[openstack][octavia] transparent

Jeremy Stanley fungi at yuggoth.org
Fri Jul 17 17:32:20 UTC 2020


On 2020-07-17 18:55:01 +0200 (+0200), Ignazio Cassano wrote:
> Hello all, I have some end users who want to receive on their load
> balanced web servers the client ip address for acl. They also want
> the https connection to be terminated on web servers and not on load
> balancer. Can I solve with octavia? I read haproxy can act as
> transparent only when it is the default router of backends. In our
> use case the default router is not the load balancer. Any help,
> please?

You'll be hard pressed to find any network load balancer which can
satisfy this combination of requirements without also requiring some
cooperation from the gateway. The ways you typically get the client
IP addresses to your servers are one of:

1. Use the load balancer as the default router for the servers so
that it doesn't need to alter the IP addresses of the packets (layer
3 forwarding).

2. Terminate SSL/TLS on the load balancer so that it can insert
X-Forwarded-For headers into the HTTP requests, and then optionally
re-encrypt when sending along to the servers (layer 7 forwarding).

3. A "direct server return" configuration where the load balancer
masquerades as the clients and only handles the inbound packets to
the servers, while the outbound replies from the servers go directly
to the Internet through their default gateway (asymmetric layer 3
forwarding with destination NAT). This is the only option which
meets the list of requirements you posed and it's exceptionally
messy to implement, since you can't rely on state tracking either on
the load balancer or the default gateway (each of them only sees
half of the connection). This can also thoroughly confuse your
packet filtering depending on where in your network it's applied.

A bit of quick searching doesn't turn up any available amphorae for
Octavia which support DSR, but even if there were I expect you'd
face challenges adapting Neutron and security groups to handle it.
-- 
Jeremy Stanley
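One way a backend web server could apply the client address that option 2 above delivers to its ACL, as an added example that is not part of this thread or of Octavia: it assumes the load balancer terminates TLS and appends the client address to X-Forwarded-For (as haproxy does with option forwardfor), that the backend knows the load balancer's address range, and that only entries arriving through that range are trusted. TRUSTED_PROXIES, ACL_ALLOW and the sample requests are constructed values.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed address range of the load balancer(s) that terminate TLS and append
# the client address to X-Forwarded-For; constructed for this example.
TRUSTED_PROXIES: List[Network] = [ipaddress.ip_network("10.0.0.0/24")]
# Constructed allow list that the web server's ACL enforces.
ACL_ALLOW: List[Network] = [ipaddress.ip_network("203.0.113.0/24")]

def _in_any(addr: Address, nets: Iterable[Network]) -> bool:
    return any(addr in net for net in nets)

def client_ip_from_xff(xff: str, peer_ip: str, trusted: Iterable[Network]) -> Optional[Address]:
    """Address the ACL should judge, or None if it cannot be determined safely.
    The header only means something when the TCP peer is one of our proxies.
    Walk the chain from the right (the hop nearest us), skipping trusted
    proxies; the first untrusted entry is the client. Entries the client
    prepended itself sit further left and are never reached.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, trusted):
        return peer  # direct connection: header is client-controlled, ignore it
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed rather than guess
        if not _in_any(addr, trusted):
            return addr
    return None  # only proxy addresses or no header: client address unknown

def acl_allows(xff: str, peer_ip: str) -> bool:
    """ACL decision for one request; an unknown client is denied."""
    client = client_ip_from_xff(xff, peer_ip, TRUSTED_PROXIES)
    return client is not None and _in_any(client, ACL_ALLOW)

if __name__ == "__main__":
    # Constructed requests as (X-Forwarded-For value, TCP peer address).
    for xff, peer in [
        ("203.0.113.7", "10.0.0.5"),                # genuine client via the LB
        ("203.0.113.7, 198.51.100.9", "10.0.0.5"),  # spoofed leading entry; real client is 198.51.100.9
        ("203.0.113.7", "198.51.100.9"),            # LB bypassed: header ignored
        ("", "10.0.0.5"),                           # LB forwarded without the header
    ]:
        print(f"xff={xff!r:<30} peer={peer:<14} allow={acl_allows(xff, peer)}")
```

The same trust rule applies whichever of the three options is used: an address the server did not obtain from a hop it controls must not feed an ACL.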