I am trying to reduce the load on my webservers by adding an "Image server" (a dedicated server for handling image requests), and redirecting all requests for .gif,.jpg,.png etc., to it.

My question is, what is the best way to handle the redirection?

  • At the firewall level? (can I do this using iptables?)
  • At the load balancer level? (can ldirectord handle this?)
  • At the apache level - using rewrite rules?

Thanks for any suggestions on the best way to do this.

--Update--

One thing I would add is that these are domains that are hosted for 3rd parties, so I can't expect all the developers to modify their code and point their images to another server.

+2  A: 

The further up the chain you can do it, the better.

Ideally, do it at the DNS level by using a different domain for your images (eg imgs.example.com)

If you can afford it, get someone else to do it by using a CDN (Content delivery network).

-Update-

There are also 2 features of apache's mod_rewrite that you might want to look at. They are all described well at http://httpd.apache.org/docs/1.3/misc/rewriteguide.html.

The first is under the heading "Dynamic Mirror" in the above document, that uses the mod_rewrite Proxy flag [p]. This lets your server silently fetch files from another domain and return them.

The second is to just redirect the request to the new domain. This second option puts less strain on your server, but requests still need to come in and it slows down the final rendering of the page, as each request needs to make an essentially redundant request to your server first.

rikh
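
The two mod_rewrite options described in this answer, written out as server-level configuration so that hosted third-party sites need no code changes. This is an added example, not part of the original answer; the host names www-a.example.com, www-b.example.com and img.example.com are placeholders.

```apache
# Option 1: external redirect (needs mod_rewrite only).
# The browser is told to re-request the file from the image host, so the
# image bytes never pass through this server. Each image still costs one
# small request/response here first.
<VirtualHost *:80>
    ServerName www-a.example.com

    RewriteEngine On
    # In virtual-host context the pattern is matched against the URL path,
    # which starts with "/". The query string is carried over automatically.
    RewriteRule "^/(.+\.(?:gif|jpe?g|png))$" "http://img.example.com/$1" [NC,R=307,L]
</VirtualHost>

# Option 2: silent proxy fetch (needs mod_rewrite, mod_proxy, mod_proxy_http).
# The client sees a normal response from this host, but every image byte
# still flows through this server's network pipe.
<VirtualHost *:80>
    ServerName www-b.example.com

    # Keep forward proxying disabled; [P] reverse proxying works without it.
    ProxyRequests Off

    RewriteEngine On
    # Scheme and host of the target are fixed strings. Only the path comes
    # from the request, so a client cannot steer the proxy to another host.
    RewriteRule "^/(.+\.(?:gif|jpe?g|png))$" "http://img.example.com/$1" [NC,P]
</VirtualHost>
```

With option 2, never build the target scheme or host from request data such as the Host header or a query parameter, or the server can be used to reach arbitrary back ends.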
Is CoralCache still around? Does it work? It saved me from a Slashdotting once.
Paul Tomblin
I agree that the further up the chain, the better. DNS is a little high for me to make this work, but doing it at the firewall NATting level seems to hold more promise. But all the specifics so far have been at the apache level.
Brent
Firewall level isn't really practical. Think about it: the firewall would have to dig all the way into the packets, interpret the results, and then selectively create appropriate return packets. That describes a webserver like Apache, not a firewall.
Eli
+1  A: 

i agree with rikh. If you want images to be served from a different webserver, then serve them on a different web-server. For example:

<IMG src="images/Brett.jpg">

becomes

<IMG src="http://brettnesbitt.akamia-technologies.com/images/Brett.jpg">

Any kind of load balancer will still feed the image from the web-server's pipe, which is what you're trying to avoid.


i, of course, know what you really want. What you really want is for any request like:

GET images/Brett.jpg HTTP/1.1

to automatically get converted into:

HTTP/1.1 307 Temporary Redirect
Location: http://brettnesbitt.akamia-technologies.com/images/Brett.jpg

this way you don't have to do any work, except copy the images to the other web-server.

That i really don't know how to do.


By using the phrase "NAT", it implies that the firewall/router receives HTTP requests, and you want to forward the request to a different internal server if the HTTP request was for image files.

This then begs the question about what you're actually trying to save. No matter which internal web-server services the HTTP request, the data is still going to have to flow through the firewall/router's pipe.

The reason i bring it up is because the common scenario when someone wants to serve images from a different server is because they want to split up high-bandwidth, mostly static, low-CPU cost content from their actual logic.

Only using NAT to re-write the packet and send it to a different server will not work towards that common issue.

The other reason might be because images are not static content on your system, and a request to

GET images/Brett.jpg HTTP/1.1

actually builds an image on the fly, with a high-CPU cost, or only using with data available (i.e. SQL Server database) to ServerB.

If this is the case then i would still use a different server name on the image request:

GET http://www.brettsoft.com/default.aspx HTTP/1.1
GET http://imageserver.brettsoft.com/images/Brett.jpg HTTP/1.1


i understand what you're hoping for, with network packet inspection to override the NAT rule and send it to another server - i've never seen any such thing that can do that.

It sounds more "proxy-ish", where the web-proxy does this. (i.e. pfSense and m0n0wall can't do it)

Which then leads to a kind of solution we used once: a custom web-server that analyzes the request, makes the appropriate request off some internal server, and binary writes the response to the client.

That pain in the ass solution was insisted upon by a "security consultant", who apparently believes in security through obscurity.

i know IIS cannot do such things for you itself - i don't know about other web-server products.


i just asked around, and apparently if you wanted to write a custom kernel module for your linux based router, you could have it inspect packets and take appropriate action. Such a module might exist. There are, apparently, plenty of other open-sourced modules to use as a starting point.

But i'd rather shoot myself in the head.

Ian Boyd
What I would REALLY like is to have a separate box (firewall / load balancer) recognize the extension in the HTTP request, and NAT/redirect accordingly.
Brent