/usr/share/perl5/Perlbal/Manual/ReverseProxy.pod is in libperlbal-perl 1.80-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 | =head1 NAME
Perlbal::Manual::ReverseProxy - Configuring Perlbal as a Reverse Proxy
=head2 VERSION
Perlbal 1.78.
=head2 DESCRIPTION
How to configure a Perlbal Reverse Proxy service.
=head2 READ ME FIRST
Please read L<Perlbal::Manual::Configuration> first for a better explanation on how to configure Perlbal. This document will make much more sense after reading that.
=head2 Configuring Perlbal as a Reverse Proxy
Configuration of Perlbal as a Reverse Proxy is similar to configuration as a Load Balancer.
Check L<Perlbal::Manual::LoadBalancer> under C<Using Perlbal as a Load Balancer> for a sample configuration file and for a brief explanation of the differences between a Load Balancer and a Reverse Proxy.
=head2 Parameters
You can set parameters via commands of either forms:
SET <service-name> <param> = <value>
SET <param> = <value>
=over 8
=item B<always_trusted> = bool
Whether to trust all incoming requests' X-Forwarded-For and related headers. Set to true only if you know that all incoming requests from your own proxy servers that clean/set those headers.
Default is false.
=item B<backend_persist_cache> = int
The number of backend connections to keep alive on reserve while there are no clients.
Default is 2.
=item B<blind_proxy> = bool
Flag to disable any modification of X-Forwarded-For, X-Host, and X-Forwarded-Host headers.
Default is false.
=item B<buffer_backend_connect> = size
How much content-body (POST/PUT/etc) data we read from a client before we start sending it to a backend web node. If C<buffer_uploads> is enabled, this value is used to determine how many bytes are read before Perlbal makes a determination on whether or not to spool the upload to disk.
Default is 100k.
=item B<buffer_size> = size
How much ahead of a client we'll get while copying from a backend to a client. If a client gets behind this much, we stop reading from the backend for a bit. Once all remaining data fits in the buffer, the backend is released and may be reused.
Default is 256k.
=item B<buffer_size_reproxy_url> = size
How much ahead of a client we'll get while copying from a reproxied URL to a client. If a client gets behind this much, we stop reading from the reproxied URL for a bit. The default is lower than the regular C<buffer_size> (50k instead of 256k) because it's assumed that you're only reproxying to large files on event-based webservers, which are less sensitive to many open connections, whereas the 256k buffer size is good for keeping heavy process-based free of slow clients.
Default if 50k.
=item B<buffer_upload_threshold_rate> = int
If an upload is coming in at a rate less than this value in bytes per second, it will be buffered to disk. A value of 0 means the rate will not be checked.
Default is 0.
=item B<buffer_upload_threshold_size> = size
If an upload is larger than this size in bytes, it will be buffered to disk. A value of 0 means the size will not be checked.
Default is 250k.
=item B<buffer_upload_threshold_time> = int
If an upload is estimated to take more than this number of seconds, it will be buffered to disk. A value of 0 means the time will not be estimated.
Default is 5.
=item B<buffer_uploads> = bool
Used to enable or disable the buffer uploads to disk system. If enabled, C<buffer_backend_connect> bytes worth of the upload will be stored in memory. At that point, the buffer upload thresholds will be checked to see if we should just send this upload to the backend or if we should spool it to the disk.
Default if false.
=item B<buffer_uploads_path> = path/to/directory
Directory root for storing files used to buffer uploads.
=item B<client_sndbuf_size> = I<size>
How large to set the client's socket SNDBUF.
Default is 0.
=item B<connect_ahead> = int
How many extra backend connections we keep alive in addition to the current ones, in anticipation of new client connections.
Default is 0.
=item B<enable_error_retries> = bool
Whether Perlbal should transparently retry requests to backends if a backend returns a 500 server error.
Default is false.
=item B<enable_reproxy> = bool
Enable 'reproxying' (end-user-transparent internal redirects) to either local files or other URLs. When enabled, the backend servers in the pool that this service is configured for will have access to tell this Perlbal instance to serve any local readable file, or connect to any other URL that this Perlbal can connect to. Only enable this if you trust the backend web nodes.
Default is false.
See the section C<Reproxying> in this document for more information.
=item B<error_retry_schedule> = string of comma-separated seconds (full or partial)
String of comma-separated seconds (full or partial) to delay between retries. For example "0,2" would mean do at most two retries, the first zero seconds after the first failure, and the second 2 seconds after the second failure. You probably don't need to modify the default value.
Default it 0,0.25,0.50,1,1,1,1,1
=item B<enable_ssl> = bool
Enable SSL to the client.
Default is false.
=item B<high_priority_cookie> = cookie_name
The cookie name to inspect to determine if the client goes onto the high-priority queue.
See L<Perlbal::Manual::HighPriority> for more information.
=item B<high_priority_cookie_contents> = string
A string that the C<high_priority_cookie> must contain to go onto the high-priority queue.
See L<Perlbal::Manual::HighPriority> for more information.
=item B<idle_timeout> = int
Timeout in seconds for idle connections to the end user. It's also the limit for how long a backend may take to respond or transfer data.
Default is 30.
=item B<listen> = ip:port
The ip:port to listen on. For a service to work, you must either make it listen, or make another selector service map to a non-listening service.
=item B<max_backend_uses> = int
The maximum number of requests to be made on a single persistent backend connection before releasing the connection.
A value of 0 means there is no limit and the connection will only be discarded once the backend asks it to be or when Perlbal is sufficiently idle.
Default is 0.
=item B<max_chunked_request_size> = size
The maximum size that will be accepted for a chunked request (which is written to disk, buffered uploads must be on). A value of 0 means no limit.
Default is 209715200 (200MB).
=item B<persist_client> = bool
Whether to enable HTTP keep-alives to the end user.
Default is false.
=item B<persist_backend> = bool
Whether to enable HTTP keep-alives to the backend webnodes.
Default is false, but setting it to true is highly recommended if Perlbal is the only client to your backends. If not, beware that Perlbal will hog the connections, starving other clients.
=item B<persist_client_idle_timeout> = int
Timeout in seconds for HTTP persist_client_idle_timeout keep-alives to the end user.
Default is 30.
=item B<persist_client_timeout> = int (B<DEPRECATED>)
Set both the persist_client_timeout persist_client_idle_timeout and idle_timeout.
Deprecated.
=item B<pool>
Name of previously-created pool object containing the backend nodes that this reverse proxy sends requests to.
=item B<queue_relief_chance> = int:0-100
Chance (percentage) to take a standard priority request when we're in pressure relief mode.
Default is 0.
See L<Perlbal::Manual::HighPriority> for more information.
=item B<queue_relief_size> = int
Number of outstanding standard priority connections to activate pressure relief at.
A value of 0 disables the high priority queue system entirely.
Default is 0.
See L<Perlbal::Manual::HighPriority> for more information.
=item B<reproxy_cache_maxsize> = int
Set the maximum number of cached reproxy results (X-REPROXY-CACHE-FOR) that may be kept in the service cache. These cached requests take up about 1.25KB of RAM each (on Linux x86), but will vary with usage. Perlbal still starts with 0 in the cache and will grow over time. Be careful when adjusting this and watch your RAM usage like a hawk.
Default is 0, which means cache is disabled.
=item B<role> = reverse_proxy|web_server|management|selector
What type of service. One of 'reverse_proxy' for a service that load balances to a pool of backend webserver nodes, 'web_server' for a typical webserver', 'management' for a Perlbal management interface (speaks both command-line or HTTP, auto-detected), or 'selector', for a virtual service that maps onto other services.
=item B<server_process>
Executable which will be the HTTP server on stdin/stdout. (B<ALPHA>, B<EXPERIMENTAL>)
=item B<ssl_cert_file> = path/to/file
Path to certificate PEM file for SSL.
Default is C<certs/server-cert.pem>.
=item B<ssl_cipher_list> = cipher list
OpenSSL-style cipher list.
Default is C<ALL:!LOW:!EXP>.
=item B<ssl_key_file> = path/to/file
Path to private key PEM file for SSL.
Default is C<certs/server-key.pem>.
=item B<trusted_upstream_proxies> = Net::Netmask filter
A comma separated list of L<Net::Netmask> filters (e.g. 10.0.0.0/24, see L<Net::Netmask>) that determines whether upstream clients are trusted or not, where trusted means their X-Forwarded-For/etc headers are not munged.
=item B<upload_status_listeners> = comma separated list of hosts
Comma separated list of hosts in form 'a.b.c.d:port' which will receive UDP upload status packets no faster than once a second per HTTP request (PUT/POST) from clients that have requested an upload status bar, which they request by appending the URL get argument ?client_up_sess=[xxxxx] where xxxxx is 5-50 'word' characters (a-z, A-Z, 0-9, underscore).
=item B<verify_backend> = bool
Whether Perlbal should send a quick OPTIONS request to the backends before sending an actual client request to them. If your backend is Apache or some other process-based webserver, this is highly recommended. All too often a loaded backend box will reply to new TCP connections, but it's the kernel's TCP stack Perlbal is talking to, not and actual Apache process yet. Using this option reduces end-user latency a ton on loaded sites.
Default if false.
=item B<verify_backend_path> = path
What path the OPTIONS request sent by C<verify_backend> should use.
Default is C<*>.
=item B<server_tokens> = bool
Whether to provide a "Server" header.
Perlbal by default adds a header to all replies (such as the web_server role). By setting this default to "off", you can prevent Perlbal from identifying itself.
Default is C<on>.
=back
=head2 More on Parameters
=head3 backend_persist_cache vs. connect_ahead
The C<backend_persist_cache> parameter refers to connections kept alive after being used, while C<connect_ahead> refers to connections opened in anticipation.
For instance:
SET backend_persist_cache = 2
SET connect_ahead = 1
Let's assume, for simplification purposes, that your service only has one server. Here's an example of what could happen:
=over 4
=item * Perlbal starts
No connections open until the very first request comes in (this may change in the future).
=item * one requests arrives
This request starts being served on the open connection; Perlbal opens another connection because C<connect_ahead>'s value tells it to always open one in anticipation.
=item * a second request arrives
(the first request hasn't concluded yet)
The second connection is used, a third one is created so we still have one in anticipation.
=item * the first request finishes
The connection is kept open; this means we now have three open connections: two being used and one free (the first and the third one are free).
=item * the second request finishes
The connection is killed, as we already have two other open connections (the first and the third), and that's the number set by C<backend_persist_cache> for the number of connections to be kept alive.
=back
=head3 Reproxying
Perlbal supports the concept of reproxying. Basically, this gives it the ability to ask a backend node for a file and get back a specific header that says "this file is really over there, get it there." Perlbal will then load that file or URL and send it to the user transparently, without them ever knowing that they got reproxied to another location.
Add the following line to your F<perlbal.conf> to enable reproxying on a per service basis ( reproxying is disabled by default in >= 1.38 ):
SET enable_reproxy = true
This can be useful for having URLs that get mapped to files on disk without giving users enough information to map out your directory structure. For example, you can create a file structure such as:
/home/pics/$userid/$pic
Then you can have URLs such as:
http://foo.com/mysite/users/$userid/picture/$pic
When this URL gets passed to the backend web node, it could return a simple response that includes this header:
X-REPROXY-FILE: /home/pics/$userid/$pic
Perlbal will then use asynchronous IO to send the file to the user without slowing down Perlbal at all.
This support also extends to URLs that can be located anywhere Perlbal has access to. It's the same syntax, nearly:
X-REPROXY-URL: http://foo.com:80/resource.html
You can also specify multiple URLs:
X-REPROXY-URL: http://foo.com:80/resource.html http://baz.com:8080/res.htm
Just specify any number of space separated URLs. Perlbal will request them one by one until one returns a response code of 200. At that point Perlbal will proxy the response back to the user just like normal.
Note that the user's headers are NOT passed through to the web server. To the target server, it looks simply like Perlbal is requesting the resource for itself. This behavior may change at some point.
One final note: the server that returns the reproxy header can also return a C<X-REPROXY-EXPECTED-SIZE> header. If present, Perlbal will consider a reproxy a failure if the file returned by the target system is of a different size than what the expected size header says. On failure, Perlbal tries the next URI in the list. If it's a file being reproxied, a 404 is returned if the file size is different.
=head2 SEE ALSO
L<Perlbal::Manual::Configuration>,
L<Perlbal::Manual::FailOver>,
L<Perlbal::Manual::LoadBalancer>,
L<Perlbal::Manual::Management>.
|