2009/11/5 Willy Tarreau <w#1wt.eu>:
> Hi,
>
> On Wed, Nov 04, 2009 at 05:31:35PM +0000, Matt wrote:
>> Thanks for the quick response Mike. Which option is it for passing
>> the client's source IP? I haven't looked to configure anything like
>> that.
>>
>> I realised my test harness was on both networks, I've now run the
>> tests again with it just on the 10.x network while failing haproxy
>> over a couple of times. I'm only getting a handful (out of 100 users)
>> socket resets every time I fail it over. Looking at the routing table
>> the source IP must be the haproxy servers as I'm unable to see the
>> 10.x network from the backend servers. So haproxy is handling the
>> whole request.
>>
>> Make sense?
>
> Yes this makes sense and is a very common setup in fact.
> You just have to wonder why you want your haproxy to sit between
> two networks. Maybe you're bypassing a firewall, which is not good
> security-wise. I think that's why Michael asked you if your haproxy
> machine was going to be the gateway for the servers, because it
> could have made sense that this machine was the router/fw between
> the two LANs.
>
> Also, when building HA clusters, it's a good idea to set
> /proc/sys/net/ipv4/ip_non_local_bind to 1. It will allow a process
> from one machine to bind to a service address it doesn't yet own
> (typically the backup server). At the beginning you don't need this
> because you use *:80, but quite soon you may support multiple
> service addresses on the same port and you will need this.

So if I was to have a route for the 10.x network on the backend servers that used the haproxy servers as a gateway, I guess this would cause issues? I could get around this, however, by having the backend servers on the 10.x network; all requests would still go through haproxy though, as the backend server sees the VIP as the source IP, right?

So the /proc/sys/net/ipv4/ip_non_local_bind option would enable me to have the VIP:80 in the config file even though the VIP is not yet assigned to that server? This would be cool as I could then have the VIPs as different frontends. I tried this initially and haproxy failed to start.

Thanks for helping me get my head around this.

Matt

Received on 2009/11/05 11:00
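
Added example, not part of the original thread and not haproxy code: a pre-flight check for a backup node that lists the `bind` addresses in a config and reports which ones the host does not currently own. On Linux a bind to such an address fails with EADDRNOTAVAIL unless the sysctl, which the kernel spells `net.ipv4.ip_nonlocal_bind`, is 1. The sample config, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import errno
import re
import socket

SYSCTL = "/proc/sys/net/ipv4/ip_nonlocal_bind"  # kernel's spelling of the knob

# Constructed sample: two VIP frontends plus a wildcard listener.
SAMPLE_CFG = """\
frontend www_a
    bind 192.0.2.10:80
frontend www_b
    bind 192.0.2.11:80
listen stats
    bind *:8080
"""

def bind_addresses(cfg_text):
    """Return IPv4 addresses from 'bind' lines; '*' or empty means wildcard."""
    addrs = []
    for line in cfg_text.splitlines():
        m = re.match(r"\s*bind\s+([0-9.*]*):\d+", line)
        if m:
            addrs.append("0.0.0.0" if m.group(1) in ("", "*") else m.group(1))
    return addrs

def nonlocal_bind_enabled(path=SYSCTL):
    """True only if the sysctl file exists and contains 1."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def probe(addr):
    """Bind addr on an ephemeral port; return None on success, else the errno."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, 0))
            return None
        except OSError as exc:
            return exc.errno

def preflight(cfg_text, probe=probe):
    """Map each bind address to 'ok', 'not-owned' or another errno name."""
    report = {}
    for addr in bind_addresses(cfg_text):
        err = probe(addr)
        if err is None:
            report[addr] = "ok"
        elif err == errno.EADDRNOTAVAIL:
            report[addr] = "not-owned"  # needs the VIP assigned or the sysctl set
        else:
            report[addr] = errno.errorcode.get(err, str(err))
    return report
```

Running `preflight()` on the standby before a failover test shows whether every listener would come up; any `not-owned` entry while `nonlocal_bind_enabled()` is false means the service address cannot be bound until the VIP moves.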