persistence between different RIPs

HoWE nackas at gmail.com
Wed Aug 24 13:51:11 BST 2005


Hi all,
I apologize if this is already answered in the HOWTO or on the list.

I have the following problem (kind of lengthy I'm afraid, bear with me):

At work (Swedish university) we are currently deploying a large scale
installation of Oracle Collaboration Suite (100000+ accounts). Oracle
tells us to run SSL on dedicated machines for performance reasons (SSL
handling in Java is really slow, Oracle talks about a 50% performance
gain if SSL is taken care of someplace else...)

It is an absolute must that persistence is in use for the web
connections. It is very expensive to have users bouncing between
different RS.

SETUP:
=======
A setup-picture is attached.

Two LVS boxes running RHEL AS3, with their kernel.
Two SSL boxes, and 14 Oracle boxes.
LVS in DR mode.

How packets are flowing in this setup:

1) CIP -> SSLVIP (DR )
2) CIP -> SSLRIP1

3) SSLRIP1 -> VIP (DR)
4) SSLRIP1 -> RIP1

A packet coming from the client will first go to the director; the
director rewrites the destination MAC address and sends it back out.
One of the SSL machines gets the packet, stunnel on the SSL machine
makes a new connection to VIP, the director again rewrites the packet and
sends it back out on the wire, and one of the RS will get the packet.

PROBLEM:
=========
That is, connections from CIP will make two passes through the
director, and in the second pass I want to take into account what CIP
the connection had during the first pass. Because otherwise the
persistence handling will only see two clients, the SSL RS.

Ok, fwmark to the rescue. Then persistence templates will look like 
<CIP,FWMARK,RIP>, right? But that still means CIP is one of the SSL-machines.

Initially I will have templates looking like
<CIP,FWMARK,SSLRIP?> which will be used for the first pass.
When the SSL boxes connect to VIP, I will get templates looking like
<SSLRIP?,FWMARK,VIP> which will be used for the second pass,
which probably means that connections from the SSL boxes will never
hit more than two RS within a given time frame.

Any thoughts on how this can be attacked?
-------------- next part --------------
                        ________
                       |        |
                       | client |
                       |________|
                       CIP 172.16.1.253
                           |
                        (router)
             ________      |      ________
            |        |     |     |        | SSLRIP1 192.168.1.5
            | ssl1   |----- -----|  ssl2  | SSLRIP2 192.168.1.6
            |________|     |     |________| SSLVIP 192.168.1.109 (non-arping)
                           |
                           |
             __________    |    SSLVIP 192.168.1.109 (arps)
            |          |   |    VIP 192.168.1.110 (arps)
            | director |---     DIP 192.168.1.1
            |__________|   |
                           |
                           |
          -------------------------------------
          |                |                  |
          |                |                  |
   RIP1 192.168.1.2  RIP2 192.168.1.3  RIP3 192.168.1.4
   VIP 192.168.1.110 VIP 192.168.1.110 VIP 192.168.1.110 (non-arping)
   _____________     _____________      _____________
  |             |   |             |    |             |
  | realserver  |   | realserver  |    | realserver  |
  |_____________|   |_____________|    |_____________|
          |                |                  |
      (router)          (router)           (router)
          |                |                  |
          ----------------------------------------------> to client (ssl)
                                                          (or router
                                                           in front of
                                                           director)

More information about the lvs-users mailing list