web replication

 
 
fusillo
Guest
Posts: n/a

 
      08-06-2006, 06:51 PM
Hi, I would like to realize a sort of replication for my web site based on
load balancing on n mirror servers.
I've read about these possible solutions:
using a DNS resolution method with its underlying round robin mechanism
using a reverse proxy daemon to translate the URL
using the kernel's traffic shaping

Because of HTTP's connectionless orientation, I have a doubt about session
information leaks.

Do you have some references/advice about this?

Thanks

fusillo

Sorry for my poor English
 
 
 
 
 
ed
Guest
Posts: n/a

 
      08-07-2006, 07:55 PM
On Sun, 06 Aug 2006 20:51:16 +0200
fusillo <(E-Mail Removed)> wrote:

> Hi, I would like to realize a sort of replication for my web site based
> on load balancing on n mirror servers.
> I've read about these possible solutions:
> using a DNS resolution method with its underlying round robin mechanism
> using a reverse proxy daemon to translate the URL
> using the kernel's traffic shaping
>
> Because of HTTP's connectionless orientation, I have a doubt about
> session information leaks.
>
> Do you have some references/advice about this?


I suggest using the NAT based solution because HTTP is session based,
unless you have FTP clients of course.

To replicate the file system use rsync, or a SAN/NAS.

Filesystem replication is the bane.

--
Regards, Ed :: http://www.ednevitable.co.uk
proud perl person
Vin Diesel's date to his high school prom was a 5 ft inflatable
penguin named Party Pierre.
 
 
fusillo
Guest
Posts: n/a

 
      08-08-2006, 02:12 AM
ed wrote:
>> Do you have some references/advice about this?
>
> I suggest using the NAT based solution because HTTP is session based,
> unless you have FTP clients of course.
>
> To replicate the file system use rsync, or a SAN/NAS.
>
> Filesystem replication is the bane.

I'm thinking about a 3-tier architecture:
client -- load balancer -- n web servers + script engine -- db
To enable the HTTP session information, I'm thinking about using a network
filesystem placed on the backend and setting the mount point as the session
directory path (using the PHP session configuration directive).
The cookies should not be a problem, should they?
Cookies reside in the client browser and are forwarded to the server based
on the domain name (the balancer domain name).
To replicate the db I would use a simple master-slave MySQL configuration.

The unsolved problem is balancing the HTTPS session; a session must use
the same server because there's a handshake for the symmetric key
exchange.
How do you recognize a single HTTPS session from another HTTPS session?
The current idea is to not shape this traffic and to dedicate one server to
the SSL traffic, using the port in the NAT prerouting rule.

rsync is a good idea for syncing the web content of the n middleware
servers. Thanks.

Any advice is really appreciated.

fusillo
 
 
fusillo
Guest
Posts: n/a

 
      08-08-2006, 02:14 AM
> I suggest using the NAT based solution because HTTP is session based,
> unless you have FTP clients of course.
>

FTP in a NAT environment should not be a problem with the support of the
kernel module ipnat_ftp, because it changes the IP of the application-layer
PORT command in the case of an active mode connection; if you use passive
mode it runs anyway.
 
 
ed
Guest
Posts: n/a

 
      08-08-2006, 08:04 PM
On Tue, 08 Aug 2006 04:14:28 +0200
fusillo <(E-Mail Removed)> wrote:

> FTP in a NAT environment should not be a problem with the support of the
> kernel module ipnat_ftp, because it changes the IP of the application-layer
> PORT command in the case of an active mode connection; if you use passive
> mode it runs anyway.


I'm not so sure about that. It would have to do a bit more since passive
is the client connecting to the host for data, active asks that the host
connects to the client.

Like I said, it's up to you if you want the headaches of it, it's
easiest to INSIST that client connections are always passive. If
possible, turn off active at the FTP.

--
Regards, Ed :: http://www.openbsdhacker.com
just another unix person
Vin Diesel spawned Hulk Hogan from his head.
 
 
ed
Guest
Posts: n/a

 
      08-08-2006, 08:27 PM
On Tue, 08 Aug 2006 04:12:01 +0200
fusillo <(E-Mail Removed)> wrote:

> I'm thinking about a 3-tier architecture:
> client -- load balancer -- n web servers + script engine -- db
> To enable the HTTP session information, I'm thinking about using a network
> filesystem placed on the backend and setting the mount point as the session
> directory path (using the PHP session configuration directive).
> The cookies should not be a problem, should they?


Depends.

Session cookies relate to memory in the server, so if it's a session
cookie, then yes it's a problem if one cannot be certain of which box
the client is going to connect to in 5 mins time.

> Cookies reside in the client browser and are forwarded to the server
> based on the domain name (the balancer domain name).
> To replicate the db I would use a simple master-slave MySQL
> configuration.


This depends on your balancing device, some are full protocol proxies
which can do exactly as you ask. I think there's one called 'pound'
which is GNU that can do this for you.

> The unsolved problem is balancing the HTTPS session; a session must use
> the same server because there's a handshake for the symmetric key
> exchange.


Pound does this I think, also look into source/dest hashing on the NAT
level.

> How do you recognize a single HTTPS session from another HTTPS
> session? The current idea is to not shape this traffic and to dedicate one
> server to the SSL traffic, using the port in the NAT prerouting rule.


It's the NAT host that solves this through the socket (sourceip,destip,
sourceport,dstport) that makes what we know as a socket. The socket is
matched against the NAT table.

> rsync is a good idea for syncing the web content of the n middleware
> servers. Thanks.


No problem.

--
Regards, Ed :: http://www.usenix.org.uk
just another bash hacker
Once, Chuck Norris was at the airport. When a plane flying from San
Francisco to New York wouldn't start, Chuck threw the plane, which
ended up landing in the Gulf of Mexico. Chuck claimed his arm was
sore because of overwork.
 
 
fusillo
Guest
Posts: n/a

 
      08-09-2006, 01:27 AM
ed wrote:
>> To enable the HTTP session information, I'm thinking about using a network
>> filesystem placed on the backend and setting the mount point as the session
>> directory path (using the PHP session configuration directive).
>> The cookies should not be a problem, should they?
>
> Depends.
>
> Session cookies relate to memory in the server, so if it's a session
> cookie, then yes it's a problem if one cannot be certain of which box
> the client is going to connect to in 5 mins time.

Yes, but this is the reason to use a shared memory for the session
information. Get it by mounting the same NFS (placed physically in the
backend) on the path used to save the session dictionary on every single
web server.

>> Cookies reside in the client browser and are forwarded to the server
>> based on the domain name (the balancer domain name).
>> To replicate the db I would use a simple master-slave MySQL
>> configuration.
>
> This depends on your balancing device, some are full protocol proxies
> which can do exactly as you ask. I think there's one called 'pound'
> which is GNU that can do this for you.

I wouldn't play with layer 7; my idea is to use layer 4 load balancing.
I'm currently studying the LVS documentation: IPVS via NAT uses NAT to
translate the virtual service IP (the IP of the web balancer) to one real
server IP, choosing the server by means of a given scheduling algorithm.
If the cookie's domain matches the virtual service IP, when a browser
sends it in an HTTP header it will be forwarded and balanced to a real
server thanks to an LVS NAT rule; it shouldn't matter which server,
because the session information is shared by the servers.
Could it work?

>> The unsolved problem is balancing the HTTPS session; a session must use
>> the same server because there's a handshake for the symmetric key
>> exchange.
>
> Pound does this I think, also look into source/dest hashing on the NAT
> level.

Thanks, I will read about it.

>> How do you recognize a single HTTPS session from another HTTPS
>> session? The current idea is to not shape this traffic and to dedicate one
>> server to the SSL traffic, using the port in the NAT prerouting rule.
>
> It's the NAT host that solves this through the socket (sourceip,destip,
> sourceport,dstport) that makes what we know as a socket. The socket is
> matched against the NAT table.

Maybe using a right-sized hash table I can force it to pass to the same
real server, but it depends on the traffic volume.


Regards

fusillo
 
 
fusillo
Guest
Posts: n/a

 
      08-09-2006, 01:28 AM
ed wrote:
> On Tue, 08 Aug 2006 04:14:28 +0200
> fusillo <(E-Mail Removed)> wrote:
>
>> FTP in a NAT environment should not be a problem with the support of the
>> kernel module ipnat_ftp, because it changes the IP of the application-layer
>> PORT command in the case of an active mode connection; if you use
>> passive mode it runs anyway.
>
> I'm not so sure about that. It would have to do a bit more since passive
> is the client connecting to the host for data, active asks that the host
> connects to the client.

Yes, you're right, but the problem of the data connection is solved
implicitly by that module without adding any NAT rules.
I don't know how.

> Like I said, it's up to you if you want the headaches of it, it's
> easiest to INSIST that client connections are always passive. If
> possible, turn off active at the FTP.

w the tomato pang, in Italian it sounds better being 'w lo spasmo al
pomodoro'
Thanks again.
 
 
fusillo
Guest
Posts: n/a

 
      08-17-2006, 04:57 AM
fusillo wrote:
> ed wrote:
>
>>> To enable the HTTP session information, I'm thinking about using a network
>>> filesystem placed on the backend and setting the mount point as the session
>>> directory path (using the PHP session configuration directive).
>>> The cookies should not be a problem, should they?
>>
>> Depends.
>>
>> Session cookies relate to memory in the server, so if it's a session
>> cookie, then yes it's a problem if one cannot be certain of which box
>> the client is going to connect to in 5 mins time.
>
> Yes, but this is the reason to use a shared memory for the session
> information. Get it by mounting the same NFS (placed physically in the
> backend) on the path used to save the session dictionary on every single
> web server.
>
>>> Cookies reside in the client browser and are forwarded to the server
>>> based on the domain name (the balancer domain name).
>>> To replicate the db I would use a simple master-slave MySQL
>>> configuration.
>>
>> This depends on your balancing device, some are full protocol proxies
>> which can do exactly as you ask. I think there's one called 'pound'
>> which is GNU that can do this for you.
>
> I wouldn't play with layer 7; my idea is to use layer 4 load balancing.
> I'm currently studying the LVS documentation: IPVS via NAT uses NAT to
> translate the virtual service IP (the IP of the web balancer) to one real
> server IP, choosing the server by means of a given scheduling algorithm.
> If the cookie's domain matches the virtual service IP, when a browser
> sends it in an HTTP header it will be forwarded and balanced to a real
> server thanks to an LVS NAT rule; it shouldn't matter which server,
> because the session information is shared by the servers.
> Could it work?
>



I tested it by playing with iptables using 2 hosts. nuvola is the web server
and the NAT for my desktop PC. yoda plays a fake balancer (in this example
it only redirects and forwards the HTTP requests to nuvola).

pc desktop (eth0 4.4.4.4) - (eth0 3.3.3.3) nuvola (eth1 2.2.2.2) - internet - (eth0 1.1.1.1) yoda

nuvola> iptables -A FORWARD -i eth0 -o eth1 -s 4.4.4.4 -j ACCEPT
nuvola> iptables -t nat -A POSTROUTING -s 4.4.4.4 -j SNAT --to 2.2.2.2
# these rules NAT the desktop PC to the Internet
nuvola> iptables -A INPUT -s 1.1.1.1 -p tcp --dport 80 -j ACCEPT
# this enables the web services for yoda
yoda> iptables -t nat -A PREROUTING -s 2.2.2.2 -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 2.2.2.2
yoda> iptables -A FORWARD -s 2.2.2.2 -d 2.2.2.2 -j ACCEPT
# this enables yoda to redirect the HTTP request
yoda> iptables -t nat -A POSTROUTING -s 2.2.2.2 -d 2.2.2.2 -p tcp --dport 80 -j SNAT --to 1.1.1.1
# this is because my desktop PC is NATed by nuvola and I don't want
# another PC for this game.

When the browser sends a request for the URL http://1.1.1.1/mysite, after
the packet's boomerang trip nuvola sends the session id in the HTTP
header to the browser
(I've used the default values for the domain and path of the session
cookie).
Checking the cookie values saved on the desktop PC, the domain is 1.1.1.1 and
the path is /. This is funny because Netscape's cookie reference states:
The default value of domain is the host name of the server which
generated the cookie response.

However, this enables the cookie in a load balancing environment based on NAT
rules.
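
The observation in the post above can be reproduced offline with Python's standard http.cookiejar acting as the client (an added example, not code from the thread): a cookie sent without Domain or Path is stored under the host the client addressed, here the balancer 1.1.1.1, so it is returned on every request to the balancer and not on a direct request to the real server 2.2.2.2. The FakeResponse helper, the function name and the session id are constructed for the illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs info() for headers."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_through_balancer(first_url, set_cookie, later_urls):
    """Store a cookie received for first_url, then see which later URLs get it.

    Returns (stored, sent): stored lists (domain, path, domain_specified) per
    cookie; sent maps each later URL to the Cookie header value or None.
    """
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(first_url))
    stored = [(c.domain, c.path, c.domain_specified) for c in jar]
    sent = {}
    for url in later_urls:
        request = urllib.request.Request(url)
        jar.add_cookie_header(request)  # adds a Cookie header only if one matches
        sent[url] = request.get_header("Cookie")
    return stored, sent


if __name__ == "__main__":
    # Constructed session id; the addresses are the ones used in the post above.
    stored, sent = cookie_through_balancer(
        "http://1.1.1.1/mysite",
        "PHPSESSID=constructed0123456789",  # no Domain= or Path= attribute
        ["http://1.1.1.1/mysite/page.php", "http://2.2.2.2/mysite/page.php"],
    )
    print(stored)
    print(sent)
```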





 