* [LARTC] Routing + Proxying
From: A. Peter Mee @ 2003-03-07 13:23 UTC
  To: lartc

Hi all,

I am hoping to set up a pair of web servers that sit behind a firewall.  The 
firewall will have a single live ip address and the web servers will be 
internal.  So my question is a simple one, which I doubt there is a simple 
solution to (if any).... but that's why I'm asking. ;-)

In a simple setup of one firewall + one web server, the firewall would map 
port 80 to the web server's port 80.

Would there be a way of 'splitting' or 'load balancing' the requests between 
the two web servers such that one of the two following scenarios is possible 
(or any others that you can think of):

1) Each web server hosts a limited number of web sites & the firewall 
intelligently distributes the packets based on the requested url to the 
respective web server.

2) Each web server hosts all web sites & the firewall intelligently 
distributes whole requests to an individual web server.

I've looked into a proxy sitting on the firewall, but this seems to pose an 
additional problem: if the DNS points at the firewall as the IP address for 
the individual web site and the proxy is sitting at that address, how does it 
know to relay the request internally (this is the part that I realise is not 
LARTC-based).

Cheers,

Pete Mee.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Routing + Proxying
From: Martin A. Brown @ 2003-03-07 14:06 UTC
  To: lartc


Hello Pete,

 : I am hoping to set up a pair of web servers that sit behind a firewall.  The
 : firewall will have a single live ip address and the web servers will be
 : internal.  So my question is a simple one, which I doubt there is a simple
 : solution to (if any).... but that's why I'm asking. ;-)
 : In a simple setup of one firewall + one web server, the firewall would map
 : port 80 to the web server's port 80.

Sure....this could be netfilter DNAT.

 : Would there be a way of 'splitting' or 'load balancing' the requests between
 : the two web servers such that one of the two following scenarios is possible
 : (or any others that you can think of):

Yes.

 : 1) Each web server hosts a limited number of web sites & the firewall
 : intelligently distributes the packets based on the requested url to the
 : respective web server.

This would require application layer logic, i.e., a very smart
proxy....you might examine squid [1].

 : 2) Each web server hosts all web sites & the firewall intelligently
 : distributes whole requests to an individual web server.

You should take a look at LVS [2].  This is probably a safer and more
robust solution to the problem you outline in your first paragraph.

 : I've looked into a proxy sitting on the firewall, but this seems to
 : pose an additional problem: if the DNS points at the firewall as the IP
 : address for the individual web site and the proxy is sitting at that
 : address, how does it know to relay the request internally (this is the
 : part that I realise is not LARTC-based).

-Martin

  [1]  http://www.squid-cache.org/
  [2]  http://www.linuxvirtualserver.org/

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
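
Why the first scenario needs application-layer logic rather than DNAT: every site arrives on the same address and port, so the only thing that distinguishes them is the Host header inside the HTTP request. The sketch below is an added example, not part of any message in this thread; the site names and internal addresses are constructed, and it handles host names only (no IPv6 literals).

```python
# Added example: how a reverse proxy on the firewall can pick an internal
# web server from the HTTP Host header. Names and addresses are constructed.
BACKENDS = {
    "site-a.example": ("192.168.1.10", 80),
    "site-b.example": ("192.168.1.11", 80),
}


class BadRequest(Exception):
    """The request cannot be routed safely and should be refused."""


def requested_host(raw: bytes) -> str:
    """Return the lower-cased host name an HTTP/1.x request is addressed to."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise BadRequest("malformed request line")
    # Header names are case-insensitive; collect every Host header present.
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    # Zero Host headers: nothing to route on. Two or more: the proxy and the
    # backend could disagree about which one counts, so refuse.
    if len(hosts) != 1 or not hosts[0]:
        raise BadRequest("need exactly one Host header")
    host = hosts[0]
    if ":" in host:                      # drop an explicit ":port" suffix
        host = host.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def pick_backend(raw: bytes):
    """Map a request to its internal server; unknown names are refused."""
    host = requested_host(raw)
    if host not in BACKENDS:
        raise BadRequest("no site named %r is hosted here" % host)
    return BACKENDS[host]


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        b"GET / HTTP/1.1\r\nHost: Site-A.example:80\r\n\r\n",
        b"GET /x HTTP/1.1\r\nhost: site-b.example\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    ]
    for req in samples:
        try:
            print(pick_backend(req))
        except BadRequest as exc:
            print("refused:", exc)
```
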


* RE: [LARTC] Routing + Proxying
From: S Mohan @ 2003-03-08  2:23 UTC
  To: lartc

My suggestion goes as follows:

Give 2 IP addresses for your firewall and DNAT each address to a server.
Then any name resolution would resolve in a round robin fashion thus
distributing load among two servers carrying the same web content. The
firewall rules can be given as a /30 netmask thus giving 4 IPs in the
rules.

Mohan
