Pete Vickers wrote:
On 7. jul. 2006, at 00.11, Clint Pachl wrote:
Richard Wilson wrote:
Hulloo list,
Can anyone recommend a load balancer for http/https for OpenBSD?
Currently I'm using Pound, from http://www.apsis.ch/pound/ which
runs under OpenBSD, and supports connection tracking via IP, cookie
and request ID (eg PHPSESSID) and seems to do everything I need.
pf: see pf(4) pf.conf(5) pfctl(8) pfsync(4)
It can balance using round-robin, random, and source-hash. Stickiness
can be applied to the round-robin and random methods. The stickiness
option and source-hash method will satisfy https, and http if you are
not sharing session data among servers.
Best of all, pf is built right in and simple as hell to use. All
you need to do is config your existing firewall or put a pf box in
front of your webservers. Hell, you could probably even run it on all
of your webservers in a carp group (haven't done this, but seems
feasible). Added bonus, pf inherently balances other services, not
just http! Oh, another bonus, you can easily have automatic fail-over
using pfsync and carp! I'm not sure you can beat the simplicity and
robustness of pf.
As far as I'm concerned, pf obsoleted all load balancers for me. I
used to use pen to balance http traffic. Because of pen's design,
there were discrepancies in the web logs, where all connections, from
the webservers POV, were coming from the pen load balancer. So there
was an add on program, a hack, that was needed to later resolve web
logs. It worked well, but what a mess. I would like to hear why
people would not desire pf over some other load balancing option.
-pachl
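The pf setup Clint describes, written out as a pf.conf fragment; this is an added example, not configuration from any of the posters, and it assumes the rdr-to syntax of OpenBSD 4.7 and later plus placeholder interface names, addresses and CARP password.

```conf
# Added example (not from the thread): pf(4) load balancing with CARP/pfsync
# fail-over, in the rdr-to syntax of OpenBSD 4.7+ (the 2006-era
# "rdr ... -> <webservers> round-robin" form is equivalent).
# Interface names, addresses and the CARP password are placeholders.

ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"                     # dedicated link between the two balancers
vip     = "192.0.2.10"              # CARP-shared public address (placeholder)
table <webservers> persist { 10.0.0.11, 10.0.0.12, 10.0.0.13 }

set skip on lo

# Needed on a CARP/pfsync pair: carp(4) advertisements on the interfaces
# carrying shared addresses, and the pfsync(4) state stream on the sync link.
pass on { $ext_if, $int_if } proto carp
pass on $sync_if proto pfsync

# HTTP: round-robin plus sticky-address.  sticky-address records which
# backend a client IP was first sent to and keeps later connections from
# that IP on the same backend, so a session stored on one node does not
# jump to another.
pass in on $ext_if proto tcp from any to $vip port 80 \
    rdr-to <webservers> round-robin sticky-address

# HTTPS: pf only forwards the TCP stream; the backends terminate TLS
# themselves (pf does no SSL off-loading and sees no headers).
# source-hash is shown for contrast: it picks the backend from a hash of
# the client address with no sticky state, so every client behind a single
# NAT address ends up on the same backend.
pass in on $ext_if proto tcp from any to $vip port 443 \
    rdr-to <webservers> source-hash

# Let the redirected traffic reach the backends.
pass out on $int_if proto tcp to <webservers> port { 80, 443 }

# Companion files on each balancer (placeholders; give the backup a higher
# advskew so the master wins the election):
#   /etc/hostname.carp0:   inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass SECRET advskew 0
#   /etc/hostname.pfsync0: up syncdev em2
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s state` shows the per-client backend assignments that sticky-address creates.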
pound can
1. operate (route, alter, etc.) on/at L7, e.g. HTTP headers/URLs
2. do https<-->http forwarding, e.g. SSL off-loading
3. log URLs with source/dest IP etc.
none of these can be done via pf (unless I'm mistaken)
/Pete
Those are almost an exact summary of why we use pound. We do certain
things based on the content of the headers, so we need 1), but
admittedly we could probably find a better way if we had to. All the
annoyances of SSL, multiple IPs, and the like, are handled on the
balancer, giving us one place to manage certificates and keeping the web
servers themselves nice and simple, which uses 2). Some of the clients
we host for are big on logging, web stats and the like, and so having
all the logs in an apache-style format in one place is damn handy, and
uses 3).
In addition to these things, the feature that really wins us over is the
connection tracking. Our main piece of software is a corporate CRM
package, and because we host a few instances of it for customers, we can
find that we might get 50 connections all from the same IP, because
there are many people all from the same company, behind NAT, using our
servers at the same time. We have to have connection tracking, otherwise
many things break in interesting ways when someone's session jumps to
another apache node, but if we do say source hashing, we end up with all
50 users on one server, rather than spread around. Pound's ability to
track based on either cookie or a variable in the request header is
exactly what we need.
We have two balancers, for redundancy, and so OpenBSD and CARP were the
clear choice. I would have thought, given it seems to fill a space
not occupied by anything else, it would be good to have pound in the
ports tree. Is there some reason that it isn't? Perhaps because it
requires threaded OpenSSL? Or is it that no-one has had the time? I
would love to help out, but by my own admission I'm no coder.
That said, if anyone is trying to make a port, and needs help with
testing or some other not-requiring-C-skills assistance, I'd happily do
all I can :-)
Richard W