Forum OpenACS Q&A: Using Pound for loadbalancing on three Public IPs

I am thinking about using the Pound reverse proxy for load balancing our three public IP gateways, each provided by a separate ISP, instead of in its usual role as a load balancer for web servers. Our scenario is as given below:

We have three public IP gateways and all traffic goes through these gateways. We have grouped the internal computers into three groups, and each group uses one gateway. In case of gateway failure we manually, or using a script, change the gateway of that group to one of the two remaining working gateways.

1) 63.34.54.67
2) 56.34.67.23
3) 62.45.67.34

We use browsers, RDP and chat clients to communicate with outside clients. The problem with manual resetting of gateways is that all existing RDP and HTTPS sessions need to be restarted each time. So now we plan to use the Pound reverse proxy, which will detect and reroute existing sessions in case of failure of any of the IPs in the IP pool. Normally Pound is used to distribute traffic coming in on one public IP to a group of private IPs on which the web servers run in the company. But we plan to configure it in reverse, i.e. it will listen on one private IP and distribute the load over a group of public IPs (our three gateways).

The sample configuration, just for HTTP traffic, is as follows:

# One listener, one Service, three BackEnds. Pound balances across all the
# BackEnds of a Service and skips any that its periodic check finds dead.
# Three separate single-BackEnd Services would not do this: the first Service
# matches every request, so the other two would never be used.
Alive 30

ListenHTTP
    Address 192.168.0.10
    Port 80

    Service
        BackEnd
            Address 63.34.54.67
            Port 80
        End
        BackEnd
            Address 56.34.67.23
            Port 80
        End
        BackEnd
            Address 62.45.67.34
            Port 80
        End
    End
End

Could you please tell me if I can use such a configuration on Pound or on any other reverse proxy server? Please help. Any other solutions for the above problem without using a proxy are also appreciated.

Posted by Gustaf Neumann on
If I understand correctly, you want to run a "reverse" reverse proxy configuration (i.e. a fail-safe proxy configuration). In the HTTP case, when your internal clients connect to 192.168.0.10:80, they will be redirected to some random provider server on port 80. But what happens there? Most probably, your internal clients will see one of the three providers' home pages at random, which is not what you want.

It should be possible to configure Pound as an ordinary proxy in your clients and let Pound connect to one of the proxies of the three providers (most likely on a port different from 80). This could work, but we use Pound only in the true reverse case.

Not sure if this helps.
-gustaf

Posted by Vinod VB on
Thank you, Gustaf Neumann. Your reply was really helpful, and based on it I redesigned my network configuration for fail-safe operation using Pound and Squid, as given below.

Public IPs (gateways from three different ISPs)

1) 63.34.54.67
2) 56.34.67.23
3) 62.45.67.34

I configure Squid on each gateway server as a proxy.

SERVER1: NIC1 - 63.34.54.67, NIC2 - 192.168.0.10; Squid listens on 192.168.0.10:8080 and uses public IP 63.34.54.67.

SERVER2: NIC1 - 56.34.67.23, NIC2 - 192.168.0.20; Squid listens on 192.168.0.20:8080 and uses public IP 56.34.67.23.

SERVER3: NIC1 - 62.45.67.34, NIC2 - 192.168.0.30; Squid listens on 192.168.0.30:8080 and uses public IP 62.45.67.34.

Now I configure Pound on SERVER4, IP 192.168.0.40, and all clients connect to that IP, 192.168.0.40.

# One listener, one Service, three BackEnds (the three Squid proxies). Pound
# balances across all BackEnds of a Service and skips any that its periodic
# check finds dead. With three single-BackEnd Services the first Service would
# match every request and the other two gateways would never be used.
Alive 30

ListenHTTP
    Address 192.168.0.40
    Port 80

    Service
        BackEnd
            Address 192.168.0.10
            Port 8080
        End
        BackEnd
            Address 192.168.0.20
            Port 8080
        End
        BackEnd
            Address 192.168.0.30
            Port 8080
        End
    End
End

Do you think it is a workable configuration? Will it keep all connections from clients to the Internet, including SSL and RDP sessions, alive even if the gateway through which a connection is currently routed fails? Please help.

I am sure that you can do it as listed above; however, is there a reason that you have not set up BGP and advertised your own block of IP addresses?

This would let you have instant failover of ALL TCP/IP sessions of any kind.

Posted by Vinod VB on
Thanks very much, Patrick. I think setting up BGP requires permission from the ISPs and comes with added responsibilities. That's why we go for other options. I have some doubts about the above configuration: if a client creates an HTTPS session to an Internet website, e.g. 34.36.45.43, the actual session endpoints will be 63.34.54.67 and 34.36.45.43.

Client - 192.168.0.55
Pound listening IP - 192.168.0.40
Web server on the Internet - 34.36.45.43

Suppose Pound maps that connection through GW 63.34.54.67, the one selected from the three available GWs.

192.168.0.55--->192.168.0.40--->63.34.54.67-->........--->34.36.45.43

Now, the 3rd and the last are the public IPs of ours and of the web server respectively. As far as I know, HTTPS, SSH etc. use these public IPs as endpoints. If the GW goes down, Pound will route the traffic through the next available GW, changing the 3rd IP.
eg.

192.168.0.55--->192.168.0.40--->56.34.67.23-->........--->34.36.45.43

Now the connection endpoints are 56.34.67.23 and 34.36.45.43.

So, will the connection be reset if any of the endpoint IPs change? If yes, we cannot keep existing connections intact if one GW goes down, but at the same time new connections will be routed through the next available GW. These are my thoughts! Please advise.

Posted by Gustaf Neumann on
Will the connection be reset if any of the endpoint IPs change?

Pound makes, for every incoming connection (HTTP over TCP or SSL), an outgoing TCP connection to the backend. In your case, that is a connection to the external proxy server at the GW. This is a point-to-point connection, for which a couple of parameters can be configured (e.g. timeout). If Pound is in the middle of a TCP transfer from/to the GW and the GW goes down, it will hang until the timeout. Pound does not try to continue the TCP connection on a different GW (which is more or less impossible due to the unknown state of un-flushed buffers, etc.). Only retransmits of the failed request will go to a different GW.

You ask: "So, will the connection be reset if any of the endpoint IPs change? If yes, we cannot keep existing connections intact if one GW goes down, but at the same time new connections will be routed through the next available GW."

The only way to have this work correctly, 100% of the time, is to use BGP. You may wish to ask your ISPs (one or more of them) if they will set up BGP for you.

With BGP you would "announce" your IP address block and the various ways to reach your servers via the 3 different ISP connections. You would have 1 set of IP addresses that all 3 network connections would "know" how to reach.

Traffic would automatically switch to using whichever is closest from a network standpoint while all 3 connections were up. If one or two connections went down, traffic would still reach your server via the connection that was still working.

If you are paying more than 1000 USD or Euros per month in connection charges, then you are paying enough to merit setting up BGP, and your ISP should be able to help you for free or at a low cost. If instead you have several connections but are using low-cost, low-speed links like DSL, then the ISP will probably not assist you.
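The behaviour Gustaf describes above (one outgoing TCP connection per client connection, an in-flight transfer that stalls until the timeout and is never migrated, only later connections reaching another gateway) as an added Python example. This is not code from the thread and not Pound's own code; it is a toy TCP forwarder written to make that failure mode observable on one machine. The two fake HTTP servers are constructed stand-ins for the Squid proxies on the gateway servers, the client request is a constructed browser request, and the back-end selection policy (first live back end in list order) and the 0.5 s timeout are assumptions chosen to keep the failover path easy to follow.

```python
"""Toy forwarder modelled on the per-connection behaviour described in the
thread.  Added example, not Pound's code: back ends are fake local servers
standing in for the Squid proxies on the gateway servers."""
import socket
import threading
import time


class Backend:
    def __init__(self, host, port):
        self.host, self.port, self.alive = host, port, True


class FailoverProxy:
    def __init__(self, backends, timeout=2.0):
        self.backends = backends
        self.timeout = timeout            # plays the role of Pound's back-end TimeOut
        self.log = []                     # (backend port, outcome) per client connection
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _connect_backend(self):
        # Assumed policy: first live back end in list order (strict primary/backup).
        for b in self.backends:
            if not b.alive:
                continue
            try:
                return b, socket.create_connection((b.host, b.port), timeout=self.timeout)
            except OSError:
                b.alive = False           # connection refused: gateway is down
        return None, None

    def _accept_loop(self):
        while True:
            client, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        with client:
            backend, upstream = self._connect_backend()
            if upstream is None:
                client.sendall(b"HTTP/1.0 503 Service Unavailable\r\n\r\n")
                return
            with upstream:
                upstream.settimeout(self.timeout)
                upstream.sendall(client.recv(4096))   # forward the client's request
                try:
                    while True:                         # relay the response until EOF
                        chunk = upstream.recv(4096)
                        if not chunk:
                            break
                        client.sendall(chunk)
                    self.log.append((backend.port, "ok"))
                except OSError:                         # socket.timeout is an OSError
                    # Gateway died mid-transfer: we hung until the timeout and now drop
                    # the client.  Nothing is re-sent through another gateway.
                    backend.alive = False
                    self.log.append((backend.port, "timeout"))


def start_backend(name):
    """Constructed stand-in for one gateway's Squid: answers with its name.
    Setting state['hang'] = True makes it accept but never answer, which is
    how a dead upstream link looks to the proxy."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    state = {"hang": False}
    body = name.encode()
    reply = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

    def handle(conn):
        with conn:
            conn.recv(4096)
            if state["hang"]:
                time.sleep(30)            # never answer; the proxy times out first
            else:
                conn.sendall(reply)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], state


def fetch(port, timeout=5.0):
    """One client request through the proxy; b'' means we were dropped unanswered."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: 34.36.45.43\r\n\r\n")  # constructed request
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return data
            data += chunk


def demo():
    gw1_port, gw1 = start_backend("gw1")
    gw2_port, gw2 = start_backend("gw2")
    proxy = FailoverProxy([Backend("127.0.0.1", gw1_port), Backend("127.0.0.1", gw2_port)],
                          timeout=0.5)
    before = fetch(proxy.port)            # normal: answered via gw1
    gw1["hang"] = True                    # gateway 1 goes down
    during = fetch(proxy.port)            # in-flight connection: stalls, then dropped
    after = fetch(proxy.port)             # new connection: routed to gw2
    return {"before": before, "during": during, "after": after,
            "outcomes": [o for _, o in proxy.log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The empty `during` result is the hung browser page or dropped RDP session the thread is worried about: the proxy waited out its timeout and closed the client without ever retrying the request elsewhere, and only the next fresh connection went through gw2.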