From: Stanley Hopcroft
Date: Mon, 11 Dec 2000 14:42:08 +1100 (EST)
To: freebsd-isp@FreeBSD.ORG
Cc: Netsaint@Netsaint.ORG
Subject: Re: Load-Balancing - any solutions?
In-Reply-To: <3A337A25.E2074762@free.fr>

Dear Ladies and Gentlemen,

I am writing with some extra stuff about ways of server load balancing that haven't been mentioned in other correspondence about this matter.

The Foundry ServerIron (SI) is a well regarded means of doing Server Load Balancing (SLB) and a few other clever things also.

The SLB operates using a battery of health checks on the servers it is load balancing. The most important of these are layer 7 or content based checks.

The SI can send a GET request to the servers and respond to

. content from the real servers using regular expression pattern matching for a good|bad pattern in the HTML returned by the server
. 4xx or 5xx return codes
. a combination of the above

There is no necessity to do this in the SI hardware; the general method of

- a third party checking the health of servers and
- reacting to change the selected server according to the results of the health checks

can be implemented in other ways.

The Netsaint network monitor (http://www.netsaint.org), for example, has had for some time the ability to execute "service handlers" if its content sensitive health checks reveal faults (it too can use regexps to check the returned HTML for patterns of interest).

A service handler is arbitrary code that could, for example, via a secure channel (ssh) reconfigure the rewriting configuration of an Apache load balancing rewrite box to rewrite requests elsewhere.

The service handler could achieve the same result by other mechanisms (as is done by the Foundry Global Server Load Balancing method) such as using the Dynamic DNS capability to select another (by changing the address corresponding to the failed name so that all requests for the failed server will end up at another) server.

Eliminating manual intervention in bringing on-line a warm duplicate server may be feasible by a health check triggered change of interface address or state in the standby duplicate.

Likewise, routing decisions (in situations where it's undesirable to do so with a routing protocol, perhaps in a firewall situation) may be done by a health check leading to a secure channel update of a static routing table.

Perhaps a more extreme case is where a network Intrusion Detection System (IDS) is used to measure health and react with SNMP writes or traps to reconfigure other infrastructure (IDSs such as the ISS Real Secure and the Cisco IDS have this capacity already but it is not difficult to fit to any IDS that has the capacity of running code when it recognises an attack signature).

A host-based IDS need not behave so radically; it could react to suspicious log messages by calling someone.

That said, there are cases where the SI's capacity to collect comprehensive health indications such as

- layer 1 (switch or NIC link signal, when the servers are plugged into the SI)
- layer 3 (network reachability)
- layer 4 (accepting server port connections)
- layer 7 (reacting to a request)

and react to them blazingly quickly can't be substituted for.

There are other software methods of doing SLB for specific servers. The Eddie Mission (?) does so for DNS servers.

Thank you.

Yours sincerely,

S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX
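
Added example, not part of the original message and not ServerIron or Netsaint code: the layer 7 check described above (return code, good|bad regular expression, or both) and the handler decision that follows it, in Python. Server names, reply bodies and the rule of keeping the current pool when every check fails are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    """Constructed stand-in for the reply to a health-check GET."""
    status: int
    body: str


def layer7_healthy(resp: Optional[Response], good=None, bad=None) -> bool:
    """Content-based check: return code, bad pattern, good pattern, combined."""
    if resp is None:                       # no reply (layer 3/4 failure)
        return False
    if 400 <= resp.status <= 599:          # 4xx or 5xx return codes
        return False
    if bad and re.search(bad, resp.body):  # error text served with a 200
        return False
    if good and not re.search(good, resp.body):
        return False
    return True


def run_checks(replies, good=None, bad=None):
    """Apply the check to every real server; returns {server: healthy}."""
    return {name: layer7_healthy(r, good, bad) for name, r in replies.items()}


def select_pool(results, current):
    """Handler decision: the servers that should keep receiving requests."""
    healthy = sorted(name for name, ok in results.items() if ok)
    # Assumption: if every server fails at once, suspect the checker or its
    # network path and leave the pool alone rather than empty it.
    return healthy if healthy else sorted(current)


# Constructed sample replies (hypothetical server names).
GOOD = r"status:\s*OK"
BAD = r"(?i)error|failed"
REPLIES = {
    "web1": Response(200, "<html>status: OK</html>"),
    "web2": Response(200, "<html>Database connection failed</html>"),
    "web3": Response(503, "<html>Service Unavailable</html>"),
    "web4": None,
}

if __name__ == "__main__":
    results = run_checks(REPLIES, GOOD, BAD)
    print(results)
    print(select_pool(results, list(REPLIES)))
```

web2 is the case a layer 4 or return-code-only check misses: the server answers 200 but the page content shows the application is broken.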