On Mon, 6 Mar 2006, Patrick Ward wrote:
> Hello,
> Has anyone come across a situation where they wish to restrict
> access to their individual web servers so that they can only be accessed
> via the LVS server?

If "the LVS server" is the director, then users are only
supposed to access the realservers through the director. You
don't want clients to know that the realservers exist - you
want to maintain the facade that there is only one machine
there, and for security you don't want clients to be
accessing the realservers.

> For example, say I had a LVS server called "jpl",
> but I only wanted people to be able to access the back-end load-balanced
> web servers via the name "jpl" and not directly using the name of the
> back-end load-balanced web server.
> This seems to be problematic as LVS rewrites the packets so that the
> back-end load-balanced web servers have no way of knowing that the
> packet went through the LVS server, but if there is a way, please let me
> know.

TCP/IP semantics must be maintained. The director just looks
like a router.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!