> Silly as this may sound at this point I was "trying" to keep things
> as simple as I could by using the TCP load balance feature rather
> than a third party app like varnish. I, unfortunately at this time,
> do not have the option of a separate box/boxes to turn up for load
> balancing.
> I will be working today to see if the idea you gave me for using a
> /31 in the network drop down to snat outbound while keeping an eye
> open for dropped packets. If this has problems I will go for 1:1
> NAT for now and then get a pair of boxes to load balance with maybe
> Varnish, HA proxy, or possibly Apache traffic server.
> Thank You for all the help.
> JohnM

That makes sense... but if all you're load-balancing is HTTP, you'll find that using a reverse-proxy like Varnish makes your life a LOT easier than doing it at the TCP or IP level. Using TCP load-balancing to load-balance web servers is kind of like using a sledgehammer to kill a fly, IMHO. If all you have is a sledgehammer, I guess it's better than nothing, but in this case the flyswatter is free, and you're much less likely to hurt yourself with it :-).

I know sullrich has commented very favourably on varnish in the past, and I'd have to agree with him. Its only significant limitation is lack of SSL support, IMHO.

For reverse-proxies on pfSense 2.1, you currently have Apache, HAproxy, something called "Proxy Server with mod_security" (Apache with a newer version of mod_security), Squid, Varnish, and Varnish v3. Stunnel can be used to SSL-enable any of those that don't do SSL natively.

Any of these will take a little bit more setup than TCP load-balancing, but the biggest headache you'll have (usually) is figuring out what the various GUI fields mean.

There are some reasons you wouldn't want to use a reverse-proxy - those mainly center around the web server needing to see the original client IP address in the packet (and not just in the HTTP headers, where all the proxies put it IIRC), or the web server needing to terminate SSL connections instead of having the reverse-proxy do that.

Stretching my analogy a bit too far, the flyswatter may have been designed by a programmer, and thus may have more adjustable knobs than you know what to do with...

-Adam
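
An added example, not part of the original message: behind a reverse proxy the web server sees the proxy's address on the socket and the client's address only in a header, so the backend should believe that header only when the connection really came from the proxy. The sketch assumes the header is `X-Forwarded-For` and that the proxy sits at the constructed address `192.168.1.1`; the function names are hypothetical.

```python
import ipaddress

# Assumption: the reverse proxy's address (constructed value for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.1/32")]


def _is_trusted(addr, trusted):
    """True if addr falls inside any of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def real_client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the address to log or apply access rules to for one request.

    peer: source IP of the TCP connection as seen by the web server.
    xff:  raw X-Forwarded-For header value, or None if the header is absent.
    """
    peer_ip = ipaddress.ip_address(peer)
    # A connection that did not come from the proxy can carry any header
    # the sender likes, so the header is ignored and the socket peer wins.
    if not xff or not _is_trusted(peer_ip, trusted):
        return str(peer_ip)
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones our own infrastructure wrote. Walk
    # right to left and stop at the first hop that is not a trusted proxy.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: nothing to its left can be relied on either.
            return str(peer_ip)
        if not _is_trusted(hop_ip, trusted):
            return str(hop_ip)
    # Every listed hop was one of our proxies; fall back to the socket peer.
    return str(peer_ip)
```

Entries to the left of the returned address were supplied by the client and should be treated as untrusted input if they are logged at all.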
