> On Wed, Sep 17, 2008 at 10:19:11PM +0200, Michiel van Baak wrote:
>
>>> redirect web {
>>> listen on $ext_ip1 port 80:443
>>> sticky-address
>>> forward to port http check script "/usr/local/sbin/chksrvs"
>>> }
>>>
>>> note that this will match any traffic in the 80 - 443 port range, make
>>> sure that you add additional pf rules to filter any other ports except
>>> 80 and 443. but it works with Source Tracking and should allow your
>>> clients to move between http and https on the same server. another
>>> limitation is that it only runs checks on one of the ports.
>>>
>> ugh, this looks ugly ;)
>> Instead of going this route I would say: find the source of why the
>> visitor should access the same host, and solve that.
>>
>>
>
> no, it is not ugly. it is a reasonable solution for a very common
> case. you can easily block other incoming connections with
> restrictive pf rules. but please face reality - not everyone is in
> control of their backend web servers since it is VERY common that the
> loadbalancers (networking group) are handled by a different group than
> the backend webservers (servers group). and it is also very common
> that you run your fancy nice openbsd box in front of some other
> "stuff". indeed, it is very common for loadbalancers and firewalls to
> "fix" arbitrary systems attached to the network.
>
>
>> We use relayd in front of 6 servers, doing http and https.
>> It doesn't matter what backend box the user goes to. Hell, they can even go
>> to another box on a reload.
>> This of course means we are storing sessions etc on shared storage (NFS
>> in our case, and the new sharedance port looks like an alternative for
>> that)
>>
>>
>
> of course this is a better solution if you're in control of the
> backend servers. some people also use solutions like a clustered
> database backend (eg. mysql), proprietary solutions like zend cache,
> ...
>
> reyk
>
>
>> --
>>
>> Michiel van Baak
>> michiel@vanbaak.eu
>> http://michiel.vanbaak.eu
>> GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
>>
>> "Why is it drug addicts and computer aficionados are both called users?"
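The first quoted message says the port-range redirect matches everything from 80 to 443 and that pf rules must filter the rest. Written out, as an added example that is not part of the thread, the relayd redirect beside the pf rules that close the gap; the interface name em0, the address 192.0.2.10, the table <web> and its members are placeholders, and the relayd anchor syntax assumed is the modern one (pre-4.7 releases used rdr-anchor "relayd/*"):

```conf
# /etc/relayd.conf  (redirect as quoted in the thread; table members are placeholders)
ext_ip1 = "192.0.2.10"
table <web> { 10.0.0.11 10.0.0.12 }

redirect web {
        # one listen rule covering 80 through 443, so both http and https
        # of one client hit the same backend via sticky-address
        listen on $ext_ip1 port 80:443
        sticky-address
        forward to <web> port http check script "/usr/local/sbin/chksrvs"
}

# /etc/pf.conf  (placeholders: em0, 192.0.2.10)
ext_if  = "em0"
ext_ip1 = "192.0.2.10"

# Default deny inbound on the external interface.
block return in on $ext_if

# Everything in the 80:443 range that is not 80 or 443 is dropped here,
# before the relayd anchor is consulted. "quick" ends rule evaluation at
# this rule, so ports 81-442 never reach the redirect.
block in quick on $ext_if proto tcp from any to $ext_ip1 port 81:442

# relayd inserts its own redirect rules into this anchor for the
# listen rule above; only 80 and 443 get this far.
anchor "relayd/*"
```

Place the block rule above the anchor: pf evaluates rules in order, and a quick block that matches first wins regardless of what relayd later inserts into its anchor. After reloading, pfctl -a "relayd/web" -sr shows the rules relayd generated for the redirect, which is the quickest way to confirm the range really is narrowed to the two ports.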