* [gentoo-user] HA-Proxy or iptables?
From: Pandu Poluan @ 2013-08-29 7:54 UTC
To: gentoo-user
Hello list!
Here's my scenario:
Currently there is a server performing 2 functions; one runs on, let's
say, port 2000, and another one runs on port 3000.
Due to some necessary changes, especially the need to (1) provide more
resource for a function, and (2) delegate management of the functions
to different teams, we are going to split the server into two.
The problem is: Many users -- spread among 80+ branches throughout the
country -- access the server using IP Address instead of DNS name.
So, my plan was to leave port 2000's application on the original
server, implement port 3000's application on a new server, and have
all access to port 3000 of the original server to be redirected to
same port on the new server.
I can implement this using iptables SNAT & DNAT ... or I can use HA-Proxy.
Can anyone provide some benefit / drawback analysis on either solution?
Thank you very much!
--
FdS Pandu E Poluan
~ IT Optimizer ~
• LOPSA Member #15248
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
* Re: [gentoo-user] HA-Proxy or iptables?
From: Randy Barlow @ 2013-08-29 12:12 UTC
To: gentoo-user
Honestly, I think the best solution is to switch the company to using domain names to access these resources. This makes it much easier to silently introduce things like load balancers later on if you ever need to scale. It's also much easier to communicate to new users how to find this resource. Once you migrate to IPv6 it becomes a very long address to tell people as well.
To answer your specific question, I would just do it with iptables if you must continue accessing it by IP address. I will point out that the service on the new IP address now has doubled its chances of going out of service, because it depends on both machines running, even though the first has nothing to do with it. Also, doing this with firewall rules isn't very nice from a systems management perspective for the future, as it's not very obvious what's going on with some server rewriting packets for another one. If someone sees that in two years, are they going to know what to do? What if they want to take server 1 down, and forget that it also disrupts 2? Using DNS is much cleaner for these reasons.
* Re: [gentoo-user] HA-Proxy or iptables?
From: thegeezer @ 2013-08-29 12:45 UTC
To: gentoo-user
On 08/29/2013 01:12 PM, Randy Barlow wrote:
> Honestly, I think the best solution is to switch the company to using domain names to access these resources. This makes it much easier to silently introduce things like load balancers later on if you ever need to scale. It's also much easier to communicate to new users how to find this resource. Once you migrate to IPv6 it becomes a very long address to tell people as well.
>
> To answer your specific question, I would just do it with iptables if you must continue accessing it by IP address. I will point out that the service on the new IP address now has doubled its chances of going out of service, because it depends on both machines running, even though the first has nothing to do with it. Also, doing this with firewall rules isn't very nice from a systems management perspective for the future, as it's not very obvious what's going on with some server rewriting packets for another one. If someone sees that in two years, are they going to know what to do? What if they want to take server 1 down, and forget that it also disrupts 2? Using DNS is much cleaner for these reasons.
With iptables this could be tricky if everything is in the same LAN
subnet; you will need to ensure you have both DNAT and SNAT, otherwise
you will have:
PC ---> serverA:3000 ---DNAT----> serverB
serverB ---replies---> PC
PC ignores packet "i wasn't talking to you, i was talking to serverA"
Also bear in mind that from serverB's perspective, all connections on
port 3000 will appear to come from serverA. I know that a VT based
terminal server can set up users based on their originating IP, which
would previously have been a good detector of which terminal they are
connecting from.
Rather than using iptables on serverA, you may like to consider ebtables
or iptables on a server that sits in front of both serverA and serverB.
This would act as a bridge, and rewrite packets for serverA on port 3000
to go to serverB on port 3000.
Or
it could act as a router for NAT (iptables) if you change the IP subnet
of serverA and serverB, and make the NAT box have the original IP of serverA.
This would allow connections by IP to be tracked.
hth
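The DNAT+SNAT pair described above, written out as an added example (not code from the thread or from any poster): it prints the rules serverA would need so that clients still connecting to serverA:3000 are forwarded to serverB:3000, with the source rewritten to serverA so that serverB's replies come back through serverA instead of going straight to a client that never talked to serverB. The two addresses are constructed placeholders; the port is the 3000 from the thread.

```shell
#!/bin/sh
# Constructed placeholder addresses (RFC 5737 documentation range), overridable
# from the environment. PORT is the 3000 used in the thread.
SERVER_A="${SERVER_A:-192.0.2.10}"
SERVER_B="${SERVER_B:-192.0.2.20}"
PORT="${PORT:-3000}"

# nat_rules A B PORT: print the commands that redirect A:PORT to B:PORT on host A.
#  - PREROUTING DNAT: rewrite the destination of incoming A:PORT traffic to B:PORT.
#  - POSTROUTING SNAT: rewrite the source to A so B replies to A, where conntrack
#    reverses both translations; without it B answers the client directly and a
#    client on the same subnet drops the reply as coming from the wrong host.
#  - FORWARD rules: allow the translated flow if FORWARD's policy is DROP.
# Side effect noted in the thread: B sees every connection as coming from A.
nat_rules() {
    a="$1"; b="$2"; p="$3"
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A PREROUTING -d $a -p tcp --dport $p -j DNAT --to-destination $b:$p" \
      "iptables -t nat -A POSTROUTING -d $b -p tcp --dport $p -j SNAT --to-source $a" \
      "iptables -A FORWARD -d $b -p tcp --dport $p -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -s $b -p tcp --sport $p -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run by default (just print); "apply" executes the rules, which needs root
# on a Linux host with iptables installed.
case "${1:-}" in
  apply) nat_rules "$SERVER_A" "$SERVER_B" "$PORT" | sh -e ;;
  *)     nat_rules "$SERVER_A" "$SERVER_B" "$PORT" ;;
esac
```

Verify afterwards with `iptables -t nat -L -n -v` and `conntrack -L` (conntrack-tools) to confirm both translations are counted on the same flow.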
* Re: [gentoo-user] HA-Proxy or iptables?
From: Pandu Poluan @ 2013-08-29 14:11 UTC
To: gentoo-user
On Aug 29, 2013 7:13 PM, "Randy Barlow" <randy@electronsweatshop.com> wrote:
>
> Honestly, I think the best solution is to switch the company to using
> domain names to access these resources. This makes it much easier to
> silently introduce things like load balancers later on if you ever need to
> scale. It's also much easier to communicate to new users how to find this
> resource. Once you migrate to IPv6 it becomes a very long address to tell
> people as well.
>
I agree, but considering that the split is Really Urgent™, I'll just have
to make do with redirection for the time being.
> To answer your specific question, I would just do it with iptables if you
> must continue accessing it by IP address. I will point out that the service
> on the new IP address now has doubled its chances of going out of service,
> because it depends on both machines running, even though the first has
> nothing to do with it. Also, doing this with firewall rules isn't very nice
> from a systems management perspective for the future, as it's not very
> obvious what's going on with some server rewriting packets for another one.
> If someone sees that in two years, are they going to know what to do? What
> if they want to take server 1 down, and forget that it also disrupts 2?
> Using DNS is much cleaner for these reasons.
Again, I agree 100%.
Fortunately, nobody is allowed to bring down a server without my team's
blessing, so if they ever need to bring the server down, we will force them
to arrange a schedule with the other team.
Rgds,
--
* Re: [gentoo-user] HA-Proxy or iptables?
From: Pandu Poluan @ 2013-08-29 14:14 UTC
To: gentoo-user
On Aug 29, 2013 7:46 PM, "thegeezer" <thegeezer@thegeezer.net> wrote:
>
> On 08/29/2013 01:12 PM, Randy Barlow wrote:
> > Honestly, I think the best solution is to switch the company to using
> > domain names to access these resources. This makes it much easier to
> > silently introduce things like load balancers later on if you ever need to
> > scale. It's also much easier to communicate to new users how to find this
> > resource. Once you migrate to IPv6 it becomes a very long address to tell
> > people as well.
> >
> > To answer your specific question, I would just do it with iptables if
> > you must continue accessing it by IP address. I will point out that the
> > service on the new IP address now has doubled its chances of going out of
> > service, because it depends on both machines running, even though the first
> > has nothing to do with it. Also, doing this with firewall rules isn't very
> > nice from a systems management perspective for the future, as it's not very
> > obvious what's going on with some server rewriting packets for another one.
> > If someone sees that in two years, are they going to know what to do? What
> > if they want to take server 1 down, and forget that it also disrupts 2?
> > Using DNS is much cleaner for these reasons.
> With iptables this could be tricky if everything is in the same LAN
> subnet, you will need to ensure you have both DNAT and SNAT otherwise
> you will have:
> PC ---> serverA:3000 ---DNAT----> serverB
> serverB ---replies---> PC
> PC ignores packet "i wasn't talking to you, i was talking to serverA"
>
I do have some experience with double NAT-ting, but thanks for the reminder
anyways :-)
> Also bear in mind that from serverB's perspective, all connections on
> port 3000 will appear to come from serverA. I know that a VT based
> terminal server can set up users based on their originating IP, which
> would previously have been a good detector of which terminal they are
> connecting from.
>
Luckily, to the best of my knowledge, the apps do not make such a
distinction, so I can get away with such sleight of hand...
> Rather than using iptables on serverA, you may like to consider EBtables
> or IPtables on a server that sits in front of both serverA and serverB.
> this would act as a bridge, and rewrite packets for serverA on port 3000
> to go to serverB on port 3000
> or
> it could act as a router for NAT (iptables) if you change the ip subnet
> of serverA and serverB, and make the NAT box have the original IP of
> serverA
> this would allow connections by IP to be tracked
>
Interesting... I'll consider that. Although not strictly needed, tracking
by IP will certainly be helpful.
Thank you for the tip!
* Re: [gentoo-user] HA-Proxy or iptables?
From: Kerin Millar @ 2013-08-30 15:54 UTC
To: gentoo-user
On 29/08/2013 08:54, Pandu Poluan wrote:
> Hello list!
>
> Here's my scenario:
>
> Currently there is a server performing 2 functions; one runs on, let's
> say, port 2000, and another one runs on port 3000.
>
> Due to some necessary changes, especially the need to (1) provide more
> resource for a function, and (2) delegate management of the functions
> to different teams, we are going to split the server into two.
>
> The problem is: Many users -- spread among 80+ branches throughout the
> country -- access the server using IP Address instead of DNS name.
>
> So, my plan was to leave port 2000's application on the original
> server, implement port 3000's application on a new server, and have
> all access to port 3000 of the original server to be redirected to
> same port on the new server.
>
> I can implement this using iptables SNAT & DNAT ... or I can use HA-Proxy.
>
> Can anyone provide some benefit / drawback analysis on either solution?
I don't have any practical experience of using HA-Proxy. However, if you
are sizing up Netfilter as a solution then I would suggest that you also
consider Linux Virtual Server (LVS). It provides a lightweight NAT
implementation and scales well. It is natively administered with the
ipvsadm tool but I would recommend using ldirectord or such:
http://horms.net/projects/ldirectord/
--Kerin