Load Balancing in Reverse Proxy  Mode

Similar Messages

• Load Balancing with Reverse Proxy Plug-in in SunOne 6.1

  Hello
  we are configuring our reverse proxy web server SunOn 6.1 for load balancing and we have some conflicting information that we have found on the internet. The options we have found are the following:
  1- In one case, it seems that all we need to do is add the destination servers to the servers parameter (quoted, space-delimited). We have read that the proxy server will simply round-robin requests.
  2- In another case, we have seen that we have to use an loadbalancer.xml file with the server names and reference the file from both magnus.conf and obj.conf.
  I have doubts about the second option because I really think this is configuration in 7.0 not 6.1.
  Also, I also need to configure session stickiness but it is not clear how this works. There is an option for sticky cookies that defaults to JSESSIONID if not configured. Does this mean that I will have session stickiness but simply without the use of cookies?
  ANY HELP? We need to solve this in the next day.

  HI,
  This may work for you.
  obj.conf
  <Object name="passthrough1">
  Service fn="service-passthrough" servers="http://localhost:8080"
  </Object>
  <Object name="default">
  AuthTrans fn="match-browser" browser="MSIE" ssl-unclean-shutdown="true"
  NameTrans fn="assign-name" from="/idm(|/*)" name="passthrough1"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="D:/Sun/WebServer6.1/ns-icons" name="es-internal"
  NameTrans fn="document-root" root="$docroot"
  PathCheck fn="nt-uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index" index-names="intro.htm,index.html,home.html,index.jsp"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/imagemap" fn="imagemap"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="~magnus-internal/" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log" name="access"
  </Object>
  <Object name="j2ee">
  Service fn="service-j2ee" method="*"
  </Object>
  <Object name="cgi">
  ObjectType fn="force-type" type="magnus-internal/cgi"
  Service fn="send-cgi"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>
  ============================================
  magnus.conf
  # The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
  # They will not be supported in future releases of the Web Server.
  NetsiteRoot D:/Sun/WebServer6.1
  ServerName abc
  ServerID https-www.abc.com
  RqThrottle 128
  DNS off
  Security off
  ExtraPath D:/Sun/WebServer6.1/bin/https/bin
  Init fn=flex-init access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%"
  Init fn="load-modules" shlib="D:/Sun/WebServer6.1/bin/https/bin/j2eeplugin.dll" shlib_flags="(global|now)"
  Init fn="load-modules" shlib="D:/Sun/WebServer6.1/plugins/passthrough/passthrough.dll"

• Load balancing by the proxy plugin

  Has anyone encountered this before:
  I have a cluster of two WLS 5.1 servers, hosting servlets that serve web
  requests. The requests are proxied through a web server ( I have tried
  Weblogic, Apache as well as IIS). I also have a tool that simulates
  concurrent web requests and fires them to the proxy server.
  As per documentation, as the load balancing while proxying requests to
  servlets is round robin, I expect that the requests are uniformly
  distributed across the two weblogic servers. But what I see is a bit
  different. In one case I fired 15 requests and found that 11 went to first
  server and 4 went to the other.
  Second time when I fired again 2 of them went to the first server and 13 to
  the second one. I would expect that around half of the total requests
  should be routed to each server everytime so that there is a proper load
  balancing done by the proxy. I have not changed any configuration related
  to the default load balancing algorithm. So I expect it is round-robin.
  Has anyone encountered this before ? This happens to me irrespective of
  which proxy server I use (i.e which proxy plugin I use). Is there some
  other configuration required and I am missing something or is there some
  inherent problem with the load balancing of the proxy plugins. Any info
  would be highly appreciated.
  Thanks
  Mainak

  Could you post this in weblogic.developer.interest.plug-in? This group is for
  ejb related questions. Thanks.
  Bill
  Mainak Datta wrote:
  Has anyone encountered this before:
  I have a cluster of two WLS 5.1 servers, hosting servlets that serve web
  requests. The requests are proxied through a web server ( I have tried
  Weblogic, Apache as well as IIS). I also have a tool that simulates
  concurrent web requests and fires them to the proxy server.
  As per documentation, as the load balancing while proxying requests to
  servlets is round robin, I expect that the requests are uniformly
  distributed across the two weblogic servers. But what I see is a bit
  different. In one case I fired 15 requests and found that 11 went to first
  server and 4 went to the other.
  Second time when I fired again 2 of them went to the first server and 13 to
  the second one. I would expect that around half of the total requests
  should be routed to each server everytime so that there is a proper load
  balancing done by the proxy. I have not changed any configuration related
  to the default load balancing algorithm. So I expect it is round-robin.
  Has anyone encountered this before ? This happens to me irrespective of
  which proxy server I use (i.e which proxy plugin I use). Is there some
  other configuration required and I am missing something or is there some
  inherent problem with the load balancing of the proxy plugins. Any info
  would be highly appreciated.
  Thanks
  Mainak

• Need help with load balancing and DNS proxy

  Hi,
  I need help on how to configure my router so it will work with my DNS proxy and load balancing.
  I have a Linksys LRT224 router. I have two broadband connections from two separate ISPs,500Mbps each (WAN1 & WAN2). WAN1 has a static IP and WAN2 is dynamic assigned. I use Unlocator (www.unlocator.com) so I can access geographically restricted sites (Pandora, Netflix, etc.).
  The problem I have is that unlocator registers only one IP address (WAN1 address) and since I am doing load balancing I have no way of knowing if the DNS request will go through the registered IP (WAN1) or through the other (WAN2). I am not an expert in routing or networking but I'm guessing I have a way of configuring the router so all the DNS requests go out through WAN1, right?
  In the router's Dual WAN config page there is a section for Protocol Binding. I tried to configure but only managed to screw up the internet at home. I used:
  DNS[UDP/53-53]->192.168.1.1-192.168.1.254(0.0.0.0-0.0.0.0)WAN2
  Any help or suggestions are appreciated.
  Alex

  Good solution though. That's probably the only way you could do true Load Balancing anyway.
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support

• Need help with load balancing and DNS proxy -Repost

  Hi,
  I need help on how to configure my router so it will work with my DNS proxy and load balancing.
  I have a Linksys LRT224 router. I have two broadband connections from two separate ISPs,500Mbps each (WAN1 & WAN2). WAN1 has a static IP and WAN2 is dynamic assigned. I use Unlocator (www.unlocator.com) so I can access geographically restricted sites (Pandora, Netflix, etc.).
  The problem I have is that unlocator registers only one IP address (WAN1 address) and since I am doing load balancing I have no way of knowing if the DNS request will go through the registered IP (WAN1) or through the other (WAN2). I am not an expert in routing or networking but I'm guessing I have a way of configuring the router so all the DNS requests go out through WAN1, right?
  In the router's Dual WAN config page there is a section for Protocol Binding. I tried to configure but only managed to screw up the internet at home. I used:
  DNS[UDP/53-53]->192.168.1.1-192.168.1.254(0.0.0.0-​0.0.0.0)WAN2
  Any help or suggestions are appreciated.
  Alex

  Good solution though. That's probably the only way you could do true Load Balancing anyway.
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support

• Load Balance method for proxy - ISA or BlueCoat

  Hi,
  I would like to know that which load balance method such as src-ip, cookie or etc is most suitable for load balancing proxy servers such as ISA or Bluecoat. The Proxy will listen to many services - http, https, ftp, and etc. Thanks for the help.

  The methods you mentioned are not loadbalancing technics, but stickyness features.
  Stickyness is not always necessary.
  Now, for caching devices, it is good to always send users requesting a same object to a single proxy, so that the same object is not cached in all the proxies.
  Therefore, the solution in this case is loadbalancing with url hashing.
  For HTTPs, if you terminate SSL on the loadbalancer, you can use the same solution.
  For all the other traffic, I would suggest to start with roundrobin and see after a while if it requires some adjustments or not.
  Gilles.

• Load balancing MS Winsock Proxy Server on WebNS 5.0

  Does anyone know what needs to be done on the service/content rule configuration to support Winsock Proxy requests from client to VIP for load balancing to work?

  Here is a link that may be helpful in configuring the CSS:
  http://www.cisco.com/warp/public/117/CSS_CEreverseproxy.html

• Web Proxy Server Load Balancing

  I deployed Sun Jave Web Proxy Server 4.0 as a Reverse Proxy. I would also like to use it as a load balancer. As per the instructions, I configured the obj.conf file as shown below
  Route fn="set-origin-server" server="https://xx.xx.xx.xx" server="https:yy.yy.yy.yy" sticky-cookie="JSESSIONID" sticky-param="jsessionid" route-hdr="Proxy-jroute" route-cookie="JROUTE" rewrite-host="true" rewrite-location="true" rewrite-content-location="true"
  But, it is not doing load balancing. It always sends to the first server (xx.xx.xx.xx). I guess that is because I used mapping as follows:
  NameTrans fn="reverse-map" from="https:xx.xx.xx.xx" to="https://server.net" rewrite-location="true" rewrite-content-location="true"
  NameTrans fn="redirect" from="http://server" url="https://xx.xx.xx.xx"
  NameTrans fn="map" from="https://server" to="https://xx.xx.xx.xx" rewrite-host="true" name="pa-server-farm1" NameTrans fn="map" from="/" to="https://xx.xx.xx.xx" rewrite-host="true" name="pa-server-farm1"PathCheck fn="url-check"ObjectType fn="block-ip"
  ObjectType fn="cache-enable" cache-auth="1" cache-https="1" query-maxlen="0" min-size="0" Service fn="proxy-retrieve"
  I don't understand how routing and mapping work togother. Any help in this regard is appreciated.

  Motor,
  the following is from the Web Proxy Sever Administration guide. Please, check the last paragraph for the explanation. Any how, the problem is simple. I am using the Proxy Server as the Reverse proxy. And at the same time, I would like to use two origin servers (for load balancing) instead of one. How do I make both load balancing and reverse proxy functions work together?
  Thanks
  To Create Regular or Reverse Mapping
  Access the Server Manager, and click the URLs tab.
  Click the Create Mapping link.
  The Create Mapping page is displayed.
  In the page that appears, provide the source prefix and source destination for the regular mapping,
  for example,
  Source prefix: http://proxy.site.com
  Source destination: http://http.site.com/
  Click OK.
  Return to the page and create the reverse mapping, for example,
  Reverse mapping:
  Source prefix: http://http.site.com/
  Source destination: http://proxy.site.com/
  To make the change, click OK.
  Once you click the OK button, the proxy server adds one or more additional mappings. To see the mappings, click the lView/Edit Mappings link. Additional mappings would be in the following format:
  from: /
  to: http://http.site.com/
  These additional automatic mappings are for users who connect to the reverse proxy as a normal server. The first mapping is to catch users connecting to the reverse proxy as a regular proxy. The �/� mapping is added only if the user doesn't change the contents of the Map Source Prefix text box provided automatically by the Administration GUI. Depending on the setup, usually the second mapping is the only one required, but the extra mapping does not cause problems in the proxy.

• Cisco ACE20 Load balancing issues

  Dear All,
  I have a problem with the ACE 20 load balance
  To start with following is our architectural request flow:
  Load Balancer --> Webseal /(reverse proxy) --> HTTP Server --> Portal Server
  We have Hardware Load Balancer Cisco ACE20.
  When we access our portal from Webseal server it works totally fine without any issue, but when we access the same application using ACE we face the following issues:
  1) Some of the links on do not work. For eg: We have a link "subscribe" which points to https://intranet/abc/wps/portal/subscription , whenever we click on this link, the request is directed to https://intranet/abc/wps/portal i.e homepage
  2) URL redirection does not work We have some links which have a url forwarding or redirection for example when we open https://intranet/ef/quickplace it forwards the requests to https://intranet/ef/quickplace/Main.nsf?opendocument....., but this redirection fails and again the request is thrown to homepage i.e https://intranet/abc/wps/portal
  3) The response of the request and the overall portal when accessed via ACE is very sluggish and it takes 20 seconds for homepage to load, whereas the homepage loads in 4 secs when accessed via webseal.
  below is the ACE details. Kindly provide the your inputs to resolve this issue. will rate all the suggestions
  Hardware Product Number: ACE20-MOD-K9
    Card Index:     207
    Hardware Rev:   2.3
    Feature Bits:   0000 0002
    Slot No. :      7
    Type:           ACE
  Software
    loader:    Version 12.2[120]
    system:    Version A2(1.4) [build 3.0(0)A2(1.4) adbuild_11:54:12-2009/03/05_/a
  uto/adbu-rel2/rel_a2_1_4_throttle/REL_3_0_0_A2_1_4]
    system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_4.bin
    installed license: ACE-SEC-LIC-K9

  Dear all,
  Please suggest on this issue.
  BS

• Load Balance Configuration for OCS 10g

  Hi guys,
  A few question on the load balancer requirement and setup for a OCS 10g cluster.
  1. Can Pound be used as the load balancer for the OCS cluster. (pound is an application for load balancer and reverse proxy).
  2. Basically the load balancer will have two network interface, the first nic is connected to the
  user network, and the second interface is connected at the backend network where the ocs cluster is located. My question is at which network interface the virtual server name (ldap, sso and http ) for the ocs cluster should be created ? at the user network interface or the ocs network interface ?. Do the virtual name need an ip addresses ?
  Thanks for any info.
  Regards
  lanang

  Which articles & documentation have you read already? I don't want to duplicate what they've covered.
  http://catb.org/~esr/faqs/smart-questions.html#beprecise

• Cert auth with a SWS7 reverse-proxy in the way

  We are planning to try authenticating Access Manager 7.1 (Portal, Messaging Server) users with a certificate module so they don't have to enter usernames and passwords all the time.
  By architecture of the project, there are internal servers (actual AM, Portal, etc hosts in cluster config) in the internal LAN, and a Sun Web Server 7 in the DMZ acting as a load-balancer and reverse proxy which can filter some HTTP code if we need it to. This works okay for usual HTTP sessions.
  I have vague ideas how would this NOT break HTTPS sessions concerning the user cert auth module, but I have little to no practice with it.
  I would like to know whether we can offload SSL decoding to the Sun Web Server acting as a reverse proxy (with i.e. Niagara hardware for SSL acceleration) and pass/use the user's certificate information to an internal Access Manager host for user authentication, or are we stuck with TCP port-forwarding from internet straight to the internal hosts on the firewall or some hardware LB?
  Port-forwarding is not good because of security concerns, and in this case it seems we'd have to make several listening ports, one for each backend application, instead of publishing one standard 443 port on the rev-proxy...
  Perhaps there are ways to allow the Web Server to decode HTTPS handshake, determine the destination backend host, and pass the original HTTPS packets to it? Which server certificates would be in effect in such case, or should they be the same on front and backend hosts?
  Perhaps we should set up some AM component for the frontend hosts (I've seen keywords about Distributed Access Manager, but didn't research it yet)?
  Any other good ideas? :)

  Got the rever proxy to work.  Below are the field values in the reverse proxy setting that has worked:
  Reverse proxy name: <any name>
  Incoming http header host name: server1.domain..company.com (get it from the end-point in WSDL) 
  Incoming ICM port: port (get it from the end-point in WSDL)
  Substitute host name: server2.domain..company.com (has to be FQDN)
  Substitute http port: 80 (in my case)
  Substitute https port: (blank)
  Additional path prefix: (blank)
  Meta data protocol subsitution: http
  Endpoint protocol subsitution: http
  Status: active

• CSS Load Balancing for MS Winsock Proxy Client

  Has anyone load balanced Microsoft Winsock Proxy client? I am trying to load balance internal users using the Winsock client to two MS ISA Servers running Winsock proxy for application access to the internet.

  Thanks for the post, I got this from Microsoft:
  I wanted to update you on the information I investigated on the firewall client. I found the the actual port connection used to control the connection thru ISA is by default UDP. This UDP session is over 1745 to the ISA server. This intial connection then allows for a connection over an ephemeral port to the ISA server for the actual data transfer. The data transfer is done via a TCP connection. The connection control is UDP based by default. This can be changed in the Wspcfg.ini file. By adding the ControlChannel value to the WSP_client_app section of this file, you can use WSP.TCP to allow the connections to be based with TCP. In your situation, this may be the best scenario due to the connections being load balanced.
  TCP is used by default when checking the Firewall configuration. This is why the traces showed the connection with TCP.
  Information on this can be found in the ISA help files. In the search panel of the ISA help, type in "ControlChannel" without the quotes and it will show information on this feature.
  I will re-test with TCP only setup, and see if this helps. I also have some sniffer traces I need to review to see if maybe NAT is killing me, not UDP traffic.
  I'll post back my findings next week.

• OAM Webgate Ip validation problem caused by load balancer...

  Hi all,
  In my topology, i have 5 webgates on 5 OHS web servers running in reverse proxy mode . Those web servers are behind load balancer. Since load balancer is working in proxy mode, all requests seems to be coming from load balancer vip and this prevents ip validation at webgate side . Does anybody think that it is possible to solve this issue without changing load balancer configuration..
  Regards,

  Hi,
  Randat, how can i reconfigure ip validation against x-forwarded-for? A custom authz plugin, or only a configuration change ? I'll keep on searching on this solution, but if you can share your solution , it'll be appriciated..
  Ambarishmitra, i want to use ip validation but since all requests are coming from single ip i can't distinguish client ip's, that's my problem..
  Thank you both,
  Regards..

• How to set up load balancing with overload server on css

  can anyone tell me how to set up a load balancing config on css that will enable me to LB proxy caches and when they have too many connections then LB against an overload proxy-cache.
  Such that when the normal proxy-cache farm is under the ceiling of max connections then the overload server is not used ?
  I don't think redirect or sorry server will do this ?

  see the below configuration,any question,just tell me.
  service proxy-1
  ! below is the real ip of server
  ip address 10.1.1.1
  keepalive type icmp
  active
  service proxy-2
  ip address 10.1.1.2
  keepalive type icmp
  active
  ! enter owner config-mode
  owner proxy
  ! define a content rule,match what you want to load balancing
  content rule-proxy
  ! below is virtual ip,it can be another ip segment
  vip address 10.1.1.50
  add service proxy-1
  add service proxy-2
  protocol any
  advanced-balance sticky-srcip
  active

• Any concern on persistent search through a load balancer?

  We have access manager 7 installed which make use of persistent search. My understanding is that persistent search required to maintain a connection so that the server can refresh/update the client whenever entry in the result set changed. If we configure the system to connect to ldap through load balancer, will that cause any problem? What will happen if the load balancer refresh connection after a period of time? Or , if the original ldap server failed and the load balancer try load balance the client to another ldap server, will the persistent search still works?
  Also, if the ldap server that the persistent search initially established connection with crashed, will the client get error message and in that case, is it the client's responsibility to re-run/retry the persistent search with other failover ldap server?
  Thanks,

  Your best bet, even when using a hardware load balancer, is to front your DS instances with a pair of load-balanced Directory Proxy Servers. This way, you have physical redundancy at the load balancer level, and intelligent LDAP-aware load balancing at the proxy server level. DPS 6 is very nice in that you can split binds, searches, and updates amongst several backend DS instances, and the connection state is maintained by the proxy, not the DS instance (i.e. if an instance fails, you really shouldn't be forced to rebind, the proxy fails-over to another DS for searching).
  We have our Directory Servers on a pair of Solaris 10 systems, each with a zone for a replicated Master DS, and another zone each for a DPS instance. The DPS instances are configured to round-robin binds/searches/updates/etc. among the DS master zones. This works out very well for us.