Urko Masse said [Fri, Sep 18, 2009 at 08:12:01AM +0700]:
> (…)
> In our environment, we run a Juniper firewall that has a DMZ area, where we
> place our public servers. These servers are regularly used both from outside
> ("Untrusted" area) and inside ("Trusted" area) of our network.
>
> An interesting detail is that, at least in the Apache logs (haven't looked
> at Cherokee), all the internal users, that is, in the "Trusted" area, show
> up as being in the IP address of the firewall. So... ALL of those users
> (more than 100 at a time) use the same IP address.
>
> If I were to use IPHash, they would all hit the same server, and so it would
> give me no advantage at all, because all my other servers would sit there
> doing nothing.
>
> It's not a big deal, as I don't have the volume of usage that would make me
> look at using multiple servers yet, but something for you to think about.
>
> That said, perhaps I can change some setting in the Firewall that would fix
> that.
As others have said, having them go through NAT will undoubtedly have
this effect. Of course, I assume it is a stable NAT (i.e. SNAT with a
single outgoing IP). And you _do_ want that, as otherwise some systems
might get confused about the requests for a single IP seemingly coming
from different IPs.
Of course, if you have a couple of tens of machines in your trusted area,
this will be no problem. If you are NATting a class B or something
like that, well, the short answer is don't do it ;-)
As you describe your configuration, I do not feel that _most_ systems
will suffer from it.
Greetings,
--
Gunnar Wolf • [email protected] • (+52-55)5623-0154 / 1451-2244
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
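The effect Urko describes (every internal user arriving with the firewall's SNAT address, so an IP-hash balancer sends all of them to one backend) can be reproduced with a small simulation. This is an added example, not code from the Cherokee project or from anyone in the thread; the backend names, the firewall address (RFC 5737 documentation range), the request log and the session-cookie alternative are all constructed for illustration.

```python
"""Simulate IP-hash load balancing with many clients behind one SNAT address.

Added example, not code from the Cherokee project or from the thread's authors.
Backend names, the firewall address and the request log are constructed.
"""
import hashlib
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Hypothetical backend pool and the firewall's single outgoing SNAT address.
BACKENDS = ["web1", "web2", "web3"]
FIREWALL_SNAT_IP = "192.0.2.1"


def pick_backend(key: str, backends: List[str] = BACKENDS) -> str:
    """Deterministic choice of backend from a string key, the way an IPHash
    balancer chooses from the client address. SHA-256 stands in for whatever
    hash a real balancer uses; only determinism matters for the point here."""
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def make_requests(n_internal: int, n_external: int) -> List[Dict[str, str]]:
    """Constructed request log: every internal user shows up with the
    firewall's SNAT address as source IP; external users each have their own."""
    reqs = []
    for i in range(n_internal):
        reqs.append({"src_ip": FIREWALL_SNAT_IP, "session": f"sess-int-{i:04d}"})
    for i in range(n_external):
        reqs.append({"src_ip": f"198.51.100.{i + 1}", "session": f"sess-ext-{i:04d}"})
    return reqs


def distribute(requests: Iterable[Dict[str, str]],
               key_fn: Callable[[Dict[str, str]], str]) -> Counter:
    """Count how many requests each backend receives when the balancer
    hashes key_fn(request) to pick the backend."""
    counts: Counter = Counter()
    for req in requests:
        counts[pick_backend(key_fn(req))] += 1
    return counts


def by_source_ip(req: Dict[str, str]) -> str:
    """What IPHash sees: the source address of the TCP connection."""
    return req["src_ip"]


def by_session(req: Dict[str, str]) -> str:
    """Hypothetical alternative key: a session cookie issued by the web
    server, which survives the NAT because it lives in the HTTP request."""
    return req["session"]


def backends_used(counts: Counter) -> int:
    """Number of backends that received at least one request."""
    return sum(1 for v in counts.values() if v > 0)


if __name__ == "__main__":
    internal = make_requests(n_internal=100, n_external=0)
    print("IP hash, 100 NATted users:  ", dict(distribute(internal, by_source_ip)))
    print("session hash, same users:   ", dict(distribute(internal, by_session)))
    mixed = make_requests(n_internal=100, n_external=60)
    print("IP hash, internal+external: ", dict(distribute(mixed, by_source_ip)))
```

With the source-IP key, the 100 internal requests land on exactly one backend, which is the situation Urko predicts; keying on something carried inside the request (a session cookie, or the client address a trusted proxy puts in X-Forwarded-For) spreads them again. The security caveat with the latter is that X-Forwarded-For must only be honoured when it was set by your own proxy, since any client can send that header.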