Re: relayd http-https-redirects with sticky-address

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <misc@...>

Subject: Re: relayd http-https-redirects with sticky-address

Date: Monday, September 29, 2008 - 5:23 am

On Wed, Sep 17, 2008 at 10:19:11PM +0200, Michiel van Baak wrote:

quoted text> > redirect web {

> > 	listen on $ext_ip1 port 80:443

> > 	sticky-address

> > 	forward to  port http check script "/usr/local/sbin/chksrvs"

> > }

> >

> > note that this will match any traffic in the 80 - 443 port range, make

> > sure that you add additional pf rules to filter any other ports except

> > 80 and 443.  but it works with Source Tracking and should allow your

> > clients to move between http and https on the same server.  another

> > limitation is that it only runs checks on one of the ports.

>

> ugh, this looks ugly ;)

> Instead of going this route I would say: find the source of why the

> visitor should access the same host, and solve that.

> 
no, it is not ugly.  it is a reasonable solution for a very common

case.  you can easilly block other incoming connections with

restrictive pf rules.  but please face reality - not everyone is in

control of their backend web servers since it is VERY common that the

loadbalancers (networking group) are handled by a different group than

the backend webservers (servers group).  and it is also very common

that you run your fancy nice openbsd box in front of some other

"stuff".  indeed, it is very common for loadbalancers and firewalls to

"fix" arbitrary systems attached to the network.
> We use relayd in front of 6 servers, doing http and https.

quoted text> It doesn't matter what backend box the user go. Hell, they can even go

> to another box on a reload.

> This of course means we are storing sessions etc on shared storage (NFS

> in our case, and the new sharedance port looks like an alternative for

> that)

> 
of course this is a better solution if you're in control of the

backend servers.  some people also use solutions like a clustered

database backend (eg. mysql), proprietary solutions like zend cache,

...
reyk
> --

quoted text>

> Michiel van Baak

> michiel@vanbaak.eu

> http://michiel.vanbaak.eu

> GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

>

> "Why is it drug addicts and computer aficionados are both called users?"

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

relayd http-https-redirects with sticky-address, Mikael Jansson, (Wed Sep 17, 11:45 am)

Re: relayd http-https-redirects with sticky-address, Reyk Floeter, (Wed Sep 17, 3:39 pm)

Re: relayd http-https-redirects with sticky-address, Michiel van Baak, (Wed Sep 17, 4:19 pm)

Re: relayd http-https-redirects with sticky-address, Reyk Floeter, (Mon Sep 29, 5:23 am)

Re: relayd http-https-redirects with sticky-address, Leon Dippenaar, (Mon Sep 29, 2:41 pm)

Re: relayd http-https-redirects with sticky-address, Mikael Jansson, (Thu Sep 18, 4:06 am)


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Hiten Pandya	Re: up? (emacs docbook xml ide)
Martin Michlmayr	Network slowdown due to CFS
git:

linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Natalie Protasevich	[BUG] New Kernel Bugs
dragonflybsd-user:
Yaroslav Tarasenko	Re: PC-BSD
Ben Cadieux	DragonFly MBR
justin	Re: dragonfly pdf documentation
dark0s Optik	DragonFly over Sony Vaio