Marian Hettwer wrote:
Hi OpenBSD'lers,

I'm about to use OpenBSD's pf(4) for load balancing some webservers. So far, everything is looking just perfect. Compared to pound, pf(4) is incredibly fast with little CPU and memory usage.
So I'd say: That's great :)

However, one thing is bothering me.
Obviously, my Apache access logs on those load balanced machines can only show the IP address of my load balancer, not the real remote IP of the request. This is, to my knowledge, due to the fact that pf(4) is working on the TCP layer and is doing NAT. Is there any possible way to get the real IP addresses in my Apache access log?

I do need them for several reasons.
- I'd like to see who's actually accessing the website
- If there's some botnet attack, usually I'm using pf(4) to block the offending IPs for a specific time period. This can't be done if all I can see is the load balancer's IP address. That's by any means not good and I'm thinking whether this could be a "no-go" for using pf as a load balancer :-(

- web statistics: do look pretty bad too... "Uh, see, there's only one user on our website" *argh*

Okay... anybody with any usable suggestions?
There's the X-Forwarded-to information in an HTTP header, which can be set via some software load balancers. However, those are operating on the application layer, which pf isn't... too bad.

Uhmm... Why not use carp(4)? I think it will suit you well.

--
With best regards,
   Gregory Edigarov
