My suggestion goes as follows:

Give 2 IP addresses for your firewall and DNAT each address to a server.
Then any name resolution would resolve in a round-robin fashion, thus
distributing load among two servers carrying the same web content. The
firewall rules can be given as a /30 netmask thus giving 4 IPs in the
rules.

Mohan
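The two-address DNAT setup Mohan describes, written out as netfilter commands. This is an added example, not part of the original thread; the public addresses (two usable hosts of a constructed 192.0.2.8/30), the internal server addresses, and the interface name are placeholder assumptions.

```shell
#!/bin/sh
# Added example: one public IP per web server, DNATed on the firewall.
# Addresses below are constructed placeholders, not from the thread.
# With APPLY=1 the iptables commands run (needs root); otherwise they are printed.
WAN_IF="${WAN_IF:-eth0}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Map one public address on the firewall to one internal web server (TCP/80)
# and allow the rewritten traffic through the FORWARD chain.
dnat_rule() {
    public_ip="$1"; server_ip="$2"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$public_ip" \
        -p tcp --dport 80 -j DNAT --to-destination "$server_ip:80"
    run iptables -A FORWARD -i "$WAN_IF" -d "$server_ip" \
        -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# The /30 from the suggestion (192.0.2.8/30) has two usable hosts: .9 and .10.
# Each goes to its own backend; both backends serve the same content.
build_rules() {
    dnat_rule 192.0.2.9  10.0.0.10
    dnat_rule 192.0.2.10 10.0.0.11
}

# Round-robin DNS: two A records for the same name. Most DNS servers rotate
# the order of a multi-record answer, which is what spreads clients out.
dns_records() {
    echo "www.example.com. 300 IN A 192.0.2.9"
    echo "www.example.com. 300 IN A 192.0.2.10"
}

# Sanity check: exactly one PREROUTING rule per public address.
prerouting_count() {
    build_rules | grep -c PREROUTING
}

build_rules
dns_records
```

Round-robin DNS does no health checking, so a dead backend keeps receiving roughly half of the new connections until its record is pulled; the LVS suggestion quoted below addresses that.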

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Martin A. Brown
Sent: Friday, March 07, 2003 7:37 PM
To: A. Peter Mee
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Routing + Proxying



Hello Pete,

 : I am hoping to set up a pair of web servers that sit behind a firewall.  The
 : firewall will have a single live ip address and the web servers will be
 : internal.  So my question is a simple one, which I doubt there is a simple
 : solution to (if any).... but that's why I'm asking. ;-)
 : In a simple setup of one firewall + one web server, the firewall would map
 : port 80 to the web server's port 80.

Sure....this could be netfilter DNAT.

 : Would there be a way of 'splitting' or 'load balancing' the requests between
 : the two web servers such that one of the two following scenarios is possible
 : (or any others that you can think of):

Yes.

 : 1) Each web server hosts a limited number of web sites & the firewall
 : intelligently distributes the packets based on the requested url to the
 : respective web server.

This would require application layer logic, i.e., a very smart
proxy....you might examine squid [1].

 : 2) Each web server hosts all web sites & the firewall intelligently
 : distributes whole requests to an individual web server.

You should take a look at LVS [2].  This is probably a safer and more
robust solution to the problem you outline in your first paragraph.

 : I've looked into a proxy sitting on the firewall, but this seems to
 : pose an additional problem: if the DNS points at the firewall as the IP
 : address for the individual web site and the proxy is sitting at that
 : address, how does it know to relay the request internally (this is the
 : part that I realise is not LARTC-based).

-Martin

  [1]  http://www.squid-cache.org/
  [2]  http://www.linuxvirtualserver.org/

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]

_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
