Mailing List Archive: Cherokee: users

IPHash life time?

Index | Next | Previous | View Threaded

pubcrawler.com at gmail

Sep 17, 2009, 11:35 AM

Post #1 of 15 (637 views)
Permalink

IPHash life time?

In Cherokee under Reverse Proxy we have the choice of Round Robin or IPHash.

I am interested in utilizing IPHash for some projects to keep users
logged into servers - since their session information resides on a
single server (shortcoming of 3rd party software we are using).

How long does IPHash keep user information to get user back to same
server? What configuration option if any in Cherokee allows us to
adjust the length of time IPHash exists?

Thanks!
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

stefan at konink

Sep 17, 2009, 11:37 AM

Post #2 of 15 (614 views)
Permalink

Re: IPHash life time? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

pub crawler schreef:
> How long does IPHash keep user information to get user back to same
> server? What configuration option if any in Cherokee allows us to
> adjust the length of time IPHash exists?

It doesn't do what you think it does. It uses a modulo function on the
source ip address :)

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqygeEACgkQYH1+F2Rqwn0kJwCcD2Qvf0Bx+b6Xp4SoeiSEvEwh
G8EAn1gS5J51Dai+5sccDmlP7RCwJgIV
=wfXB
-----END PGP SIGNATURE-----
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

pubcrawler.com at gmail

Sep 17, 2009, 11:42 AM

Post #3 of 15 (618 views)
Permalink

Re: IPHash life time? [In reply to]

Hmmm so does that mean IPHash binds incoming IP addresses to servers
per se then? That would suffice as well.

What's the usefulness/utility of IPHash as intended?

Thanks!

On 9/17/09, Stefan de Konink <stefan [at] konink> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> pub crawler schreef:
>
> > How long does IPHash keep user information to get user back to same
> > server? What configuration option if any in Cherokee allows us to
> > adjust the length of time IPHash exists?
>
>
> It doesn't do what you think it does. It uses a modulo function on the
> source ip address :)
>
>
> Stefan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEAREKAAYFAkqygeEACgkQYH1+F2Rqwn0kJwCcD2Qvf0Bx+b6Xp4SoeiSEvEwh
> G8EAn1gS5J51Dai+5sccDmlP7RCwJgIV
> =wfXB
> -----END PGP SIGNATURE-----
>
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

stefan at konink

Sep 17, 2009, 11:57 AM

Post #4 of 15 (614 views)
Permalink

Re: IPHash life time? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

pub crawler schreef:
> Hmmm so does that mean IPHash binds incoming IP addresses to servers
> per se then? That would suffice as well.

No. It uses the ip address where the user comes from.

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqyhpcACgkQYH1+F2Rqwn3apgCfZm+oDdtgpdWvSLurtztEcGmF
KEAAnjA4sw21Wckz+BZGlGfEPZrgLg52
=w18b
-----END PGP SIGNATURE-----
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

xiong.chiamiov at gmail

Sep 17, 2009, 12:11 PM

Post #5 of 15 (628 views)
Permalink

Re: IPHash life time? [In reply to]

On Thu, Sep 17, 2009 at 11:57 AM, Stefan de Konink <stefan [at] konink> wrote:

> pub crawler schreef:
> > Hmmm so does that mean IPHash binds incoming IP addresses to servers
> > per se then? That would suffice as well.
>
> No. It uses the ip address where the user comes from.
>

Yes, but it takes the user's IP (the incoming IP) and creates some sort of
rule that always sends requests from that IP to a specific server, right?
Or rather, I suppose, it recalculates which server to send to on each
request, but, unless you're adding new servers in the middle of things, that
has the same effect. I think that you two are saying the same thing, but
not realizing it. Correct me if I'm completely misunderstanding.

--
James Pearson
--
The best way to predict the future is to invent it.
- Alan Kay

pubcrawler.com at gmail

Sep 17, 2009, 12:25 PM

Post #6 of 15 (607 views)
Permalink

Re: IPHash life time? [In reply to]

We use other application software - although moving more towards PHP.
Have a need for Wordpress and SugarCRM and nice people added Cherokee
Cookbook recipes for these :)

If I read correct PHP tracks sessions on disk - that's awesome - much
better approach in some instances. I can understand the NFS locking
situation that *could* occur from time to time.

IPHash sounds like it does what I thought. Now I am off to test if it
remedies some of the problems with our 3rd party applications.

Question still remains about how long IPHash keeps track of the IP/user...

Thanks James and Stefan!

On Thu, Sep 17, 2009 at 3:11 PM, James Pearson <xiong.chiamiov [at] gmail> wrote:
> On Thu, Sep 17, 2009 at 11:57 AM, Stefan de Konink <stefan [at] konink> wrote:
>>
>> pub crawler schreef:
>> > Hmmm so does that mean IPHash binds incoming IP addresses to servers
>> > per se then? �That would suffice as well.
>>
>> No. It uses the ip address where the user comes from.
>
> Yes, but it takes the user's IP (the incoming IP) and creates some sort of
> rule that always sends requests from that IP to a specific server, right?
> Or rather, I suppose, it recalculates which server to send to on each
> request, but, unless you're adding new servers in the middle of things, that
> has the same effect.� I think that you two are saying the same thing, but
> not realizing it.� Correct me if I'm completely misunderstanding.
>
> --
> James Pearson
> --
> The best way to predict the future is to invent it.
> �- Alan Kay
>
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

stefan at konink

Sep 17, 2009, 12:45 PM

Post #7 of 15 (608 views)
Permalink

Re: IPHash life time? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

James Pearson schreef:
> Yes, but it takes the user's IP (the incoming IP) and creates some sort
> of rule that always sends requests from that IP to a specific server,
> right?

It just does a modulo nothing more nothing less so rules, mapping
whatever. Just plain simple Cherokee like.

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqykc8ACgkQYH1+F2Rqwn2i3wCfcUehb+BcIW7Rfn07N47lEKh/
EnYAoIUd8mJp4N5kcjyFPXxCrNDrLHrY
=w6yE
-----END PGP SIGNATURE-----
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

pubcrawler.com at gmail

Sep 17, 2009, 12:57 PM

Post #8 of 15 (607 views)
Permalink

Re: IPHash life time? [In reply to]

Well whatever IP Hash does, it's keeping logged in users where they
belong - on the server where their session info is.

Just tested with a logged in admin section that was unusable in Round
Robin - works fine since enabling IP Hash.

Wonderful!

On Thu, Sep 17, 2009 at 3:45 PM, Stefan de Konink <stefan [at] konink> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> James Pearson schreef:
>> Yes, but it takes the user's IP (the incoming IP) and creates some sort
>> of rule that always sends requests from that IP to a specific server,
>> right?
>
> It just does a modulo nothing more nothing less so rules, mapping
> whatever. Just plain simple Cherokee like.
>
>
> Stefan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEAREKAAYFAkqykc8ACgkQYH1+F2Rqwn2i3wCfcUehb+BcIW7Rfn07N47lEKh/
> EnYAoIUd8mJp4N5kcjyFPXxCrNDrLHrY
> =w6yE
> -----END PGP SIGNATURE-----
>
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

pubcrawler.com at gmail

Sep 17, 2009, 1:05 PM

Post #9 of 15 (607 views)
Permalink

Re: IPHash life time? [In reply to]

Just dawned on me originally Stefan you said it does modulo math to IP address.

So if the backends stay the same for eternity a user from an IP will
ALWAYS end up on the same backend - even 5 years later.

That's awesome no overhead solution if so.

On Thu, Sep 17, 2009 at 3:57 PM, pub crawler <pubcrawler.com [at] gmail> wrote:
> Well whatever IP Hash does, it's keeping logged in users where they
> belong - on the server where their session info is.
>
> Just tested with a logged in admin section that was unusable in Round
> Robin - works fine since enabling IP Hash.
>
> Wonderful!
>
> On Thu, Sep 17, 2009 at 3:45 PM, Stefan de Konink <stefan [at] konink> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> James Pearson schreef:
>>> Yes, but it takes the user's IP (the incoming IP) and creates some sort
>>> of rule that always sends requests from that IP to a specific server,
>>> right?
>>
>> It just does a modulo nothing more nothing less so rules, mapping
>> whatever. Just plain simple Cherokee like.
>>
>>
>> Stefan
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEAREKAAYFAkqykc8ACgkQYH1+F2Rqwn2i3wCfcUehb+BcIW7Rfn07N47lEKh/
>> EnYAoIUd8mJp4N5kcjyFPXxCrNDrLHrY
>> =w6yE
>> -----END PGP SIGNATURE-----
>>
>
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

stefan at konink

Sep 17, 2009, 1:34 PM

Post #10 of 15 (607 views)
Permalink

Re: IPHash life time? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

pub crawler schreef:
> That's awesome no overhead solution if so.

When will you say that Alvaro is a smart guy?

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqynWEACgkQYH1+F2Rqwn2+lQCfa/Ti7PFlcY9TlrY7TlXjBhl9
lXIAoJJeWjdolTctVRUMXNFfwzHYU8FW
=IbP1
-----END PGP SIGNATURE-----
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

pubcrawler.com at gmail

Sep 17, 2009, 1:51 PM

Post #11 of 15 (607 views)
Permalink

Re: IPHash life time? [In reply to]

Alvaro is a genius and a very nice person also.

On Thu, Sep 17, 2009 at 4:34 PM, Stefan de Konink <stefan [at] konink> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> pub crawler schreef:
>> That's awesome no overhead solution if so.
>
> When will you say that Alvaro is a smart guy?
>
>
> Stefan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEAREKAAYFAkqynWEACgkQYH1+F2Rqwn2+lQCfa/Ti7PFlcY9TlrY7TlXjBhl9
> lXIAoJJeWjdolTctVRUMXNFfwzHYU8FW
> =IbP1
> -----END PGP SIGNATURE-----
>
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

urko.masse at gmail

Sep 17, 2009, 6:12 PM

Post #12 of 15 (607 views)
Permalink

Re: IPHash life time? [In reply to]

Hi,

I thought I'd chip in.

In our environment, we run a Juniper firewall that has a DMZ area, where we
place our public servers. These servers are regularly used both from outside
("Untrusted" area) and inside ("Trusted" area) of our network.

An interesting detail is that, at least in the Apache logs (haven't looked
at Cherokee), all the internal users, that is, in the "Trusted" area, show
up as being in the IP address of the firewall. So... ALL of those users
(more than 100 at a time) use the same IP address.

If I were to use IPHash, they would all hit the same server, and so it would
give me no advantage at all, because all my other servers would sit there
doing nothing.

It's not a big deal, as I don't have the volume of usage that would make me
look at using multiple servers yet, but something for you to think about.

That said, perhaps I can change some setting in the Firewall that would fix
that.

Cheers.
--
Urko Masse
+84-90-9088876

Marie von Ebner-Eschenbach<http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html>
- "Even a stopped clock is right twice a day."

On Fri, Sep 18, 2009 at 03:51, pub crawler <pubcrawler.com [at] gmail> wrote:

> Alvaro is a genius and a very nice person also.
>
>
> On Thu, Sep 17, 2009 at 4:34 PM, Stefan de Konink <stefan [at] konink>
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > pub crawler schreef:
> >> That's awesome no overhead solution if so.
> >
> > When will you say that Alvaro is a smart guy?
> >
> >
> > Stefan
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.11 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iEYEAREKAAYFAkqynWEACgkQYH1+F2Rqwn2+lQCfa/Ti7PFlcY9TlrY7TlXjBhl9
> > lXIAoJJeWjdolTctVRUMXNFfwzHYU8FW
> > =IbP1
> > -----END PGP SIGNATURE-----
> >
> _______________________________________________
> Cherokee mailing list
> Cherokee [at] lists
> http://lists.octality.com/listinfo/cherokee
>

stefan at konink

Sep 17, 2009, 6:26 PM

Post #13 of 15 (605 views)
Permalink

Re: IPHash life time? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Urko Masse schreef:
> It's not a big deal, as I don't have the volume of usage that would make
> me look at using multiple servers yet, but something for you to think about.
>
> That said, perhaps I can change some setting in the Firewall that would
> fix that.

Your firewall is doing NAT it shouldn't do that.

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqy4b0ACgkQYH1+F2Rqwn0h1QCaA4jQFlz+4MSemdvI29OZwtPu
2e4AnRypJNOrxBzYqN6tzeramHqBIVoS
=1u2x
-----END PGP SIGNATURE-----
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

urko.masse at gmail

Sep 17, 2009, 6:49 PM

Post #14 of 15 (605 views)
Permalink

Re: IPHash life time? [In reply to]

Ok, so it's me, then. I'll look around for anything that might be doing that
:)
--
Urko Masse
+84-90-9088876

Mike Ditka <http://www.brainyquote.com/quotes/authors/m/mike_ditka.html> -
"If God had wanted man to play soccer, he wouldn't have given us arms."

On Fri, Sep 18, 2009 at 08:26, Stefan de Konink <stefan [at] konink> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Urko Masse schreef:
> > It's not a big deal, as I don't have the volume of usage that would make
> > me look at using multiple servers yet, but something for you to think
> about.
> >
> > That said, perhaps I can change some setting in the Firewall that would
> > fix that.
>
> Your firewall is doing NAT it shouldn't do that.
>
>
> Stefan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEAREKAAYFAkqy4b0ACgkQYH1+F2Rqwn0h1QCaA4jQFlz+4MSemdvI29OZwtPu
> 2e4AnRypJNOrxBzYqN6tzeramHqBIVoS
> =1u2x
> -----END PGP SIGNATURE-----
>

gwolf at gwolf

Sep 19, 2009, 5:47 PM

Post #15 of 15 (594 views)
Permalink

Re: IPHash life time? [In reply to]

Urko Masse dijo [Fri, Sep 18, 2009 at 08:12:01AM +0700]:
> (…)
> In our environment, we run a Juniper firewall that has a DMZ area, where we
> place our public servers. These servers are regularly used both from outside
> ("Untrusted" area) and inside ("Trusted" area) of our network.
>
> An interesting detail is that, at least in the Apache logs (haven't looked
> at Cherokee), all the internal users, that is, in the "Trusted" area, show
> up as being in the IP address of the firewall. So... ALL of those users
> (more than 100 at a time) use the same IP address.
>
> If I were to use IPHash, they would all hit the same server, and so it would
> give me no advantage at all, because all my other servers would sit there
> doing nothing.
>
> It's not a big deal, as I don't have the volume of usage that would make me
> look at using multiple servers yet, but something for you to think about.
>
> That said, perhaps I can change some setting in the Firewall that would fix
> that.

As others have said, having them go through NAT will undoubtely have
this effect. Of course, I assume it is a stable NAT (i.e. SNAT with a
single outgoing IP). And you _do_ want that, as otherwise some systems
might get confused about the requests for a single IP coming from
seemingly from different IPs.

Of course, if you have a couple tens of machines in your trusted area,
this will be no problem. If you are NATting a B-class or something
like that, well, the short answer is don't do it ;-)

As you describe your configuration, I do not feel that _most_ systems
will suffer from it.

Greetings,

--
Gunnar Wolf • gwolf [at] gwolf • (+52-55)5623-0154 / 1451-2244
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads