Hi
I have an OpenBSD 6.0 firewall with round-robin to load balance incoming http(s) traffic to a pool of web servers on the internal network. I use sticky-address to make sure requests from the same source are always passed to the same internal server, to be able to use http sessions.
My firewall rules look like this. Obviously I have more than one server pool (table).
Code:
webserver_pub="a.b.c.d.e" # Public IP address
table <webserverpriv> { 10.1.1.100 10.1.1.101 10.1.1.102 } # etc.
...
# redirect incoming web traffic to the pool, same source -> same server
match in on egress proto tcp to $webserver_pub port { http https } rdr-to <webserverpriv> round-robin sticky-address
pass in quick on egress inet proto tcp from any to <webserverpriv> port { http https }
The problem is that if one of the servers in the pool becomes unresponsive for some reason pf will still redirect requests to it.
I'm looking for a solution that would allow me to remove dead servers from the table automatically and add them back when they start responding again.
I found these solutions and was wondering which would be the best to suit my needs
- relayd, but the howtos I found say that it does not support the "sticky-address" feature
- ifstated - this should support sticky-address, but all howtos refer to load balancing outgoing traffic
How do I test if the http service on a remote internal host is running using ifstated? Pinging the host is not the best option, as it may respond to pings even if http is down.
Which method are you using to provide high availability for your web services?
Thanks
Greg
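The following is an added example, not code from the original post or from any OpenBSD project: a small sh script that probes each backend over HTTP (a real HEAD request, not a ping, so a host whose web server is down fails the check) and adds or removes it from the pf table with pfctl(8). The table name <webserverpriv> and the backend addresses come from the post; the script name webcheck.sh, the probe path, the timeout and the PFCTL/PORT variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): keep a pf table of backend
# web servers in sync with an HTTP health check.
# Usage: webcheck.sh HOST [HOST ...]
# Assumed names: webcheck.sh, PFCTL, PORT, TIMEOUT are constructed here;
# the table <webserverpriv> and the 10.1.1.x hosts are from the post.

TABLE=${TABLE:-webserverpriv}   # pf table holding the live backends
PORT=${PORT:-80}                # port to probe
TIMEOUT=${TIMEOUT:-3}           # seconds nc(1) waits for connect/response
PFCTL=${PFCTL:-/sbin/pfctl}     # overridable so the logic can be tested without pf

# http_status_ok STATUSLINE
# 0 when the line is an HTTP/1.x response with a 2xx or 3xx code, 1 otherwise.
# An empty line (connection refused, timeout) is treated as down.
http_status_ok() {
    case "$1" in
        HTTP/1.[01]" "[23][0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_http HOST PORT
# Send a minimal HEAD request with nc(1) and judge the first response line.
probe_http() {
    line=$(printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" \
        | nc -w "$TIMEOUT" "$1" "$2" 2>/dev/null | head -n 1 | tr -d '\r')
    http_status_ok "$line"
}

# table_action UP INTABLE
# UP is 0 when the probe succeeded, INTABLE is 0 when the host is currently
# listed in the table. Prints the pfctl action to take: add, delete or none.
table_action() {
    if [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then echo add
    elif [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then echo delete
    else echo none
    fi
}

# in_table HOST: 0 when HOST is listed in $TABLE
in_table() {
    "$PFCTL" -t "$TABLE" -T show 2>/dev/null | tr -d ' \t' | grep -qxF "$1"
}

# check_host HOST: probe, apply any table change, and return the health
# (0 = up), so the script can also serve as an ifstated test command.
check_host() {
    probe_http "$1" "$PORT"; up=$?
    in_table "$1"; present=$?
    case $(table_action "$up" "$present") in
        add)
            logger -t webcheck "$1 answers HTTP again, adding to <$TABLE>"
            "$PFCTL" -t "$TABLE" -T add "$1" ;;
        delete)
            logger -t webcheck "$1 failed HTTP check, removing from <$TABLE>"
            "$PFCTL" -t "$TABLE" -T delete "$1" ;;
    esac
    return "$up"
}

main() {
    for host in "$@"; do check_host "$host"; done
}

# Run only when hosts are given on the command line, e.g. from cron:
#   * * * * * /usr/local/sbin/webcheck.sh 10.1.1.100 10.1.1.101 10.1.1.102
if [ $# -gt 0 ]; then main "$@"; fi
```

Run from cron it polls every minute; because check_host exits 0 only when the backend answers, the same script can also be named as the external test command in ifstated.conf (a quoted command followed by "every N") with one host per macro, and the state's run action left to the script. Hosts are matched against the table with a fixed-string whole-line compare so 10.1.1.10 never matches 10.1.1.100. Note that removing a host from the table does not tear down states already established to it; only new connections are affected.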