Direct Server Return
Direct server return means that traffic from the client to the server goes through Pen, but the traffic from the server to the client does not. There are a number of advantages to doing it this way, especially when it comes to performance – the load balancer never has to touch the return traffic. There are disadvantages as well, for example the load balancer cannot do SSL termination and the servers need special configuration.
To activate direct server return, specify an interface with the dsr_if option, e.g.:
sudo ./pen -df -O poll -O "dsr_if eth1" -S 2 -r 192.168.100.1:0 192.168.100.3 192.168.100.4
This means that Pen will listen for traffic on interface eth1 destined for the "virtual ip" 192.168.100.1 and forward it to two backend servers with the addresses 192.168.100.3 and 192.168.100.4. The port :0 is special and means that all TCP traffic should be forwarded. To forward a single port, specify that instead, e.g. :80 for http.
The interface must be dedicated, i.e. it cannot have a configured IP address and it cannot be used for management. On Debian, such an interface might be configured like this in /etc/network/interfaces:
auto eth1
iface eth1 inet manual
    pre-up ifconfig $IFACE up
    post-down ifconfig $IFACE down
Configuring Backend Servers
The backend servers also need a bit of special configuration. In addition to the network interface that is connected to the network, they also need a loopback interface with the virtual ip. But they can't tell the world about it! Only Pen must know. The following commands accomplish this:
ifconfig lo:1 192.168.100.1/32
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
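To confirm that the ARP settings above are in effect on every interface of a backend, the following added example (not part of the Pen wiki or the Pen project) audits the sysctl tree. The function name check_dsr_arp and its optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a DSR backend's ARP sysctls against the values set above.
# The kernel uses max(conf/all/X, conf/<iface>/X) for arp_ignore and
# arp_announce, so each interface is judged on that effective value.

# check_dsr_arp [CONF_DIR]
#   CONF_DIR defaults to the live tree. The parameter is an assumption of this
#   example so the check can also run against a saved copy of the tree.
#   Prints one line per interface; returns 0 only if every interface passes.
check_dsr_arp() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    all_ign=$(cat "$conf/all/arp_ignore") || return 2
    all_ann=$(cat "$conf/all/arp_announce") || return 2
    for dir in "$conf"/*/; do
        ifc=$(basename "$dir")
        # "all" and "default" are templates, and ARP is not used on loopback.
        case $ifc in all|default|lo) continue ;; esac
        ign=$(cat "$dir/arp_ignore" 2>/dev/null) || continue
        ann=$(cat "$dir/arp_announce" 2>/dev/null) || continue
        # Effective value is the larger of the global and per-interface setting.
        if [ "$all_ign" -gt "$ign" ]; then ign=$all_ign; fi
        if [ "$all_ann" -gt "$ann" ]; then ann=$all_ann; fi
        # Pass: arp_ignore 1 (the value used above) or 2 (stricter variant),
        # and arp_announce 2. Anything else is flagged for review.
        if [ "$ign" -ge 1 ] && [ "$ign" -le 2 ] && [ "$ann" -eq 2 ]; then
            echo "OK   $ifc arp_ignore=$ign arp_announce=$ann"
        else
            echo "FAIL $ifc arp_ignore=$ign arp_announce=$ann"
            rc=1
        fi
    done
    return $rc
}

# Usage on a backend:  check_dsr_arp || echo "backend may answer ARP for the virtual ip"
```

A FAIL line means that interface could still answer or announce ARP for the virtual ip, which would pull client traffic away from Pen.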
Now we have load balancing set up: Pen will distribute traffic between the two backend servers more or less evenly. But what happens when one of the backends goes away? Normally Pen would detect that and blacklist the server temporarily, but with the return traffic bypassing Pen, there is no way to do that.
What we can do, however, is use a separate script to test the backends. Here's an old example of that: