Web Proxy / Filter

Deployment Guide

Copyright © 2011 Loadbalancer.org, Inc.

1
Table of Contents

About this Guide............................................................................................................................................... 3

Web Proxies / Filters......................................................................................................................................... 3
Load Balancing & Resilience............................................................................................................................ 3
Load balancer Configuration Options............................................................................................................... 3
Layer 4......................................................................................................................................................... 3
Direct Server Return (DR Mode)............................................................................................................. 3
Network Address Translation (NAT Mode)..............................................................................................4
Layer 7......................................................................................................................................................... 4
Source Network Address Translation (SNAT / Haproxy).........................................................................4
Persistence.................................................................................................................................................. 4
Source IP Address.................................................................................................................................. 4
Destination Hash.................................................................................................................................... 4
Loadbalancer.org Recommended Method................................................................................................... 4
Web Proxy Deployment Modes........................................................................................................................ 5
Proxy Mode.................................................................................................................................................. 5
Transparent (Routed) Proxy Mode............................................................................................................... 5
Loadbalancer.org Web User Interface.............................................................................................................. 6
Accessing the WUI...................................................................................................................................... 6
Setting Up Proxy Mode..................................................................................................................................... 7
Deployment Architecture.............................................................................................................................. 7
Web Proxy Appliance Configuration............................................................................................................ 8
Modify the Web Proxies to accept traffic for the VIP...............................................................................8
Web Proxy Operating Mode.................................................................................................................... 8
Load Balancer Configuration....................................................................................................................... 9
Creating the Virtual Server (VIP)............................................................................................................ 9
Client Configuration................................................................................................................................... 10
Setting Up Transparent Proxy Mode............................................................................................................... 11
Deployment Architecture............................................................................................................................ 11
Web Proxy Appliance Configuration.......................................................................................................... 12
Web Proxy Operating Mode.................................................................................................................. 12
Load Balancer Configuration..................................................................................................................... 13
Creating the Virtual Server (VIP).......................................................................................................... 13
Configure the load balancer to accept all http & https traffic on ports 80 & 443....................................14
Router / Default Gateway Configuration.................................................................................................... 15
Client Configuration................................................................................................................................... 15
Testing............................................................................................................................................................ 15
Conclusion...................................................................................................................................................... 16

2
About this Guide
This guide is intended to provide details on using loadbalancer.org appliances with Web Proxies / Filters. For
an introduction to setting up the appliance as well as more detailed technical information, please refer to our
quick-start guide and full administration manual available at:
http://loadbalancer.org/pdf/quickstartguideLBVM.pdf
http://loadbalancer.org/pdffiles/loadbalanceradministration.pdf

Web Proxies / Filters

Web Proxies / Filters provide a number of functions to permit organizations to control they way their staff
access the Internet. These products are often appliance based and provide functionality including:

• Web Security & Control

• URL Filtering

• Content Caching

• Anti SPAM / Anti Malware / Anti Virus

• User Authentication

• High Availability

Load Balancing & Resilience

Since secure, reliable and available Internet access is essential and not just a luxury, steps must be taken to
ensure 100% up time. Loadbalancer.org appliances provide the perfect solution by allowing multiple Web
Proxy devices to be deployed in a load balanced and highly available cluster.

Load balancer Configuration Options

The following sections describe the various load balancer configuration methods that are possible with web
proxies.

Layer 4

Direct Server Return (DR Mode)

In this mode, traffic from the client to the Web Proxy passes via the load balancer, return traffic passes
directly back to the client which maximizes performance. Direct routing works by changing the destination
MAC address of the incoming packet on the fly which is very fast. This mode is transparent by default
meaning that the proxy sees the real client IP address and not the IP address of the load balancer.

3
Network Address Translation (NAT Mode)
This modes requires the implementation of a two-arm infrastructure with an internal and external subnet to
carry out the translation (the same way a firewall works). The real servers (i.e. the web proxies) must have
their default gateway configured to point at the load balancer. It offers fairly high performance and like DR
mode is transparent by default.

Layer 7

Source Network Address Translation (SNAT / Haproxy)

Using Haproxy in SNAT mode means that the load balancer is acting as a full proxy and therefore it doesn't
have the same raw throughput as the layer 4 methods. Also, this method is not transparent by default so the
real servers will see the source address of each request as the load balancers IP address. This is generally
not desirable although this can be resolved in two ways; either by reading the X-Forwarded-For header that's
included by default when using HAproxy, or by enabling TPROXY on the load balancer. The issues with
using TPROXY are that the default gateway on the real servers (i.e. the web proxies) must be changed to
point as the load balancer and also it requires a two-arm infrastructure with two subnets which complicates
the deployment.

Persistence
Persistence may or may not be required and depends on the specific web proxy being used.

Source IP Address
Source IP persistence is the standard method and is appropriate for most requirements. When set, clients
connecting from the same source IP address within the persistence timeout period (the default is 5 mins) will
always be sent to the same web proxy.

Destination Hash
Another option is to change the load balancing algorithm (i.e. the “scheduler”) to destination hash (DH). This
causes the load balancer to select the proxy based on a hash of the destination IP address. This causes
session requests to be directed at the same server based solely on the destination IP address of a packet
which therefore makes client connections persistent for a particular Internet host.
Since this setting is a scheduler, the way connections are load balanced will also change. However it should
still provide a well balanced distribution of client sessions between web proxy servers.

Loadbalancer.org Recommended Method

Due to its speed, overall simplicity and effectiveness, Direct Routing (DR) mode with source IP persistence is
our recommended method and can be used in both proxy mode & transparent (routed) proxy mode.

4
Web Proxy Deployment Modes
There are two implementation methods that are typically used – proxy mode & transparent (routed) proxy
mode.

Proxy Mode
This mode requires a web proxy address to be defined in users browsers. This allows specific traffic
(typically HTTP & HTTPS) to be handled by the proxy on behalf of the client PC.

Transparent (Routed) Proxy Mode

With this mode, no changes are required to the clients browser configuration. Instead, the default gateway is
configured to redirect traffic that matches specific rules to the web proxy which then handles the client
requests. Rules are typically configured for HTTP & HTTPS traffic on ports 80 and 443.

In transparent mode, web proxies are unable to filter HTTPS traffic. This is because SSL cannot be
proxied transparently. SSL authenticates both sides of the connection and if a proxy is in the middle,
then both sides try to authenticate to the proxy which is incorrect and therefore the connection fails. NTLM
authentication also fails for similar reasons. For HTTPS & NTLM, either the proxy server must be explicitly
configured or traffic should pass directly from the client to the server.

5
Loadbalancer.org Web User Interface

Accessing the WUI

The WUI can be accessed from a browser at: http://192.168.2.21:9080/lbadmin

(replace 192.168.2.21 with the IP address of your load balancer)

Username: loadbalancer
Password: loadbalancer

Once you have entered the logon credentials the Loadbalancer.org Web User Interface will be displayed.

6
Setting Up Proxy Mode

Deployment Architecture

Client
PC

Client Default
Firewall Internet
PC Gateway

Load balancer 1

Load balancer 2

Web Proxy 1

Web Proxy 2

Notes

• Browser settings on client PC's must be changed to point at the Virtual Service (VIP) on the load
balancer

• The load balancer is configured in DR mode

• The Web Proxies must be configured to accept traffic for the VIP

• Typically, two loadbalancer.org appliances are deployed for resilience – this is our recommended
configuration

7
Web Proxy Appliance Configuration

Modify the Web Proxies to accept traffic for the VIP

As mentioned previously, DR mode is our recommended load balancer operating mode. To use this mode,
changes are required to the real servers, i.e. the web proxies. The real servers must accept traffic for the VIP,
but they must not respond to any ARP requests for that IP, only the VIP should do this. To configure a Linux
based web proxy appliance to accept traffic for the VIP the following line must be added to the rc.local
startup script:

iptables -t nat -A PREROUTING -p tcp -d <VIP address> -j REDIRECT

e.g.
iptables -t nat -A PREROUTING -p tcp -d 192.168.2.202 -j REDIRECT

i.e. Redirect any incoming packets destined for the VIP to the local address

Many vendors such as Bloxx, Clearswift and Smoothwall have options in their Web Interface that
allow this to be easily configured, so command line entries are not required. Please consult your
specific vendor or loadbalancer.org for more information.

Web Proxy Operating Mode

Typically there is setting on the web proxy to allow the selection of either client configured proxy or routed /
transparent proxy. In this case, this should be set to Client Configured Proxy. Please note the exact
terminology does vary between vendors so please check your specific appliance.

8
Load Balancer Configuration

Creating the Virtual Server (VIP)

• Go to Edit Configuration > Virtual Servers

• Click [Add a new Virtual Server]

• Type an appropriate name for the Virtual Server, e.g. PROXY

• Enter an IP address for the VIP followed by :your-proxies-port-number (e.g. 192.168.2.202:8080)

• Change the persistence setting to Yes (i.e. use source IP persistence)

• Click the Update button

• Now click [Modify] next to the newly created Virtual Server

• Set the Scheduler setting according to your needs (recommended: 'wlc' – weighted least connection)

• Ensure forwarding method is set to DR (Direct Return)

• Click the Update button

9
Client Configuration
Client browser settings must be set so that browsers connect via the VIP. This is typically achieved using AD
group policy.

10
Setting Up Transparent Proxy Mode

Deployment Architecture

Client
PC

Client Router / Firewall /

PC Internet
Default Gateway Default Gateway

Load balancer 1

Load balancer 2

Web Proxy 1

Web Proxy 2

Notes

• No changes are required to client PC settings

• As with non-transparent mode, the load balancer is configured in DR mode

• Rules must be added to the router / default gateway so that http traffic is sent to the load balancer /
web proxise listening port

• The Web Proxies must be configured to accept traffic for the VIP

• Typically, two loadbalancer.org appliances are deployed for resilience – this is our recommended
configuration

11
Web Proxy Appliance Configuration

Web Proxy Operating Mode

Typically there is setting on the web proxy to allow the selection of either client configured proxy or routed /
transparent proxy. In this case, this should be set to Routed / Transparent Proxy. Please note the exact
terminology does vary between vendors so please check your specific appliance.

12
Load Balancer Configuration

Creating the Virtual Server (VIP)

• Go to Edit Configuration > Virtual Servers

• Click [Add a new Virtual Server]

• Type an appropriate name for the Virtual Server, e.g. PROXY

• Enter an IP address for the VIP followed by :your-proxies-port-number (e.g. 192.168.2.202:8080)

• Change the persistence setting to Yes (i.e. use source IP persistence)

• Click the Update button

• Now click [Modify] next to the newly created Virtual Server

• Set the Scheduler setting according to your needs (recommended: 'wlc' – weighted least connection)

• Ensure forwarding method is set to DR (Direct Return)

• Click the Update button

13
Configure the load balancer to accept all http & https traffic on ports 80 & 443

To do this, add the following rules under Maintenance > Firewall Script

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 1
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100

then click Update

this modifies the load balancers rc.firewall script stored in /etc/rc.d/

Now modify the VIP settings to relate to the particular Firewall Mark used (in this case '1')
i.e. change:

to:

14
Router / Default Gateway Configuration
Depending on your network configurtation, rules must be added to the router or default gateway so that all
http traffic is sent to the VIP on the load balancer. The load balancer then load balances this traffic between
the web proxy servers.

Example iptables rules:

CLIENT="192.168.2.0/24"
FWMARK="10"
TABLE="10"
PROXY="192.168.2.204"
iptables -t mangle -A PREROUTING -s $CLIENT -p tcp -m tcp --dport 80 -j MARK --set-mark $FWMARK
ip route flush table $TABLE
ip route add default via $PROXY dev eth3 table $TABLE
ip rule add fwmark $FWMARK table $TABLE
ip route flush cache
ip route show table $TABLE
route add default gw 192.168.2.1

This example uses policy routing via firewall marks. This works by first selecting and marking the packets we
want to be sent to the proxy, i.e .all packets on port 80. Then, when the kernel goes to make a routing
decision, the marked packets aren't routed using the normal routing table, intstead via table 10 in this case.
Table 10 has only one entry: route packets to the web proxy.

Client Configuration
No changes are required to the client for transparent mode and no proxy settings should be be defined. As
long as the default gateway is set correctly, or a suitable static route is configured and rules have been setup
on the gateway, this should be all that's needed.

Testing
To verify that the traffic is passing through the load balancer correctly the following reporting options can be
used:

View Configuration > System Overview

Reports > Status

Reports > Current Connections

Several reporting and dashboard options are also available on the web proxies, for this please refer to your
specific vendors documentation.

15
Conclusion
Loadbalancer.org appliances provide a very cost effective solution for highly available load balanced Web
Proxy/Filter environments.

If you have further questions please don't hesitate to contact us at support@loadbalancer.org

16