RE: Addition to section 13 in http://www.linuxvirtualserver.org/ Joseph

To: 'Joseph Mack ' <mack.joseph@xxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, "Rief, Jacob" <Jacob.Rief@xxxxxxxxxxxx>
Subject: RE: Addition to section 13 in http://www.linuxvirtualserver.org/ Joseph.Mack/HOWTO/LVS-HOWTO.LVS-NAT.html
From: "Rief, Jacob" <Jacob.Rief@xxxxxxxxxxxx>
Date: Fri, 25 Apr 2003 18:03:04 +0200
Hi, 

Joseph Mack wrote:

> I'm not quite up to speed on some of this, so have a few questions

> you do mean allowing a client process running on the realserver
> to connect to VIP:port on the realservers, when it is running on
> RIP:port. (Outside clients connect to VIP:port on the director.)

> How is this a problem at the moment? What does it allow people to do
> that they can't do now?

This is a problem we have. We have many hundred domain-names registered
onto the same IP-address. Therefore an /etc/hosts approach does not fit.
Sometimes webdesigners use some kind of include-function to include
content from one project into another, by means of server-side-includes
(see http://www.php.net/manual/en/function.require.php) using
http-subrequests.

>> Assume the director offers service http on <VIP>:80 to the world. The
>> director load-balances this service to n real servers on <RIP>:80.
>> Everybody can connect,

> you mean everybody=clients coming in through the director?

yes, everybody from "outside".

>> except the real-servers onto <VIP>:80.

> client processes on the realservers cannot connect to VIP:80 on the
> realservers as for LVS-NAT, realservers aren't listening on the VIP.

with the entry in iptables
iptables -t nat -A OUTPUT -p tcp -d <VIP> --dport 80 -j DNAT --to <RIP>:80
they can, and it works.

Julian's solution:

           +-------------+
           |    <vip>    |
           |  director   |
           +-------------+
            ^           |
            |           |req
            |req        v
  +-------------+     +-------------+
  |  <rip1>     |<--- |  <rip2>     |
  |  Realserver | ans |  Realserver |
  |  = client   | wer |  = server   |
  +-------------+     +-------------+

this does not work: R1 does a request to <vip>
which goes to the director.
The director rewrites dst-ip of packet to <rip2>.
R2 serves the request. Since src-ip is on the same
sub-net, R2 contacts R1 directly, but R1 refuses the
packet because it expected a reply from <vip>.

Therefore Julian removes the local routing and forces
every packet to pass through the director. The director
can therefore rewrite src-rip2 to vip and R1 accepts.

           +-------------+
           |    <vip>    |
           |  director   |
           +-------------+
            |^         |^
         ans||      req||ans
            v|req      v|
  +-------------+     +-------------+
  |  <rip1>     |     |  <rip2>     |
  |  Realserver |     |  Realserver |
  |  = client   |     |  = server   |
  +-------------+     +-------------+

ok. But this puts extra netload onto the director.

The solution proposed here does not put that extra load
onto the director. However R1 will always contact itself.

Jacob
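The three cases in the message (R2 answering R1 directly, the answer forced back through the director, and the OUTPUT-chain DNAT rule on R1) as a small Python model. This is an added illustration, not part of the original thread and not LVS or netfilter code; the addresses and port numbers are constructed, and the conntrack/NAT logic is a simplified stand-in for what the kernel does: a client socket only accepts a reply whose source matches the destination it connected to, and an OUTPUT DNAT translation is reversed on the reply before the socket sees it.

```python
"""Toy model of why a real server's connection to the VIP is refused or
accepted.  Added illustration only; addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The answer a server would send: src/dst swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


VIP, RIP1, RIP2 = "10.0.0.1", "10.0.0.11", "10.0.0.12"  # constructed addresses
CLIENT_PORT = 40000  # ephemeral port used by the client process on R1 (constructed)


class RealServer:
    """One real server: client socket table plus a tiny conntrack/NAT model of
    `iptables -t nat -A OUTPUT -p tcp -d <VIP> --dport 80 -j DNAT --to <RIP>:80`."""

    def __init__(self, ip):
        self.ip = ip
        self.output_dnat = {}   # (dst, dport) -> (new_dst, new_dport)
        self.conntrack = {}     # reply tuple as seen on the wire -> original (dst, dport)
        self.expecting = set()  # (peer_ip, peer_port, local_port) awaiting an answer

    def connect(self, dst, dport, sport=CLIENT_PORT):
        """Client process opens a connection; returns the packet as it leaves the host."""
        self.expecting.add((dst, dport, sport))
        pkt = Packet(self.ip, sport, dst, dport)
        new = self.output_dnat.get((dst, dport))
        if new is None:
            return pkt
        wire = Packet(self.ip, sport, new[0], new[1])
        # remember the translation so the reply is un-NATed before the socket sees it
        self.conntrack[(wire.dst, wire.dport, wire.src, wire.sport)] = (dst, dport)
        return wire

    def accept_reply(self, pkt):
        """True if a local client socket claims the reply; False means it is refused."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            odst, odport = self.conntrack[key]
            pkt = Packet(odst, odport, pkt.dst, pkt.dport)  # reverse the OUTPUT DNAT
        return (pkt.src, pkt.sport, pkt.dport) in self.expecting


class Director:
    """LVS-NAT director: rewrites VIP -> RIP on the way in and RIP -> VIP on the
    way out, but only for answers that actually pass through it."""

    def __init__(self, vip, rip):
        self.vip, self.rip, self.table = vip, rip, set()

    def forward(self, pkt):
        self.table.add((pkt.src, pkt.sport))
        return Packet(pkt.src, pkt.sport, self.rip, pkt.dport)

    def return_path(self, pkt):
        if pkt.src == self.rip and (pkt.dst, pkt.dport) in self.table:
            return Packet(self.vip, pkt.sport, pkt.dst, pkt.dport)
        return pkt


def scenario_direct_reply():
    """First diagram: R2 answers R1 directly on the shared subnet."""
    r1, director = RealServer(RIP1), Director(VIP, RIP2)
    req = director.forward(r1.connect(VIP, 80))   # arrives at R2 with dst=RIP2
    return r1.accept_reply(req.reply())           # answer has src=RIP2, not VIP


def scenario_via_director():
    """Second diagram (Julian's fix): the answer is forced back through the director."""
    r1, director = RealServer(RIP1), Director(VIP, RIP2)
    req = director.forward(r1.connect(VIP, 80))
    return r1.accept_reply(director.return_path(req.reply()))


def scenario_local_output_dnat():
    """Jacob's rule on R1: DNAT VIP:80 -> RIP1:80 in the OUTPUT chain.
    Returns (accepted, host that actually served the request)."""
    r1 = RealServer(RIP1)
    r1.output_dnat[(VIP, 80)] = (RIP1, 80)
    wire = r1.connect(VIP, 80)                    # never leaves the host
    return r1.accept_reply(wire.reply()), wire.dst


if __name__ == "__main__":
    print("direct reply accepted:", scenario_direct_reply())
    print("via director accepted:", scenario_via_director())
    print("local OUTPUT DNAT (accepted, served by):", scenario_local_output_dnat())
```

The first scenario returns False (R1 refuses an answer from <rip2>), the second True (the director rewrote the source back to <vip>), and the third returns True together with <rip1> as the serving host, which is the "R1 will always contact itself" behaviour the message points out.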