On Thu, Mar 24, 2011 at 05:41:56PM -0600, Jason J. W. Williams wrote:
> >
> > somebody wanna make it do DSR next?  :)
> >
> > -r
> 
> 
> Just from a cursory look, that seems like something TPROXY would need to be
> extended to support and then HAProxy could leverage it. Should only take a
> weekend right? ;)

Just in case you were not kidding, let me remind you that DSR is not
possible on Layer 7, and anybody who sells you that is simply lying:
- for DSR to work, the server must be able to respond directly to the client.

- for the client to accept the server's stream, the server must use the TCP
  parameters that were negotiated during the handshake, and particularly the
  random initial sequence number.

- for an L7 intermediary to be able to see some data, it must first
  intercept the stream and manage the session handshake itself, which
  means choosing a random seq number as well as some parameters (e.g. MSS,
  window scaling, timestamps, sack, ...)

=> if the intermediary chooses a random seq number during the handshake,
   once it forwards the connection to the server, it has no way to tell
   the server to reuse the same random and to work with it. It has no
   way either to force it to use the parameters it used during the handshake.

The server will thus choose its own and respond to the client with them.
Obviously, the client will reject them, and will either drop the packets,
reset the connection or enter an ACK storm with the server if both
sides believe the other is wrong.

That said, with the hardware we find nowadays, DSR is less commonly a
requirement. Building a 10gig-capable proxy is possible out of a $1500
machine. DSR was invented at a time when LBs were not capable of
handling the massive traffic some sites were using.

Still, using DSR on L4 LBs in front of an L7 LB farm makes sense to
scale to very high loads when you need tens or hundreds of gigabits
(fortunately very few sites need that right now).

Regards,
Willy
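To make the sequence-number argument above concrete, here is a small Python model added for this page (not code from the thread or from HAProxy): a client accepts a data segment only if its sequence number falls inside the receive window anchored at the ISN it learned from the SYN-ACK, so an L4-handed-off server stream is accepted while a stream from a server behind an L7 proxy, which picked its own ISN, is not. The ISN values are constructed inputs.

```python
"""Toy model of why an L7 proxy cannot hand a TCP session off for DSR.

Only sequence-number bookkeeping is modelled: the client remembers the
peer ISN it learned during the handshake and accepts a segment only if
its sequence number lies in the receive window anchored there.
Constructed illustration, not HAProxy code.
"""

SEQ_SPACE = 2 ** 32   # TCP sequence numbers wrap modulo 2^32
WINDOW = 65535        # receive window advertised by the client (assumed)


class TcpClient:
    """Client side of a TCP connection, tracking only what it expects next."""

    def __init__(self):
        self.rcv_nxt = None  # next sequence number expected from the peer

    def handshake(self, peer_isn):
        """Process the SYN-ACK: the SYN itself consumes one sequence number."""
        self.rcv_nxt = (peer_isn + 1) % SEQ_SPACE

    def accept_segment(self, seq):
        """Window check for a segment starting at seq, wrap-around safe."""
        return (seq - self.rcv_nxt) % SEQ_SPACE < WINDOW


def l4_dsr(client, server_isn):
    """L4 DSR: the server's own SYN-ACK reaches the client, so the server
    keeps numbering its data from the ISN the client already acked."""
    client.handshake(server_isn)
    return client.accept_segment((server_isn + 1) % SEQ_SPACE)


def l7_dsr(client, proxy_isn, server_isn):
    """L7 'DSR': the proxy terminates the handshake with its own ISN and
    then opens a second connection to the server, which picks an ISN the
    proxy cannot dictate; the server's direct reply uses that ISN."""
    client.handshake(proxy_isn)
    return client.accept_segment((server_isn + 1) % SEQ_SPACE)


if __name__ == "__main__":
    print("L4 DSR accepted:", l4_dsr(TcpClient(), 0x12345678))
    print("L7 DSR accepted:", l7_dsr(TcpClient(), 0x12345678, 0xABCDEF01))
```

The L7 case only succeeds when the two independently chosen ISNs happen to land within one window of each other, which is what the message means by the server having no way to reuse the proxy's random.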

