That's correct, but how does one prevent users from accessing the
realservers directly short of putting in a firewall, or putting the
realservers on a subnet separate from that of the director? Thanks!
Joseph Mack NA3T wrote:
> On Mon, 6 Mar 2006, Patrick Ward wrote:
>> Hello,
>> Has anyone come across a situation where they wish to restrict
>> access to their individual web servers so that they can only be accessed
>> via the LVS server?
>
> if "the LVS server" is the director, then users are only supposed to
> access the realservers through the director. You don't want clients to
> know that the realservers exist - you want to maintain the facade that
> there is only one machine there, and for security you don't want clients
> to be accessing the realservers.
>
>> For example, say I had a LVS server called "jpl",
>> but I only wanted people to be able to access the back-end load-balanced
>> web servers via the name "jpl" and not directly using the name of the
>> back-end load-balanced web server.
>> This seems to be problematic as LVS rewrites the packets so that the
>> back-end load-balanced web servers have no way of knowing that the
>> packet went through the LVS server, but if there is a way, please let me
>> know.
>
> tcpip semantics must be maintained. The director just looks like a router.
>
> Joe
--
______________________________________________________
__ _____ __ Patrick Ward
/_/| /____/\ /_/| Jet Propulsion Lab
|| | | |__ \| || | Pasadena, CA
___|| | | |__)/| || |___ M/S 2923-120
/___|| | | |___/ ||/___/| 818-354-7788
|_____|/ |_|/ |_____|/ pward@xxxxxxxxxxxx
______________________________________________________
|
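As an added illustration of the restriction discussed in this thread (example script, not something posted by either participant): since the director behaves like a router, the only thing a realserver can still see is how the forwarded packet is addressed. In LVS-DR and LVS-TUN the packet arrives with the VIP as its destination, so the realserver can serve the port only for the VIP and drop connections made to its own address; in LVS-NAT the destination has been rewritten to the RIP, but the frame still comes from the director on the local segment, so the director's MAC address is the remaining handle. The VIP, director MAC and port used here are placeholders; `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the LVS thread: host firewall rules on a realserver so
# that the service port only answers traffic that came through the director.
# Assumptions: VIP, director MAC and port are supplied by the caller (placeholders
# in the usage below); default INPUT policy is ACCEPT, so only the service port is
# touched and management access to the RIP on other ports is unaffected.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them

realserver_rules() {
  mode="$1"; vip="$2"; director_mac="$3"; port="${4:-80}"
  case "$mode" in
    dr|tun)
      # LVS-DR / LVS-TUN: forwarded packets still carry the VIP as destination.
      # Accept those, then drop anything reaching the service port via the RIP.
      "$IPT" -A INPUT -p tcp -d "$vip" --dport "$port" -j ACCEPT
      "$IPT" -A INPUT -p tcp --dport "$port" -j DROP
      ;;
    nat)
      # LVS-NAT: destination is rewritten to the RIP and the source is still the
      # client, so the only remaining handle is the director's MAC on the segment.
      "$IPT" -A INPUT -p tcp --dport "$port" -m mac --mac-source "$director_mac" -j ACCEPT
      "$IPT" -A INPUT -p tcp --dport "$port" -j DROP
      ;;
    *)
      echo "usage: realserver_rules dr|tun|nat VIP DIRECTOR_MAC [PORT]" >&2
      return 2
      ;;
  esac
}

# Example invocation with placeholder values (prints rules when IPT=echo):
# IPT=echo realserver_rules dr 192.0.2.10 02:00:00:00:00:01 80
```

The DR/TUN form is the one that answers the question as asked: a client who learns a realserver's own name or address gets no service on the port, while the same daemon keeps serving the VIP. The NAT form relies on the director being the only host that forwards to the realservers on that segment, which is the same assumption LVS-NAT already makes by using the director as the realservers' default gateway.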