
Example Analysis of load balancing configuration of Web Server in pfSense book

2025-01-28 Update From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/01 Report--

This article walks through the pfSense book's worked example of Web server load balancing. Many people new to pfSense are unsure how the server load balancer fits together, so the steps below are explained in detail; follow along if you need it.

pfSense has two kinds of load balancing: gateway load balancing and server load balancing. Gateway load balancing distributes Internet-bound traffic across multiple WAN connections. Server load balancing handles incoming traffic, spreading it over multiple internal servers for load distribution and redundancy; it is most commonly used in front of Web servers and SMTP servers. The example below shows how server load balancing is set up.

The following describes how to configure load balancing for a Web server in pfSense 2.3.2.

Network environment

The figure above (not reproduced here) shows the example network: a single firewall, whose WAN IP address is used for the virtual server, and two Web servers on the DMZ segment.

Configure the address pool

Navigate to Services > Load Balancer

Click the Pools tab

Click to add a new address pool

Use the following settings as shown in the figure:

Name: WebServers
Mode: Load Balance
Description: Web server Pool
Port: 80
Retry: 5
Pool Members: add the two Web servers (10.6.0.11 and 10.6.0.12)

Click Save

Address pool configuration

Configure a virtual server

Virtual server configuration

Click the Virtual Servers tab

Click to add a new virtual server

Use the following settings as shown in the figure:

Name: WebVirtualServer
Description: Web Server
IP Address: the firewall's WAN IP address, 198.51.100.6
Port: 80
Virtual Server Pool: WebServers
Fall Back Pool: None

Click Submit (submit)

Click Apply Changes (apply changes)

Note: in this example, if both pool servers are down the virtual server becomes unreachable. If no Fall Back Pool is configured, connections to the virtual server address then fall through to whatever is bound to port 80 on the firewall itself, and the client reaches that application directly. That can include the built-in Web GUI if it still listens on port 80, so disable it or move it to another port on the System > Advanced > Admin Access tab.
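The pool and virtual server above are, underneath the GUI, a relayd configuration. The following is an added example, not text from the pfSense book and not the file pfSense itself generates: a small shell function that emits the equivalent relayd.conf for the page's pool (WebServers, members 10.6.0.11 and 10.6.0.12, retry 5) and virtual server (198.51.100.6:80), with the monitor type and the sticky-connections option switchable so the effect of each GUI choice on the daemon's configuration is visible. The check interval value is an assumption; pfSense writes its own version of this file on the firewall (under /var/etc, an assumed path) and starts relayd with it.

```shell
#!/bin/sh
# Added example: relayd.conf equivalent of the pfSense pool and virtual server above.
# Not the file pfSense generates; values are the page's example addresses.
POOL="WebServers"
VSERVER="WebVirtualServer"
VIP="198.51.100.6"
VPORT="80"
MEMBERS="10.6.0.11 10.6.0.12"
RETRY="5"

# relayd_conf MONITOR [sticky]
#   MONITOR: icmp -> a member stays "up" while it answers ping (its Web service may be dead)
#            tcp  -> a member is "up" only while the port accepts a TCP connection
#   sticky : pin each client source address to one member (GUI "Sticky Connections")
relayd_conf() {
  monitor="${1:-icmp}"
  sticky="${2:-}"
  hosts=""
  for m in $MEMBERS; do
    # per-host retry: number of failed checks before relayd marks the host down
    hosts="${hosts}${hosts:+, }${m} retry ${RETRY}"
  done
  printf 'interval 5\n\n'                                   # check interval in seconds (assumed)
  printf 'table <%s> { %s }\n\n' "$POOL" "$hosts"
  printf 'redirect %s {\n' "$VSERVER"
  printf '\tlisten on %s port %s\n' "$VIP" "$VPORT"
  if [ "$sticky" = "sticky" ]; then
    printf '\tsticky-address\n'
  fi
  printf '\tforward to <%s> port %s check %s\n' "$POOL" "$VPORT" "$monitor"
  printf '}\n'
}

# Stand-alone use: write the file and let relayd check the syntax without starting (-n):
#   relayd_conf tcp > /tmp/relayd.conf && relayd -n -f /tmp/relayd.conf
```

A second `forward to <OtherPool>` line inside the redirect block is how relayd expresses a Fall Back Pool; it is left out here because the example sets that option to None.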

Configure firewall rules

Firewall rules must be configured to allow traffic to the servers in the pool. The rules must match the internal IP addresses and port of the pool members, not the external IP address and port used in the virtual server configuration: relayd redirects the connection to a pool member before the firewall rules are evaluated, so a rule for the external address would never match.

Create an alias containing all the servers in the pool, so that a single firewall rule can cover them.

Navigate to Firewall > Aliases

Click to add an alias

Use the following settings as shown in the figure:

Name: www_servers
Type: Host(s)
Hosts: the two Web server IP addresses, 10.6.0.11 and 10.6.0.12

Click Save

Click Apply Changes (apply changes)

The figure shows the alias used in this sample configuration, containing the two Web servers.

Web server alias settings

Next, create a firewall rule that uses this alias: navigate to Firewall > Rules, switch to the interface on which external connections arrive (such as WAN), click to add a new rule at the top, and set the following:

Interface: WAN
Protocol: TCP
Source: any
Destination Type: Single Host or Alias
Destination Address: www_servers
Destination Port Range: HTTP
Description: Allow to Web Server

Click Save

Click Apply Changes (apply changes)

The following figure shows the firewall rule for the Web servers; options not shown keep their default values.

Add firewall rules to the Web server

The rule as it appears in the rule list.

Web Server Firewall rules

View load balancing status

With the load balancer configured, its status can be checked under Status > Load Balancer on the Virtual Servers tab. This page shows the state of each virtual server as a whole, normally listed as "Active" or "Down".

The Pools tab shows the individual status of each pool member, as in the following figure: a server that is online is shown in green, one that is offline in red.

Each server in the pool also has a check box. A checked server is active in the pool; an unchecked server is disabled, which is the same as moving it between the enabled and disabled lists on the pool edit page. To disable a server, uncheck it and click Save.

If the Web service is stopped on one of the servers (which a TCP monitor detects), or the server disappears from the network entirely (which an ICMP monitor detects), its status is updated to offline and it is removed from the pool.

Verify load balancing

To verify load balancing, curl is the best tool, because it rules out the Web browser caching and persistent connections that would otherwise skew the test. Curl is available for most operating systems and can be downloaded from the official curl website. To use it, simply run:

curl http://mysite

Replace mysite with the IP address or hostname of the site. The test must be run from outside the network (for example, from a remote network or a client on the WAN side). Testing from the public Internet against the example virtual server looks like this:

# curl http://198.51.100.6
This is server www2 - 10.6.0.12
# curl http://198.51.100.6
This is server www1 - 10.6.0.11

When testing, set each server to return a page that identifies it by hostname, IP address, or both, so it is clear which server answered each request. Unless sticky connections are enabled, successive requests are answered by different servers.
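The single curl calls above are enough to see two different backends, but a practitioner usually wants to know the actual split across a run of requests. The following shell script is an added example, not part of the pfSense book: it sends a fresh curl process per request (so no browser cache or reused persistent connection is involved), records the first line of each response, and tallies how many times each backend answered. It assumes, as the page does, that each server's page identifies it ("This is server www1 - 10.6.0.11"); the virtual server address on the command line is the page's example WAN IP, and a script name of check_lb.sh is assumed for the usage line.

```shell
#!/bin/sh
# Added example: count which pool member answers each request to the virtual server.
# Run from a client outside the network (WAN side); not code from the pfSense book.

# probe_vip VIP [COUNT]: one request per line, first line of each response body
probe_vip() {
  vip="$1"
  count="${2:-10}"
  i=0
  while [ "$i" -lt "$count" ]; do
    # --max-time bounds a hung backend; a failed request is recorded as ERROR
    body=$(curl -s --max-time 5 "http://$vip/") || body="ERROR"
    printf '%s\n' "$body" | head -n 1
    i=$((i + 1))
  done
}

# tally_backends: stdin = response lines; prints "<count> <response>" per distinct responder,
# most frequent first
tally_backends() {
  sort | uniq -c | sort -rn | sed 's/^ *//'
}

# distinct_backends: number of different responders seen; 1 means no balancing was observed
distinct_backends() {
  sort -u | awk 'NF { n++ } END { print n + 0 }'
}

# Stand-alone use:  sh check_lb.sh 198.51.100.6 20
if [ "$#" -ge 1 ]; then
  responses=$(probe_vip "$1" "${2:-10}")
  printf '%s\n' "$responses" | tally_backends
  n=$(printf '%s\n' "$responses" | distinct_backends)
  if [ "$n" -lt 2 ]; then
    echo "only $n responder seen: check sticky connections, caching, or a down pool member" >&2
    exit 1
  fi
fi
```

If sticky connections are enabled, a run like this from one client will legitimately show a single responder; repeat it from a second source address before concluding that balancing is broken.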

Troubleshooting

Cannot connect to load balancing

Failure to connect to a load balancer is usually caused by an unsuitable test method, and this is especially true for HTTP. Web browsers keep a persistent connection open to the Web server, and clicking Refresh reuses that existing connection; a single connection is never moved to another balanced server. Another common problem is the browser cache: the browser serves the page from cache and never actually fetches it again. It is best to test with a command-line tool such as curl, which is not affected by either problem: curl has no cache and opens a new connection to the server each time it runs.

If sticky connections are enabled, be sure to test from multiple source IP addresses. Tests from a single source IP address will land on a single server unless a long time elapses between connection attempts.

Shutting down the server is not marked offline

If a server is down but not marked offline, it is because the monitor check run by the load balancing daemon still succeeds. With a TCP monitor, the TCP port must still be accepting connections; a service can be broken in many ways while its port still completes a TCP handshake. With an ICMP monitor the problem is worse, because a server can hang or fail with no service listening at all and still answer ping.

The online server is not marked online

If a server is online but not marked online, it is because from the point of view of the load balancing daemon's monitor it is not: the server must answer a ping, or accept a connection on the monitored TCP port, coming from the IP address of the firewall interface closest to the server.

For example, if the server is on LAN, it must answer requests that originate from the firewall's LAN IP address. To verify an ICMP monitor, navigate to Diagnostics > Ping, choose the interface the server sits behind as the source, and ping the server's IP address.

For a TCP monitor, use Diagnostics > Test Port with the firewall's LAN interface as the source and the Web server's IP address and port as the destination.

Another test method is to use the firewall's shell prompt (console or SSH menu option 8) and the nc command:

# nc -vz 10.6.0.12 80
nc: connect to 10.6.0.12 port 80 (tcp) failed: Operation timed out

The above is an example of a failure.

Here is an example of a successful connection:

# nc -vz 10.6.0.12 80
Connection to 10.6.0.12 80 port [tcp/http] succeeded!

If the connection fails, do further troubleshooting on the Web server.
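The nc test above originates from whatever address the firewall picks by default, whereas the monitor's verdict depends on the probe coming from the interface facing the server. The following is an added example, not from the pfSense book, for the firewall shell (console or SSH option 8): it forces both probe types to use the server-side interface address and reports what an ICMP monitor and a TCP monitor would each conclude, which is the distinction the two troubleshooting cases above turn on. It uses FreeBSD syntax (ping -S and nc -s to set the source address, ping -W in milliseconds), since pfSense is FreeBSD-based; the firewall's DMZ-side address 10.6.0.1 on the usage line is an assumption, the member addresses are the page's.

```shell
#!/bin/sh
# Added example: probe pool members from the firewall the way each relayd monitor does.
# FreeBSD (pfSense) command syntax; not code from the pfSense book.

# icmp_check SRC HOST: succeeds if one ping sent from SRC is answered within 1 s
icmp_check() {
  ping -S "$1" -c 1 -W 1000 "$2" >/dev/null 2>&1   # -W is milliseconds on FreeBSD
}

# tcp_check SRC HOST PORT: succeeds if a TCP connect from SRC completes within 2 s
tcp_check() {
  nc -s "$1" -z -w 2 "$2" "$3" >/dev/null 2>&1
}

# verdict ICMP_RC TCP_RC: what each monitor type would decide from the two results
verdict() {
  case "$1:$2" in
    0:0) echo "up under both monitors" ;;
    0:*) echo "ICMP monitor: up, TCP monitor: down (host answers ping, service not listening)" ;;
    *:0) echo "ICMP monitor: down, TCP monitor: up (ping blocked or unanswered, port open)" ;;
    *)   echo "down under both monitors" ;;
  esac
}

# probe_member SRC HOST PORT: run both checks and print the combined verdict
probe_member() {
  if icmp_check "$1" "$2"; then i=0; else i=1; fi
  if tcp_check "$1" "$2" "$3"; then t=0; else t=1; fi
  printf '%s port %s: %s\n' "$2" "$3" "$(verdict "$i" "$t")"
}

# Stand-alone use:  sh probe_pool.sh 10.6.0.1     (firewall address on the servers' segment)
if [ "$#" -ge 1 ]; then
  for host in 10.6.0.11 10.6.0.12; do
    probe_member "$1" "$host" 80
  done
fi
```

The second verdict line is the case from "Shutting down the server is not marked offline": a host that answers ping with its Web service dead stays in the pool under an ICMP monitor, and only a TCP monitor takes it out.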

Clients in the same subnet as pool server cannot access virtual server

Client systems on the same subnet as the pool servers cannot connect correctly through this load balancing method. Relayd forwards the connection to the Web server with the client's original source address, so the server replies directly to the client. If the server has a direct path to the client, for example an interface on the same subnet, the reply does not pass back through the firewall, and the client receives it from the server's own IP address rather than from the virtual server address it connected to. Because that source address does not match the connection the client opened, the client discards the reply as invalid.

One workaround is to switch to manual outbound NAT and add an outbound NAT rule on the inside interface (LAN) that translates traffic from the LAN subnet to the Web servers to the LAN interface address. The traffic then appears to originate from the firewall, the server replies to the firewall, and relayd forwards the reply back to the client as expected. The original client source IP address is lost in the process, so the better solution is to move the servers to a different network segment.
