Load Balancing

[bshields]

Hi All (Bruce),

I'm setting up our Load Balancer again now we've updated to NT10.

The Load Balanacer passes the Client IP to my NetTalk Worker EXEs via the X-Forwarded-Proto header. I can see you are reading it from the header (but not sure what you do with it after that).

My question is, don't I really want it to become the defacto IP, and therefore the SessionIP?

Since any client changing its IP while on an active session should get an error 403, but behind my Load Balancer all clients come from the Load Balancer IP.

Also, we use the IP in logs and other areas within our actual application, I can of course edit the code to utilise the Forwarded IP (if present).

But I was curious what your thoughts were?

Regards
Bill

[Bruce]

>> I can see you are reading it from the header (but not sure what you do with it after that).

I do nothing with it. It's parsed out as a convenience for folk using load balancers <g>.

>> My question is, don't I really want it to become the defacto IP, and therefore the SessionIP?

may...be....
I'm not really sure.

I think there's a couple places the FromIP comes into view - most notably for logging - and I guess you are just seeing the load-balancer in the logs. I could tweak that so the logged IP is the Forwarded IP. That sounds like a reasonable thing to do.

Banning though would be almost useless to you - you could high-level ban the forwarded IP, but that's not the same as the low-level NetBan - and it couldn't be.

Then there's the issue of returning packets via the connection to the load balancer - there the From IP should remain correct. (It uses socket number as well, so I expect it's actually working at the moment - that's the bit we don't want to break.)

There is a GetSessionIP() method, and _maybe_ that could return the x-Forwarded value, and the logs could get that value,... let me chew on this a bit and let you know.

Cheers
Bruce

[bshields]

Ok Cool.

We can ban via Load Balancer so banning should be of no concern.

Thanks