HTTP load balancing and web server logs

theletterz
Level 1

I just configured two web servers behind a CSS11501 box to box cluster.

Both web servers have two interfaces active; the secondary interface on both is on a private 192.168.1.0/25 network, so they are on the CSS's LAN.

What is a bit of an issue to us is that before the web servers were placed behind the CSSs, we logged the src IP address of every host that was pulling a web page, but now all we see in the web logs is the VIP address of the CSS.

Is there any way to get around this problem? AFAIK the CSS obviously can't "spoof" the source IP address because of routing issues; at least it would be an internal routing issue, since the default route for both web servers is on the primary NIC and not the CSS LAN NIC.

This is pretty much uncharted territory for me, so even if the solution to this is not on a CSS level, all help and tips are greatly appreciated.

--

Regards

Stig Bull

6 Replies

Gilles Dufour
Cisco Employee

Stig,

this is a common issue for people who start using load balancers - not just the CSS.

As you indicated, the problem comes from your design with 2 NICs, forcing you to use client NAT on the CSS.

Unfortunately the only solution is to fix the design and stop client NAT, or collect statistics in front of the CSS with another device.

The CSS can't collect statistics about incoming clients.

Regards,

Gilles.

Okay, can you please explain this to me as if I was 6 years old. :-)

Is there any way I can avoid NATing in my scenario?

We have N number of servers on our public IP range and an LDIR416 which is being replaced by the new CSS box. However, as the 416 uses IP addresses from the same IP range on both its WAN and LAN interfaces, I was unable to use the same range on the CSS, which is why I had to use a secondary NIC with a private IP range for the CSS LAN (the CSS just wouldn't let me do so; I unfortunately forgot the error message).

Correct me if I'm wrong, but this is the case with the CSS, yes?

The only workaround *I* (with my minimal knowledge of content networking and load balancers) can see is to further break up and subnet our public IP range, but doing so introduces a lot of hassle and reconfiguration, as well as losing valuable IP addresses for network and broadcast.

But the bottom line is, how can I avoid NATing on our CSS? By still using the private LAN network but letting the default gateway and route for all servers behind the CSS use the CSS itself?

--

Regards

Stig Bull

Hi Stig,

in regard to your first question (secondary address on a CSS) you are right. This is not supported. Nor is it supported to use the same IP address space in two different circuits (same as with Cisco IOS, except that IOS offers the IP-unnumbered thingy).

The perfect setup would be to place the CSS in line, put the servers behind the CSS in a new address space (may be a private one) and have the CSS be the default gateway of the servers. This avoids client NAT and secures the servers from being accessed directly. If you want to have them accessed, just route the new network to the CSS and here you go. If you need one of these servers accessed directly from the internet, just use destination NAT on the firewall or internet router.

To be complete, but not applicable in your case as you already bought the CSSes, there is the possibility to use a CSM, having a setup either in bridged mode or with client NAT. In case of client NAT, just insert an HTTP header value like the X-FORWARDED-FOR one (proxies do this to keep the original IP address somewhere) in the HTTP request and let the server have a look at this to gather the original IP address.

Regards,

Joerg Foerster
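
The X-FORWARDED-FOR approach above only restores useful logs if the web server believes the header solely on connections that arrive from the load balancer's client-NAT address; otherwise any client can write a fake address into its own logs. The following is an added example (not code from the thread or from Cisco) showing how a web server could recover the client address for logging; the trusted NAT address 192.168.1.4 and the sample requests are constructed assumptions.

```python
"""Recover the real client IP behind a client-NATing load balancer (added example).

Assumes the load balancer appends the original client address to
X-Forwarded-For and that the web server trusts the header only when the
TCP peer is the load balancer's client-NAT address (hypothetical value below).
"""
import ipaddress

# Constructed: the CSS's server-side LAN address is the only peer whose
# X-Forwarded-For header the web server believes.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.4")}


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For right to left, skipping trusted proxies.

    The rightmost address not in the trusted set was added by a trusted device
    and is the best evidence of the real client.  Anything further left was
    supplied by the client itself (or untrusted hops) and is not believed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        # Connection did not come through the load balancer: ignore the header.
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop believing the header, log what we saw.
            return str(peer)
        if addr not in trusted:
            return str(addr)
    # Header absent or every hop was a trusted proxy: fall back to the peer.
    return str(peer)


def log_line(remote_addr, xff_header, request_line, status):
    """Build a Common Log Format style line with the recovered client IP first."""
    return f'{client_ip(remote_addr, xff_header)} - - "{request_line}" {status}'


if __name__ == "__main__":
    # Constructed requests as the web server would see them behind the CSS.
    print(log_line("192.168.1.4", "203.0.113.7", "GET / HTTP/1.1", 200))
    # The client pre-filled the header; only the hop the CSS added is believed.
    print(log_line("192.168.1.4", "10.9.9.9, 203.0.113.7", "GET /x HTTP/1.1", 404))
    # A request that bypassed the CSS: the header is ignored entirely.
    print(log_line("192.168.10.77", "203.0.113.7", "GET / HTTP/1.1", 200))
```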

Thank you for clearing things up, Joerg, just one last question:

Does this mean that I don't need to advertise these networks at all (as in setting up routing on firewalls/routers), since the servers are behind the CSS and the CSS is the only one that's supposed to know of this net?

--

Regards,

Stig Bull

Stig,

if you replace an LDIR with a CSS, all you have to do is create a single VLAN, using a single IP range, and have all your interfaces in the same circuit VLAN.

If your CSS inside and outside interfaces are connected to the same switch, you keep them in the same circuit VLAN on the CSS, and on the switch you create 2 VLANs.

The CSS will act as a bridge between the 2.

You can then connect the router to 1 VLAN and your servers to the other VLAN.

The servers use the router as the default gateway.

They should learn the MAC address of the router through the CSS.

Replacing a LDIR with a CSS should be a simple operation.

Let me know if you have more questions.

Regards,

Gilles.

Thanks Gilles (took some time to get back to this issue because of vacation and other rushed assignments at work).

I do have a question, say VLAN1 which is the CSS WAN interface has address 192.168.10.5/24.

VLAN2 which is the CSS LAN is 192.168.1.4/24.

Can I do the following:

Create 2 VLANs, one for the public LAN which the CSS WAN interface is on and a CSS VLAN where I put the servers.

Put the servers which have two NICs configured on the CSS VLAN, even if one NIC is on the 192.168.10.0 network.

Put other servers which have two NICs configured, but where the secondary NIC is on the 192.168.1.0 segment and the primary is on a 192.168.20.0 segment.

AND have the CSS act as a bridge?

As long as 192.168.20.2 is on the CSS VLAN and its gateway is 192.168.20.1, the traffic should still flow through the CSS with no problems?

Can I do this "out of the box" or will I have to reconfigure the CSS in any way?
