
Addition to section 13 in http://www.linuxvirtualserver.org/Joseph.Mack

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx '" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Addition to section 13 in http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.LVS-NAT.html
From: "Rief, Jacob" <Jacob.Rief@xxxxxxxxxxxx>
Date: Fri, 25 Apr 2003 13:26:59 +0200
Hi, Joseph

The setup below could be added as an addition to section 13 in
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.LVS-NAT.html

Another possibility to allow real-servers to connect to a service they offer
themselves:

Assume the director offers service http on <VIP>:80 to the world. The
director loadbalances this service to n real-servers on <RIP>:80.
Everybody can connect, except the real-servers onto <VIP>:80.

One solution is to rewrite the http-query on the realserver to use
<RIP> instead of <VIP>. This is error-prone and often difficult to handle.
In case <VIP> is bound to one or a few names, putting a line such as

<RIP>      service.mycoorp.com

into /etc/hosts may do the job. This solution may also add additional
problems to your configuration.

One more solution is to remove the route onto the netmask the realservers
are connected to. This is explained in section 13.12 of your document.

And this solution is probably also worth mentioning. It works if the
real-servers run Linux 2.4.
Redirect outgoing traffic from the real-server back to itself. Run
the following command on a real-server to do the job:

iptables -t nat -A OUTPUT -p tcp -d <VIP> --dport 80 -j DNAT --to <RIP>:80

The advantage of this configuration is that no additional traffic has
to pass through the director, as everything is kept local.
The drawback is that if their own webserver is down, they can't connect.

Jacob
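
Added example, not part of the original mail: a small sh script that validates <VIP>, <RIP> and the port before building the OUTPUT-chain DNAT rule described above, and installs it only if it is not already present. The function names and the use of iptables -C are assumptions of this example; the addresses in the comments are constructed.

```shell
#!/bin/sh
# Build and idempotently install the real-server rule:
#   OUTPUT, tcp, dst VIP:PORT  ->  DNAT to RIP:PORT
# Constructed sample values: VIP 192.0.2.10, RIP 10.0.0.5, PORT 80.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a TCP port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule specification (what follows "-A OUTPUT") for VIP RIP PORT.
# The DNAT target option is spelled out as --to-destination here.
rule_spec() {
    is_ipv4 "$1" && is_ipv4 "$2" && is_port "$3" || {
        echo "usage: rule_spec VIP RIP PORT" >&2; return 2; }
    echo "-p tcp -d $1 --dport $3 -j DNAT --to-destination $2:$3"
}

# Install the rule unless an identical one exists, so reruns (boot scripts,
# config management) do not stack duplicates. Needs root and an iptables
# that supports -C (check), which is newer than the Linux 2.4 era tool.
apply_rule() {
    spec=$(rule_spec "$@") || return
    # $spec contains only validated tokens, so word splitting is intended.
    iptables -t nat -C OUTPUT $spec 2>/dev/null ||
        iptables -t nat -A OUTPUT $spec
}

# Touch the firewall only when invoked as: script apply VIP RIP PORT
if [ "${1:-}" = apply ]; then shift; apply_rule "$@"; fi
```

Rejecting anything but digits and dots keeps a mistyped or templated value from adding extra iptables arguments to the nat table.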