<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!-- General system configuration section -->
<system>
<!-- Search path where xrctl looks for the "xr" binary, the
compressors "gzip" and "bzip2", and the "ps" command. Default:
xrctl uses $PATH. -->
<path>/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/local/bin:/opt/local/sbin</path>
<!-- "ps" command that shows the PID and command. On Solaris, use
/usr/bin/ps -eo "pid comm" and on Linux/MacOSX use
/bin/ps -ax -o pid,command. Default is that xrctl guesses
the right command. Example:
<pscmd>/bin/ps ax -o pid,command</pscmd> -->
<!-- Use "logger" to add output to syslog or not? Logger will be
used if the binary can be found, and if uselogger is true. -->
<uselogger>true</uselogger>
<!-- The default logger is the program "logger". Redefine here if
you like, for example to a piping logrotate program. Example:
<logger>clpipe /var/log/xr.clog</logger>
The default <logger> command is: logger -t xr.{service} -->
<!-- If logger is NOT used, xrctl will manage log output. In that
case, specify the following:
- Where do logs get written?
<logdir>/var/log</logdir>
- How big may the logs become? Manipulated during "xrctl rotate".
<maxlogsize>100000</maxlogsize>
- How many history logs to keep?
<loghistory>10</loghistory> -->
</system>
<!-- Service descriptions: This section defines all balancing
services that you want to start. Each service will lead to one
invocation of "xr". -->
<!-- Very simple TCP service that dispatches SSH connections on
port 20000 to three back ends. Most options are left to
their defaults. -->
<service>
<!-- Service name, must be unique -->
<name>ssh</name>
<server>
<!-- Type (tcp/http, here: tcp), and IP-address/port to bind
to. Use "0" for the IP-address to bind to all interfaces. The
web interface is bound to localhost only (port 20001): it is
a management interface, so don't bind it to "0" on a host
reachable from untrusted networks. -->
<type>tcp</type>
<address>0:20000</address>
<webinterface>127.0.0.1:20001</webinterface>
<!-- Clients idle for 30 minutes (1800 seconds) are
disconnected. -->
<clienttimeout>1800</clienttimeout>
</server>
<!-- Back ends for the service. -->
<backend>
<!-- IP:port to dispatch to. -->
<address>server1:22</address>
</backend>
<backend>
<address>server2:22</address>
</backend>
<backend>
<address>server3:22</address>
</backend>
</service>
<!-- Here is an HTTP service for web balancing. It shows more
advanced features. -->
<service>
<name>webone</name>
<!-- Balancer server description -->
<server>
<!-- Server binding. XR will listen on all IP interfaces, port
20010, as an HTTP balancer. The web interface is on
localhost, port 20011. -->
<address>0:20010</address>
<type>http</type>
<webinterface>127.0.0.1:20011</webinterface>
<!-- A non-default dispatch mode, here: by client IP. Each client
address is hashed to a back end, so a client keeps hitting the
same server; the "lax" variant picks another back end when the
hashed one is down. -->
<dispatchmode>lax-hashed-ip</dispatchmode>
<!-- Checks. Dead back ends are re-probed every 3 seconds
(wakeupinterval). Live back ends are not periodically
re-checked (checkupinterval 0). -->
<checks>
<wakeupinterval>3</wakeupinterval>
<checkupinterval>0</checkupinterval>
</checks>
<debugging>
<!-- Let's go with full messaging: verbose, debug, and logging
of transmitted messages. Note that logtrafficdir captures the
full client/back-end traffic, here into the world-writable
/tmp; for anything but a debugging session use a directory
only xr can read, or leave the tag out. -->
<verbose>yes</verbose>
<debug>yes</debug>
<logtrafficdir>/tmp</logtrafficdir>
</debugging>
<!-- If the balancer runs out of sockets because too many
closing connections are in TIME_WAIT state, use: -->
<closesocketsfast>yes</closesocketsfast>
<!-- Access restrictions: we allow from two IP ranges, and deny
from one IP address. An octet of 255 acts as a wildcard, and
denyfrom takes precedence over allowfrom. The overall result
will be:
- Access will be allowed from 10.*.*.*
- And allowed from 192.168.1.*, but not from 192.168.1.100 -->
<acl>
<allowfrom>10.255.255.255</allowfrom>
<allowfrom>192.168.1.255</allowfrom>
<denyfrom>192.168.1.100</denyfrom>
</acl>
<dosprotection>
<!-- Here is some basic DoS protection. Connections per client IP
are counted over timeinterval seconds (here: 2 sec). When a
client exceeds the hard limit hardmaxconnrate (here: 200),
it is denied access. When it exceeds the soft limit
softmaxconnrate (here: 150), each connection is
delayed for defertime microseconds (here: 1000000, one
second).
Finally, the entire balancer will be allowed to serve up
to 400 simultaneous connections.
-->
<timeinterval>2</timeinterval>
<hardmaxconnrate>200</hardmaxconnrate>
<softmaxconnrate>150</softmaxconnrate>
<defertime>1000000</defertime>
<maxconnections>400</maxconnections>
<!-- Let's add some more protection. When a client exceeds the
hard limit, "/path/to/program" is invoked with the offending
IP as its argument; that program may e.g. call iptables to
block the client. It runs with xr's privileges, so keep it
short, non-interactive and not writable by other users. There
is also a tag softmaxconnexcess (not shown here). -->
<hardmaxconnexcess>/path/to/program</hardmaxconnexcess>
</dosprotection>
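<!-- Added example, not part of the Crossroads distribution: a Python
model of the admission decision the <acl> and <dosprotection> sections
above describe. An octet of 255 is treated as a wildcard, denyfrom is
evaluated before allowfrom, connections per client are counted in a
sliding window of timeinterval seconds against the soft and hard
limits, the balancer-wide maxconnections cap is enforced, and the
hardmaxconnexcess program is run with the offending IP as argument.
The policy values are copied from the configuration above. The order
of the checks, firing the hook once per offender, and the exact
window arithmetic are this example's choices; how xr itself sequences
them is not shown on this page.

```python
import subprocess
from collections import defaultdict, deque

# Policy values copied from the <acl> and <dosprotection> sections above.
ALLOW_FROM = ["10.255.255.255", "192.168.1.255"]   # 255 = wildcard octet
DENY_FROM = ["192.168.1.100"]
TIME_INTERVAL = 2.0        # seconds over which connects per client are counted
HARD_MAX_CONN_RATE = 200   # above this the connection is refused
SOFT_MAX_CONN_RATE = 150   # above this the connection is deferred
DEFER_TIME = 1_000_000     # microseconds to delay a deferred connection
MAX_CONNECTIONS = 400      # simultaneous connections for the whole balancer


def ip_matches(ip: str, pattern: str) -> bool:
    """Octet-wise match; a pattern octet of 255 matches any value."""
    ip_octets, pat_octets = ip.split("."), pattern.split(".")
    if len(ip_octets) != 4 or len(pat_octets) != 4:
        return False
    return all(p == "255" or p == i for i, p in zip(ip_octets, pat_octets))


def acl_allows(ip: str, allow=ALLOW_FROM, deny=DENY_FROM) -> bool:
    """denyfrom beats allowfrom, and once any allowfrom is configured every
    address outside it is refused (the outcome the comment above describes)."""
    if any(ip_matches(ip, d) for d in deny):
        return False
    return not allow or any(ip_matches(ip, a) for a in allow)


def run_excess_program(program: str):
    """Hook factory for hardmaxconnexcess: runs the program with the offending
    IP as its single argument (argv form, so the IP is never shell-parsed)."""
    def hook(ip: str):
        subprocess.run([program, ip], check=False)
    return hook


class DosGuard:
    """Sliding-window connection counter per client IP. Time is passed in by
    the caller so the policy can be exercised deterministically."""

    def __init__(self, excess_hook=None):
        self.windows = defaultdict(deque)   # ip -> timestamps of recent connects
        self.active = 0                     # simultaneous connections right now
        self.excess_hook = excess_hook
        self.reported = set()               # IPs the hook already fired for

    def _rate(self, ip: str, now: float) -> int:
        q = self.windows[ip]
        q.append(now)
        while q and now - q[0] > TIME_INTERVAL:
            q.popleft()
        return len(q)

    def admit(self, ip: str, now: float):
        """Returns (decision, delay_us) with decision 'deny', 'defer' or 'accept'."""
        if not acl_allows(ip) or self.active >= MAX_CONNECTIONS:
            return ("deny", 0)
        rate = self._rate(ip, now)
        if rate > HARD_MAX_CONN_RATE:
            if self.excess_hook and ip not in self.reported:
                self.reported.add(ip)       # fire once per offender, this example's choice
                self.excess_hook(ip)
            return ("deny", 0)
        self.active += 1
        return ("defer", DEFER_TIME) if rate > SOFT_MAX_CONN_RATE else ("accept", 0)

    def release(self) -> None:
        """Call when a client connection closes."""
        self.active = max(0, self.active - 1)
```

Usage: DosGuard(excess_hook=run_excess_program("/path/to/program")).admit(ip, time.monotonic())
for each incoming connection, and release() when it closes. Note that
the hook is invoked with the IP as a separate argv element; building a
shell command string from a client-controlled address would turn the
protection into a command-injection path. -->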
<http>
<!-- Since this is an HTTP balancer, let's add some goodies:
no header for the XR version,
a header X-Forwarded-For: client-ip
no sticky http sessions
modification of the Host: header to the back end server name
two serverheaders to insert -->
<addxrversion>off</addxrversion>
<addxforwardedfor>on</addxforwardedfor>
<stickyhttp>off</stickyhttp>
<replacehostheader>on</replacehostheader>
<serverheaders>
<header>MyFirstHeader: Whatever</header>
<header>MySecondHeader: WhateverElse</header>
</serverheaders>
</http>
</server>
<!-- Back end definitions -->
<backend>
<!-- Backend lives on server1:80 and is a large machine, so it
gets weight 2. XR will forward up to 300 connections to it. The
back end check is left to the default, which is: connect to
the IP and port of the back end. Requests for host
www.mysite.org will be serviced here. -->
<address>server1:80</address>
<weight>2</weight>
<maxconnections>300</maxconnections>
<hostmatch>www.mysite.org</hostmatch>
</backend>
<backend>
<!-- Backend lives on server2:80, has the default weight 1.
XR will forward up to 100 connections to it. The back end
checking is done by connecting to an alternative port 81.
This back end will be eligible for requests for the site
www.myothersite.org. -->
<address>server2:80</address>
<maxconnections>100</maxconnections>
<backendcheck>connect::81</backendcheck>
<hostmatch>www.myothersite.org</hostmatch>
</backend>
<backend>
<!-- Backend lives on server3:80, has the standard weight and no
limitations for the max nr. of connections. Back end
checking is done by retrieving /healthcheck.cgi from the
server. The back end is eligible for www.myothersite.org. -->
<address>server3:80</address>
<backendcheck>get:server3:80/healthcheck.cgi</backendcheck>
<hostmatch>www.myothersite.org</hostmatch>
</backend>
</service>
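<!-- Added example, not part of the Crossroads distribution: a Python
model of what the <http> options and the back ends' hostmatch above do
to one request. The Host header selects the eligible back ends, a hash
of the client address picks one of them (the spirit of lax-hashed-ip;
the hash xr uses is not on this page), the Host header is replaced by
the back end's name (replacehostheader), X-Forwarded-For is set to the
client address (addxforwardedfor), and the configured serverheaders are
appended to the response. hostmatch is treated as an exact host name
here, and a client-supplied X-Forwarded-For is replaced rather than
appended to, so a back end that trusts the header cannot be fed a
spoofed address; whether xr appends or replaces is not stated on this
page. The back-end table is copied from the configuration above.

```python
import hashlib

# Back ends and response headers copied from the webone service above.
BACKENDS = [
    {"address": "server1:80", "hostmatch": "www.mysite.org"},
    {"address": "server2:80", "hostmatch": "www.myothersite.org"},
    {"address": "server3:80", "hostmatch": "www.myothersite.org"},
]
SERVER_HEADERS = ["MyFirstHeader: Whatever", "MySecondHeader: WhateverElse"]


def parse_head(raw: bytes):
    """Split an HTTP message into (start line, ordered header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build(start_line: str, headers, body: bytes) -> bytes:
    head = "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def eligible_backends(host: str, backends=BACKENDS):
    """Back ends whose hostmatch equals the request's Host (port stripped).
    A back end without hostmatch is eligible for any host."""
    host = host.split(":")[0].lower()
    return [b for b in backends
            if not b.get("hostmatch") or b["hostmatch"].lower() == host]


def pick_backend(client_ip: str, candidates):
    """A stable hash of the client IP chooses among the eligible back ends,
    so one client keeps landing on the same server while it is up."""
    if not candidates:
        return None
    digest = hashlib.sha256(client_ip.encode()).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def forward_request(raw: bytes, client_ip: str, backends=BACKENDS):
    """Returns (back end address, rewritten request), or (None, None) when
    no back end serves the requested host."""
    start, headers, body = parse_head(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    backend = pick_backend(client_ip, eligible_backends(host, backends))
    if backend is None:
        return None, None
    out = []
    for name, value in headers:
        low = name.lower()
        if low == "host":                       # replacehostheader on
            out.append(("Host", backend["address"].split(":")[0]))
        elif low == "x-forwarded-for":          # never trust the client's copy
            continue
        else:
            out.append((name, value))
    out.append(("X-Forwarded-For", client_ip))  # addxforwardedfor on
    return backend["address"], build(start, out, body)


def rewrite_response(raw: bytes, server_headers=SERVER_HEADERS) -> bytes:
    """Append the configured serverheaders; addxrversion off means no
    balancer-identifying header is added."""
    start, headers, body = parse_head(raw)
    extra = [tuple(s.strip() for s in h.split(":", 1)) for h in server_headers]
    return build(start, headers + extra, body)
```

A request whose Host matches no hostmatch gets no back end at all, so
the balancer should answer it itself (for example with 404) rather than
fall through to an arbitrary server. -->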
</configuration>
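<!-- Added example, not part of the Crossroads distribution: a lint pass
over an xrctl.xml that reports the settings in this sample a production
deployment should not copy: a web interface bound to "0" (all
interfaces), a service without <acl> or <dosprotection>, traffic
logging into /tmp, debug output enabled, and an excess program given by
a relative path. The XML below is a constructed excerpt in the shape of
this file, with the ssh service's web interface left on "0" so the
linter has something to report. The checks and thresholds are this
example's, not xr's.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the configuration above.
SAMPLE_XML = """<configuration>
  <service>
    <name>ssh</name>
    <server>
      <type>tcp</type>
      <address>0:20000</address>
      <webinterface>0:20001</webinterface>
    </server>
    <backend><address>server1:22</address></backend>
  </service>
  <service>
    <name>webone</name>
    <server>
      <type>http</type>
      <address>0:20010</address>
      <webinterface>127.0.0.1:20011</webinterface>
      <debugging>
        <debug>yes</debug>
        <logtrafficdir>/tmp</logtrafficdir>
      </debugging>
      <acl><allowfrom>10.255.255.255</allowfrom></acl>
      <dosprotection>
        <hardmaxconnexcess>/usr/local/sbin/block-ip</hardmaxconnexcess>
      </dosprotection>
    </server>
    <backend><address>server1:80</address></backend>
  </service>
</configuration>
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1", "[::1]")
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp")
TRUE_WORDS = ("yes", "on", "true")


def lint_xrctl(xml_text: str):
    """Return a list of (service name, finding) pairs for settings that widen
    the balancer's attack surface."""
    findings = []
    root = ET.fromstring(xml_text)
    for svc in root.findall("service"):
        name = svc.findtext("name", default="?")
        server = svc.find("server")
        if server is None:
            continue
        web = (server.findtext("webinterface") or "").strip()
        if web and web.rsplit(":", 1)[0] not in LOOPBACK:
            findings.append((name, f"web interface reachable on non-loopback address {web}"))
        if server.find("acl") is None:
            findings.append((name, "no <acl>: any client address may connect"))
        dos = server.find("dosprotection")
        if dos is None:
            findings.append((name, "no <dosprotection>: no per-client connection rate limit"))
        else:
            for tag in ("hardmaxconnexcess", "softmaxconnexcess"):
                prog = (dos.findtext(tag) or "").strip()
                if prog and not prog.startswith("/"):
                    findings.append((name, f"{tag} uses a relative program path: {prog}"))
        dbg = server.find("debugging")
        if dbg is not None:
            tdir = (dbg.findtext("logtrafficdir") or "").strip()
            inside_tmp = tdir.startswith(tuple(d + "/" for d in WORLD_WRITABLE_DIRS))
            if tdir and (tdir in WORLD_WRITABLE_DIRS or inside_tmp):
                findings.append((name, f"traffic logged to world-writable directory {tdir}"))
            if (dbg.findtext("debug") or "").strip().lower() in TRUE_WORDS:
                findings.append((name, "debug output enabled"))
    return findings


if __name__ == "__main__":
    for service, finding in lint_xrctl(SAMPLE_XML):
        print(f"{service}: {finding}")
```

Run it against the real file with lint_xrctl(open("/etc/xrctl.xml").read())
before "xrctl start"; an empty list means none of these five patterns
is present. -->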