Load Balancing with LVS-NAT, Keepalived, and iptables
To begin with we need a quick overview of load balancing in general and some background on Linux Virtual Server (LVS) specifically. The basic idea behind load balancing is taking a group of requests and dividing them up over multiple servers. These requests could be HTTP, FTP, SMTP, or any other network service for that matter. This is where LVS comes in: LVS implements transport-layer load balancing inside the Linux kernel (layer-4 switching through packet forwarding). LVS has 3 types of packet forwarding:
1. Network Address Translation (LVS-NAT)
2. IP Tunneling (LVS-TUN)
3. Direct Routing (LVS-DR)
We are going to focus on using LVS-NAT to load balance HTTP requests. We will have 2 physical machines (load1 and load2) in an active/backup configuration that will handle the load balancing for us.
When using LVS-NAT, all inbound and outbound network traffic passes through the active load balancer, so in addition to load balancing it also acts as the gateway and firewall for the web servers behind it. That makes its security a very high priority (see the security sidebar).
Security sidebar:
If the set-up is secured properly, the load balancer will be the only public IP that can be attacked directly. Take extra precautions as you see fit, but here are some suggestions.
Don't use standard ports if possible; for example, move SSH off port 22.
Do not allow root login with a password; if you allow root login at all, allow it only with SSH key authentication.
Add as few user accounts as possible and enforce very strong passwords through PAM.
Do not install any unnecessary services on the load balancer, such as nfs, iscsi, cups, etc.
Install intrusion detection such as rkhunter and Tripwire.
Install brute-force detection and blocking such as fail2ban and pam_abl.
Monitor the server with Nagios, Zabbix or similar.
To complete our overview, let's take a quick look at the network set-up. The load balancers sit between the internet and your private web servers, so each load balancer needs 2 logical network connections: the internet connection and the private connection. Here is where it gets a little tricky. On each of those networks, every load balancer gets 1 IP that is assigned to the physical hardware (i.e. load1's IPs are only for load1 and will not switch over to load2 if load1 goes down), plus there is 1 virtual IP (VIP) on each network that floats between the load balancers if one goes down. This means you will need three IPs for each network: internet IPs like xxx.xxx.xx1 for load1, xxx.xxx.xx2 for load2, and xxx.xxx.xx3 as the VIP (the VIP is where you will point your HTTP DNS), as well as three private IPs like 192.168.20.1 for load1, 192.168.20.2 for load2, and 192.168.20.254 as the VIP for the internal gateway that your web servers will use for internet access.
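As an added example (not from this article or its attached PDF), here is a minimal keepalived.conf for load1 that implements the layout above: both VIPs in one sync group so they always fail over together, and an LVS-NAT virtual service on the public VIP with an HTTP health check. The 203.0.113.x addresses, the NIC names and the real-server address are assumed placeholders; net.ipv4.ip_forward=1 and an iptables MASQUERADE (or SNAT) rule for 192.168.20.0/24 on the public interface are still needed, since keepalived does not configure them.

```conf
global_defs {
    router_id load1                # load2 on the backup node
}
# A split (public VIP on load1, private VIP on load2) would send the web
# servers' return traffic to the wrong box, so both VIPs move together.
vrrp_sync_group LVS_NAT {
    group {
        VI_PUBLIC
        VI_PRIVATE
    }
}
vrrp_instance VI_PUBLIC {
    state MASTER                   # BACKUP on load2
    interface eth0                 # assumed public NIC
    virtual_router_id 51
    priority 150                   # lower, e.g. 100, on load2
    unicast_peer {
        203.0.113.2                # placeholder for load2: no VRRP multicast on the public LAN
    }
    virtual_ipaddress {
        203.0.113.3/24 dev eth0    # placeholder for the public VIP (xxx.xxx.xx3 above)
    }
}
vrrp_instance VI_PRIVATE {
    state MASTER
    interface eth1                 # assumed private NIC
    virtual_router_id 52
    priority 150
    virtual_ipaddress {
        192.168.20.254/24 dev eth1 # internal gateway VIP used by the web servers
    }
}
# LVS-NAT service: HTTP on the public VIP, NATed to a real server (constructed
# address) whose default gateway must be 192.168.20.254; one block per web server.
virtual_server 203.0.113.3 80 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.20.11 80 {
        weight 1
        HTTP_GET {                 # pulls a dead backend out of rotation
            url {
                path /
                status_code 200
            }
            connect_timeout 3
            retry 3                # nb_get_retry on keepalived 1.x
            delay_before_retry 3
        }
    }
}
```

On load2 the same file is used with router_id, state and priority changed and the unicast_peer pointing back at load1's public IP; because the VRRP advertisements for the public instance are unicast to the peer, iptables on eth0 can drop VRRP (IP protocol 112) from any other source.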
The step-by-step how-to is in the attached PDF.