2021-01-08


1. The background of SLB

SLB (Server Load Balancing): when several servers provide the same service, the load balancing device exposes a single virtual service address. When many clients access that virtual service IP from outside, the device distributes the request packets across the back-end servers according to its load balancing algorithm, so that the load on each server is balanced. This avoids the situation where one server is lightly loaded while another is pushed past its performance limit and becomes slow or goes down, and so improves service efficiency and quality.

Therefore, from the client's point of view, the IP address of the RS (real server) is the VIP (virtual service IP address) of the load balancing device; the real IP address of the RS is invisible to the client.

2. Three transmission modes of SLB

Difference between Layer 7 SLB and Layer 4 SLB:

Layer 4 SLB: the service type on the load balancing device is configured as TCP/UDP, and the device only parses packets up to layer 4. After completing the three-way handshake with the client, the load balancing device establishes a connection with the RS;

Layer 7 SLB: the service type on the load balancing device is configured as HTTP/FTP/HTTPS, etc., and the device parses packets up to layer 7. After completing the three-way handshake with the client, the load balancing device establishes a connection with the RS only once it has received the corresponding layer 7 request.

On load balancing equipment, SLB mainly works in one of the following three transmission modes:

Reverse proxy mode

Transparent transmission mode

Triangle mode

The working mode of the load balancing device differs between these modes, but in every mode the request packet sent by the client must first reach the load balancing device for processing; that is the precondition for the device to work at all. The simulated network topology is:

Client: 10.8.21.40

Load balancing device: 172.16.75.83

VIP: 172.16.75.84

RS1 IP: 172.16.75.82

RS2 IP: 172.16.75.85

Throughout the packet exchange, tcpdump and Wireshark are used to capture packets on the RS and on the Client respectively, and Wireshark is then used to analyse the captures.

3. Reverse proxy mode

Reverse proxy: an ordinary proxy device lets internal network users reach the external network through the proxy, whereas a load balancing device working in this mode lets external network users reach the internal network through it, hence the name reverse proxy.

In reverse proxy mode:

When the load balancing device receives the client request, it records the packet (source IP, destination IP, protocol number, source port, destination port, service type and interface index), changes the destination address to the IP address of the selected RS while keeping the destination port unchanged, changes the source address to the IP address of the downstream interface between the load balancing device and that RS, picks a random source port, and sends the packet to the RS;

When the RS receives the packet, it replies to the load balancing device with its own interface IP as source and the device's address as destination. The load balancing device then changes the source to the VIP, the destination port to the client's source port and the destination IP to the client's source IP, and returns the reply to the client.

Packet analysis results:

After configuration, the Client accesses the RS server successfully. The full packet exchange is as follows:

[Figure: packet exchange between Client and load balancing device]

[Figure: packet exchange between RS and load balancing device]

Result analysis

Analysis of the whole packet exchange:

TCP handshake: first the Client sends a TCP SYN to the load balancing device to request a connection, with source IP the Client's 10.8.21.40, source port 50894, destination IP the VIP 172.16.75.84 and destination port 80;

On receiving the request, the load balancing device replies with a SYN ACK whose source IP is the VIP 172.16.75.84, source port 80, destination IP 10.8.21.40 and destination port 50894;

The Client replies with an ACK and the TCP three-way handshake completes.

HTTP packet exchange:

Because seven-layer SLB is configured, once the load balancing device has completed the three-way handshake with the client and receives an HTTP request, it selects an RS according to the load balancing algorithm and server health status (the RS selected here is 172.16.75.82) and then sets up a TCP connection with that RS:

The load balancing device sends a TCP SYN to request a connection: the source IP is 172.16.75.83, the device's RS-facing interface, the source port is the random port 4574, the destination IP is the RS IP 172.16.75.82, and the destination port is 80;

The RS replies with a SYN ACK (source IP 172.16.75.82, port 80, destination IP 172.16.75.83, destination port 4574), and the load balancing device replies with an ACK to complete the three-way handshake;

The load balancing device then rewrites the source IP of the HTTP request it received to the address of its RS-facing downstream interface, 172.16.75.83, with a random source port, and sends it to the RS. The RS replies with its local IP 172.16.75.82 as source and 172.16.75.83 as destination, so the reply goes straight back to the load balancing device;

When the load balancing device receives the RS reply, it changes the source to the VIP 172.16.75.84, the destination IP to 10.8.21.40 and the destination port to the source port of the original HTTP request, and sends it back to the Client. Access to the server succeeds.


From this process it can be seen that, on the RS side, the client's real IP address has been replaced by the load balancing device with the address of its RS-facing interface, so the RS cannot log the client's real address. To solve this, the X-Forwarded-For field can be added to the HTTP header; this article does not go into the details.

4. Transparent transmission mode

When the load balancing device works in transparent transmission mode, the RS cannot perceive the presence of the load balancing device, while for the Client the IP address of the RS is still the VIP of the load balancing device.

In this mode, when the load balancing device receives a packet whose source is the Client IP and whose destination is its own VIP, it forwards the packet to the best RS according to the load balancing policy and health status; the RS therefore receives a request whose destination is its own IP and whose source is the client's real IP;

The RS then replies directly to this request, with the Client's IP as the destination. When the load balancing device receives that reply, it changes the source IP to the VIP and sends the packet on to the Client.

Packet analysis results:

Packets are again captured on the RS side and the Client side:

[Figure: packet exchange between Client and load balancing device]

[Figure: packet exchange between RS and load balancing device]

Result analysis:

TCP handshake: the same as in reverse proxy mode.

HTTP packet exchange:

The Client sends an HTTP request from source IP 10.8.21.40 to the load balancing device's VIP 172.16.75.84. When the load balancing device receives it, it performs a TCP three-way handshake with the selected RS, exactly as in reverse proxy mode, and then forwards the HTTP request with its source IP and source/destination ports unchanged; only the destination IP is changed to the selected RS address 172.16.75.82;

When the RS receives the packet from 10.8.21.40, it replies to 10.8.21.40. Note that the RS must be configured so that the reply is routed through the load balancing device, which rewrites the source IP to the VIP 172.16.75.84 and forwards it to the Client. Otherwise the Client receives an HTTP packet with source IP 172.16.75.82 and the server access fails.

5. Triangle mode

In triangle mode, when the client sends a request to the load balancing device, the device computes the best RS and forwards the packet directly to that RS by MAC address. The VIP is configured on the RS (generally on the loopback interface) as the source address of the reply, so the RS sends the reply directly to the Client; even if the reply passes through the load balancing device, the device does no processing. Because the path of the packets forms a triangle, the mode is called triangle mode.

Packet analysis results

Packets are captured on the Client side and the RS side respectively:

[Figure: packet exchange between Client and load balancing device]

[Figure: packet exchange between RS and load balancing device]

Result analysis

TCP handshake:

Because 4-layer SLB is used, the TCP handshake differs somewhat from the 7-layer SLB case above: the load balancing device selects the RS directly when the client's handshake arrives, and the TCP three-way handshake is then completed with the RS;

In the triangle mode environment the VIP 172.16.75.84 exists both on the loopback interface of the RS and on the load balancing device. When the load balancing device selects an RS by its load balancing algorithm, it sends the TCP connection packets with the destination MAC set to that of the selected RS and the destination IP left as the VIP.

HTTP packet exchange:

First the Client sends an HTTP request to the VIP of the load balancing device with source 10.8.2.40. When the load balancing device receives it, it forwards the packet directly to the RS. When the RS receives the packet with source IP 10.8.2.40 and destination IP the local loopback address 172.16.75.84, it replies directly to 10.8.2.40 with source 172.16.75.84, and access to the server succeeds.

Since the load balancing device does no processing of reply packets in triangle mode, it is well suited to environments where the traffic from RS to Client is large or the number of connections is large.

When using triangle mode, the RS must have a route to the Client and must have the load balancing device's VIP configured on its loopback interface. Otherwise, even if the RS receives the client's request packet, it discards it without responding.
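As an added illustration of sections 3, 4 and 5 (example code written for this page, not the load balancer's own logic or anything from the original post), the following Python model applies each mode's header rewriting to the packets from the captures above and checks whether the client's socket would match the reply. The IP addresses are the ones from the topology; the MAC addresses, the round-robin selection and the fixed port 4574 standing in for the random source port are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Addresses from the topology in the post.
CLIENT = "10.8.21.40"
LB_DOWNSTREAM = "172.16.75.83"   # load balancer interface facing the real servers
VIP = "172.16.75.84"
RS1, RS2 = "172.16.75.82", "172.16.75.85"


@dataclass(frozen=True)
class Packet:
    """The fields the three modes rewrite: the IP/TCP 4-tuple plus the L2 destination."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dst_mac: str = ""


@dataclass
class RealServer:
    ip: str
    mac: str                               # constructed MAC, not from the post
    loopback_vip: Optional[str] = None     # VIP bound on the loopback interface (triangle mode)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Answer a request, or return None if the RS would drop it."""
        if pkt.dst_mac != self.mac:
            return None
        if pkt.dst_ip not in {self.ip, self.loopback_vip}:
            return None   # no VIP on loopback: a triangle-mode request is silently dropped
        # A normal TCP stack replies from the address and port the request targeted.
        return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class LoadBalancer:
    def __init__(self, mode: str, pool: List[RealServer]):
        self.mode, self.pool = mode, pool
        self.rr = 0
        self.next_port = 4574     # stands in for the random source port seen in the capture
        # Reverse proxy session table: (our src ip, our src port, rs ip) -> (client ip, client port)
        self.sessions: Dict[Tuple[str, int, str], Tuple[str, int]] = {}

    def select_rs(self) -> RealServer:
        rs = self.pool[self.rr % len(self.pool)]   # round-robin stands in for the LB algorithm
        self.rr += 1
        return rs

    def forward_request(self, pkt: Packet) -> Packet:
        if pkt.dst_ip != VIP:
            raise ValueError("the load balancer only handles traffic addressed to the VIP")
        rs = self.select_rs()
        if self.mode == "reverse_proxy":
            lb_port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[(LB_DOWNSTREAM, lb_port, rs.ip)] = (pkt.src_ip, pkt.src_port)
            return replace(pkt, src_ip=LB_DOWNSTREAM, src_port=lb_port, dst_ip=rs.ip, dst_mac=rs.mac)
        if self.mode == "transparent":
            return replace(pkt, dst_ip=rs.ip, dst_mac=rs.mac)   # source stays the client's
        if self.mode == "triangle":
            return replace(pkt, dst_mac=rs.mac)                 # IP header untouched
        raise ValueError(self.mode)

    def forward_reply(self, pkt: Packet) -> Packet:
        if self.mode == "reverse_proxy":
            client_ip, client_port = self.sessions[(pkt.dst_ip, pkt.dst_port, pkt.src_ip)]
            return replace(pkt, src_ip=VIP, dst_ip=client_ip, dst_port=client_port)
        if self.mode == "transparent":
            return replace(pkt, src_ip=VIP)   # only the source is rewritten back to the VIP
        return pkt                            # triangle: replies are not touched


def client_accepts(reply: Packet, request: Packet) -> bool:
    """The client's socket only matches a reply that mirrors its own 4-tuple."""
    return (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port) == \
           (request.dst_ip, request.dst_port, request.src_ip, request.src_port)


def run_exchange(mode: str, reply_via_lb: bool = True, vip_on_loopback: bool = False) -> dict:
    """One request/reply through the chosen mode; reports what the RS and the client see."""
    pool = [RealServer(RS1, "02:00:00:00:00:82", VIP if vip_on_loopback else None),
            RealServer(RS2, "02:00:00:00:00:85", VIP if vip_on_loopback else None)]
    lb = LoadBalancer(mode, pool)
    request = Packet(CLIENT, 50894, VIP, 80)
    to_rs = lb.forward_request(request)
    rs = next(r for r in pool if r.mac == to_rs.dst_mac)
    reply = rs.handle(to_rs)
    if reply is not None and reply_via_lb:
        reply = lb.forward_reply(reply)
    return {"rs_sees": to_rs, "client_gets": reply,
            "ok": reply is not None and client_accepts(reply, request)}


if __name__ == "__main__":
    for mode, kw in [("reverse_proxy", {}), ("transparent", {}),
                     ("transparent", {"reply_via_lb": False}),
                     ("triangle", {"vip_on_loopback": True}), ("triangle", {})]:
        r = run_exchange(mode, **kw)
        print(mode, kw, "RS sees", r["rs_sees"], "client gets", r["client_gets"],
              "ok" if r["ok"] else "FAIL")
```

Running it shows, for each mode, the packet the RS receives and the packet the client gets back. The two failure cases from the text are reproduced: a transparent-mode reply that bypasses the load balancer reaches the client with source 172.16.75.82 and does not match the client's socket, and a triangle-mode RS without the VIP on its loopback interface drops the request without answering.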

6. Summary

In reverse proxy mode the RS only receives packets whose source is the load balancing device's IP address, so a firewall can be used to improve security by allowing only packets with that source IP to pass. If the X-Forwarded-For field is added, the RS can also be made to accept only requests carrying this field, so security is relatively high.
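As an added example of the summary's point (written for this page, not code from the original post), here is how an RS-side application can enforce the two checks: accept only connections whose peer is the load balancing device's RS-facing address 172.16.75.83, and take the client address for logging from X-Forwarded-For. The function names, the trusted-proxy set and the sample header dictionaries are assumptions. The header is read from the right, so a value that was already present before the request reached the load balancer cannot override the address the load balancer appended.

```python
import ipaddress
from typing import Mapping

# RS-facing interface of the load balancing device, from the topology in the post.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("172.16.75.83")})


class Rejected(Exception):
    """Raised when a request did not arrive the way reverse proxy mode guarantees."""


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      trusted=TRUSTED_PROXIES, require_xff: bool = True) -> str:
    """Return the client address to log for this request, or raise Rejected.

    peer_ip is the source address of the TCP connection as the RS sees it; in
    reverse proxy mode that is always the load balancer's downstream interface.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        raise Rejected(f"connection from {peer} did not come through the load balancer")
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        if require_xff:
            raise Rejected("missing X-Forwarded-For")
        return str(peer)
    # Each proxy appends the address it received the request from, so the
    # right-most entry was written by the proxy that connected to us. Walk from
    # the right and stop at the first address that is not one of our proxies:
    # that is the real client. Anything further left arrived with the request
    # and is not trusted.
    for hop in reversed(xff.split(",")):
        addr = ipaddress.ip_address(hop.strip())   # ValueError on a malformed entry
        if addr not in trusted:
            return str(addr)
    raise Rejected("X-Forwarded-For lists only trusted proxies")


def access_log_line(peer_ip: str, headers: Mapping[str, str],
                    request_line: str, status: int) -> str:
    """Build a log line recording the real client and the proxy it came through."""
    client = resolve_client_ip(peer_ip, headers)
    return f'{client} via {peer_ip} "{request_line}" {status}'


if __name__ == "__main__":
    # Constructed request as the RS sees it after the LB appended the client address.
    legit = {"Host": "172.16.75.84", "X-Forwarded-For": "10.8.21.40"}
    print(access_log_line("172.16.75.83", legit, "GET / HTTP/1.1", 200))
    # Constructed request that already carried a value before reaching the LB;
    # the LB still appends the true source, which is what gets logged.
    prefilled = {"x-forwarded-for": "203.0.113.9, 10.8.21.40"}
    print(access_log_line("172.16.75.83", prefilled, "GET / HTTP/1.1", 200))
    try:
        resolve_client_ip("10.8.21.40", legit)   # direct access that bypassed the LB
    except Rejected as exc:
        print("rejected:", exc)
```

The peer check in the application only runs after the TCP connection has already been accepted, so the firewall rule the summary mentions (drop service traffic whose source is not 172.16.75.83) is still the primary control; the code above is the second layer that also keeps the access log honest.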

Source: blog.csdn.net/liuxingjiaoyu/article/details/112345634