Difference between revisions of "Load balancing"

From securityrouter.org, an OpenBSD-based firewall

Revision as of 08:45, 26 March 2012

The load balancer can dynamically redirect and route traffic. It can operate as

  • Load balancer
  • Application layer gateway
  • SSL accelerator
  • Transparent proxy
  • Internet failover

Load balancing basics

The load balancer is most commonly used to forward traffic to multiple servers with load distribution and health checking. This functionality can, with some generalization, be divided into layer 3 (called redirects) and layer 4+ (called relays). They are configured in much the same way, but have some striking technical differences.

HTTPS (SSL) acceleration

This very simple example provides an HTTPS accelerator. If you are using the 64-bit version (amd64) on a router with AES-NI instructions, you can expect gigabit performance. Below is a more or less complete example, using the router exclusively as a layer 7 load balancer, utilizing only one Ethernet interface.

interface em0 {
	address 192.168.0.100/24
	route default 192.168.0.1
}
load-balancer {
	table <servers> { 192.168.0.101 192.168.0.102 }
	relay "webservers" {
		listen on 192.168.0.100 port 443 ssl
		forward to <servers> port 80 check tcp
	}
}
system {
	http-server {
		port 4433
	}
	authentication {
		root-password "extremelyhardpassword"
		user "admin" {
			password "veryhardpassword"
		}
	}
	dns {
		name-server 8.8.8.8
	}
}

Then, upload the certificate and private key. Currently, these are not part of the configuration file. Instead, enable root access (already enabled by the example above) and upload the files using, for example, scp, following the skeleton files guidelines. You can also try out the load balancer with the web administration's self-signed certificate by issuing the following commands when logged in as root:

# cp /etc/ssl/server.crt /etc/ssl/192.168.0.100.crt
# cp /etc/ssl/private/server.key /etc/ssl/private/192.168.0.100.key
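The relay above forwards only to backends that pass `check tcp`, i.e. those that accept a TCP connection on the forward port. The following added Python script (not part of securityrouter.org or its load balancer) models that behaviour so the semantics can be exercised offline: it probes each host of a constructed server table, keeps the healthy subset, and round-robins over it, returning nothing when every backend is down.

```python
import socket
from itertools import cycle

# Constructed backend table mirroring the <servers> table in the HTTPS
# accelerator example above (addresses are illustrative, not a deployment).
SERVERS = ["192.168.0.101", "192.168.0.102"]


def check_tcp(host, port, timeout=2.0):
    """Model of relayd's 'check tcp': a backend is healthy only if a TCP
    connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def healthy_backends(hosts, port, timeout=2.0):
    """Return the hosts that pass the TCP check; this is the live table the
    relay actually forwards to."""
    return [h for h in hosts if check_tcp(h, port, timeout)]


class Forwarder:
    """Round-robin over the healthy set; refresh() re-runs the check so a
    backend that stops answering drops out of rotation."""

    def __init__(self, hosts, port, timeout=2.0):
        self.hosts, self.port, self.timeout = hosts, port, timeout
        self.refresh()

    def refresh(self):
        self.live = healthy_backends(self.hosts, self.port, self.timeout)
        self._rr = cycle(self.live)
        return self.live

    def pick(self):
        # Every backend down: the relay has nowhere to forward the connection.
        if not self.live:
            return None
        return next(self._rr)


if __name__ == "__main__":
    fwd = Forwarder(SERVERS, 80)
    print("live backends:", fwd.live, "next:", fwd.pick())
```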

Internet failover

The load balancer can be used to select one of several default routers (gateways), which is useful for outbound internet failover when more sophisticated protocols such as BGP are unavailable. Below is an incomplete example of such a configuration.

load-balancer {
	gw1 = 212.37.18.193
	gw2 = 213.12.48.1
	table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 }
	router "internetfailover" {
		route 0.0.0.0/0
		forward to <gateways> check icmp
	}
}

SSL stripping

If you would like to strip the SSL from a service that is only available over SSL (e.g. the web administration, even though this is neither recommended nor good practice), this example shows how to make the web administration available over insecure HTTP connections.

load-balancer {
	relay "webui" {
		listen on 0.0.0.0 port 80
		forward with ssl to 127.0.0.1 port 443
	}
}