Network device hard core technology insider firewall and security gateway (VIII) virtualization artifact (middle)

Linghuchong deployed virtualization servers in batches , The website of Huashan school has been expanded on a large scale , Sure enough , Foreign visits have been much smoother . However , Everything comes from an evil bat …

Because of the need to fight the epidemic , Huashan school also launched online live teaching , Teach martial arts to disciples all over the world through the Internet . Because the martial arts of Huashan sect have certain confidentiality , Yue buqun asked , Only members can watch the live broadcast .

The disciples in charge of Internet business development soon developed the internet live broadcast business , In three days, it went online in a hurry .

little does one think , Soon, the customer service email of Huashan sect was stuffed with user complaints —— Basically, they are all reporting , After logging into the official website of Huashan sect , Click the live broadcast page to find , Prompt no login , You need to log in again , It may not succeed yet .

original , This is related to the mechanism of load balancing equipment developed by linghuchong .

Pictured , When users access the live video service , Will report to the server (VM) Initiate multiple connections . Because based on NAT Of LB The device cannot perceive the user information , It will forward the access from the same user to multiple VM On .

Suppose the user in the figure IP yes 123.118.110.85, adopt TCP towards 73.81.6.112 Of 80 Port initiation HTTP Connect . The first connected source port is 41318, And here HTTP Login on connection .LB Distribute this connection to the virtual machine 10.152.13.16.

immediately , The user clicks the link to play the video , Browser pass TCP towards 73.81.6.112 Of 80 The port initiates another connection , This connection uses 41320 As a source port ,LB Release this connection to the virtual machine 10.152.13.17.

Because virtual machines 10.152.13.17 I don't know the login status of this user , It determines that the user login information is invalid , Refuse to send video stream .

therefore , be based on NAT Load balancing of , For stateful Services , There are natural defects ——

Linghuchong decided to LB Develop another load balancing working mode on —— Reverse proxy mode .

What is the reverse proxy pattern ？

We know ,NAT Working on the fourth floor , It does not care about TCP/UDP Contents of internal packaging , Simply put the intranet IP/ Port and extranet IP/ Port mapping . That's the basis NAT The fundamental reason why it is difficult to properly handle stateful services in load balancing .

The reverse proxy works on the seventh floor .

It ends in itself HTTP request , distinguish HTTP user , And build a new HTTP The request is sent to the server /VM colony , As shown in the figure below ：

In the picture LB The device works in reverse proxy mode . From the Internet User A Access to the LB Virtual publishing IP (Virtual IP, Abbreviation for VIP) 73.81.6.112,LB The equipment is right HTTP Request to parse , Get user information , take User A Assign to virtual machine 10.152.13.16, And launch to this virtual machine HTTP request . that , When another user is right 73.81.6.112 When making a request ,LB The device will also send this user's HTTP After the parsing , Assign users to another virtual machine in the virtual machine pool .

such , You can implement stateful Services .

Realize stateful Services LB, It has crossed from firewall to a new level —— Application security gateway . It's a whole new field , Let's talk about it later .

After the reverse proxy mode is launched , The live broadcast business of Huashan school really shines , Once again won the reputation of the Jianghu .

little does one think , A storm of home broadband gateway , It brings new challenges ——

Please look forward to the next issue .