On 17:37, Wed 10 Sep 08, Rod Whitworth wrote:
> I'm suffering from sleep deprivation today so benzedrine.cx sounds
> inviting ;-)
>
> Anyway a friend has a problem and I'd like a check on the sanity of my
> hazy proposed solution.
>
> All addresses are fictitious.
>
> X has a webserver which has address 1.2.3.4. He wants to change his
> hosting to another provider where a new server will be given address
> 5.6.7.8
>
> The time of changeover is not entirely under X's control but the
> domain's DNS is.
>
> X would like all traffic to proceed to/from 1.2.3.4 until 5.6.7.8 is
> ready and then switch with absolutely minimal downtime. Of course..
>
> My foggy brain says that it should be possible to use a box running pf
> to route requests arriving on one external interface (say 9.8.7.6) out
> another one (we have enough spare IPs on separate netblocks) to 1.2.3.4
> until cut-over time and then pf.conf swaps to sending it to 5.6.7.8.
>
> If we put 9.8.7.6 into the DNS as the webserver address we should be
> able to transparently route the traffic to whichever real webserver we
> wish .......... I think.
>
> Then when all is stable we swap the DNS records to point to 5.6.7.8 and
> when no more traffic is seen to pass through our "black box router" we
> dispense with it.
>
> Will this scheme work? Do I need to use binat? (all addresses are
> global) does it matter if the webserver answers client requests and the
> traffic does not come back via the black box?
>
> Normally I'd throw some boxes together and try it but I need sleep
> before doing that and maybe someone cluey will tell me not to bother
> because it's crazy or (oh happy day) that of course it will work, don't
> I know pf is magic?
>
> Sure I do but I am not very magic just now and I'd like to give my
> buddy a realistic guess as to how doable it is.

Here's what I would do:

install balance-ng on the box with ip 1.2.3.4
Set up the new server and give it ip 5.6.7.8
once you think the new server is ready to go into production, stop the webserver on 1.2.3.4, start balance to proxy all incoming traffic to 5.6.7.8
change DNS records
watch the logs from balance on 1.2.3.4 and give the box a new task once all webtraffic is going directly to 5.6.7.8

No need for extra boxen or whatever.

-- 
Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
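
The relay step in the reply above, sketched as an added example (not part of the original mail, and not balance itself): a minimal Python TCP forwarder that records every client, so you can tell when traffic through the old address has stopped. The `Relay` class, `idle_for` and the 24-hour drain window are assumptions made for illustration.

```python
import socket, threading, time

def pipe(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on."""
    try:
        while (data := src.recv(65536)):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

class Relay:
    """Stand-in for balance: accept on the old address, forward to the new server."""
    def __init__(self, listen, backend):
        self.backend = backend
        self.started = time.time()
        self.log = []  # (timestamp, client_ip) for every accepted connection
        self.srv = socket.create_server(listen)
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            client, peer = self.srv.accept()
            self.log.append((time.time(), peer[0]))
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.backend, timeout=10)
            upstream.settimeout(None)
        except OSError:
            client.close()  # new server unreachable: fail this connection only
            return
        back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
        back.start()
        pipe(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def idle_for(self, seconds, now=None):
        """True once no client has used the relay for `seconds` (old DNS answers expired)."""
        last = self.log[-1][0] if self.log else self.started
        return (time.time() if now is None else now) - last >= seconds

if __name__ == "__main__":
    relay = Relay(("1.2.3.4", 80), ("5.6.7.8", 80))  # the thread's fictitious addresses
    while not relay.idle_for(24 * 3600):  # assumed drain window
        time.sleep(60)
```

While connections pass through a relay like this, the new server sees the relay's address as the client, so its access logs and any IP-based access rules reflect 1.2.3.4 rather than the real visitor until DNS has moved over.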