So I managed to put something together:
IIS proxy  <----->  [ balance  <----->  Mongrel cluster ]
(ISAPI rewrite)     (backend server - VMware machine)
The IIS proxy takes care of single sign-on and LDAP authentication. I used the ISAPI_Rewrite proxy to rewrite requests to a virtual machine backend that hosts the actual Rails cluster.
The rewrite rules look like this:
ISAPI_Rewrite httpd.ini:
# Save the original request URL (path and query string) in a header so the
# Rails backend can see what the client actually asked the proxy for.
RewriteCond URL (.*)
RewriteHeader X-Forwarded-URL: .* $1
# Only proxy requests whose Host header names the Rails frontend
# (rails-backend or rails-backend-dev, with or without the domain suffix).
RewriteCond Host: rails-backend(?:-dev)?(?:\.domain\.com)?
# Hand the request to balance on the VMware guest (port 8081).
RewriteProxy (.*) http\://rails-backend:8081$1 [I,U,A]
On the backend side, rails-backend is a VMware guest that runs a Mongrel cluster (three Mongrel instances on cadweb ports 8000-8002) behind the balance load balancer (see the update above though).
# Listen on 8081 and spread connections over the three Mongrels; the
# trailing % makes this group hash-based instead of round-robin.
balance 8081 cadweb:8000 cadweb:8001 cadweb:8002 %
# for debugging, stay in the foreground (-f) with debug output (-d) and packet dumps (-p)
# balance -d -f -p 8081 cadweb:8000 cadweb:8001 cadweb:8002 %
The trailing % tells balance to use hash-based distribution for that group instead of the default round-robin, so the same client gets routed back to the same server for every request. One caveat: balance hashes on the source address of the connecting client, and here every connection arrives from the single IIS proxy, so all of them hash to the same Mongrel. Update - see the top of the post.
One thing I wished balance would do is filter incoming connections. In this case I would have liked balance to restrict incoming connections to the IIS proxy only. I had to use iptables to do it.
# Accept connections to balance (8081) only from the IIS proxy. iptables
# resolves the hostname once, when the rule is loaded, so an IP address is
# safer here than a name that DNS could later point somewhere else.
iptables -A INPUT -p tcp -s iis-proxy --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
# Everything else aimed at 8081 is dropped.
iptables -A INPUT -p tcp --dport 8081 -j DROP
# Note that the Mongrel ports themselves (8000-8002) are still reachable
# directly unless they are filtered the same way or bound to localhost.
A big issue with this solution is getting the list of access lists a user has rights to, and then using that information in Rails somehow to limit which pages the user can see. Whatever carries that information from the proxy to Rails must only be believed when the request really came from the proxy, since anything that reaches port 8081 directly could supply its own copy.
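As an added example (not code from the original post), here is a plain-Ruby version of the check a Rails app behind this proxy could run before rendering a page. It assumes, as a labelled assumption, that the IIS proxy forwards the authenticated user in an X-Forwarded-User header and the user's access list names in a comma-separated X-Forwarded-Groups header; the post only shows X-Forwarded-URL being set, and the proxy address 192.0.2.10 and the path-to-ACL mapping are made up for the example. The identity headers are honoured only when the TCP peer is the proxy, and the path is taken from X-Forwarded-URL and normalised before it is matched against the ACL table.

```ruby
require 'ipaddr'
require 'uri'

# Assumed address of the IIS/ISAPI_Rewrite proxy (not from the original post).
TRUSTED_PROXIES = [IPAddr.new("192.0.2.10")].freeze

# Assumed mapping of URL path prefix -> ACL names allowed to see it.
# Longest matching prefix wins; "/" is the catch-all.
PATH_ACLS = {
  "/admin"    => %w[cad-admins],
  "/drawings" => %w[cad-admins cad-users],
  "/"         => %w[cad-admins cad-users cad-guests],
}.freeze

# Collapse "." and ".." segments so "/drawings/../admin" is checked as "/admin".
def normalize_path(path)
  out = []
  path.split("/").each do |seg|
    next if seg.empty? || seg == "."
    seg == ".." ? out.pop : out.push(seg)
  end
  "/" + out.join("/")
end

def required_groups(path)
  prefix = PATH_ACLS.keys.sort_by { |k| -k.length }.find do |k|
    k == "/" || path == k || path.start_with?(k + "/")
  end
  PATH_ACLS[prefix]
end

# env is a CGI/Rack-style hash. Returns [decision, detail] where decision is
# :ok, :unauthorized (identity cannot be trusted) or :forbidden (ACL miss).
def authorize(env)
  begin
    peer = IPAddr.new(env["REMOTE_ADDR"].to_s)
  rescue IPAddr::InvalidAddressError
    return [:unauthorized, "unparseable REMOTE_ADDR"]
  end
  # Identity headers mean nothing unless the TCP peer is the proxy: anything
  # that reaches balance on 8081 directly could set them to whatever it likes.
  unless TRUSTED_PROXIES.any? { |p| p.include?(peer) }
    return [:unauthorized, "request did not arrive via the IIS proxy"]
  end

  user = env["HTTP_X_FORWARDED_USER"].to_s.strip
  return [:unauthorized, "proxy did not forward an authenticated user"] if user.empty?
  groups = env["HTTP_X_FORWARDED_GROUPS"].to_s.split(",").map(&:strip).reject(&:empty?)

  # Check the URL the client actually asked the proxy for (X-Forwarded-URL,
  # set by the ISAPI_Rewrite rule) rather than whatever the rewrite produced.
  raw = env["HTTP_X_FORWARDED_URL"] || env["PATH_INFO"].to_s
  begin
    path = normalize_path(URI.parse(raw).path.to_s)
  rescue URI::InvalidURIError
    return [:forbidden, "malformed forwarded URL"]
  end

  needed = required_groups(path)
  if (groups & needed).empty?
    return [:forbidden, "#{user} lacks #{needed.join('/')} for #{path}"]
  end
  [:ok, user]
end

# Constructed sample request, as the backend would see it after the proxy.
def proxied_env(user, groups, url, from = "192.0.2.10")
  {
    "REMOTE_ADDR"             => from,
    "HTTP_X_FORWARDED_USER"   => user,
    "HTTP_X_FORWARDED_GROUPS" => groups,
    "HTTP_X_FORWARDED_URL"    => url,
    "PATH_INFO"               => URI.parse(url).path,
  }
end

if __FILE__ == $0
  puts authorize(proxied_env("alice", "cad-users", "/drawings/123?rev=2")).first   # ok
  puts authorize(proxied_env("alice", "cad-users", "/drawings/../admin")).first    # forbidden
  puts authorize(proxied_env("mallory", "cad-admins", "/admin", "10.0.0.5")).first # unauthorized
end
```

In a real Rails app this would sit in a before_filter with the result driving a 403 or 401 response; the point is that the peer check comes first, so a forged X-Forwarded-User from anywhere other than the proxy is never consulted.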