[openstack][octavia] transparent

Ignazio Cassano ignaziocassano at gmail.com
Fri Jul 17 18:22:06 UTC 2020


Many thanks, Jeremy

On Fri, 17 Jul 2020, 19:42 Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2020-07-17 18:55:01 +0200 (+0200), Ignazio Cassano wrote:
> > Hello all, I have some end users who want to receive on their load
> > balanced web servers the client IP address for ACLs. They also want
> > the HTTPS connection to be terminated on the web servers and not on
> > the load balancer. Can I solve this with Octavia? I read that HAProxy
> > can act as transparent only when it is the default router of the
> > backends. In our use case the default router is not the load
> > balancer. Any help, please?
>
> You'll be hard pressed to find any network load balancer which can
> satisfy this combination of requirements without also requiring some
> cooperation from the gateway. The ways you typically get the client
> IP addresses to your servers are one of:
>
> 1. Use the load balancer as the default router for the servers so
> that it doesn't need to alter the IP addresses of the packets (layer
> 3 forwarding).
>
> 2. Terminate SSL/TLS on the load balancer so that it can insert
> X-Forwarded-For headers into the HTTP requests, and then optionally
> re-encrypt when sending along to the servers (layer 7 forwarding).
>
> 3. A "direct server return" configuration where the load balancer
> masquerades as the clients and only handles the inbound packets to
> the servers, while the outbound replies from the servers go directly
> to the Internet through their default gateway (asymmetric layer 3
> forwarding with destination NAT). This is the only option which
> meets the list of requirements you posed and it's exceptionally
> messy to implement, since you can't rely on state tracking either on
> the load balancer or the default gateway (each of them only sees
> half of the connection). This can also thoroughly confuse your
> packet filtering depending on where in your network it's applied.
>
> A bit of quick searching doesn't turn up any available amphorae for
> Octavia which support DSR, but even if there were I expect you'd
> face challenges adapting Neutron and security groups to handle it.
> --
> Jeremy Stanley
>
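As an added example (not code from this thread, from Octavia or from HAProxy), the backend-side check that option 2 above relies on: a web server behind a TLS-terminating load balancer should take the client address from X-Forwarded-For only when the TCP peer is the load balancer, and then only from the right-most hop that is not a trusted proxy, otherwise a client can bypass the ACL by sending a forged header. The proxy network and the ACL range below are constructed.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed: the network the load balancer reaches the backends from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Constructed: client addresses the web server's ACL permits.
ACL_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(ip, nets: Iterable) -> bool:
    return any(ip in net for net in nets)


def client_ip(peer_addr: str, xff_header: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> Optional[str]:
    """Address to use for ACL decisions, or None if none can be derived.

    X-Forwarded-For is walked from the right: trusted proxy hops are
    peeled off and the first untrusted address is the client. Entries a
    client may have appended itself (the left end) are never reached
    unless every hop to their right was a trusted proxy.
    """
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return None
    # If the connection did not come from the load balancer, the header
    # is attacker-controlled: use the TCP peer and ignore it entirely.
    if not _in_any(peer, trusted) or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: deny rather than guess
        if not _in_any(ip, trusted):
            return str(ip)
    # Every listed hop was a trusted proxy: fall back to the peer itself.
    return str(peer)


def acl_allows(peer_addr: str, xff_header: Optional[str],
               allow: Iterable = ACL_ALLOW) -> bool:
    """Deny by default: an underivable client address never passes."""
    addr = client_ip(peer_addr, xff_header)
    if addr is None:
        return False
    return _in_any(ipaddress.ip_address(addr), allow)
```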