DOKK / manpages / debian 12 / libperlbal-perl / Perlbal::Manual::ReverseProxy.3pm.en
Perlbal::Manual::ReverseProxy(3pm) User Contributed Perl Documentation Perlbal::Manual::ReverseProxy(3pm)

Perlbal::Manual::ReverseProxy - Configuring Perlbal as a Reverse Proxy

VERSION

Perlbal 1.78.

DESCRIPTION

How to configure a Perlbal Reverse Proxy service.

READ ME FIRST

Please read Perlbal::Manual::Configuration first for a better explanation on how to configure Perlbal. This document will make much more sense after reading that.

Configuration of Perlbal as a Reverse Proxy is similar to configuration as a Load Balancer.

Check Perlbal::Manual::LoadBalancer under "Using Perlbal as a Load Balancer" for a sample configuration file and for a brief explanation of the differences between a Load Balancer and a Reverse Proxy.

You can set parameters via commands of either forms:

    SET <service-name> <param> = <value>
    SET <param> = <value>
Whether to trust all incoming requests' X-Forwarded-For and related headers. Set to true only if you know that all incoming requests from your own proxy servers that clean/set those headers.

Default is false.

The number of backend connections to keep alive on reserve while there are no clients.

Default is 2.

Flag to disable any modification of X-Forwarded-For, X-Host, and X-Forwarded-Host headers.

Default is false.

How much content-body (POST/PUT/etc) data we read from a client before we start sending it to a backend web node. If "buffer_uploads" is enabled, this value is used to determine how many bytes are read before Perlbal makes a determination on whether or not to spool the upload to disk.

Default is 100k.

How much ahead of a client we'll get while copying from a backend to a client. If a client gets behind this much, we stop reading from the backend for a bit. Once all remaining data fits in the buffer, the backend is released and may be reused.

Default is 256k.

How much ahead of a client we'll get while copying from a reproxied URL to a client. If a client gets behind this much, we stop reading from the reproxied URL for a bit. The default is lower than the regular "buffer_size" (50k instead of 256k) because it's assumed that you're only reproxying to large files on event-based webservers, which are less sensitive to many open connections, whereas the 256k buffer size is good for keeping heavy process-based free of slow clients.

Default if 50k.

If an upload is coming in at a rate less than this value in bytes per second, it will be buffered to disk. A value of 0 means the rate will not be checked.

Default is 0.

If an upload is larger than this size in bytes, it will be buffered to disk. A value of 0 means the size will not be checked.

Default is 250k.

If an upload is estimated to take more than this number of seconds, it will be buffered to disk. A value of 0 means the time will not be estimated.

Default is 5.

Used to enable or disable the buffer uploads to disk system. If enabled, "buffer_backend_connect" bytes worth of the upload will be stored in memory. At that point, the buffer upload thresholds will be checked to see if we should just send this upload to the backend or if we should spool it to the disk.

Default if false.

Directory root for storing files used to buffer uploads.
How large to set the client's socket SNDBUF.

Default is 0.

How many extra backend connections we keep alive in addition to the current ones, in anticipation of new client connections.

Default is 0.

Whether Perlbal should transparently retry requests to backends if a backend returns a 500 server error.

Default is false.

Enable 'reproxying' (end-user-transparent internal redirects) to either local files or other URLs. When enabled, the backend servers in the pool that this service is configured for will have access to tell this Perlbal instance to serve any local readable file, or connect to any other URL that this Perlbal can connect to. Only enable this if you trust the backend web nodes.

Default is false.

See the section "Reproxying" in this document for more information.

String of comma-separated seconds (full or partial) to delay between retries. For example "0,2" would mean do at most two retries, the first zero seconds after the first failure, and the second 2 seconds after the second failure. You probably don't need to modify the default value.

Default it 0,0.25,0.50,1,1,1,1,1

Enable SSL to the client.

Default is false.

The cookie name to inspect to determine if the client goes onto the high-priority queue.

See Perlbal::Manual::HighPriority for more information.

A string that the "high_priority_cookie" must contain to go onto the high-priority queue.

See Perlbal::Manual::HighPriority for more information.

Timeout in seconds for idle connections to the end user. It's also the limit for how long a backend may take to respond or transfer data.

Default is 30.

The ip:port to listen on. For a service to work, you must either make it listen, or make another selector service map to a non-listening service.
The maximum number of requests to be made on a single persistent backend connection before releasing the connection.

A value of 0 means there is no limit and the connection will only be discarded once the backend asks it to be or when Perlbal is sufficiently idle.

Default is 0.

The maximum size that will be accepted for a chunked request (which is written to disk, buffered uploads must be on). A value of 0 means no limit.

Default is 209715200 (200MB).

Whether to enable HTTP keep-alives to the end user.

Default is false.

Whether to enable HTTP keep-alives to the backend webnodes.

Default is false, but setting it to true is highly recommended if Perlbal is the only client to your backends. If not, beware that Perlbal will hog the connections, starving other clients.

Timeout in seconds for HTTP persist_client_idle_timeout keep-alives to the end user.

Default is 30.

Set both the persist_client_timeout persist_client_idle_timeout and idle_timeout.

Deprecated.

Name of previously-created pool object containing the backend nodes that this reverse proxy sends requests to.
Chance (percentage) to take a standard priority request when we're in pressure relief mode.

Default is 0.

See Perlbal::Manual::HighPriority for more information.

Number of outstanding standard priority connections to activate pressure relief at.

A value of 0 disables the high priority queue system entirely.

Default is 0.

See Perlbal::Manual::HighPriority for more information.

Set the maximum number of cached reproxy results (X-REPROXY-CACHE-FOR) that may be kept in the service cache. These cached requests take up about 1.25KB of RAM each (on Linux x86), but will vary with usage. Perlbal still starts with 0 in the cache and will grow over time. Be careful when adjusting this and watch your RAM usage like a hawk.

Default is 0, which means cache is disabled.

What type of service. One of 'reverse_proxy' for a service that load balances to a pool of backend webserver nodes, 'web_server' for a typical webserver', 'management' for a Perlbal management interface (speaks both command-line or HTTP, auto-detected), or 'selector', for a virtual service that maps onto other services.
Executable which will be the HTTP server on stdin/stdout. (ALPHA, EXPERIMENTAL)
Path to certificate PEM file for SSL.

Default is "certs/server-cert.pem".

OpenSSL-style cipher list.

Default is "ALL:!LOW:!EXP".

Path to private key PEM file for SSL.

Default is "certs/server-key.pem".

A comma separated list of Net::Netmask filters (e.g. 10.0.0.0/24, see Net::Netmask) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.
Comma separated list of hosts in form 'a.b.c.d:port' which will receive UDP upload status packets no faster than once a second per HTTP request (PUT/POST) from clients that have requested an upload status bar, which they request by appending the URL get argument ?client_up_sess=[xxxxx] where xxxxx is 5-50 'word' characters (a-z, A-Z, 0-9, underscore).
Whether Perlbal should send a quick OPTIONS request to the backends before sending an actual client request to them. If your backend is Apache or some other process-based webserver, this is highly recommended. All too often a loaded backend box will reply to new TCP connections, but it's the kernel's TCP stack Perlbal is talking to, not and actual Apache process yet. Using this option reduces end-user latency a ton on loaded sites.

Default if false.

What path the OPTIONS request sent by "verify_backend" should use.

Default is "*".

Whether to provide a "Server" header.

Perlbal by default adds a header to all replies (such as the web_server role). By setting this default to "off", you can prevent Perlbal from identifying itself.

Default is "on".

backend_persist_cache vs. connect_ahead

The "backend_persist_cache" parameter refers to connections kept alive after being used, while "connect_ahead" refers to connections opened in anticipation.

For instance:

    SET backend_persist_cache = 2
    SET connect_ahead         = 1

Let's assume, for simplification purposes, that your service only has one server. Here's an example of what could happen:

  • Perlbal starts

    No connections open until the very first request comes in (this may change in the future).

  • one requests arrives

    This request starts being served on the open connection; Perlbal opens another connection because "connect_ahead"'s value tells it to always open one in anticipation.

  • a second request arrives

    (the first request hasn't concluded yet)

    The second connection is used, a third one is created so we still have one in anticipation.

  • the first request finishes

    The connection is kept open; this means we now have three open connections: two being used and one free (the first and the third one are free).

  • the second request finishes

    The connection is killed, as we already have two other open connections (the first and the third), and that's the number set by "backend_persist_cache" for the number of connections to be kept alive.

Reproxying

Perlbal supports the concept of reproxying. Basically, this gives it the ability to ask a backend node for a file and get back a specific header that says "this file is really over there, get it there." Perlbal will then load that file or URL and send it to the user transparently, without them ever knowing that they got reproxied to another location.

Add the following line to your perlbal.conf to enable reproxying on a per service basis ( reproxying is disabled by default in >= 1.38 ):

    SET enable_reproxy  = true

This can be useful for having URLs that get mapped to files on disk without giving users enough information to map out your directory structure. For example, you can create a file structure such as:

    /home/pics/$userid/$pic

Then you can have URLs such as:

    http://foo.com/mysite/users/$userid/picture/$pic

When this URL gets passed to the backend web node, it could return a simple response that includes this header:

    X-REPROXY-FILE: /home/pics/$userid/$pic

Perlbal will then use asynchronous IO to send the file to the user without slowing down Perlbal at all.

This support also extends to URLs that can be located anywhere Perlbal has access to. It's the same syntax, nearly:

    X-REPROXY-URL: http://foo.com:80/resource.html

You can also specify multiple URLs:

    X-REPROXY-URL: http://foo.com:80/resource.html http://baz.com:8080/res.htm

Just specify any number of space separated URLs. Perlbal will request them one by one until one returns a response code of 200. At that point Perlbal will proxy the response back to the user just like normal.

Note that the user's headers are NOT passed through to the web server. To the target server, it looks simply like Perlbal is requesting the resource for itself. This behavior may change at some point.

One final note: the server that returns the reproxy header can also return a "X-REPROXY-EXPECTED-SIZE" header. If present, Perlbal will consider a reproxy a failure if the file returned by the target system is of a different size than what the expected size header says. On failure, Perlbal tries the next URI in the list. If it's a file being reproxied, a 404 is returned if the file size is different.

SEE ALSO

Perlbal::Manual::Configuration, Perlbal::Manual::FailOver, Perlbal::Manual::LoadBalancer, Perlbal::Manual::Management.

2022-06-28 perl v5.34.0