Redundant Pounds vs. Listeners
Björn Keil <abgrund(at)silberdrache.net>
2008-04-25 15:16:53
Hello,

I am working on a setup to replace our current DNS load balancing with
Pound.

The tests work fine so far, but I don't get the redundancy right as I
had it with the Apache servers. I have three webservers, each should
have one pound running, but only one currently being in use. I am using
wackamole to ensure that, should host #1 fail, one of the two other
hosts would take over.

The problem that arises is that I need to reserve IP addresses that I
don't have by the time pound starts.

With Apache that's not a problem. I just make excessive use of IP based
virtual hosts, and listen to all interfaces.
Is there any way to have a setup as in Apache:

Listen 443
NameVirtualhost 1.0.0.1:443
<VirtualHost 10.0.0.1:443>
...
</VirtualHost>
NameVirtualhost 1.0.0.2:443
<VirtualHost 10.0.0.2:443>
...
</VirtualHost>

Meaning it *listens* on all interfaces, including dynamically assigned
IP addresses, but it *handles* only those defined in the given virtual
hosts. The setup above would work even if the IP address 10.0.0.2 was
assigned to a different host as the apache starts up. From what I can
see there is no global option in pound to have it listen to all
interfaces, no matter what is later defined in the listeners (which
would correspond with IP based virtual hosts)...

(Btw.: The readme says that https wouldn't allow virtual hosts. I know
how it is meant, but it is not correct as stated. https DOES allow IP
based virtual hosts. It just does not allow name based virtual hosts.)

Or does anyone know a smart way to switch IP addresses dynamically so
that either pound is started upon switching, or the addresses are
forwarded to some static addresses?

Thanks for help
Björn

RE: [Pound Mailing List] Redundant Pounds vs. Listeners
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-04-25 15:57:21
Does:

 ListenHTTP
   Address 0.0.0.0
   Port 80
   ...
 End

do anything for you? I believe 0.0.0.0 means listen on all interfaces.

--Alfonso


Re: [Pound Mailing List] Redundant Pounds vs. Listeners
Björn Keil <abgrund(at)silberdrache.net>
2008-04-25 18:26:24
Right, but then I couldn't treat the different interfaces differently
anymore, because this branch would catch all http(s) calls.

Alfonso Espitia wrote: [...]


Re: [Pound Mailing List] Redundant Pounds vs. Listeners
Björn Keil <abgrund(at)silberdrache.net>
2008-04-25 21:08:59
Maybe I was not clear enough, or the hen/egg problem with SSL
certificates and SSL requests is not well enough known.

Example:

MUTUAL EXCLUSION HTTPS / DYNAMIC IP

You have 2 sites and three hosts.
###############################################
# Excerpts from two "bind" DNS zone files
###############################################
secure.example.de.	86400	IN A 172.16.1.1
secure.example.de.	86400	IN A 172.16.1.2
secure.example.de.	86400	IN A 172.16.1.3
secure.example.ch.	86400	IN A 172.16.2.1
secure.example.ch.	86400	IN A 172.16.2.2
secure.example.ch.	86400	IN A 172.16.2.3

Every site has two addresses because the example company used DNS
load balancing. You have 2 servers, with the following Apache settings:

#################################
# Example apache2.conf (excerpt)
#################################
Listen 443
<VirtualHost 172.16.1.1:443>
	DocumentRoot /var/www/de/
	SSLEngine on
	SSLCertificateFile    secure.example.de.crt
	SSLCertificateKeyFile secure.example.de.key
	SSLCACertificateFile  ca.crt
</VirtualHost>
<VirtualHost 172.16.1.2:443>
	DocumentRoot /var/www/de/
	SSLEngine on
	SSLCertificateFile    secure.example.de.crt
	SSLCertificateKeyFile secure.example.de.key
	SSLCACertificateFile  ca.crt
</VirtualHost>
<VirtualHost 172.16.1.3:443>
	DocumentRoot /var/www/de/
	SSLEngine on
	SSLCertificateFile    secure.example.de.crt
	SSLCertificateKeyFile secure.example.de.key
	SSLCACertificateFile  ca.crt
</VirtualHost>
<VirtualHost 172.16.2.1:443>
	DocumentRoot /var/www/de/
	SSLEngine on
	SSLCertificateFile    secure.example.ch.crt
	SSLCertificateKeyFile secure.example.ch.key
	SSLCACertificateFile  ca.crt
</VirtualHost>
(...)

All three Apaches on the three hosts are identical, despite the fact that
they have only a third of the IP addresses they're configured for during
normal operation.

Now Pound comes into play.
If we made it like:

##############################
# Example pound.conf (excerpt)
##############################
ListenHTTPS
	Address 0.0.0.0
	Port 443
	Cert secure.example.de.key-chain.pem
	CAlist ca.crt
	Service
		...
	End
End

This would not work. Pound would show the client the SSL certificate for
secure.example.de even if the client wanted to connect to
secure.example.ch, and the client would reject the connection. We have
only the data from the TCP and IP headers at this point: source and
destination port and address. We do not have any http content such as a
GET statement or a Host header, since those are only transferred *after*
the SSL connection has been established.

And that's the hen/egg problem. We cannot transfer headers without
having established an SSL connection. We cannot establish an SSL
connection without knowing which certificate to use, for which we would
need the HTTP headers.

(Unless the user overrules the browser's warning of a faulty certificate;
however, both IE7 and Firefox 3 are very, very clear about assuming a
faulty certificate to be a fraud.)

Thus we have to do it like this:

##############################
# Example pound.conf (excerpt)
##############################
# Pound takes exactly one Address per listener, so each IP gets its own block.
ListenHTTPS
	Address 172.16.1.1
	Port 443
	Cert secure.example.de.key-chain.pem
	CAlist ca.crt
	Service
		...
	End
End
ListenHTTPS
	Address 172.16.1.2
	Port 443
	Cert secure.example.de.key-chain.pem
	CAlist ca.crt
	Service
		...
	End
End
ListenHTTPS
	Address 172.16.2.1
	Port 443
	Cert secure.example.ch.key-chain.pem
	CAlist ca.crt
	Service
		...
	End
End
ListenHTTPS
	Address 172.16.2.2
	Port 443
	Cert secure.example.ch.key-chain.pem
	CAlist ca.crt
	Service
		...
	End
End
...

This does work indeed. But now we have another problem. We still have
hosts running as http backends. But we only have one pound. Pound doesn't
cause heavy load on the server, so it can still run both Apache and
pound, with the backend given a little less priority to compensate for
the heavier load due to the https decryption (which is still minimal
compared to what PHP does on the webservers).

Should host #2 fail, everything would be alright. But if host #1 fails,
everything fails. And host #1 is a heavy-duty webserver, hosting a very
complex service. It is not unlikely to fail.

So we do the same as we did with DNS load balancing: use "wackamole" to
share the IP addresses in question. In the DNS load balancing system,
wackamole would give the IP addresses ending in 2 to host #2 and the
IP addresses ending in 1 to host #1, and so on. If one host failed,
one of the other hosts would get the failing host's IP addresses too,
and continue to run the site without it.

Prefer { eth0:172.16.1.1/12 eth0:172.16.2.1/12 }
VirtualInterfaces {
#        # two packs of two IP addresses to be shared
        { eth0:172.16.1.1/12 eth0:172.16.2.1/12 }
        { eth0:172.16.1.2/12 eth0:172.16.2.2/12 }
}


With pound it's just slightly different. One host gets all IP addresses,
and if that one host fails the other one gets them. If host #1 fails,
host #2 gets all the IP addresses and continues to run the site.

VirtualInterfaces {
#       # A single pack of four IP addresses to be shared
        { eth0:172.16.1.1/12 eth0:172.16.2.1/12
          eth0:172.16.1.2/12 eth0:172.16.2.2/12 }
}

And that's where the problem starts, from where I see it. Because the
pound service on host #2 (and host #3) would have to listen on IP
addresses it doesn't have by the time the service is started up in order
to do so. Unless it listens on all interfaces, which is something it can
always do. But pound can only listen on all interfaces if all interfaces
need the same SSL certificate, which they don't; and that's a
disadvantage that Apache does not have.

Unless I overlooked something or got something wrong. And that's where
you folks whom I asked for help come in. :)


Alfonso Espitia wrote: [...]
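As an added example (not part of the thread or of Pound itself), the following Python models the two constraints Björn describes: a listener bound to a specific Address cannot be bound on a host that does not hold that address yet, while a 0.0.0.0 listener binds everywhere but can present only one certificate, chosen from destination IP and port alone. The pound.conf excerpts are constructed for this example and assume Pound's one-Address-per-listener syntax; the parser is not Pound's own.

```python
# Constructed pound.conf excerpts for this example (not the poster's real configuration).
PER_IP_CONF = """\
ListenHTTPS
    Address 172.16.1.1
    Port 443
    Cert secure.example.de.key-chain.pem
    Service
        BackEnd
            Address 127.0.0.1
            Port 80
        End
    End
End
ListenHTTPS
    Address 172.16.2.1
    Port 443
    Cert secure.example.ch.key-chain.pem
End
"""
CATCH_ALL_CONF = "ListenHTTPS\n  Address 0.0.0.0\n  Port 443\n  Cert secure.example.de.key-chain.pem\nEnd\n"

def parse_listeners(conf):
    """Return [(address, port, cert)] per ListenHTTP(S) block; nested Service/BackEnd
    blocks are skipped so a BackEnd Address is not mistaken for the listener's own."""
    listeners, cur, depth = [], None, 0
    for line in (raw.strip() for raw in conf.splitlines()):
        if cur is None:
            cur = {} if line.startswith("ListenHTTP") else None
        elif line.split()[:1] in (["Service"], ["BackEnd"]):
            depth += 1
        elif line == "End" and depth:
            depth -= 1
        elif line == "End":
            listeners.append((cur["Address"], int(cur["Port"]), cur.get("Cert")))
            cur = None
        elif depth == 0 and line:
            key, _, val = line.partition(" ")
            cur[key] = val.strip()
    return listeners

def unbindable(listeners, owned):
    # Addresses not on this host yet (still held by another wackamole node) cannot be bound.
    return [l for l in listeners if l[0] != "0.0.0.0" and l[0] not in owned]

def cert_for(listeners, dst_ip, dst_port=443):
    # Before the TLS handshake only the TCP/IP destination is known, so the certificate
    # is fixed per listener: an exact Address match first, else the 0.0.0.0 catch-all.
    for addr, port, cert in listeners:
        if addr == dst_ip and port == dst_port:
            return cert
    return next((c for a, p, c in listeners if a == "0.0.0.0" and p == dst_port), None)
```

Run against the catch-all excerpt, `unbindable` is empty on every host but `cert_for` hands the secure.example.de certificate to a client connecting to 172.16.2.1; against the per-IP excerpt the certificates are right but the listener for an address the host does not own yet shows up as unbindable.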

Re: [Pound Mailing List] Redundant Pounds vs. Listeners
Jacques Caron <jc(at)oxado.com>
2008-04-29 15:48:47
Hi,

One option you might want to consider:
- set up your pound IP addresses as aliases on the loopback 
interfaces (on both boxes). Ideally /32s *not* in the subnet used on the LAN
- advertise those addresses via RIP (with distance=1 on the primary, 
distance=2 on the backup). This can be done with a few lines of perl, 
I can provide the script if you want
- have your router listen to RIP advertisements
- tweak RIP timers to get the desired failover reactivity

This works pretty well when the issue is the box going down, and it's 
quite easy to make sure the RIP advertiser sends a poisoned update on 
any condition you want (it would be pound going down in this case).

Another way to do it is to use a failover system which keeps the 
interfaces/IPs on the system even if in backup position (with the 
interface down), like CARP does on the *BSDs.

Yet another option is to start pound whenever a host becomes primary?

Probably the best option would be to patch pound so that it binds to 
all interfaces (you would need to use a different port for your 
backends, obviously), but uses a different cert for each IP. Given 
the current structure it might not be a trivial change though.

Jacques.

At 21:08 25/04/2008, Björn Keil wrote:[...]
