)
iptables is empty, and what I can think of is that the default sysctl.conf
allows IP forwarding because of the LVS-DR setting:
# Change the default TTL to help obscure OS fingerprinting
net.ipv4.ip_default_ttl = 128
# Enable packet forwarding
net.ipv4.ip_forward = 1
# hide lo so that lo doesn't answer ARP requests
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2
At first I thought that my server had been hacked, but after I checked
the other site with the same settings (I have 2 setups in different locations)
the result is the same. Local users can use the LVS server as a
proxy. Any suggestions on where I need to look?
On Mon, Sep 15, 2008 at 4:27 PM, Graeme Fowler <graeme@xxxxxxxxxxx> wrote:
> On Mon, 2008-09-15 at 14:51 +0800, Ahmad Amran Kapi wrote:
>> I've set up LVS successfully using LVS-DR with two servers. The
>> problem, however, is that because of some company policy we're blocking
>> some websites from our internal users, but the users can skip this
>> blocking by using the LVS server, e.g.
>> they have set up their browser to use the LVS IP on port 80.
>> Is there any way I can block users from
>> using my LVS server as a proxy?
> I think you need to give us more information - your LVS clearly isn't
> frontending a bunch of mail servers, for example!
> What are you load balancing - squid, apache, something else?
> Whatever it is it sounds as though this is an application issue, not
Ahmad Amran Kapi
Art In Software Sdn Bhd
Suite 2.5 Inkubator K-Ekonomi
75450 Ayer Keroh
06-2322464 / 013-6102545
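
One way to confirm from the web servers' own logs that clients are sending proxy-style requests, as described in the thread (an added example, not code from the thread or from the LVS project). It assumes access logs in Common Log Format; `SERVED_HOSTS` and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames/VIP the cluster legitimately serves (assumed placeholder values).
SERVED_HOSTS = {"www.example.test", "192.0.2.10"}

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+'
)

def proxy_style_target(method, target):
    """Return the foreign host if the request line is proxy-style, else None."""
    if method == "CONNECT":                      # CONNECT host:port (tunnel request)
        host = target.rsplit(":", 1)[0]
    elif target.lower().startswith(("http://", "https://")):
        host = urlsplit(target).hostname or ""   # absolute-URI form, sent to proxies
    else:
        return None                              # origin-form ("/path"): normal request
    host = host.lower().strip("[]")
    return None if host in SERVED_HOSTS else host

def find_proxy_requests(lines):
    """Yield (client, host, status) for each proxy-style request to a foreign host."""
    for m in filter(None, map(CLF.match, lines)):
        host = proxy_style_target(m["method"], m["target"])
        if host:
            yield m["client"], host, int(m["status"])

def relayed_by_client(lines):
    """Count proxy-style requests that got a non-error status, per client."""
    return Counter(c for c, _, s in find_proxy_requests(lines) if s < 400)

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    '10.0.0.21 - - [15/Sep/2008:14:02:11 +0800] "GET http://blocked.example/ HTTP/1.1" 200 5120',
    '10.0.0.21 - - [15/Sep/2008:14:02:12 +0800] "GET http://blocked.example/a.css HTTP/1.1" 200 812',
    '10.0.0.35 - - [15/Sep/2008:14:03:40 +0800] "CONNECT mail.example:443 HTTP/1.1" 405 0',
    '10.0.0.40 - - [15/Sep/2008:14:04:02 +0800] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.0.40 - - [15/Sep/2008:14:04:05 +0800] "GET http://www.example.test/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, n in relayed_by_client(SAMPLE).items():
        print(f"{client}: {n} proxy-style request(s) answered without error")
```

A non-error status only shows that the server answered the request; comparing the response with the cluster's own site confirms whether foreign content was actually relayed.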