
Neutron/LBaaS/l7

Revision as of 17:42, 12 February 2014 by Stephen Balukoff (talk | contribs) (API Changes: Typo fix)

L7 Switching

Background

Layer 7 switching takes its name from the OSI model, indicating that the device switches requests based on layer 7 (application) data. Layer 7 switching is also known as "request switching", "application switching", and "content based routing". A layer 7 switch presents to the outside world a "virtual server" that accepts requests on behalf of a number of servers and distributes those requests based on policies that use application data to determine which server should service which request. This allows the application infrastructure to be tuned and optimized to serve specific types of content. For example, one server can be tuned to serve only images, another to execute server-side scripting languages like PHP and ASP, and another to serve static content such as HTML, CSS, and JavaScript. Unlike load balancing, layer 7 switching does not require that all servers in the pool (farm/cluster) have the same content. In fact, layer 7 switching expects that servers will have different content, hence the need to inspect requests more deeply before determining where they should be directed. Layer 7 switches are capable of directing requests based on URI, host, HTTP headers, and anything else in the application message.

API Changes

  • CRUD operations for L7Policy
  • CRUD operations for L7Rule
  • CRUD operations for L7VipPolicyAssociation

CLI Example

  • neutron --policy policy1 lb-create-l7policy (Create an l7 policy named 'policy1')
  • neutron lb-create-l7rule rule1 --attribute-type header --attribute-name "myheader" --attribute-value "transaction[1-9]{1,4}" --policy policy1 (Create an l7 rule named 'rule1' and associate it with the policy 'policy1')
  • neutron lb-create-l7rule rule2 --attribute-type path --attribute-value "/shopping/.*" --policy policy1 (Create an l7 rule named 'rule2' and associate it with the policy 'policy1')
  • neutron lb-create-pool pool1 ..... (Create the pool)
  • neutron lb-create-vip vip1 ...... (Create the vip)
  • neutron lb-associate-vip-pool --vip vip1 --pool pool1 --action SELECT-POOL --l7policy policy1 (Associate the vip and the pool with 'policy1'. If policy1 returns True, the traffic of vip1 is directed to pool1)

Model

   class L7Rule {
      String l7policyID
      enum Type [Hostname, Path, File Type, Header, Cookie], // need to decide: enum or string
      enum Compare Type [regex],
      String Value,
      int position // L7Rules are held by L7Policy as a list; one can set the position of the rule in the list
   }
   class L7Policy {
      String name
      collection of L7Rule
   }
   class L7VipPolicyAssociation { // holds the association between a vip and an l7policy
      String vipID
      String l7policyID
      String action // need to decide if we want an enum here {REDIRECT, REJECT, MODIFY_CONTENT}
      String poolID // optional; mandatory if action is REDIRECT
   }

DB Migration

Implementation Plan

  • neutron-server change
  • db models and logic change
  • lbaas plugin change
  • lbaas driver change
  • python-neutronclient
  • horizon

HAProxy L7 Switching

HAProxy L7 Switching is based on the HAProxy ACL engine. Example 1 (blocking):

       # ... some HTTP content smuggling and other various things
       acl forbidden_hdrs hdr_cnt(host) gt 1
       acl forbidden_hdrs hdr_cnt(content-length) gt 1
       acl forbidden_hdrs hdr_val(content-length) lt 0
       acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
       block if forbidden_hdrs

Example 2 (switching - switch to the pool(backend) named 'www2' if 'host_www2' is true ):

      acl host_www2  hdr_beg(host) -i www2.
      use_backend   www2   if host_www2
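
As an added example (not code from this page or from the LBaaS HAProxy driver), here is one way a driver could render the 'policy1' rules from the CLI example into HAProxy ACL lines of the kind shown above, rejecting tenant-supplied values that could inject extra directives into the generated configuration. The rule dict shape, the mapping of rule types to `hdr_reg`/`path_reg`, the ACL naming and the AND-combination of rules are assumptions.

```python
import re

# Added example. Rule dict shape, name prefixing and AND-combination are assumptions.
FETCH = {"header": "hdr_reg({name})", "path": "path_reg"}  # HAProxy regex ACL keywords
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")  # used with fullmatch(), so no trailing "\n"


def safe_value(value):
    """Conservative allowlist: printable ASCII without space, '#', quotes or backslash,
    all of which mean something to the haproxy.cfg parser itself."""
    return bool(value) and all(33 <= ord(c) <= 126 and c not in "#\"'\\" for c in value)


def render_policy(policy, rules, pool):
    """Return haproxy.cfg lines sending requests that match every rule to `pool`."""
    if not rules:
        raise ValueError("policy has no rules")
    if not (SAFE_NAME.fullmatch(policy) and SAFE_NAME.fullmatch(pool)):
        raise ValueError("unsafe policy or pool name")
    lines, acls = [], []
    for rule in sorted(rules, key=lambda r: r["position"]):
        header = rule.get("attribute_name", "")
        if rule["type"] not in FETCH or not SAFE_NAME.fullmatch(rule["name"]):
            raise ValueError("unsupported rule type or unsafe rule name")
        if rule["type"] == "header" and not SAFE_NAME.fullmatch(header):
            raise ValueError("unsafe header name")
        if not safe_value(rule["value"]):
            raise ValueError(f"unsafe value in rule {rule['name']}")
        try:
            re.compile(rule["value"])  # syntax check only; HAProxy uses its own regex engine
        except re.error as exc:
            raise ValueError(f"invalid regex in rule {rule['name']}") from exc
        acl = f"{policy}_{rule['name']}"
        lines.append(f"acl {acl} {FETCH[rule['type']].format(name=header)} {rule['value']}")
        acls.append(acl)
    lines.append(f"use_backend {pool} if {' '.join(acls)}")
    return lines


# The two rules from the CLI example above; the positions are constructed.
PAGE_RULES = [
    {"name": "rule2", "type": "path", "value": "/shopping/.*", "position": 2},
    {"name": "rule1", "type": "header", "attribute_name": "myheader",
     "value": "transaction[1-9]{1,4}", "position": 1},
]

if __name__ == "__main__":
    print("\n".join(render_policy("policy1", PAGE_RULES, "pool1")))
```

The allowlist is deliberately stricter than HAProxy's own escaping rules, so regexes that need a backslash or a space are rejected by this example.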

Using ACL
Matching at Layer 7
Examples