Hey guys,

I have searched the forums and have been unable to find much info on how to implement redirection in a bridge based on HTTP URI.

We currently use a iptables to direct traffic based on IP address which allows us to do subdomain redirection, but we would really like to push the traffic from a subdirectory off to a different server.

For instance, it would be great to have all traffic go to a default server, but have the traffic for http://www.domain.com/subdir to go to a different server.

I am aware of squid, but it doesn't seem like it will perform very well on a high traffic site. I should mention that we are a high traffic site (couple millions hits / day) so performance is very important.

I also know that iptables can do string pattern matching inside the packet. Is this a good solution? Is this the fastest, performance wise, solution?

Any thoughts or contributions are greatly appreciated. I really would like to learn more about this topic.

- jason

Well the normal method would be mod_proxy under apache, but if, as it'd assume, you're using a dedicated tier for the front end, try nginx to redirect and loadbalance http requests. LQ.org uses nginx quite prolifically and works really well. Things do get uglier with https of course...

Cool, I'll look into nginx. It looks interesting, but not quite perfect.

We do have a dedicated tier, currently the server that all traffic comes in to is ONLY running iptables to do our load balancing. I'd like to run a service on that machine, preferably not a web server, that is capable of doing HTTP header inspection and redirection.

Perhaps I'm approaching this problem wrong and the solution is hard to find because there is a better way to do things. Here's our network layout:

Internet--> Dedicated iptables server (bridge) --> multiple HTTP servers

The iptables machine can load balance and route packets based on subdomains, but we'd like to have it route packets based on sub directory.

Any thoughts?

- jason

You're approaching it wrong. Every other device and product that performs this function does so as a proxy or a layer 3 (well, more like layer 5) router, not as a layer 2 bridge. If you want to do application inspection, you need to move further up the stack. Iptables is really not the right tool for this kind of task.

quite substantially seconded. This is not what one does...

Ok, I'll definitely take any advice that you guys can give me in this regard. What are the names of some proxies, or layer 5 routers that I can use in this configuration.

Any advice that you can give me as to products that would function in the role that I have defined, preferably running on the same machine that is using iptables, and able to route to multiple HTTP servers.

I'm also not opposed to adding a dedicated proxy machine between the bridge and the HTTP servers, but that seems like an unnecessary step.

Thanks for all the help.

- jason

well we already have. apache or nginx. if you've $80,000 to spare a pair of F5 6800 LTM's would be quite nice too.

Or Cisco Content Switch, or Citrix NetScaler, or stuff from RadWare, Alteon, etc...

Why do you have a dedicated bridge box any way? That is the part that seems unnecessary. You could simply have a front-end tier that is a reverse proxy. I do not understand the obsession with having a bridge.

Ah, I see. This is starting to make sense now.

I'm looking at the nginx docs, and it does look like it can do what I want it to do. I've also found a variety of reverse proxy examples online such as this one:

http://cognovis.de/developer/en/nginx-loadbalancing

I have not quite figured out how to setup my conf to do what I want. If any one has any experience with setting up nginx to load balance based on subdirectory name I'd sure appreciate some help.

- jason