Re: IP Header Rewriting with Pen (async. Routing) ?

From: Markus Binder (markus.binder@globalways.net)
Date: Sat Sep 07 2002 - 12:51:42 CEST


Hi Ulric,
I am sure it would work like this.

.--------.
| CLIENT |-----<<-----.
`--------´             |
    |                  |
.--------.       .----------.
|  PEN   |       | Firewall |
`--------´       `----------´
    |                  |
.--------.             |
| APACHE |----->>------'
`--------´

You have to know that all of my Apaches are in a private network.
The firewall is their default gateway.

The Process goes like this:
- Client sends a Request to pen.
- PEN Rewrites the TCP Header
  SourceIP = Client IP
  DestIP = ApacheX IP
- Apache answers the request directly by routing
  through the Firewall.
- Firewall does masquerading and so the Packet gets
  SourceIP = Firewall IP
  DestIP = ClientIP

That is what I meant with asynchronous.
But async. routing is no problem with HTTP and SSL.
(With FTP and other, also UDP-based, protocols it may
cause problems.)

The logging is done by letting ApacheX log into a
SQL DB and then selecting all log entries, sorted by date and time,
into a file for analysis every night.

Hope you understood what I mean and that you
can help me to modify PEN to do so.
(For Linux OS 2.4.18)

Kindest regards and a lot of thanks in advance.

        Markus Binder

Ulric Eriksson wrote:
>
> On Wed, 4 Sep 2002, Markus Binder wrote:
>
> > Hi,
> > is there a possibility to tell pen to rewrite the source IP address
> > of the TCP packet it sends to the webserver to the source address
> > the packet of the original request came from?
> > To use pen only as a "one-way man-in-the-middle" load balancer?
>
> No, it is not possible. To do so would require a major rewrite of most of
> pen. And it would not be portable.
>
> > (I know about the asynchronous TCP Connection, but think
> > with HTTP and HTTPS it does not matter.)
> >
> >
> > (CLIENT) ------request----> (PEN)
> >                              .  .
> >                             .    .
> >                            .      .
> >                           .        .
> >                    (APACHE1)      (APACHEn)
>
> Then CLIENT would send IP packets to PEN, which would create a new packet
> with the same source address and the same payload, but with APACHEx as
> destination address. APACHEx would send packets back using APACHEx as
> source address and CLIENT as destination address. It would be difficult
> for CLIENT to figure out what TCP session those packets are supposed to be
> part of.
>
> This would work, however:
>
> .--------.
> | CLIENT |
> `--------´
>     |
> .--------.
> |  PEN   |
> `--------´
>     |
> .--------.
> | APACHE |
> `--------´
>
> Here pen sits physically between the client and the server, so it sees
> outgoing packets from apache regardless of the destination address. Apache
> has pen as its default gateway. Pen must keep track of client/server
> address combination and "sniff" the server network for packets that should
> be rewritten.
>
> This is all possible, and many commercial load balancers do indeed work
> like that. But it is less portable (although it would probably work
> wherever libnet and libpcap are supported) and places more restrictions on
> the network design. And it doesn't really solve the logging problem, since
> the server logs still need to be combined somehow.
>
> Ulric

--
globalways Internetservice | Sickenhäuser Str. 65 | D-72760 Reutlingen
Tel: +49 (0) 7121 38119-10 | Fax: +49 (0) 7121 38119-12
www.globalways.net | info@globalways.net
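A small model of the 4-tuple check that Ulric's objection rests on, added here as an example and not code from the thread or from pen itself; all addresses and ports are constructed. It plays the request through the rewriting step both posters describe and then checks whether the client's TCP socket (which matched on the peer address it connected to, i.e. PEN) would accept the reply on each return path: direct from Apache, masqueraded by Markus's firewall, or restored by Ulric's inline pen.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int    # source port
    dport: int    # destination port
    payload: str


# Constructed sample addresses (assumptions, not values from the thread).
CLIENT, PEN, APACHE, FIREWALL = "203.0.113.10", "192.0.2.80", "10.0.0.5", "192.0.2.1"
CLIENT_PORT, HTTP_PORT = 40000, 80


def client_accepts(reply: Packet) -> bool:
    """A TCP stack demultiplexes on (local ip, local port, remote ip, remote port).
    The client connected to PEN, so only a reply whose source is PEN's address and
    port 80 matches the socket; anything else is dropped or answered with a RST."""
    return (reply.dst, reply.dport, reply.src, reply.sport) == (CLIENT, CLIENT_PORT, PEN, HTTP_PORT)


def pen_rewrite_request(pkt: Packet, backend: str) -> Packet:
    # What Markus asks pen to do: keep the client's source IP, replace only the destination.
    return Packet(pkt.src, backend, pkt.sport, pkt.dport, pkt.payload)


def backend_reply(req: Packet) -> Packet:
    # Apache answers with its own address as source and the client as destination.
    return Packet(req.dst, req.src, req.dport, req.sport, "HTTP/1.0 200 OK")


def firewall_masquerade(reply: Packet) -> Packet:
    # Markus's firewall: masquerading replaces the source with the firewall's own address.
    return Packet(FIREWALL, reply.dst, reply.sport, reply.dport, reply.payload)


def pen_rewrite_reply(reply: Packet) -> Packet:
    # Ulric's inline pen: sniffs the server network and restores its own address as source.
    return Packet(PEN, reply.dst, reply.sport, reply.dport, reply.payload)


def run(return_path: Callable[[Packet], Packet]) -> bool:
    """Send one request through pen to Apache and return whether the client accepts the reply."""
    req = Packet(CLIENT, PEN, CLIENT_PORT, HTTP_PORT, "GET / HTTP/1.0")
    return client_accepts(return_path(backend_reply(pen_rewrite_request(req, APACHE))))
```

Only the path where the device on the return route rewrites the source back to PEN's address survives the client's 4-tuple match, which is why a masquerading firewall would have to SNAT the reply to PEN's address rather than its own.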



This archive was generated by hypermail 2.1.2 : Sat Sep 07 2002 - 12:59:47 CEST