Hi John, Willy,
On Mon, 2009-08-10 at 10:07 -0400, John Lauro wrote:
> Do you have haproxy between your web servers and the 3rd party? If not (ie: only to your servers), perhaps that is what you should do. Trying to throttle the maximum connections to your web servers sounds pointless given that it's not a very good correlation to the traffic to the third party servers.
That is correct. I was also thinking about that but this was later done at application level and this issue is supposed to be solved. If it turns out not to be, I can still try to put another haproxy between our servers and 3rd party.
> If you need to rate limit the connections per second, you could always do that with iptables on linux, or pf on bsd, etc... but it sounds like it's something the third party needs to fix.
I did exactly like that because I also have to protect my servers from users, but that has some limitation. Our users have to click a few times on HTTP and then a few times more on SSL. I only limit traffic to HTTP and have to enable keepalive so that once user comes to the site he is not redirected into waiting room anymore. For such a simple solution it works really great, but I don't like to reconfigure Apache to use keepalive (I actually run two instances on each server for that) and also I have to intervene every time we expect higher load. I would like to solve this with haproxy. However... :)
This is also a problem with haproxy that I could not figure out. How can I make sure that one user, that already came to the site is not redirected to waiting room on the next click? I don't need (and also don't want) any persistence. So how can this be done? I read that haproxy doesn't work with keepalive connections so even the only working solution stops working if I put haproxy in between. Does haproxy have any solution without changing the application like the user is redirected to different IP after the first click?
I also decided that (like you suggested) I will try not to limit connection rate, only total number of connections. The problem is that with these two rules:
acl toomany connslots(main) lt 10
use_backend sorry if toomany
users don't see waiting room. They just timeout. I also tried with dst_conn and it didn't work either.
For example rate limit (which I don't use now):
acl toofast be_sess_rate(main) gt 6
use_backend sorry if toofast
works fine.
I have a few more questions:
-Is it possible to see the value of some acl variable at some moment?
Maybe put it into logs or output it in stats?
-Can you estimate the difference in resource usage between redirection
on 3rd/4th and 7th layer? (for example iptables redirect Vs checking
cookies in HTTP header and then redirecting)?
-Is is possible or planned for the future, to use some external
check/script from with which we could decide how to handle traffic (I
would like to monitor database load and use it in acls).
Thank you and best regards
Bostjan Received on 2009/08/27 14:40
This archive was generated by hypermail 2.2.0 : 2009/08/27 14:45 CEST