On 2020-07-17 18:55:01 +0200 (+0200), Ignazio Cassano wrote:
> Hello all, I have some end users who want their load-balanced web servers to receive the client IP address for ACLs. They also want the HTTPS connection to be terminated on the web servers and not on the load balancer. Can I solve this with Octavia? I read that haproxy can act as transparent only when it is the default router of the backends. In our use case the default router is not the load balancer. Any help, please?
You'll be hard-pressed to find any network load balancer which can satisfy this combination of requirements without also requiring some cooperation from the gateway. The ways you typically get the client IP addresses to your servers are one of:

1. Use the load balancer as the default router for the servers so that it doesn't need to alter the IP addresses of the packets (layer 3 forwarding).

2. Terminate SSL/TLS on the load balancer so that it can insert X-Forwarded-For headers into the HTTP requests, and then optionally re-encrypt when sending along to the servers (layer 7 forwarding).

3. A "direct server return" configuration where the load balancer masquerades as the clients and only handles the inbound packets to the servers, while the outbound replies from the servers go directly to the Internet through their default gateway (asymmetric layer 3 forwarding with destination NAT). This is the only option which meets the list of requirements you posed and it's exceptionally messy to implement, since you can't rely on state tracking either on the load balancer or the default gateway (each of them only sees half of the connection). This can also thoroughly confuse your packet filtering depending on where in your network it's applied.

A bit of quick searching doesn't turn up any available amphorae for Octavia which support DSR, but even if there were I expect you'd face challenges adapting Neutron and security groups to handle it.

-- 
Jeremy Stanley
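An added example, not part of the thread above, for option 2: if the load balancer terminates TLS and inserts X-Forwarded-For, the web server's ACL must only believe that header when the request actually arrived from the load balancer, and must take the rightmost hop not belonging to a trusted proxy, since a client can send its own forged X-Forwarded-For value. The proxy and allow-list networks below are constructed placeholders.

```python
import ipaddress
from typing import List, Optional

# Addresses the load balancer connects from (constructed for this example;
# substitute the real VIP/amphora addresses in your deployment).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Example ACL allow-list (constructed).
ALLOW_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Return the client IP to use for ACL decisions, or None if it cannot be trusted.

    peer_addr is the TCP peer the web server sees (the load balancer in option 2).
    The X-Forwarded-For chain is walked from the right: the load balancer appends
    the real client last, so anything to the left of the first untrusted hop
    may have been supplied by the client and is ignored.
    """
    if not _is_trusted(peer_addr):
        return peer_addr  # direct connection: any X-Forwarded-For is untrusted
    if not xff_header:
        return None  # trusted proxy sent no header: client unknown
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # another proxy in the chain, keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed hop: refuse rather than guess
    return None  # every hop was a proxy


def allowed(peer_addr: str, xff_header: Optional[str],
            allow_nets: List[ipaddress._BaseNetwork] = ALLOW_NETS) -> bool:
    """ACL check: fail closed when no trustworthy client address exists."""
    ip = client_ip(peer_addr, xff_header)
    if ip is None:
        return False
    return any(ipaddress.ip_address(ip) in net for net in allow_nets)
```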