Provides address tables stored in the kernel for fast access.
Provides an interface to allow userland to modify tables.
Provides different kinds of load-balancing methods.
Example rule:
rdr from any to $public_ip port http -> <webservers>
High-Availability tools in OpenBSD: Carp and Pfsync
Carp provides virtual addresses.
Pfsync provides shared firewall states across firewalls.
Carp interfaces can be grouped together.
A Carp group can be manipulated from userland to force failover.
Types of load-balancing: Layer 3
Packet level.
Extension of NAT.
Types of load-balancing: Layer 7
Application level.
Man-in-the-middle approach.
Allows packet processing.
The need
Knowing when a service fails to stop directing requests at it.
A tool that is able to maintain address tables up to date with
regard to host availability.
A tool that is able to create and remove pf rules based on the
status of the hosts it monitors.
A tool that can provide a solution to a general failure.
Similar or related applications
Many vendors provide commercial solutions: F5, Nortel and Cisco
for instance.
A few Linux projects provide limited load-balancing solutions
such as keepalived.
Design goals
Security: use privilege separation and separate the
different aspects of the daemon into several processes.
Efficiency: create a fast and asynchronous host checking
engine with various commonly used checking methods.
Simplicity: provide a clean and familiar looking configuration
file syntax. Consistent syntax across layer 3 and layer 7, standard
and SSL.
Administrator Friendly: provide a simple control tool to
report host statuses and manually set status.
Design
Parent Process
Handle configuration loading and reloading.
Handle external script execution.
Handle carp demotion requests.
HCE: Host check engine
Mono-process, fully asynchronous checks.
Schedule checks and notify PFE of state transitions.
Design (cont.)
PFE: PF Engine
Create and destroy PF rules.
Update PF tables based on HCE notifications.
Relay Engine
Create listening sockets for services.
Filter protocols before relaying.
Design details
Steal as much as possible from recent OpenBSD daemons:
ospfd, bgpd.
Use safe buffer routines.
Use the imsg protocol to communicate between the different
processes.
Create a set of easy asynchronous SSL routines.
Use libevent to facilitate asynchronous socket programming.
Configuration elements
hosts: real service providers.
tables: groups of hosts providing a common service.
services: layer 3 load-balancing declarations.
protocols: protocol specific parameters for relays.
relays: layer 7 load-balancing declarations.
Simple layer 3 setup
One internet reachable host.
Two web servers using private addressing.
Initial Configuration
In pf.conf
rdr-anchor "hoststated/*"
In hoststated.conf
public_addr=81.81.81.81
webhost1=10.1.1.100
webhost2=10.1.1.101
table webhosts {
real port http
check http "/" code 200
host $webhost1
host $webhost2
}
service www {
virtual host $public_addr port http interface trunk0
table webhosts
}
Retrieving status information
# hoststatectl show summary
Type Id Name Avlblty Status
service 0 www active
table 0 webhosts active (2 hosts up)
host 1 10.1.100.2 100.00% up
host 0 10.1.100.1 100.00% up
Type Id Name Avlblty Status
service 0 www active (using backup table)
table 0 webhosts empty
host 1 10.1.1.101 0.00% down
host 0 10.1.1.100 0.00% down
table 2 sorry_server:80 active (1 hosts up)
host 3 127.0.0.1 100.00% up
Bringing things down
Forcible disabling of hosts is useful for maintenance updates
# hoststatectl table disable webhosts:80
command succeeded
# hoststatectl show su
Type Id Name Avlblty Status
service 0 www active (using backup table)
table 2 webhosts:80 disabled
table 3 sorry_server:80 active (1 hosts up)
host 5 127.0.0.1 100.00% up
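As an added example (not part of hoststated or this talk), here is a small Python checker that parses the `hoststatectl show summary` output shown above, rebuilds the service/table/host nesting, and flags the states an operator should act on: a service answering from its backup table, an empty or disabled table, and a host that is down. The sample summary and the severity labels are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed sample: the slides' summary with both web servers down and
# the service already answering from its backup table.
SAMPLE_SUMMARY = """\
Type Id Name Avlblty Status
service 0 www active (using backup table)
table 0 webhosts empty
host 1 10.1.1.101 0.00% down
host 0 10.1.1.100 0.00% down
table 2 sorry_server:80 active (1 hosts up)
host 3 127.0.0.1 100.00% up
"""
@dataclass
class Entry:
    kind: str                    # "service", "table" or "host"
    name: str
    status: str                  # e.g. "up", "empty", "active (1 hosts up)"
    parent: str | None = None    # table of a host, service of a table
    availability: float = 100.0  # only hosts report one

def parse_summary(text: str) -> list[Entry]:
    # Hosts nest under the preceding table, tables under the preceding service.
    entries, service, table = [], None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "Type":   # blank line or column header
            continue
        kind, name = tok[0], tok[2]       # tok[1] is the numeric id
        if kind == "host":
            entries.append(Entry(kind, name, tok[4], table, float(tok[3].rstrip("%"))))
        elif kind == "service":
            service = name
            entries.append(Entry(kind, name, " ".join(tok[3:])))
        else:                              # table
            table = name
            entries.append(Entry(kind, name, " ".join(tok[3:]), service))
    return entries

def find_problems(entries: list[Entry]) -> list[tuple[str, str]]:
    out = []   # (severity, message) for every state an operator should act on
    for e in entries:
        if e.kind == "service" and "backup table" in e.status:
            out.append(("warn", f"service {e.name} is using its backup table"))
        elif e.kind == "table" and e.status in ("empty", "disabled"):
            out.append(("crit" if e.status == "empty" else "info",
                        f"table {e.name} is {e.status}"))
        elif e.kind == "host" and e.status != "up":
            out.append(("crit", f"host {e.name} in table {e.parent} is {e.status}"))
    return out
```

Feeding it the live output of `hoststatectl show summary` from a cron job or monitoring agent turns the slide's manual check into an alert.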
Layer 7 Features
Generic TCP relaying.
HTTP/HTTPS relaying.
DNS relaying.
Generic UDP relaying cannot be achieved due to the stateless,
datagram-based nature of the protocol.
Table forwarding, with either roundrobin, loadbalance or hash
method.
Service: use the address of a specified service.
Available HTTP actions
Select connection direction (request / response).
Manipulate cookies and URLs (in the request), headers and path.
Append key/value pairs.
Change key/value pairs.
Remove a key and its value.
Expect a value to be present in a key/value pair.
Filter connections which contain a key/value pair.
Feed a value to a table's hash.
Log a key/value pair.
Available variables for the HTTP protocol
$REMOTE_ADDR: The IP address of the connected client.
$REMOTE_PORT: The TCP source port of the connected client.
$SERVER_ADDR: The configured IP address of the relay.
$SERVER_PORT: The configured TCP server port of the relay.
$TIMEOUT: The configured session timeout of the relay.
Other protocol options
TCP
Backlog.
IP minttl, ip ttl.
Nodelay, sack and socket buffer.
SSL
Ciphers.
Session cache.
SSLv2, SSLv3, TLSv1.
Tips and Tricks
Load Balancing across networks.
Combining hoststated and carp.
Following development.
The Future
Layer 7 reloading.
More layer 7 protocols.
Conditional tables.
More reverse proxy features.
Layer 3 weighted hosts and other methods.
The Future (cont.)
GSLB: dns.
GSLB: bgpd.
Direct Server Return.
TCP Splicing.
Thank you
Questions?