Re: relayd l7 loadbalancing

2017-08-16 Thread Mischa Peters
> On 16 Aug 2017, at 10:41, Claudio Jeker  wrote:
> On Wed, Aug 16, 2017 at 10:27:58AM +0200, Maxim Bourmistrov wrote:
>> 
>> Once connection is established, state is created in PF. Subsequent requests 
>> will be ’pipelined’.
>> It is possible to influence this behavior by manipulating tcp.established in 
>> pf.conf,
>> but I don’t think this is what you want.
>> 
> 
> This is not correct. The problem is keep-alive and the fact that once a
> backend is selected by relayd it sticks to it until the session is closed.
> This is a bug and something benno@ and I have on our radar to fix.

Great to hear! This will make relayd even more flexible. I guess your todo list 
must be too long so I will wait patiently.
My C skills are non-existent otherwise I would have tried to help.

> The workaround for now is to disable keep-alive; this can be done by
> adding:
>   match header set "Connection" value "close"
> to your config. The solution is not ideal and will make page load times
> slower.

Will check the load times with and without, maybe it's workable for now.

Much appreciated!

Mischa



Re: relayd l7 loadbalancing

2017-08-16 Thread Claudio Jeker
On Wed, Aug 16, 2017 at 10:27:58AM +0200, Maxim Bourmistrov wrote:
> 
> Once connection is established, state is created in PF. Subsequent requests 
> will be ’pipelined’.
> It is possible to influence this behavior by manipulating tcp.established in 
> pf.conf,
> but I don’t think this is what you want.
> 

This is not correct. The problem is keep-alive and the fact that once a
backend is selected by relayd it sticks to it until the session is closed.
This is a bug and something benno@ and I have on our radar to fix.

The workaround for now is to disable keep-alive; this can be done by
adding:
match header set "Connection" value "close"
to your config. The solution is not ideal and will make page load times
slower.

> > 16 aug. 2017 kl. 10:05 skrev Mischa Peters :
> > 
> > Hi All,
> > 
> > I have somewhat the following config for relayd running on 6.1.
> > And I am trying to forward certain request paths to different hosts.
> > 
> > table  { xx.xx.xx.131 }
> > table  { xx.xx.xx.31 }
> > http protocol httpsfilter {
> >   match request header remove "Proxy"
> >   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> >   match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
> > 
> >   match response header set "Server" value "Sever"
> >   match response header set "X-Powered-By" value "Power"
> >   match response header set "X-Frame-Options" value "SAMEORIGIN"
> >   match response header set "X-Xss-Protection" value "1; mode=block"
> >   match response header set "X-Content-Type-Options" value "nosniff"
> > 
> >   match request quick path "/crm/" forward to 
> > 
> >   tcp { no splice }
> > }
> > relay host_tls {
> >   listen on $ext_addr_v4 port 443 tls
> >   listen on $ext_addr_v6 port 443 tls
> >   protocol httpsfilter
> >   forward to  port 80 check http "/" host example.com code 200
> >   forward to  port 80
> > }
> > 
> > I have tried both "match request quick path" and "match request quick url" 
> > but what I noticed is that as soon as you have visited one of the URLs that 
> > needs forwarding to a different host you end up at the  for all 
> > subsequent requests.
> > With "match request quick url" this is to be expected as it checks 
> > everything up to /.
> > 
> > For example:
> > 
> > http://example.com/ -> wwwhost
> > http://example.com/crm/ -> otherhost
> > http://exmaple.com/folder/ -> otherhost
> > 
> > Is this expected behaviour for "match request quick path" as well?
> > Is there any way to do this type of load balancing?
> > 
> > Thanx!!
> > 
> > Mischa
> > 
> 

-- 
:wq Claudio
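
The stickiness described in this reply, and the effect of closing the session after every request, as an added example that is not part of the thread and is not relayd code. The stub server is a constructed stand-in that mimics the reported behaviour, and the `X-Backend` response header is a hypothetical way for a backend to identify itself.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_stub(force_close):
    """Constructed stand-in for the relay (not relayd itself)."""
    class Stub(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"   # allow keep-alive
        stuck = False                   # one handler instance per connection
        def do_GET(self):
            # Reported behaviour: once the /crm/ rule has picked a backend,
            # the session keeps it until the connection is closed.
            if self.path.startswith("/crm/"):
                self.stuck = True
            self.send_response(200)
            self.send_header("X-Backend", "otherhost" if self.stuck else "wwwhost")  # hypothetical header
            self.send_header("Content-Length", "2")
            if force_close:             # models the effect of the workaround
                self.send_header("Connection", "close")
            self.end_headers()
            self.wfile.write(b"ok")
        def log_message(self, *args):   # keep the demo quiet
            pass
    return Stub

def probe(host, port, paths):
    """Request each path over one HTTPConnection; return (path, backend) pairs."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    seen = []
    for path in paths:
        conn.request("GET", path)       # reconnects by itself after a close
        resp = conn.getresponse()
        resp.read()
        seen.append((path, resp.getheader("X-Backend")))
    conn.close()
    return seen

def demo(force_close):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_stub(force_close))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1], ["/", "/crm/", "/folder/"])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for mode in (False, True):
        print("force_close =", mode, demo(mode))
```

Pointed at a real relay, `probe` only tells the backends apart if each one identifies itself in a response header; for a TLS listener, swap in `http.client.HTTPSConnection`.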



Re: relayd l7 loadbalancing

2017-08-16 Thread Maxim Bourmistrov

Once connection is established, state is created in PF. Subsequent requests 
will be ’pipelined’.
It is possible to influence this behavior by manipulating tcp.established in 
pf.conf,
but I don’t think this is what you want.

> 16 aug. 2017 kl. 10:05 skrev Mischa Peters :
> 
> Hi All,
> 
> I have somewhat the following config for relayd running on 6.1.
> And I am trying to forward certain request paths to different hosts.
> 
> table  { xx.xx.xx.131 }
> table  { xx.xx.xx.31 }
> http protocol httpsfilter {
>   match request header remove "Proxy"
>   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>   match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
> 
>   match response header set "Server" value "Sever"
>   match response header set "X-Powered-By" value "Power"
>   match response header set "X-Frame-Options" value "SAMEORIGIN"
>   match response header set "X-Xss-Protection" value "1; mode=block"
>   match response header set "X-Content-Type-Options" value "nosniff"
> 
>   match request quick path "/crm/" forward to 
> 
>   tcp { no splice }
> }
> relay host_tls {
>   listen on $ext_addr_v4 port 443 tls
>   listen on $ext_addr_v6 port 443 tls
>   protocol httpsfilter
>   forward to  port 80 check http "/" host example.com code 200
>   forward to  port 80
> }
> 
> I have tried both "match request quick path" and "match request quick url" 
> but what I noticed is that as soon as you have visited one of the URLs that 
> needs forwarding to a different host you end up at the  for all 
> subsequent requests.
> With "match request quick url" this is to be expected as it checks everything 
> up to /.
> 
> For example:
> 
> http://example.com/ -> wwwhost
> http://example.com/crm/ -> otherhost
> http://exmaple.com/folder/ -> otherhost
> 
> Is this expected behaviour for "match request quick path" as well?
> Is there any way to do this type of load balancing?
> 
> Thanx!!
> 
> Mischa
> 



relayd l7 loadbalancing

2017-08-16 Thread Mischa Peters
Hi All,

I have somewhat the following config for relayd running on 6.1.
And I am trying to forward certain request paths to different hosts.

table  { xx.xx.xx.131 }
table  { xx.xx.xx.31 }
http protocol httpsfilter {
   match request header remove "Proxy"
   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
   match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

   match response header set "Server" value "Sever"
   match response header set "X-Powered-By" value "Power"
   match response header set "X-Frame-Options" value "SAMEORIGIN"
   match response header set "X-Xss-Protection" value "1; mode=block"
   match response header set "X-Content-Type-Options" value "nosniff"

   match request quick path "/crm/" forward to 

   tcp { no splice }
}
relay host_tls {
   listen on $ext_addr_v4 port 443 tls
   listen on $ext_addr_v6 port 443 tls
   protocol httpsfilter
   forward to  port 80 check http "/" host example.com code 200
   forward to  port 80
}

I have tried both "match request quick path" and "match request quick url" but 
what I noticed is that as soon as you have visited one of the URLs that needs 
forwarding to a different host you end up at the  for all subsequent 
requests.
With "match request quick url" this is to be expected as it checks everything 
up to /.

For example:

http://example.com/ -> wwwhost
http://example.com/crm/ -> otherhost
http://exmaple.com/folder/ -> otherhost

Is this expected behaviour for "match request quick path" as well?
Is there any way to do this type of load balancing?

Thanx!!

Mischa