Hi,
James Northcott wrote:
>
> I'd like to ask for your comments on setting up a rather involved LVS -
> I'm going to describe it in detail so that I can ask meaningful
> questions. I apologize for the length.
>
> I am colocated at an ISP where I am assigned routable IP's in the range
> 64.0.0.226 through 64.0.0.238 (real IP's have been changed :) ) My
> gateway is 64.0.0.225. Here is my proposed setup:
>
> director
> VIP=64.0.0.228 - 64.0.0.237 (on eth0:228 - eth0:237)
> DIP=192.168.1.200 (on eth0:200, netmask 255.255.255.0)
> No default gateway
>
> realserver1
> RIP=192.168.1.226 (on eth0:226, netmask 255.255.255.0)
> RIP=64.0.0.226 (on eth0)
> VIP=64.0.0.228 - 64.0.0.237 (on lo:228 - lo:237)
> default route via 64.0.0.225
>
> realserver2
> RIP=192.168.1.227 (on eth0:227, netmask 255.255.255.0)
> RIP=64.0.0.227 (on eth0)
> VIP=64.0.0.228 - 64.0.0.237 (on lo:228 - lo:237)
> default route via 64.0.0.225
>
> ipvsadm looks like this:
>
> TCP 64.59.129.228:80 rr
> -> 192.168.1.228:80 Route 1 0 0
> -> 192.168.1.229:80 Route 1 0 0
>
> for each of the ten IP's.
This should work.
>
> My goal is to load-balance www services accross the ten VIP's. I need
> 10 IP's because I am hosting a large number of small domains, and Apache
> hits a file descriptor limit per server instance.
>
> I have the private subnet RIP's on the realservers so that I can ssh to
> a realserver and then from there ssh to the director for maintenance.
> Since the DIP is in the same private subnet, it should ONLY be
> accessible in this way.
>
> I have the public IP's on the realservers because some of my web sites
> need to fetch live XML data from outside sources for formatting by the
> web server before being sent back to the client.
>
> I am using Direct Routing for this setup.
>
> I have set this system up for testing, and everything seems to be
> working, but I'd like to get a second (or more) opinion on the
> following:
>
> 1. Security
>
> I think that as long as I close all incoming ports on the public IP's on
> the realservers and only allow the XML data feeds that I need, that this
> should be very secure - the director is not directly accessible, and
> neither are the realservers except on the locally firewalled public
> IP's. Am I right here?
Hmm, for this setup it should be the best you can have.
>
> 2. Performance
>
> I don't think that having public IP's on the realservers will change the
> performance of the DR setup in any way - in fact, I think that it really
> doesn't have anything to do with the LVS. Is that the case?
>
Yes, that's right.
> 3. Feasibility
>
> Is this really going to work in production? I doubt that anyone has
> actually tried an identical setup, but if anyone has done anything
> similar (allow the realservers client access to the Internet) I would
> appreciate your comments. I've been having this feeling that I'm
> missing some stupid reason that this won't work at all...
>
What happens if the XML feed fails? Perhaps there are routing problems
from your provider, or the contributor has problems? We've run several
times into the same problem: HTTP includes in our customers' websites are
not responding --> the webserver blocks the request (timeout is 30s) -->
after 2 minutes the whole cluster is not responding.
> 4. Anything else
>
> Is there a better way of doing this? Is there something that I haven't
> accounted for here? I am planning on adding more realservers as time
> progresses. I am also planning on making other services accessible, but
> not load-balanced, ie all FTP requests would go to realserver1. Is
> expansion going to be a problem the way I've planned it?
Can you cache the XML requests? Store them into a database?
--> only the database/proxy needs direct access to the internet, you save
some traffic (the data is only requested once and not from every
realserver), and you have at least old data and not none when the other
side fails.
bye,
Chris
>
> Thanks for your patience, and your comments. This is my first LVS, so
> I'd appreciate any advice.
>
> James Northcott
> I.T. Team Leader
> Defining Presence Marketing Group
>
> "World Leaders in Internet Business Development"
> Visit http://www.dpmg.com or email james@xxxxxxxx
>
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
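Chris's suggestion above (fetch each feed once, keep the last good copy, and serve it when the upstream stalls) sketched as an added example; this is not code from the thread, and the feed URL, XML payload and the scripted "answers once, then times out" fetcher are constructed for the demo.

```python
"""Stale-on-error cache for third-party XML feeds (added example)."""
import threading
import time
import urllib.request


def urllib_fetch(url, timeout):
    """Real fetcher: a hard per-request limit, well below Apache's 30 s."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


class FeedCache:
    """One fetch per TTL; on fetch failure, serve the old copy if we have one."""

    def __init__(self, fetch, ttl=300, timeout=5.0, clock=time.monotonic):
        self._fetch = fetch        # fetch(url, timeout) -> bytes, raises on failure
        self._ttl = ttl            # seconds a copy counts as fresh
        self._timeout = timeout
        self._clock = clock
        self._entries = {}         # url -> (data, fetched_at)
        self._lock = threading.Lock()
        self.errors = 0            # upstream failures seen (worth alerting on)

    def get(self, url):
        now = self._clock()
        with self._lock:
            entry = self._entries.get(url)
        if entry and now - entry[1] < self._ttl:
            return entry[0], "fresh"           # served from cache, no upstream call
        try:
            data = self._fetch(url, self._timeout)
        except Exception:
            self.errors += 1
            if entry:
                return entry[0], "stale"       # old data rather than none
            raise                              # nothing cached yet: caller decides
        with self._lock:
            self._entries[url] = (data, now)
        return data, "fresh"


def demo():
    """Constructed run: the feed answers once, then times out on every call."""
    calls = []

    def flaky_fetch(url, timeout):
        calls.append(url)
        if len(calls) > 1:
            raise TimeoutError("upstream stalled")
        return b"<quotes><q sym='XYZ'>1.23</q></quotes>"  # constructed payload

    t = [1000.0]  # fake clock so the run is deterministic
    cache = FeedCache(flaky_fetch, ttl=60, timeout=5.0, clock=lambda: t[0])
    url = "http://feed.example/quotes.xml"
    states = [cache.get(url)[1]]       # first call: fetched, fresh
    t[0] += 30
    states.append(cache.get(url)[1])   # within TTL: cached, no fetch
    t[0] += 60
    states.append(cache.get(url)[1])   # TTL expired, refetch times out: stale copy
    return states, len(calls), cache.errors
```

Only the cache host needs outbound access to the feed sources; the realservers read from the cache, so a stalled upstream costs one bounded fetch instead of a blocked worker per page view.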