Hi Emilio,
I tried to replicate the contents of the subdirectories by changing the
rsync parameters and it works only if I replicate the config files
manually. The problem is that inotify won't trigger a sync, because it
doesn't monitor subdirs. As the config files are named <farm name>_<service>,
I just kept the stunnel conf files in the same directory, so the
replication works without any further modifications.
The next problem I have is that stunnel is unable to connect to the
VIP/VPort of the l4txnat farm (connection refused).
The following are the rules added by the l4txnat farm:
/sbin/iptables -t mangle -A PREROUTING -m statistic --mode random --probability 1 -d <VIP> -p tcp -m multiport --dports 6465 -j MARK --set-mark 0x201 -m comment --comment ' FARM_<FARM NAME>_1_ '
/sbin/iptables -t mangle -A PREROUTING -m statistic --mode random --probability 0.5 -d <VIP> -p tcp -m multiport --dports 6465 -j MARK --set-mark 0x200 -m comment --comment ' FARM_<FARM NAME>_0_ '
/sbin/iptables -t nat -A PREROUTING -m mark --mark 0x200 -j DNAT -p tcp --to-destination <BackEnd_IP_1>:25 -m comment --comment ' FARM_<FARM NAME>_0_ '
/sbin/iptables -t nat -A PREROUTING -m mark --mark 0x201 -j DNAT -p tcp --to-destination <BackEnd_IP_2>:25 -m comment --comment ' FARM_<FARM NAME>_1_ '
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 0x200 -j SNAT -p tcp --to-source <VIP> -m comment --comment ' FARM_<FARM NAME>_0_ '
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 0x201 -j SNAT -p tcp --to-source <VIP> -m comment --comment ' FARM_<FARM NAME>_1_ '
The problem here is that the PREROUTING chain is only used by packets
coming from the network interface and not by packets created by the
system itself (locally). I was able to make it work by adding the following
rules:
/sbin/iptables -t mangle -A OUTPUT -m statistic --mode random --probability 1 -d <VIP> -p tcp -m multiport --dports 6465 -j MARK --set-mark 0x201 -m comment --comment ' FARM_<FARM NAME>_1_ '
/sbin/iptables -t mangle -A OUTPUT -m statistic --mode random --probability 0.5 -d <VIP> -p tcp -m multiport --dports 6465 -j MARK --set-mark 0x200 -m comment --comment ' FARM_<FARM NAME>_0_ '
/sbin/iptables -t nat -A OUTPUT -m mark --mark 0x200 -j DNAT -p tcp --to-destination <BackEnd_IP_1>:25 -m comment --comment ' FARM_<FARM NAME>_0_ '
/sbin/iptables -t nat -A OUTPUT -m mark --mark 0x201 -j DNAT -p tcp --to-destination <BackEnd_IP_2>:25 -m comment --comment ' FARM_<FARM NAME>_1_ '
These rules would mark the locally generated packets and change their
destination IP address (DNAT), allowing the local stunnel process to
communicate with the VIP/VPort.
In general, adding those rules would make the VIP/VPort of l4txnat farms
locally reachable. I don't think those rules would affect anything else, but
you may want to double check. I haven't used iptables much in the past, so
I may be overlooking some details.
Regards,
Alberto
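As an added example (not code from this thread or from Zen), a POSIX sh generator for the OUTPUT-chain rules discussed above: it mirrors the farm's PREROUTING mark/DNAT scheme for any number of backends, keeps mark 0x200+i paired with backend i, and can optionally restrict the redirect to one local user so only stunnel's own connections are affected. The farm name, addresses and the OWNER_UID variable are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables commands that mirror
# an l4txnat farm's PREROUTING mark/DNAT rules into the OUTPUT chains, so a
# local process such as stunnel can reach VIP:VPORT. Nothing is applied
# unless the output is piped into sh as root.
#
# Usage: gen_local_farm_rules FARM VIP VPORT BACKEND0:PORT [BACKEND1:PORT ...]
# Optional (assumed variable): OWNER_UID=<uid> adds "-m owner --uid-owner"
# so only that user's connections (e.g. the stunnel user) get redirected.
gen_local_farm_rules() {
    farm=$1; vip=$2; vport=$3; shift 3
    n=$#
    owner=""
    if [ -n "${OWNER_UID:-}" ]; then
        owner=" -m owner --uid-owner $OWNER_UID"
    fi

    # MARK is non-terminating, so rules are appended from the last backend
    # down to index 0 with probability 1/(n-i); each later rule overwrites
    # the mark with that probability and every backend ends up with 1/n
    # (probabilities 1 and 0.5 for two backends, as in the farm's own rules).
    i=$n
    while [ "$i" -gt 0 ]; do
        i=$((i - 1))
        prob=$(awk -v d=$((n - i)) 'BEGIN { printf "%g", 1 / d }')
        printf '/sbin/iptables -t mangle -A OUTPUT%s -m statistic --mode random --probability %s -d %s -p tcp -m multiport --dports %s -j MARK --set-mark 0x%x -m comment --comment " FARM_%s_%s_ "\n' \
            "$owner" "$prob" "$vip" "$vport" $((512 + i)) "$farm" "$i"
    done

    # One DNAT rule per mark, in backend order, so mark 0x200+i always maps
    # to backend i (the pairing that is easy to get wrong when copying by hand).
    i=0
    for backend in "$@"; do
        printf '/sbin/iptables -t nat -A OUTPUT -m mark --mark 0x%x -j DNAT -p tcp --to-destination %s -m comment --comment " FARM_%s_%s_ "\n' \
            $((512 + i)) "$backend" "$farm" "$i"
        i=$((i + 1))
    done
}

# Check what is actually installed for a farm (run as root after applying).
show_local_farm_rules() {
    for table in mangle nat; do
        /sbin/iptables -t "$table" -S OUTPUT | grep -- "FARM_$1_" || true
    done
}
```

Apply with `gen_local_farm_rules smtpfarm <VIP> 465 <BackEnd_IP_1>:25 <BackEnd_IP_2>:25 | sh` as root, then `show_local_farm_rules smtpfarm` to confirm the OUTPUT rules and their backend pairing.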
2013/3/4 Emilio Campos <[email protected]>
> OK Alberto, it's more clear now.
>
> I'm going to help you with your stunnel integration with Zen. If you
> have problems with the sync of directories you can easily change the params
> that rsync uses to do it: in the web GUI go to "Settings >> Server" and
> take a look at the field named *Rsync replication parameters*; those
> values are used by the rsync command line for syncing the config directory content.
>
> Regards
>
>
> 2013/3/4 Alberto Stapelfeld <[email protected]>
>
>> Hi Emilio,
>>
>> Sure, I would share it, and it would be nice if it were included in a
>> future release. But I'm just not sure if my perl *fluency* is enough to
>> write something that doesn't look ugly :)
>>
>> I was planning to run stunnel and make it listen, in my case for SMTPS
>> (SMTP over SSL), on TCP port 465. Stunnel should then forward the
>> connections to the Virtual Port of a farm, which would load balance SMTP.
>> The communication between the internet and stunnel (port 465) would be SSL,
>> between stunnel and the Virtual Port (on the local server) would be plain
>> SMTP, and between Zen and the backend servers plain SMTP. The idea is to
>> combine SSL offloading provided by stunnel and load balancing from Zen.
>>
>> My idea was just to install stunnel, then create a subdirectory under
>> /usr/local/zenloadbalancer/config, which would contain the configuration
>> files for stunnel (one .conf file per listening port/service). I would then
>> change the variable FILES in /etc/default/stunnel14
>> from FILES="/etc/stunnel/*.conf" to
>> FILES="/usr/local/zenloadbalancer/config/stunnel". I should then start
>> stunnel in the startlocal section of /etc/init.d/zenloadbalancer and, I
>> assume, stop it in the stoplocal section, doing something like
>> /etc/init/stunnel14 start/stop or service stunnel14 start/stop.
>>
>> If this kind of functionality is included in some future release, it would
>> obviously be nice to have it added in the web interface as an option for
>> l4txnat farms, and the start/stop logic also integrated with the
>> start/stop logic of the farms in /etc/init.d/zenloadbalancer.
>>
>> The first problem I have at the moment is that subdirectories under
>> /usr/local/zenloadbalancer/config are synchronized, but not their contents.
>> Maybe you could change that in future releases? It may make it easier to add
>> custom configuration files to be synchronized while keeping them separate
>> from the rest.
>>
>> If this were implemented, it could also be used for IMAPS, SPOP, etc., or
>> in general to offload SSL for any protocol.
>>
>> Regards,
>>
>> Alberto
>>
>>
>> 2013/3/2 Emilio Campos <[email protected]>
>>
>>> Open /etc/init.d/zenloadbalancer, section "startlocal", between lines 491-492;
>>> there enter the perl call for your script.
>>>
>>> What are you thinking of doing, Alberto? If you share your idea of the
>>> implementation with us, maybe we can study including it in the next release.
>>>
>>> Regards!
>>>
>>> 2013/3/1 Alberto Stapelfeld <[email protected]>
>>>
>>>> Hello,
>>>>
>>>> I would like to load balance SMTP with SSL termination. I was planning
>>>> to install stunnel for the SSL termination and then forward the
>>>> connections to a farm defined in Zen, which would load balance SMTP to the
>>>> backend servers. This would run on a cluster, so I would need the stunnel
>>>> processes to be stopped and started during a failover. I have checked the
>>>> configuration files, and it looks like all the files in the config directory
>>>> are synced with the passive node (except the if_eth* of the cluster and
>>>> webserver), so I think I could just store the config files of stunnel there
>>>> and they would be synchronized automatically. I assume that during a
>>>> failover, all the processes related to the load balancing functionality are
>>>> started/stopped (e.g. pound). Is there any specific place where I could add
>>>> some other processes to be started or stopped?
>>>> Maybe you can give me some hints, or just tell me if it is too
>>>> complicated to achieve.
>>>>
>>>> Regards,
>>>>
>>>> Alberto
>>>>
>>>>
>>>
>>>
>>> --
>>> Load balancer distribution - Open Source Project
>>> http://www.zenloadbalancer.com
>>> Distribution list (subscribe):
>>> [email protected]
>
>
> --
> Load balancer distribution - Open Source Project
> http://www.zenloadbalancer.com
> Distribution list (subscribe):
> [email protected]
_______________________________________________
Zenloadbalancer-support mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support