Relayd sending traffic to existing connections of disabled hosts

I'm trying to set up a FreeBSD load balancer using PF and Relayd. I'm trying to use Relayd as a service redirector, so the load balancer itself isn't looking at Layer 7 and only at Layer 3. The load balancer has a public IP and interface that listens for web traffic, and an internal interface that sends the traffic on to the web servers behind it.

That's all working quite well.

The problem I'm having is when I need to take a webserver offline for maintenance. What happens is once a host is connected via HTTP to one of the web servers, the load balancer has a state table entry for that host. Subsequent requests over the HTTP connection are checked in the state table before the rule set. A matching state table entry keeps existing traffic going to the host that the client is already connected to, even if that host is disabled in relayd.

I've tried clearing the state table for all connections going to the target host. This is an improvement as subsequent requests will only go to one of the enabled hosts, but there is still a race condition where a request can come in and the client browser sometimes hangs indefinitely awaiting a response from the server.

How can I gracefully move (or reset) existing HTTP connections from the disabled server to one of the enabled servers?


Thanks,
Glenn
 
Nobody has any info on how relayd handles hosts that are disabled but have existing stateful connections?
 