From: gypsy <gypsy@iswest.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] load balancing causes authentication problems?
Date: Tue, 17 May 2005 03:11:17 +0000
Message-ID: <428960D5.8A59C352@iswest.com>
In-Reply-To: <00a101c55a5a$89462800$640fa8c0@hotsitespencer>

> Spencer wrote:
>
> We are currently using iproute2 to perform a round robin type load
> balancing.
>
>   ip route add default proto static scope global \
>       nexthop via XXX.XXX.XXX.XXX dev eth0 weight 1 \
>       nexthop via XXX.XXX.XXX.XXX dev eth1 weight 1 \
>       nexthop via XXX.XXX.XXX.XXX dev eth2 weight 1
>
> From my understanding this is destination based load balancing. And
> it has worked fine 99% of the time. The problem we are running into is
> for web sites that have a separate authentication server. For example
> a user authenticates on an authentication server through eth0. After
> authentication the user is redirected to the application server,
> however since the application server is a different destination the
> user can now be routed out through eth1 or eth2. In the case that the
> user is routed out through either eth1 or eth2 the application server
> now sees a different IP address than the one used to authenticate and
> thus denies the user access.
> It is also possible that I'm way off base and this is not at all
> what is happening and is not the reason for users getting denied
> access after authenticating, but that's what it looks like to me. I
> was wondering if anyone else had seen a similar problem and had a
> possible solution. I didn't see anything in the archives right off
> but I wasn't sure exactly what to search for either.
>
> Thanks
> Spencer

I've never seen this happen, so I can't comment except to say that your
explanation sounds plausible to me.

The "normal" cure is to install Julian's routing patch
http://www.ssi.bg/~ja/
and use connmark
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

You may also want to investigate the KeepState stuff in nano.txt (on
Julian's site).

HTH (but no guarantees...),
gypsy
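
Spencer's hypothesis can be checked from gateway logs before any routing is changed. The following is an added example, not part of the original thread: it flags LAN clients whose consecutive new connections left through different uplinks within a short window. It assumes a netfilter LOG rule on forwarded new connections with the prefix FWD-NEW and a LAN interface eth3 (both hypothetical); the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog lines in the format the netfilter LOG target
# writes (assumed rule prefix "FWD-NEW", assumed LAN interface eth3).
SAMPLE_LOG = """\
May 16 20:01:02 gw kernel: FWD-NEW IN=eth3 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN
May 16 20:01:05 gw kernel: FWD-NEW IN=eth3 OUT=eth2 SRC=192.168.1.23 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=40002 DPT=443 SYN
May 16 20:01:09 gw kernel: FWD-NEW IN=eth3 OUT=eth1 SRC=192.168.1.40 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
May 16 20:03:30 gw kernel: FWD-NEW IN=eth3 OUT=eth1 SRC=192.168.1.40 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN
May 16 20:40:00 gw kernel: FWD-NEW IN=eth3 OUT=eth0 SRC=192.168.1.40 DST=192.0.2.7 LEN=60 PROTO=TCP SPT=51002 DPT=80 SYN
"""

# Timestamp, then the OUT/SRC/DST fields of a LOG line.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*? OUT=(\S+) SRC=(\S+) DST=(\S+) ")


def parse(log, year=2005):
    """Yield (timestamp, client, destination, uplink); syslog omits the year."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4), m.group(2)


def uplink_switches(log, window=timedelta(minutes=10)):
    """Map each client to (prev_dst, prev_uplink, dst, uplink) tuples where two
    consecutive new connections left via different uplinks within `window`."""
    last = {}                    # client -> (timestamp, destination, uplink)
    hits = defaultdict(list)
    for ts, client, dst, uplink in sorted(parse(log)):
        prev = last.get(client)
        if prev and prev[2] != uplink and ts - prev[0] <= window:
            hits[client].append((prev[1], prev[2], dst, uplink))
        last[client] = (ts, dst, uplink)
    return dict(hits)


if __name__ == "__main__":
    for client, events in uplink_switches(SAMPLE_LOG).items():
        for prev_dst, prev_if, dst, cur_if in events:
            print(f"{client}: {prev_dst} via {prev_if}, then {dst} via {cur_if}")
```

A client that shows up here at the times users report being denied supports the explanation in the quoted message; an empty result for those users points elsewhere.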