Hi John, Willy,
On Mon, 2009-08-10 at 10:07 -0400, John Lauro wrote:
> Do you have haproxy between your web servers and the 3rd party? If not (ie:
> only to your servers), perhaps that is what you should do. Trying to
> throttle the maximum connections to your web servers sounds pointless given
> that it's not a very good correlation to the traffic to the third party
> servers.
That is correct. I was also thinking about that, but this was later done
at the application level and this issue is supposed to be solved. If it
turns out not to be, I can still try to put another haproxy between our
servers and the 3rd party.
> If you need to rate limit the connections per second, you could always do
> that with iptables on linux, or pf on bsd, etc... but it sounds like it's
> something the third party needs to fix.
I did exactly that, because I also have to protect my servers from
users, but that has some limitations. Our users have to click a few times
on HTTP and then a few times more on SSL. I only limit traffic to HTTP
and have to enable keepalive so that once a user comes to the site he is
not redirected to the waiting room anymore. For such a simple solution it
works really great, but I don't like to reconfigure Apache to use
keepalive (I actually run two instances on each server for that) and
also I have to intervene every time we expect higher load. I would like
to solve this with haproxy. However... :)
This is also a problem with haproxy that I could not figure out.
How can I make sure that a user who has already come to the site is not
redirected to the waiting room on the next click? I don't need (and also
don't want) any persistence. So how can this be done? I read that
haproxy doesn't work with keepalive connections, so even the only working
solution stops working if I put haproxy in between. Does haproxy have
any solution that does not require changing the application, like
redirecting the user to a different IP after the first click?
I also decided that (like you suggested) I will try not to limit the
connection rate, only the total number of connections. The problem is that
with these two rules:
acl toomany connslots(main) lt 10
use_backend sorry if toomany
users don't see the waiting room. They just time out. I also tried with
dst_conn and it didn't work either.
For example, the rate limit (which I don't use now):
acl toofast be_sess_rate(main) gt 6
use_backend sorry if toofast
works fine.
I have a few more questions:
- Is it possible to see the value of some acl variable at some moment?
Maybe put it into the logs or output it in the stats?
- Can you estimate the difference in resource usage between redirection
on the 3rd/4th and 7th layer (for example iptables redirect vs. checking
cookies in the HTTP header and then redirecting)?
- Is it possible, or planned for the future, to use some external
check/script with which we could decide how to handle traffic (I
would like to monitor database load and use it in acls)?
Thank you and best regards
Bostjan
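For readers following this thread, here are the two overflow rules from the mail placed in a complete minimal haproxy configuration; this is an added example, not part of the original message or of haproxy's own documentation. The backend names "main" and "sorry" and the two acl lines come from the mail; the listen address, server addresses, maxconn values and timeouts are assumed placeholders.

```haproxy
global
    log 127.0.0.1 local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind *:80                      # assumed listen address
    # Fewer than 10 free connection slots left on backend "main"
    # -> send the request to the waiting room backend instead.
    acl toomany connslots(main) lt 10
    # Rate-based alternative from the mail: more than 6 new sessions/s on "main".
    acl toofast be_sess_rate(main) gt 6
    use_backend sorry if toomany
    default_backend main

backend main
    balance roundrobin
    # connslots is computed from the servers' maxconn (and maxqueue)
    # settings, so every server here carries a maxconn; the addresses
    # and the value 100 are assumed placeholders.
    server web1 192.0.2.11:80 maxconn 100 check
    server web2 192.0.2.12:80 maxconn 100 check

backend sorry
    # Waiting-room page served by a separate, assumed server.
    server waiting 192.0.2.20:80 check
```

Swapping `use_backend sorry if toomany` for `use_backend sorry if toofast` gives the rate-limit variant the mail describes as working.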