
Re: Addition to section 13 in http://www.linuxvirtualserver.org/Joseph.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, Jacob.Rief@xxxxxxxxxxxx
Subject: Re: Addition to section 13 in http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.LVS-NAT.html
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Fri, 25 Apr 2003 10:51:27 -0400
"Rief, Jacob" wrote:
> 
> Hi, Joseph
> 
> The setup below could be added as an addition to section 13 in
> http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.LVS-NAT.html

I'm not quite up to speed on some of this, so have a few questions

> 
> Another possibility to allow real-servers to connect to a service they offer
> themselves:


you do mean allowing a client process running on the realserver
to connect to VIP:port on the realservers, when it is running
on RIP:port. (Outside clients connect to VIP:port on the director.)

How is this a problem at the moment? What does it allow people to do
that they can't do now?
 
> Assume the director offers service http on <VIP>:80 to the world. The
> directord loadbalances this service to n real-servers on <RIP>:80.
> Everybody can connect,

you mean everybody=clients coming in through the director?

> except the real-servers onto <VIP>:80.

client processes on the realservers cannot connect to VIP:80 on the
realservers as for LVS-NAT, realservers aren't listening on the VIP.
 
> One solution is to rewrite the http-query on the realserver to use
> <RIP> instead of <VIP>. 

rewrite changes requests by a client process on the realserver directed
to VIP into requests to RIP.

> This is erroneous and often difficult to handle.
> In case <VIP> is bound to one or a few names, putting a line such as
> 
> <RIP>      service.mycoorp.com
> 
> into /etc/hosts may do the job. This solution also may add additional
> problems to your configuration.
> 
> One more solution is to remove the route onto the netmask the realservers
> are connected. This is explained in section 13.12 of your document.

what part of the problem does this solve?
 
> And this solution probably also is worth mentioning. It works if the
> real-servers run with Linux 2.4.
> Redirect outgoing traffic from the real-server back to itself. Run
> the following command on a real-server to do the job:
> iptables -t nat -A OUTPUT -p tcp -d <VIP> --dport 80 -j DNAT --to <RIP>:80
> 
> The advantage of this configuration is that no additional traffic has
> to pass through the director, as everything is kept local.
> The drawback is that if their own webserver is down,

the one listening on the RIP?


> they can't connect.


Joe
-- 
Joseph Mack PhD, Senior Systems Engineer, SAIC contractor 
to the National Environmental Supercomputer Center, 
ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
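
The realserver-side rule quoted above, as an added example that is not part of the original thread: a POSIX sh wrapper that validates VIP, RIP and port before they reach a root `iptables` command and adds the rule only once. The function names, the `add|del` arguments and the file name are assumptions; it also assumes an iptables that supports `-C` (check) and spells the thread's `--to` in full as `--to-destination`.

```sh
#!/bin/sh
# Added example, not from the thread: idempotent add/remove of the local DNAT rule.

# Succeed only for a dotted-quad IPv4 address; subshell body keeps IFS local.
is_ipv4() (
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Succeed only for a decimal TCP port in 1..65535.
is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print rule arguments for VIP RIP PORT; reject anything that would word-split badly.
rule_spec() {
    is_ipv4 "$1" && is_ipv4 "$2" && is_port "$3" || return 1
    printf '%s\n' "-p tcp -d $1 --dport $3 -j DNAT --to-destination $2:$3"
}

# Append the rule unless an identical one is already in nat/OUTPUT.
ensure_rule() {
    spec=$(rule_spec "$@") || { echo "bad VIP, RIP or port" >&2; return 2; }
    iptables -t nat -C OUTPUT $spec 2>/dev/null ||
        iptables -t nat -A OUTPUT $spec
}

# Delete every copy of the rule (repeated plain -A runs stack duplicates).
remove_rule() {
    spec=$(rule_spec "$@") || { echo "bad VIP, RIP or port" >&2; return 2; }
    while iptables -t nat -C OUTPUT $spec 2>/dev/null; do
        iptables -t nat -D OUTPUT $spec || return 1
    done
}

# Usage, as root on a realserver (hypothetical file name):
#   sh lvs-local-dnat.sh add|del VIP RIP PORT
case "${1:-}" in
    add) shift; ensure_rule "$@" ;;
    del) shift; remove_rule "$@" ;;
esac
```

Run without arguments the script only defines its functions, so `rule_spec` can be checked on its own before anything touches the nat table.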