[Linux-HA] Checking multiple ports for one service?
Amos Shapira
amos.shapira at gmail.com
Sun Oct 25 23:05:01 MDT 2009
2009/10/26 Neil Katin <linuxha at askneil.com>:
>
> I believe if you want them to be jointly persistent you have
> to use firewall marks to do this, then balance on the mark.
>
> The IPVS howto has details on this (see example 2):
>
> http://kb.linuxvirtualserver.org/wiki/Ipvsadm
Thanks, I'm aware of fwmarks, but I'm not sure how they could help
here - here are some more details:

1. The VIP I use for these services is dedicated, so I don't need to
distinguish between separate ports to the same VIP - I'm OK with LVS
passing through ALL ports from the same client to the same host. I think that
using :0 already achieves this. (I use iptables to block all unwanted
ports).

2. My question was about removing a real server from the pool based on
whether ANY of the specific ports on it is not passing a check, e.g. if a
real server fails on port 443 only (and still passes a check on the
other ports) then I want NO new connections passed to it on ANY port
(443, 80, or 9000), same if it fails a check on port 9000 only, for
instance.

Does this clarify my question or am I still missing something about your reply?

Thanks,

--Amos
>
> Amos Shapira wrote:
>> Hello,
>>
>> We use LVS on CentOS 5 to load-balance servers which serve multiple
>> ports (let's say 80, 443 and 9000 for this question). Some of these
>> ports are served through apache (80, 443) while others are served by a
>> stand-alone process (9000).
>>
>> We set them up as persistent (because all connections to all ports
>> coming from the same client as part of a specific transaction should
>> go to the same real server).
>>
>> We did this by specifying each service for each port separately:
>>
>> virtual=192.168.1.126:80
>>         real=192.168.98.117:80 gate
>>         real=192.168.98.126:80 gate
>>         scheduler=rr
>>         protocol=tcp
>>         persistent=120
>>         checktype=negotiate
>>         service=http
>>         request="lvs.txt"
>>         receive="OK"
>>
>> virtual=192.168.1.126:443
>>         real=192.168.98.117:443 gate
>>         real=192.168.98.126:443 gate
>>         scheduler=rr
>>         protocol=tcp
>>         persistent=120
>>         checktype=negotiate
>>         service=https
>>         request="lvs.txt"
>>         receive="OK"
>>         virtualhost=www.company.com
>>
>> virtual=192.168.1.126:9000
>>         real=192.168.98.117:9000 gate
>>         real=192.168.98.126:9000 gate
>>         scheduler=rr
>>         protocol=tcp
>>         persistent=120
>>         checktype=negotiate
>>         service=https
>>         request="lvs.txt"
>>         receive="OK"
>>         virtualhost=www.company.com
>>
>> We now noticed that this configuration is wrong - the persistence will
>> be "per port" and not "per client" as we need it to be - port 80 could
>> be served by one real server while port 443 from the same client could
>> be served by another.
>>
>> The documentation says that we should just not specify the port, so
>> the following should replace the above three:
>>
>> virtual=192.168.1.126:0
>>         real=192.168.98.117:0 gate
>>         real=192.168.98.126:0 gate
>>         scheduler=rr
>>         protocol=tcp
>>         persistent=120
>>         checktype=negotiate
>>         service=https
>>         request="lvs.txt"
>>         receive="OK"
>>         virtualhost=www.company.com
>>
>> 1. Is this correct?
>>
>> 2. If this is correct - is there a way to do the tests on ALL the
>> ports and fail the entire server if ANY of the ports fail? The only way
>> I can find so far is to use an external script which will test all
>> ports and fail if any of them is bad - is there a better way?
>>
>> Thanks,
>>
>> --Amos
>> _______________________________________________
>> Linux-HA mailing list
>> Linux-HA at lists.linux-ha.org
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> See also: http://linux-ha.org/ReportingProblems
>>
>
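
The "external script which will test all ports" mentioned in the thread could look like the sketch below. It is an added example, not part of the original messages or of ldirectord itself. It assumes bash, curl and coreutils `timeout` on the director, that port 9000 only needs a TCP connect test, and a 3-second timeout; the function names are made up for this example.

```shell
#!/bin/bash
# Added example: external check for ldirectord (checktype=external).
# ldirectord runs the checkcommand with four arguments
#   <virtual IP> <virtual port> <real IP> <real port>
# and treats exit status 0 as "real server is healthy".

VHOST="www.company.com"                  # virtualhost= from the thread
CHECKS="http:80 https:443 tcp:9000"      # tcp for 9000 is an assumption
TIMEOUT=3                                # seconds per probe (assumed)

# probe SCHEME HOST PORT: succeeds when one port passes its check.
probe() {
    case "$1" in
        http|https)
            # --resolve pins VHOST to the real server, so the Host header
            # and TLS certificate name are checked as for a real client.
            curl -fsS --max-time "$TIMEOUT" --resolve "$VHOST:$3:$2" \
                "$1://$VHOST:$3/lvs.txt" 2>/dev/null | grep -q "OK" ;;
        tcp)
            # Plain connect test through bash's /dev/tcp.
            timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' \
                "$2" "$3" 2>/dev/null ;;
        *)  return 1 ;;
    esac
}

# check_all_ports HOST SCHEME:PORT...: returns 0 only when every check
# passes; stops at the first failure and reports which port failed.
check_all_ports() {
    host=$1; shift
    for check in "$@"; do
        if ! probe "${check%%:*}" "$host" "${check##*:}"; then
            echo "FAIL $host:${check##*:}"
            return 1
        fi
    done
    echo "OK $host"
}

# Act as the checkcommand only when called the way ldirectord calls it.
if [ "$#" -eq 4 ]; then
    check_all_ports "$3" $CHECKS >/dev/null
    exit $?
fi
```

To use it, the `:0` virtual section would set `checktype=external` and point `checkcommand=` at wherever the script is installed, so one failing port marks the real server down for all ports.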