Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Zarafa multiserver reverse proxy Steve Hardy


Page 1: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Zarafa multiserver reverse proxy

Steve Hardy

Page 2: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Cluster node proxy

• General idea
  – Parts of the system
    • HTTP(s) proxy
    • Zarafa server
  – Some details
    • Session IP locking
    • Internal vs external connections
• Network layouts
  – SSL offload
  – Loadbalancer
• Configuration
  – Configuring
  – Testing (stats)

Page 3: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Goal

• Single exposed ‘host’ to clients for cloud solutions
• Host may be:
  – Single hostname, single IP
  – Single hostname, round-robin IP
• Advantages:
  – Easier firewalling
  – Use off-the-shelf proxy / loadbalance hardware

Page 4: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Old situation

Page 5: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

New situation

Page 6: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Why it doesn’t work

Client

What a nice day, let’s connect to my fav server revproxy.zarafa.com

“Hi, please give me john’s store”

Dagnabbit, ok, I’ll connect to node2.internal.local and retry

CONNECTION REFUSED

Server (Node 1)

“Uh, sorry, I don’t have that, you have to ask Node2, he’s at http://node2.internal.local:237/zarafa”

Server (Node 2)

*snore*

Page 7: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Why it does work with reverse proxy support

Client

What a nice day, let’s connect to my fav server revproxy.zarafa.com

“Hi, please give me john’s store”

Dagnabbit, ok, I’ll connect to revproxy.zarafa.com/node2 and retry

Server (Node 1)

“Uh, sorry, I don’t have that, you have to ask Node2, he’s at http://node2.internal.local, but I see you connected through a proxy, in that case you should use http://revproxy.zarafa.com/node2”

Server (Node 2)

Here’s john’s store for you. Have fun.

Page 8: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Configuration of nodes

• Node1
  – ipHost: node1.local
  – zarafaPort: 236
  – zarafaHttpsPort: 237
  – zarafaProxy: http://proxy.domain.com/node1
• Node2
  – ipHost: node2.local
  – zarafaPort: 236
  – zarafaHttpsPort: 237
  – zarafaProxy: http://proxy.domain.com/node2

Page 9: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

To revproxy or not to revproxy

• In some cases using the proxy is unnecessary
  – Local connects between nodes
  – Not very frequent
  – One case:
    • Spooler uses ‘copy to delegated sent-items after send’ feature
    • After sending message, spooler must copy item to sent items folder, which is possible on other host
    • Spooler connects to other host
    • Proxy not needed
• Strategy is:
  – Only return node’s proxy address if the originating request was itself proxied
  – Detected by looking at header, uses setting ‘proxy_header’

Page 10: Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy

Proxy headers

• X-Forwarded-For header
  – Used as originating IP address
  – Used for session <-> IP locking
  – Used in zarafa-stats (including --top)
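
The redirect strategy and the X-Forwarded-For handling from the last slides, modelled as an added Python example (not Zarafa source code and not from the presentation). The node attributes come from the "Configuration of nodes" slide; the header value chosen for 'proxy_header', the proxy address 10.0.0.5, the client addresses and the trusted-peer check are assumptions made for the illustration.

```python
# Added illustration, not Zarafa source code.
# NODES copies the per-node attributes shown on the "Configuration of nodes" slide.
NODES = {
    "node1": {"ipHost": "node1.local", "zarafaPort": 236,
              "zarafaProxy": "http://proxy.domain.com/node1"},
    "node2": {"ipHost": "node2.local", "zarafaPort": 236,
              "zarafaProxy": "http://proxy.domain.com/node2"},
}
PROXY_HEADER = "x-forwarded-for"   # value assumed for the 'proxy_header' setting
TRUSTED_PROXIES = {"10.0.0.5"}     # constructed address of the reverse proxy (assumption)


def _lower(headers):
    # HTTP header names are case-insensitive, so compare them in lower case.
    return {k.lower(): v for k, v in headers.items()}


def was_proxied(peer_ip, headers):
    """Proxied = header present AND the TCP peer is the known proxy.
    The peer check is an added assumption; the slides only mention the header."""
    return peer_ip in TRUSTED_PROXIES and PROXY_HEADER in _lower(headers)


def redirect_url(target, peer_ip, headers):
    """URL a node hands out when the requested store lives on `target`."""
    node = NODES[target]
    if was_proxied(peer_ip, headers):
        return node["zarafaProxy"]   # external client: stay behind the proxy
    # Node-to-node connection (e.g. the spooler): use the internal address.
    return "http://%s:%d/zarafa" % (node["ipHost"], node["zarafaPort"])


def client_ip(peer_ip, headers):
    """Address to use for session <-> IP locking and for stats."""
    if not was_proxied(peer_ip, headers):
        return peer_ip               # ignore the header from any other peer
    # Assumes the proxy appends the address it saw, so the last entry
    # is the one the proxy itself vouches for.
    return _lower(headers)[PROXY_HEADER].split(",")[-1].strip()
```

Without the peer check, any host that can reach a node directly could set the header itself and choose the address its session is locked to, which is why the nodes should only be reachable through the proxy or from each other.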