My suggestion goes as follows:
Give 2 IP addresses for your firewall and DNAT each address to a server.
Then any name resolution would resolve in a round robin fashion thus
distributing load among two servers carrying the same web content. The
firewall rules can be given as a /30 netmask thus giving 4 IPs in the
rules.
Mohan
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Martin A. Brown
Sent: Friday, March 07, 2003 7:37 PM
To: A. Peter Mee
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Routing + Proxying
Hello Pete,
: I am hoping to set up a pair of web servers that sit behind a firewall. The
: firewall will have a single live ip address and the web servers will be
: internal. So my question is a simple one, which I doubt there is a simple
: solution to (if any) but that's why I'm asking. ;-)
: In a simple setup of one firewall + one web server, the firewall would map
: port 80 to the web server's port 80.
Sure, this could be netfilter DNAT.
: Would there be a way of 'splitting' or 'load balancing' the requests between
: the two web servers such that one of the two following scenarios is possible
: (or any others that you can think of):
Yes.
: 1) Each web server hosts a limited number of web sites; the firewall
: intelligently distributes the packets based on the requested url to the
: respective web server.
This would require application layer logic, i.e., a very smart
proxy; you might examine squid [1].
: 2) Each web server hosts all web sites; the firewall intelligently
: distributes whole requests to an individual web server.
You should take a look at LVS [2]. This is probably a safer and more
robust solution to the problem you outline in your first paragraph.
: I've looked into a proxy sitting on the firewall, but this seems to
: pose an additional problem: if the DNS points at the firewall as the IP
: address for the individual web site and the proxy is sitting at that
: address, how does it know to relay the request internally (this is the
: part that I realise is not LARTC-based).
-Martin
[1] http://www.squid-cache.org/
[2] http://www.linuxvirtualserver.org/
--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
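
The two-address DNAT layout suggested at the top of this message, written out as an added example (not part of the original thread). All addresses, the `MAPPINGS` variable and the function names are constructed placeholders; the script only prints the rules, and it assumes the FORWARD chain already accepts ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Prints (does not apply) netfilter rules for "two public IPs, one DNAT each".
# Round robin then comes from DNS, e.g. two A records for the same name
# (constructed): www IN A 192.0.2.1 / www IN A 192.0.2.2

# Constructed mapping: public address on the firewall -> internal web server.
MAPPINGS="192.0.2.1:10.0.0.11 192.0.2.2:10.0.0.12"

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dnat_rules "PUB:INT ...": emit one DNAT and one FORWARD rule per pair,
# limited to TCP port 80 so no other service on the servers is exposed.
dnat_rules() {
    for pair in $1; do
        pub=${pair%%:*}; int=${pair#*:}
        # Reject entries without a colon or with a malformed address
        # instead of emitting a rule that silently matches nothing.
        if [ "$pub" = "$pair" ] || ! is_ipv4 "$pub" || ! is_ipv4 "$int"; then
            echo "bad mapping: $pair" >&2
            return 1
        fi
        echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport 80 -j DNAT --to-destination $int:80"
        echo "iptables -A FORWARD -d $int -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

dnat_rules "$MAPPINGS"
```

DNS round robin does not notice a dead server, so clients handed the address of a failed backend will see errors until the record is withdrawn.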