Discussion:
layer 4-7 load balancing
Aristedes Maniatis
2009-08-21 02:16:25 UTC
Is anyone using pfSense to perform load balancing (and failover) for two or more web servers in a redundant configuration? Bonus points for being able to also perform SSL offloading. Our application server uses HTTP cookies to maintain sessions, so it is important that the load balancer be able to maintain connection to a specific web server for the life of the cookie.

Something like these things:

http://www.ultramonkey.org/about.shtml
http://www.coyotepoint.com/products/e250.php


Is this within the scope of the pfSense project?


Regards

Ari Maniatis
--
-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A

---------------------------------------------------------------------
To unsubscribe, e-mail: discussion-***@pfsense.com
For additional commands, e-mail: discussion-***@pfsense.com

Commercial support available - https://portal.pfsense.org
Chris Buechler
2009-08-21 02:24:06 UTC
Post by Aristedes Maniatis
Is anyone using pfSense to perform load balancing (and failover) for two or
more web servers in a redundant configuration?
Yes, lots, but in more generic setups.
Post by Aristedes Maniatis
Bonus points for being able
to also perform SSL offloading. Our application server uses HTTP cookies to
maintain sessions, so it is important that the load balancer be able to
maintain connection to a specific web server for the life of the cookie.
The session stickiness is based on firewall states, which isn't going
to guarantee that it's tied to that server for the life of the cookie.
Current stable versions don't provide the kind of functionality you
require for that.

Aristedes Maniatis
2009-08-21 09:55:22 UTC
Post by Chris Buechler
Post by Aristedes Maniatis
Bonus points for being able
Post by Aristedes Maniatis
to also perform SSL offloading. Our application server uses HTTP cookies to
maintain sessions, so it is important that the load balancer be able to
maintain connection to a specific web server for the life of the cookie.
The session stickiness is based on firewall states, which isn't going
to guarantee that it's tied to that server for the life of the cookie.
Current stable versions don't provide the kind of functionality you
require for that.
Ah, thanks Chris. Is this something planned for the near future (6-9 months)? We aren't in a hurry, and any alternative solution is going to cost us >$5,000 for some appliance (in HA redundant mode). I'd rather fund a good cause (like you guys) with those dollars, but it seems like several pieces would be needed:

1. HA failover (pfSense already has that)
2. load balancing (pfSense already has that as round robin but not balancing response times)
3. layer 7 (HTTP/HTTPS) awareness of cookies to maintain application stickiness
4. SSL offloading (I suspect that 3 requires this since the cookie is inside the HTTPS payload)
5. HTTP dead host detection (as opposed to a simple ping)

Does that sound about right? Do you have a clear idea of how much work is involved in all this?

Ari Maniatis


-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A

Aristedes Maniatis
2009-08-25 00:45:08 UTC
Post by Aristedes Maniatis
Ah, thanks Chris. Is this something planned for the near future (6-9
months)? We aren't in a hurry, and any alternative solution is going to
cost us >$5,000 for some appliance (in HA redundant mode). I'd rather
fund a good cause (like you guys) with those dollars, but it seems like
1. HA failover (pfSense already has that)
2. load balancing (pfSense already has that as round robin but not
balancing response times)
3. layer 7 (HTTP/HTTPS) awareness of cookies to maintain application stickiness
4. SSL offloading (I suspect that 3 requires this since the cookie is
inside the HTTPS payload)
5. HTTP dead host detection (as opposed to a simple ping)
Does that sound about right? Do you have a clear idea of how much work
is involved in all this?
I've since discovered that our application server doesn't need sessions to be bound to a particular httpd front-end. So 3 & 4 are not actually required (although SSL offloading would be convenient simply to reduce the number of IP addresses we have to configure on each web server).

That leaves 5. How flexible is pfSense's dead host detection? Instead of a ping check can we substitute an arbitrary http check (at a minimum to check for a 200 response, but ideally we want to perform a regex check to find specific content on a page)? Or alternatively since we already have nagios performing these checks can we use that to notify pfsense to perform a failover?


Cheers
Ari Maniatis


-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A

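Two points in this thread lend themselves to a concrete illustration: Chris's remark that stickiness based on firewall states cannot guarantee a session stays on one server for the life of the cookie, and Ari's question about replacing a ping with an HTTP check that verifies a 200 response and a regex match on page content. The block below is an added example written for this thread; it is not pfSense or relayd code, and the backend addresses, the /healthz path and the "app=ish status=ok" page text are constructed assumptions. It probes each backend at layer 7, keeps only those that return the expected status and body, and then selects a backend by rendezvous hashing on the session cookie, so a session keeps its server as long as that server is alive and only sessions on a dead server move.

```python
"""Added example (not from the pfSense list thread or the relayd project):
layer 7 health checks plus cookie-keyed backend selection that survives
a backend failure without reshuffling every session."""
import hashlib
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed backend pool; example addresses, not the poster's hosts.
POOL = ["192.0.2.11:80", "192.0.2.12:80", "192.0.2.13:80"]
HEALTH_PATH = "/healthz"                      # hypothetical health endpoint
EXPECT_CODE = 200
EXPECT_PATTERN = r"app=ish\s+status=ok"       # constructed content to look for


def probe(url, timeout=2.0):
    """Fetch url and return (status, body); an unreachable host yields (None, '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # non-2xx still carries a status
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):       # refused, timeout, DNS failure
        return None, ""


def is_healthy(status, body, expect_code=EXPECT_CODE, expect_pattern=EXPECT_PATTERN):
    """Layer 7 liveness: a host that answers ping but serves a 500 or an error page fails."""
    if status != expect_code:
        return False
    if expect_pattern is not None and re.search(expect_pattern, body) is None:
        return False
    return True


def healthy_backends(pool, path=HEALTH_PATH):
    """Return the members of pool whose health page passes is_healthy()."""
    alive = []
    for backend in pool:
        status, body = probe(f"http://{backend}{path}")
        if is_healthy(status, body):
            alive.append(backend)
    return alive


def pick_backend(session_id, alive):
    """Rendezvous (highest random weight) hashing keyed on the session cookie.

    Each backend gets a weight from hash(session || backend); the highest wins.
    Removing a backend only remaps the sessions that were on it, which is the
    property a plain 'hash mod N' table lacks.
    """
    if not alive:
        return None

    def weight(backend):
        return hashlib.sha256(f"{session_id}|{backend}".encode()).digest()

    return max(alive, key=weight)


class _DemoHandler(BaseHTTPRequestHandler):
    """Throwaway backend for the stand-alone demo: healthy on HEALTH_PATH only."""

    def do_GET(self):
        if self.path == HEALTH_PATH:
            body, code = b"app=ish status=ok\n", 200
        else:
            body, code = b"not found\n", 404
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


def run_demo():
    """Start one loopback backend, probe it alongside a dead port, and pick a server."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    live = f"127.0.0.1:{server.server_port}"
    try:
        alive = healthy_backends([live, "127.0.0.1:9"])   # port 9 is expected to refuse
        return {"alive": alive, "choice": pick_backend("JSESSIONID=abc123", alive)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The check is deliberately stricter than "port open": a web server that accepts connections but returns an error page fails the regex and is pulled from rotation, which is the difference Ari draws between an HTTP check and a simple ping. The selection step shows why state-based stickiness is weaker than cookie-based stickiness: here the mapping is a pure function of the cookie value and the set of live servers, so a session is re-homed only when its own server drops out.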
RB
2009-08-25 01:12:25 UTC
Post by Aristedes Maniatis
That leaves 5. How flexible is pfSense's dead host detection? Instead of a
ping check can we substitute an arbitrary http check (at a minimum to check
for a 200 response, but ideally we want to perform a regex check to find
specific content on a page)? Or alternatively since we already have nagios
performing these checks can we use that to notify pfsense to perform a
failover?
I thought Chris would have mentioned it by now, but the features
you've been asking about (cookies, dead host detection, etc.) are
generally already in the unstable 2.0-alpha version using relayd. Not
something you would want to run for production-critical workloads, but
the groundwork is at least being laid. I do not see configuration
options for SSL offload, but since relayd has the capability it's
probably only a matter of time.

r***@ipv6.or.id
2009-08-25 07:05:04 UTC
Dear Members,


I have a problem with PFSense 2.8.4.1_1.
Even though I have listed the IP address which needs to be allowed, snort
keeps blocking it.
Any enlightenment on this?

Thanks in Advance

a.r. isnaini r. sutan


Chris Buechler
2009-08-25 06:02:44 UTC
Post by Aristedes Maniatis
I've since discovered that our application server doesn't need sessions to
be bound to a particular httpd front-end. So 3 & 4 are not actually required
(although SSL offloading would be convenient simply to reduce the number of
IP addresses we have to configure on each web server).
That leaves 5. How flexible is pfSense's dead host detection? Instead of a
ping check can we substitute an arbitrary http check (at a minimum to check
for a 200 response, but ideally we want to perform a regex check to find
specific content on a page)? Or alternatively since we already have nagios
performing these checks can we use that to notify pfsense to perform a
failover?
Some of that functionality does exist in relayd, but the
implementation in 2.0 hasn't been finished and currently has a number
of issues. I'll email you off list on taking this on as a project,
we'll find a solution that will meet your needs.
