Closed drsbaitso closed 4 months ago
Hi, l4xnat farm works as a TCP load balancer (layer 4), and the load balancer doesn't know any information about other layers, in your case HTTP (layer 7). I would recommend you move to the HTTP(S) profile; this profile by default modifies all requests, adding or modifying (if it exists) the X-Forwarded-For header.
Please can you verify it works for you?
Thanks!
Originally I had this as a L7 in front of a pair of IIS/Exchange servers but had to switch to l4xnat (this is in a personal dev/test environment). I made the change back when it was still Zevenet and had issues with authentication in some instances after an upgrade. l4xnat worked fine in the interim. I'd like to do L7 however I'm not sure if this is still an issue. I'll do some testing to see if L7 works again for this.
This ticket seems similar to what happened to me, authentication broke after upgrade... same version of Zevenet for me when it broke : https://github.com/zevenet/zlb/issues/125
Hi @drsbaitso, the issue you describe in zevenet#125 is related to the binary implementing the HTTP profile in the previous ZEVENET version, which was called zproxy. Once we moved to SKUDONET we discarded the usage of zproxy because of instability, so the issue you are experiencing now is not related to the previous issue you mentioned.
L7 profile HTTP(S) will include X-forwarded-for header as required, you can see this in the code:
https://github.com/SKUDONET/pound/blob/master/http.c

```c
if (!h_xfwf[0])
    BIO_printf(be, "X-Forwarded-For: %s\r\n", caddr);
else
    BIO_printf(be, "X-Forwarded-For: %s, %s\r\n", h_xfwf, caddr);
```
Please refer to backend documentation in order to enable saving X-forwarded-for header on logs.
Please take into account that you may need to enable some session persistence; have a look at persistence sessions based on IP. Read more about persistence sessions here: https://www.skudonet.com/blog/sticky-sessions-load-balancer/
And know more about how to configure HTTP profile here: https://www.skudonet.com/knowledge-base/community-edition-v7-0-administration-guide/lslb-farms-update-http-profile/#Persistence
For further help please let us know.
Regards!
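
The branch quoted above appends the connecting address to whatever X-Forwarded-For value the client already sent, so only the rightmost entry is the address the load balancer itself observed. The following is an added example, not part of the original thread or of the SKUDONET code, showing how a backend-side log parser can pick the address to record; the proxy address `10.0.0.5`, the function names and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumption: the load balancer's backend-facing address (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def lb_forwarded_for(existing, caddr):
    """Model of the quoted http.c branch: set or append the client address."""
    return f"{existing}, {caddr}" if existing else caddr


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request seen by the backend.

    peer is the TCP source address of the connection. The header is only
    honoured when the peer is a trusted proxy; then entries are read from
    right to left, skipping trusted proxies, and the first other valid
    address is returned. Anything further left was supplied by the client.
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in trusted or not xff_header:
        return peer_ip
    for entry in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            return peer_ip  # malformed entry: fall back to the TCP peer
        if hop not in trusted:
            return hop
    return peer_ip


if __name__ == "__main__":
    # Constructed requests: (client-supplied XFF or None, real client address)
    for supplied, caddr in [(None, "203.0.113.7"),
                            ("127.0.0.1", "203.0.113.7"),
                            ("not-an-ip", "198.51.100.9")]:
        header = lb_forwarded_for(supplied, caddr)
        print(f"{header!r:32} -> {client_ip('10.0.0.5', header)}")
```

Taking the leftmost entry instead would let any client choose the address that ends up in the backend log.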
Unfortunately, an L7 profile still doesn't work with Outlook clients.
Would the logs on the Zevenet server show the errors or is there a debug mode I need to enable?
We have customers working with HTTP(S) profiles and Outlook clients without concern, take into account that the Outlook or Exchange server in that case implements communication using HTTP protocol, please ensure the field "HTTP verbs accepted" is configured in +MS RPC Extension verbs. Also, confirm persistence session is configured based on IP and there are no other services taking control.
If you want to enable logs, in this community version that must be done manually (we are working on the new community version that will allow doing this on the web panel).
Open the farm config file in /usr/local/zevenet/config/<farmname>_proxy.cfg
Search for the directive Loglevel (by default 0) and change the 0 to 5, save changes and restart the farm from the web GUI.
It should save all the traffic in /var/log/syslog
Take into account that even when loglevel is configured in 0 any error is saved in the syslog file as well.
If you want to share the experienced error we can help you further.
On the other hand, the topic of this issue is the x-forwarded-for header; if you want to manage another topic, I encourage you not to mix issues and to open a new issue instead.
What happened with the x-forwarded-for header? Did you enable logs in the backend? The HTTP(S) profile always includes an x-forwarded-for header in any request.
Regards!
Any update on this issue?
Thanks in advance
Any update on this issue?
Thanks in advance
I will dig into this in the next few days. I did a quick switch to L7 a couple weeks back and it had the same issues as before but I also have Extended Protection enabled on Exchange now and I know that requires the same cert the entire way thru and I did not have that. So that may have been the issue, I didn't have time to investigate at that time but I will set a block of time to test.
Thanks.
Hi @drsbaitso, thanks for the update, l4 should fix the issue if the problem is the certificates as the l4 farm works with TCP protocol.
Thanks!
closed after a while without any update
I don't know if I'm missing a configuration step but there doesn't seem to be an x-forwarded-for that's being sent along with requests. I have a simple https l4xnat farm in front of a couple IIS sites and it is darned hard to troubleshoot connection issues when I cannot connect the dots. As far as I can tell all I see in IIS is the LB's IP.
Thanks