Hello,
I have been trying to duplicate our ssl accelerator/load balancer
using stunnel and the virtual server capabilities of the linux kernel.
What I would like to do is have stunnel take ssl requests decrypt them
(pass them as plain http) then load balance the plain text traffic
across multiple webservers. If possible, the stunnel and virtual server
on the same machine.
I don't quite understand yet what you want to do, but that's normal for me.
My stunnel config looks like
[https]
accept = external_ip:443
connect = 127.0.0.1:80
TIMEOUTclose = 0
don't you need 'transparent = yes', so a load balancer would actually
see the client's IP?
and the ipvs looks like
/sbin/ipvsadm -A -t 127.0.0.1:80 -s rr
/sbin/ipvsadm -a -t 127.0.0.1:80 -r 192.168.5.5:80 -w 1
This is nice but stunnel connects to a socket but LVS doesn't work with
sockets. You need to queue those packets up into the netfilter stack
again, so IPVS can process them. I don't know any trivial way to do this.
I have compiled all the virtual server code into the 2.6.7 kernel.
Ok.
Can I do this all on the same machine? Or at all?
I would think not.
I have read about
persistent connections and ssl in conjunction with the virtual server
code, but I do not believe that is the problem here.
I think it would be since there is no notion of persistency in the
stunnel code and if you're not transparent forwarding the IP address I
don't see how persistency spans over your solution. Maybe on Layer 5 or so.
I believe since I
never see a syn packet hitting my webserver (192.168.5.5) behind the
stunnel/virtual server machine. Also I know my stunnel works when I do
not try to use the virtual server. I have also flushed all of my
iptables rules.
LVS doesn't do sockets.
Any ideas?
Not at the moment. Regards,
Roberto Nibali, ratz
--
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
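The two problems raised in the thread (stunnel not forwarding the client's IP, and stunnel's own socket to a loopback IPVS service never being balanced) can be caught by a static check of the two configurations before anything is deployed. The script below is an added example written for this page; it is not code from the thread or from the stunnel or LVS projects. It assumes an ini-style stunnel config as posted above, `ipvsadm -A -t ip:port` lines for virtual services, and that stunnel accepts either `transparent = yes` or `transparent = source` for source-address transparency. The sample inputs are constructed from the configuration quoted in the thread.

```python
import re

# Constructed sample inputs, modelled on the configuration posted in the thread.
SAMPLE_STUNNEL_CONF = """
[https]
accept = external_ip:443
connect = 127.0.0.1:80
TIMEOUTclose = 0
"""

SAMPLE_IPVS_RULES = [
    "/sbin/ipvsadm -A -t 127.0.0.1:80 -s rr",
    "/sbin/ipvsadm -a -t 127.0.0.1:80 -r 192.168.5.5:80 -w 1",
]

LOOPBACK_PREFIX = "127."


def parse_stunnel_services(text):
    """Parse an ini-style stunnel config into {service_name: {key: value}}.

    Keys are lower-cased. Options that appear before any [section] header are
    stunnel's global options and are stored under the empty-string name.
    """
    services = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            services.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            services[current][key.strip().lower()] = value.strip()
    return services


def parse_ipvs_virtual_services(rules):
    """Collect the TCP virtual services (ip:port) declared with 'ipvsadm -A -t'.

    The lower-case '-a' (add real server) lines are deliberately ignored.
    """
    vips = set()
    for rule in rules:
        m = re.search(r"-A\s+-t\s+(\S+)", rule)
        if m:
            vips.add(m.group(1))
    return vips


def check_stunnel_lvs(stunnel_conf, ipvs_rules):
    """Return a list of findings for a stunnel-in-front-of-IPVS setup.

    Two conditions are reported, matching the two objections in the thread:
      1. transparency is off, so real servers (and any persistence logic)
         see stunnel's address instead of the client's;
      2. a service connects to a loopback address that is also an IPVS
         virtual service on this host; stunnel's locally created socket is
         not processed by IPVS unless the packets are re-queued through the
         netfilter stack, so nothing is load balanced.
    """
    findings = []
    services = parse_stunnel_services(stunnel_conf)
    vips = parse_ipvs_virtual_services(ipvs_rules)
    global_opts = services.get("", {})
    for name, opts in services.items():
        if not name:
            continue
        connect = opts.get("connect")
        if connect is None:
            findings.append(f"[{name}] has no 'connect' target")
            continue
        # Service-level option overrides the global one; default is off.
        transparent = opts.get("transparent", global_opts.get("transparent", "no")).lower()
        if transparent not in ("yes", "source"):
            findings.append(
                f"[{name}] transparent is '{transparent}': the real servers will see "
                f"the proxy's own IP, not the client's"
            )
        if connect in vips and connect.startswith(LOOPBACK_PREFIX):
            findings.append(
                f"[{name}] connects to {connect}, an IPVS virtual service on this host: "
                f"stunnel opens a local socket, so IPVS never sees the packets and the "
                f"traffic is not balanced to the real servers"
            )
    return findings


if __name__ == "__main__":
    for finding in check_stunnel_lvs(SAMPLE_STUNNEL_CONF, SAMPLE_IPVS_RULES):
        print("FINDING:", finding)
```

Run against the thread's own configuration the checker reports both problems; adding `transparent = yes` removes the first finding, and pointing `connect` at a real server address (or at a virtual service that is not on the loopback of the same host) removes the second.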