Re: [SAGE] Limiting outbound connections with a reverse proxy?
- To: Brad Knowles <brad@xxxxxxxxxxxxxxxxx>
- Subject: Re: [SAGE] Limiting outbound connections with a reverse proxy?
- From: Marco Marongiu <brontolinux@xxxxxxxxx>
- Date: Wed, 02 Jan 2008 20:06:31 +0100
- Cc: SAGE mailing list <sage-members@xxxxxxxx>
- In-reply-to: <p06240800c3a17070a90f@[192.168.1.101]>
- References: <477B6A11.1030700@xxxxxxxxx> <p06240800c3a17070a90f@[192.168.1.101]>
- Sender: owner-sage-members@xxxxxxxxxx
- User-agent: Thunderbird 2.0.0.6 (X11/20071022)
Hello Brad & *

Brad Knowles wrote:
> You don't tell us what kind of service you're talking about, but from
> your mention of Pound, I'm assuming that this is a web problem?

Right, sorry.
We are talking of a web service (SOAP) sitting on a Solaris host, and a
consumer running on Linux.
Therefore, iptables could be an option on the source machine, but on the
target it wouldn't. Nor would ipfw be on either.

> Certainly, setting up a proxy of some sort that can take advantage of
> connection caching, etc... would seem to be a way to improve your
> performance, and depending on the nature of the application, I would
> think that even squid, apache, or other web servers could be set up in
> this kind of role.

Actually it's not performance that we are looking for at the moment:
it's to feed the web service with nothing more than it can handle, that
is: 10 connections per second at maximum.
Therefore, the proxy (or whatever it will be) needs to accept N
connections per second, and dispatch them at a maximum rate of 10
conn/sec, enqueuing the exceeding ones until they can be dispatched,
possibly using a FIFO policy.

> And squid apparently does have a way to limit the number of simultaneous
> connections from a client, see
> <http://www.cyberciti.biz/tips/howto-limit-squid-proxy-number-web-connections.html>.

That's not the case unfortunately. What we want to limit are the
outbound connections from the proxy to the service, and enqueue the
exceeding ones. Returning a 'connection refused' error would disrupt the
service.

> But with just five minutes of Googling, I'm not finding anything else
> that would appear to be obviously related to what it seems like you're
> talking about.

Is it clearer now?

Thanks a lot to everybody
--Marco
--
Marco Marongiu
System Administrator - Technical Writer - Perl Programmer
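
The behaviour asked for in the message above (accept requests at any rate, forward them to the service at no more than 10 connections per second, and queue the excess in FIFO order instead of refusing it), as an added Python asyncio example. It is not code from the thread; `FifoPacer`, `submit`, `backend` and the demo functions are hypothetical names, and the demo uses a faster rate than the page's 10/sec only to keep the run short.

```python
import asyncio
import time

class FifoPacer:
    """Queue requests in arrival order; release at most `rate` per second."""
    def __init__(self, backend, rate=10, maxsize=0):
        self.interval = 1.0 / rate      # minimum spacing between dispatches
        self.backend = backend          # coroutine function that calls the service
        # maxsize > 0 makes submit() wait when full: backpressure, not a refusal.
        self.queue = asyncio.Queue(maxsize)
        self.sent_at = []               # monotonic timestamp of every dispatch
        self._tasks = set()             # keep references to in-flight forwards

    async def submit(self, request):
        reply = asyncio.get_running_loop().create_future()
        await self.queue.put((request, reply))
        return await reply              # caller waits here until dispatched

    async def _forward(self, request, reply):
        try:
            reply.set_result(await self.backend(request))
        except Exception as exc:        # hand backend failures back to the caller
            reply.set_exception(exc)

    async def run(self):
        next_slot = 0.0
        while True:
            request, reply = await self.queue.get()     # oldest request first
            while (delay := next_slot - time.monotonic()) > 0:
                await asyncio.sleep(delay)              # re-check: sleep may wake early
            now = time.monotonic()
            self.sent_at.append(now)
            next_slot = now + self.interval
            task = asyncio.create_task(self._forward(request, reply))
            self._tasks.add(task)
            task.add_done_callback(self._tasks.discard)

async def demo(n=6, rate=50):
    seen = []
    async def backend(request):         # constructed stand-in for the SOAP service
        seen.append(request)
        return f"ok:{request}"
    pacer = FifoPacer(backend, rate)
    worker = asyncio.create_task(pacer.run())
    replies = await asyncio.gather(*(pacer.submit(i) for i in range(n)))
    worker.cancel()
    return seen, replies, min(b - a for a, b in zip(pacer.sent_at, pacer.sent_at[1:]))

def run_demo(n=6, rate=50):
    return asyncio.run(demo(n, rate))
```

Spacing dispatches by `1/rate` is stricter than counting per one-second window: it also prevents a burst of 10 at the start of each second. Leaving `maxsize` at 0 lets the queue grow without limit if the inbound rate stays above the dispatch rate.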