Re: Bug#416397: ITP: haproxy -- fast and reliable load balancing reverse proxy
On Wednesday 28 March 2007 21:51, Javier Fernández-Sanguino Peña
<jfs@computer.org> wrote:
> On Wed, Mar 28, 2007 at 10:11:51AM +1100, Russell Coker wrote:
> > Has this problem been solved for a protocol other than HTTP? In theory
> > you could have a user-space TCP stack that sends data to the back-end
> > server with a source address that is the same as that of the origin. Has
> > anyone done this?
>
> If it has, I've not seen it in any RFCs nor in any of the most common
> load-balancing solutions for Enterprises (all products I know of are
> closed-sourced so I will not provide names) I've worked with. Most of them
> avoid this issue by working inline and NATting the destination IP of
> incoming requests transparently. That way the original IP address is
> preserved.
An RFC would not be needed for such things. Van Jacobson has demonstrated TCP
in user-space for performance reasons. dsniff is one of the packages in
Debian that has user-space TCP code for sniffing data.
There's nothing radically new about this idea, it's just a matter of whether
it's been implemented for HA proxies.
NATting connections avoids the issue of source addresses at the cost of being
unable to modify data in-flight (apart from the minor modifications needed
for NAT - e.g. the FTP module).
If you want to do serious modifications to the data (e.g. taking an HTTPS
stream from the net and then forwarding HTTP to the back-end server) then
writing a kernel module isn't a good option - I don't think that Linus would
accept GNUTLS in kernel-space.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
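For reference, the combination the message above says needs a user-space proxy (terminating HTTPS, forwarding plain HTTP, and still presenting the client's own source address to the back end) is what HAProxy's `source ... usesrc clientip` option does on Linux with the kernel's TPROXY support. The configuration below is an added example written for this page, not code from the thread or from the HAProxy project; the certificate path, addresses and section names are assumptions, and it needs HAProxy 1.5 or later (for the `ssl` bind keywords) built with TPROXY support and running with CAP_NET_ADMIN.

```haproxy
# Added example, not from the thread: HAProxy terminates HTTPS and forwards
# plain HTTP to the back end while keeping the client's source address on
# the back-end connection.  Certificate path, addresses and names are
# assumptions.  Requires HAProxy built with TPROXY support, CAP_NET_ADMIN
# (or root) at runtime, and the routing setup described at the bottom.

global
    log /dev/log local0

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # assumed path
    default_backend app_http

backend app_http
    # Bind the outgoing connection to the client's own IP (source port chosen
    # by the kernel).  The back end sees the real client address, not the
    # proxy's, so logs and per-IP controls on the server keep working.
    source 0.0.0.0 usesrc clientip
    server app1 10.0.0.11:80 check   # assumed back-end server

# Because the back end now answers to the client's IP, its replies must come
# back through this host: the back end's default route has to point at the
# proxy, and the proxy needs these rules (run once at boot, as root) so that
# TCP packets addressed to a foreign IP are handed to the local socket that
# owns the connection instead of being forwarded:
#
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#
# Check: without the rules (or with the back end routing around the proxy)
# the back-end SYN-ACK goes straight to the client and connections never
# complete; with them in place, `ss -tn` on the back end shows the client's
# address as the peer of each connection from the proxy.
```

The design trade-off is the one the message describes: NATting keeps the source address for free but cannot touch the payload, whereas this setup decrypts and rewrites in user space and pays for it by making the proxy a mandatory hop on the return path. If the back-end servers can reach clients directly (a second interface, a different default gateway), the transparent mode silently breaks every connection, so the routing constraint is worth enforcing and monitoring rather than assuming.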