From mboxrd@z Thu Jan 1 00:00:00 1970
From: gypsy
Date: Tue, 17 May 2005 03:11:17 +0000
Subject: Re: [LARTC] load balancing causes authentication problems?
Message-Id: <428960D5.8A59C352@iswest.com>
List-Id:
References: <00a101c55a5a$89462800$640fa8c0@hotsitespencer>
In-Reply-To: <00a101c55a5a$89462800$640fa8c0@hotsitespencer>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

> Spencer wrote:
>
> We are currently using iproute2 to perform a round robin type load
> balancing.
> ip route add default proto static scope global
> nexthop via XXX.XXX.XXX.XXX dev eth0 weight 1
> nexthop via XXX.XXX.XXX.XXX dev eth1 weight 1
> nexthop via XXX.XXX.XXX.XXX dev eth2 weight 1
>
> From my understanding this is destination based load balancing. And
> it has worked fine 99% of the time. The problem we are running into is
> for web sites that have a separate authentication server. For example
> a user authenticates on an authentication server through eth0. After
> authentication the user is redirected to the application server,
> however since the application server is a different destination the
> user can now be routed out through eth1 or eth2. In the case that the
> user is routed out through either eth1 or eth2 the application server
> now sees a different ip address than the one used to authenticate and
> thus denies the user access.
> It is also possible that I'm way off base and this is not at all
> what is happening and is not the reason for users getting denied
> access after authenticating, but that's what it looks like to me. I
> was wondering if anyone else had seen a similar problem and had a
> possible solution. I didn't see anything in the archives right off
> but I wasn't sure exactly what to search for either.
>
> Thanks
> Spencer

I've never seen this happen, so I can't comment except to say that your explanation sounds plausible to me.
The "normal" cure is to install Julian's routing patch
http://www.ssi.bg/~ja/
and use connmark
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

You may also want to investigate the KeepState stuff in nano.txt (on Julian's site).

HTH (but no guarantees...),
gypsy
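
A simplified model of the failure described in the quoted question, added here as an example and not code from the thread or from any project it mentions. It assumes each uplink NATs to its own public address and that the uplink is chosen round robin and then cached per destination; the `Router` class, addresses and hostnames are constructed for illustration, and the second router pins the choice per inside client for comparison.

```python
from itertools import cycle

# Constructed sample data: three uplinks, each NATing to its own public
# address (documentation ranges, not values from the thread).
UPLINKS = {"eth0": "192.0.2.10", "eth1": "198.51.100.10", "eth2": "203.0.113.10"}


class Router:
    """Equal-weight nexthops; the chosen uplink is cached under key(client, dst)."""

    def __init__(self, uplinks, key):
        self.uplinks = uplinks
        self.key = key
        self._next = cycle(uplinks)  # round robin over eth0, eth1, eth2
        self._cache = {}             # cache key -> chosen device

    def source_ip(self, client, dst):
        """Public address the remote server sees for this client/destination."""
        k = self.key(client, dst)
        if k not in self._cache:     # only a cache miss advances the round robin
            self._cache[k] = next(self._next)
        return self.uplinks[self._cache[k]]


def login_then_use(router, client="10.0.0.5"):
    """The auth server binds the session to the address it saw; the
    application server then compares it with the address it sees."""
    seen_by_auth = router.source_ip(client, "auth.example")
    seen_by_app = router.source_ip(client, "app.example")
    return seen_by_auth, seen_by_app, seen_by_auth == seen_by_app


def run():
    # Assumption: selection per destination, as the question describes it.
    per_dst = Router(UPLINKS, key=lambda client, dst: dst)
    # Comparison: one uplink per inside client, whatever the destination.
    per_client = Router(UPLINKS, key=lambda client, dst: client)
    return login_then_use(per_dst), login_then_use(per_client)


if __name__ == "__main__":
    for label, result in zip(("per-destination", "per-client"), run()):
        print(label, result)
```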