Hi Donovan,
> Have you considered using Haproxy with Direct Server Return to work > around the routing issue? You cannot use HAProxy with "Direct Server Return", because HAProxy terminates the TCP connection on both sides. > Now the customer has added the requirement that the requests look like > they came from the client — i.e. transparent proxying. If you have all those requirements, you need "Direct Server Return", as Vivek mentioned. This is probably how the Foundry solution works. I suspect you can do this (Direct Return) only with LVS. Anyway, I wouldn't recommend such a solution. Things like SYN floods will directly hit your backends. > I've asked if the customer can use the X-Forwarded-For header instead, but > I'm not expecting them to agree to that. Keep in mind that you cannot insert any HTTP headers on the proxy when the traffic is passing SSL/TLS encrypted. You would have to offload SSL on the load balancer to be able to insert the IP in the header. > The best option I can come up with is to break the backends into groups and > assign each group to an haproxy, which would then be the backends' default > gateway. But then my backends are silo'd and I'm really relying on > round-robin DNS to keep things even, which I don't consider reliable. Thats correct. Consider that reverse proxying in TCP mode is extremely cheap in terms of CPU and memory. With decent hardware (10G NIC, lots of RAM and a beefy CPU) you will be able to forward 20Gbps on a single box. Depending on your load you may be able to do everything with a single active/standby proxy "group". If thats not enough, and you need even more performance (or you need to be able to scale horizontally), an alternative to RRDNS would be some geo-based load balancing (via DNS for example). Then you can deploy proxies and backends more closer to the client and lower the load on a single proxies, thus eliminating the need for backend "groups". > Persistence is a bonus (to reduce SSL negotiations) but not absolutely > required You probably want to make this a hard requirement, as those SSL negotiations will have a huge performance impact. Regards, Lukas
