Chuck is a genius at turning a crazy idea into a great product pitch - I honestly couldn't tell if he was being serious or not for the first 10 minutes :-).
Kemp is one of our best competitors and has a great product supported by a great team. The video is clearly pitched at tech enthusiasts who like to play with so-called ‘FREE’ stuff. The real pitch however, is at the end of the video where Kemp is suggesting that you can use their product to make secure pin-holes to specific applications inside the corporate firewall.
So it’s great PR and well worth watching, but two things really bug me about it:
So if you were enough of a GEEK to put a load balancer in your home, how should you really do it?
Chuck raises some brilliant points and solves a problem that could be common with home networks. But it's also crazy (which is why it's funny).
Netflix needs load balancers, but it's highly unlikely that your family and pets will require scaling out servers for your private song, video and photo collections!
In Chuck's example, you could have a website, a NAS and a Plex server on your home network and only one public IP available to access them all. You could put these behind a virtual service, with your public IP as the virtual service address, all on port 443, have your website, NAS and Plex server as the backend real servers, and use ACL rules for your 'content switching' plus DNS settings so that you reach the server you want when you access the VIP.
Now, that’s reasonable, right? Well, not really...
That's extreme overkill. Why would you want to use proprietary enterprise software to do something in your home network?
So how could we improve our skills by doing this with open source software?
Let’s use a free open source alternative with a huge community and extensive help forums with decades of data already in them.
The same tasks can be achieved by running a reverse proxy on our favourite open source software, HAProxy, which is built into pfSense (which you could already be running). This gives you a free open source load balancing solution, used exactly the same way as described above: the HAProxy configuration creates the virtual service and the ACL rules, and a Cloudflare account provides the DNS nameservers that are required.
If you are looking to do this, you could:
1. Create a virtual service on HAProxy on port 443, using a free address in your home network through which you wish to access the servers.
2. Add your real servers as the backend; this is where the traffic will be redirected to.
3. Set up a domain (you can get a free one at freenom.com) and a nameserver on a service such as Cloudflare, as this helps enhance security using SSL. On Cloudflare, change the DNS records for your new domain so that they point at the public IP address of your house.
4. Ping the new hostname to ensure that it has been set up correctly.
5. Next, you can optionally add an SSL certificate for the domain (this can be a SAN certificate or a wildcard certificate).
6. Port forward port 443 to the virtual service address.
7. Set up content redirection in your HAProxy configuration.
Your HAProxy configuration may look something like this:
listen home_vip
    mode http                         # needed for path-based ACLs and use-server
    bind 192.168.90.10:443 transparent
    # for HTTPS on the VIP (the optional certificate step) append to the bind line:
    #   ssl crt /path/to/cert.pem
    timeout http-request 5s
    timeout tunnel 1h
    # source-IP stickiness; the 'peers' replication keyword that the pfSense
    # package adds needs a matching peers section, so it is omitted on a single box
    stick-table type ip size 10240K expire 30m
    stick on src
    # sorry-server added by the pfSense package; only used if every real server is down
    server backup 127.0.0.1:9081 backup non-stick
    server Plex_Server 192.168.90.6:8006 id 623843618 weight 100 check inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    server Web_Server 192.168.90.7:80 id 459236736 weight 10 check inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    server NAS_Server 192.168.94.13:5001 id 267373704 weight 100 check inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    # content switching: URL-decode the path, then prefix-match it case-insensitively;
    # use-server names are case-sensitive and must match the server lines exactly
    acl rule_1 path,url_dec -m beg -i /plex
    use-server Plex_Server if rule_1
    acl rule_2 path,url_dec -m beg -i /NAS
    use-server NAS_Server if rule_2
    acl rule_3 path,url_dec -m beg -i /web
    use-server Web_Server if rule_3
I have my home VIP on port 443, my backend servers on the ports they are being load balanced on, and I have configured some content redirection rules to send traffic to the correct server based on the start of the path (this can be done in different ways, for example by sending it to the relevant IP address of each server).
It is important to bear in mind that a lot of households don't have a static public IP, so you would need to watch out for changes to it. There is also another way to resolve this issue, by simply using different ports, but if you are restricted to port 443 only then this would be the best option.
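As an added example (not code from the original post or from the pfSense HAProxy package), the following Python script checks a content-switching block like the one above for mistakes that are easy to make in this setup: use-server names that do not exactly match a server line (HAProxy compares them case-sensitively, so the config is rejected at load time), a stick-table that names a peers section that was never defined, and the absence of a catch-all deny, which leaves any request whose path matches no rule to be load-balanced across all three real servers. The embedded config is a constructed transcription of the post's block with the name mismatches kept in as test input.

```python
# Transcription of the post's block (constructed test input); the use-server
# lines keep the lower-case 's' that does not match the server names.
HOME_VIP = """
listen home_vip
    bind 192.168.90.10:443 transparent
    stick-table type ip size 10240K expire 30m peers loadbalancer_replication
    server Plex_Server 192.168.90.6:8006 check
    server Web_Server 192.168.90.7:80 check
    server NAS_Server 192.168.94.13:5001 check
    acl rule_1 path,url_dec -m beg -i /plex
    use-server Plex_server if rule_1
    acl rule_2 path,url_dec -m beg -i /NAS
    use-server NAS_server if rule_2
    acl rule_3 path,url_dec -m beg -i /web
    use-server Web_server if rule_3
"""

def check_config(cfg):
    # Returns a list of findings; an empty list means every check passed.
    servers, targets, peers_used, peers_defined, denies = set(), [], set(), set(), 0
    for raw in cfg.splitlines():
        tok = raw.split("#", 1)[0].split()        # strip comments, tokenise
        if not tok:
            continue
        if tok[0] == "server":
            servers.add(tok[1])
        elif tok[0] == "use-server":
            targets.append(tok[1])
        elif tok[0] == "stick-table" and "peers" in tok:
            peers_used.add(tok[tok.index("peers") + 1])
        elif tok[0] == "peers":                    # a top-level peers section
            peers_defined.add(tok[1])
        elif tok[:2] == ["http-request", "deny"]:
            denies += 1
    findings = []
    for t in targets:
        if t not in servers:                       # HAProxy matches case-sensitively
            hint = [s for s in servers if s.lower() == t.lower()]
            findings.append(f"use-server '{t}' has no server line"
                            + (f" (did you mean '{hint[0]}'?)" if hint else ""))
    for p in peers_used - peers_defined:
        findings.append(f"stick-table names undefined peers section '{p}'")
    if targets and not denies:
        findings.append("no 'http-request deny' catch-all: paths matching no "
                        "rule are balanced across every real server")
    return findings

# Hardened variant: names fixed, peers reference dropped, unmatched paths rejected.
HARDENED = (HOME_VIP.replace("_server if", "_Server if")
            .replace(" peers loadbalancer_replication", "")
            + "    http-request deny unless rule_1 or rule_2 or rule_3\n")
```

Running `check_config` on a config exported from pfSense gives the same three classes of finding; `haproxy -c -f <file>` remains the authoritative syntax check.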