Is it possible to duplicate network traffic from port to 2 different machines

haproxynetworking

In first I will try to describe the problem.
We use following network configuration:

machine1 with installed haproxy
machine2 with application(in this case we can assume that is only RabbitMq service)
machine3 as test server(copy of machine2)

All traffic goes to port(777 for example) of machine1. Haproxy redirect traffic to port(888 for example) of machine2. Application on machine2 listen port 888 and process requests.
Also we have machine3 as test server and when we prepare next release we want to test it with real load.

So question now: is posible to duplicate incoming network traffic from port 777 of machine1 to port 888 of machine2 and(somitemes, when we need that) to port 888 of machine3?

PS Sorry for my bad English

Best Answer

If your traffic uses TCP for communication, any Layer 2 traffic duplication won't work. This is because TCP handshake is a bi-directional process, where client needs to send back response packets to the client.

If such traffic duplication is done on a higher level, the issue is responses to clients. If two server's receive the same traffic, and both send responses back, which response should be sent?

You should be able to set traffic processing rules in HAProxy, which divides traffic between servers. This way you can get real traffic to the test server.

However, sending production users to test servers is not a good idea.

The only good solution is to set up proper load-testing using tools designed for it. With the tools, you can set up test scenarios for load testing, and the perform requests like real clients.

Related Solutions

Haproxy setup with subdomain setup

With TCP mode, HAProxy won't decode the HTTP request, so your acl lines won't do anything and the frontend will never be able to match a backend, as shown by the logs you entered: mytraffic/<NOSRV> means it wasn't able to pick a backend or server.

You'd have to split the 3 subdomains into 2 different frontends, each with their own IPs since they're all connecting on port 443. One for passthrough, the other for the SSL termination and content switching using mode http. The caveat here being that if you were to add a 4th subdomain (sub4.mydomain.com) that also required passthrough, you'd then need a 3rd frontend and IP.

You'd also need to create different CNAME or A records in DNS so that the right subdomains point to the right IPs.

Given this DNS config:

10.10.10.100        A         haproxy01-cs.mydomain.com
10.10.10.101        A         haproxy01-pt1.mydomain.com
10.10.10.102        A         haproxy01-pt2.mydomain.com
sub1.mydomain.com   CNAME     haproxy01-pt1.mydomain.com
sub2.mydomain.com   CNAME     haproxy01-cs.mydomain.com
sub3.mydomain.com   CNAME     haproxy01-cs.mydomain.com
sub4.mydomain.com   CNAME     haproxy01-pt2.mydomain.com

The HAproxy config would look something like this:

#Application Setup 
frontend ContentSwitching

  bind 10.10.10.100:443
  mode  http
  option httplog
  acl host_sub2 hdr(host) -i sub2.mydomain.com
  acl host_sub3 hdr(host) -i sub3.mydomain.com
  use_backend sub2_nodes if host_sub2
  use_backend sub3_nodes if host_sub3

frontend PassThrough1
  bind 10.10.10.101:443
  mode  tcp
  option tcplog
  use_backend sub1_nodes     

frontend PassThrough2
  bind 10.10.10.102:443
  mode  tcp
  option tcplog
  use_backend sub4_nodes

backend sub1_nodes
  mode tcp
  balance roundrobin
  stick-table type ip size 200k expire 30m
  stick on src
  server node1 10.10.10.101:8081 check
  server node2 10.10.10.102:8081 check 

backend sub2_nodes
  mode http
  balance roundrobin
  stick-table type ip size 200k expire 30m
  stick on src
  server node1 10.10.10.101:8082 check
  server node2 10.10.10.102:8082 check 

backend sub3_nodes
  mode http
  balance roundrobin
  stick-table type ip size 200k expire 30m
  stick on src
  server node1 10.10.10.101:8083 check
  server node2 10.10.10.102:8083 check

backend sub4_nodes
  mode tcp
  balance roundrobin
  stick-table type ip size 200k expire 30m
  stick on src
  server node1 10.10.10.101:8084 check
  server node2 10.10.10.102:8084 check

Web-server – Multiple Websites on Multiple Servers behind One Public IP

What is your public facing edge router?

Based on the port request you can forward to the proper server. You will need to detect host header to know which website to point to in the case of 80 and 443. URL rewrite I would only use on the same server and not to redirect to a separate server.

Under your desired approach you would forwarding to a windows server which adds another point of common failure and adds unnecessary load to the one windows server. You generally do not want to open any unnecessary ports on any computer. Run the web servers with just 80, 443 and generally nothing else [maybe RDP on a custom port for management - I would much rather VPN in to the network and use RDP on the local subnet only]

By using your edge router you eliminate one point of common failure. I am using a CISCO ASA series to do this. I have also used an ASUS 200.00 router to do this on a budget.

The email portion configure SMTP 25, POP3 110, IMAP 143, SMTP 587, also 993.

Email from the web servers - outbound responses can be processed by the exchange server so local SMTP 25 to the exchange server only.

This can be done a few ways either route or nat. You can place the servers in a DMZ and allow packets to be routed or you can NAT. Each has advantages and disadvantages to consider.

I would be more inclined to route the MS Exchange server and NAT the web servers. Review the hardening steps for running exchange server

Hope this helps

Best Answer

Related Solutions

Haproxy setup with subdomain setup

Web-server – Multiple Websites on Multiple Servers behind One Public IP

Related Topic