Re: How safe is "balance source".

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 17 Apr 2008 06:23:45 +0200


Hi Unai !

On Wed, Apr 16, 2008 at 08:01:27PM -0600, Unai Rodriguez wrote:
> Hi to everyone,
>
> I am setting up a web application and I need to make sure session
> stickiness is guaranteed 101%.

101% ? :-)

> From my initial testing this works pretty good:
>
> ---------------------------------------------------------------------------------------
> listen DPSOP-UAT 10.123.8.140:80
> mode http
> cookie DPSOP-UAT insert indirect
> balance roundrobin
> server 10.123.8.112 10.123.8.112:80 cookie s1 check inter 1200
> rise 2 fall 3
> server 10.123.12.112 10.123.12.112:80 cookie s2 check inter 1200
> rise 2 fall 3
> option abortonclose
> option httpclose
> ---------------------------------------------------------------------------------------
>
> BUT I am tempted of using "balance source" instead of "balance roundrobin".
> >From the docs:
>
> ---------------------------------------------------------------------------------------
> "As previously stated, version 1.2.12 brought the 'source' keyword. When
> this
> keyword is used, the client's IP address is hashed and evenly distributed
> among
> the available servers so that a same source IP will always go to the same
> server as long as there are no change in the number of available servers.
> This
> can be used for instance to bind HTTP and HTTPS to the same server. It can
> also
> be used to improve stickyness when one part of the client population does
> not
> accept cookies. In this case, only those ones will be perturbated should a
> server fail.
>
> NOTE: It is important to consider the fact that many clients surf the net
> through proxy farms which assign different IP addresses for each
> request. Others use dialup connections with a different IP at each
> connection. Thus, the 'source' parameter should be used with extreme
> care."
> ---------------------------------------------------------------------------------------
> Citation: http://haproxy.1wt.eu/download/1.2/doc/haproxy-en.txt
> ---------------------------------------------------------------------------------------
>
> How safe is "balance source"?

It is safe in that it will guarantee that the same IP will always go to the same server as long as the number of servers does not change. However, a user is not an IP.

> Any idea of how many people out there are using different IPs for each
> request? That sounds to me like these guys would be having a lot of
> problems surfing the net.

Depending on the sites you're managing and the population that goes to your site, you may see between 5 and 20% of the users have a changing IP address. Most users in enterprise environments browse through proxy farms. Many users who browse through their ISP's proxies experience the same behaviour. And fortunately, the web does not care about IP addresses. There still remain a few broken sites which don't like their client's IP to change along a session, but those generally are very old sites which have not been fixed because the development has been externalized, or small sites written by newbies who fell in this trap.

Anyway, if you keep using the cookies, having source+cookies is very reliable, since 99.99% of your users will support cookies, and the remaining ones will at least have a fixed IP address, otherwise they will have really no luck on the net !

At a customer's, there are about 20k users browsing through a proxy farm. In several years, only one site has been found to experience a problem due to this behaviour. So this is basically non-existent.

However, I'm currently working on adding an optional netmask for the source hash so that users coming from the same network will go to the same server, whatever their address suffix.

> Will the servers get unevenly amounts of requests?

It depends on the distribution of source IP addresses. The ones on the net are very smoothly distributed, and if you use pure internet addresses, you will get a very good distribution. If you only have a handful of internal users, you may get less luck. But on the other hand, internal users generally do not see their address changing during a session.

> I work for a corporation
> and lots of requests will come from the same source IP (gateway).

when you say "gateway", you mean a proxy, a masquerading firewall ?

> What
> source IP is based on? I presume, the latest gateway's IP before hitting
> the HAProxy?

It is the address which connects to haproxy. The one you see in haproxy's logs.

> If all this is already written somewhere, my deepest apologies and please
> kindly provide me with the link.

All those information are not necessarily described in details. But you may find interesting add-ons in the configuration manual of version 1.3, as well as the architecture manual.

Regards,
Willy Received on 2008/04/17 06:23

This archive was generated by hypermail 2.2.0 : 2008/04/17 06:45 CEST