haproxy backend selection depending on connection location

[Grant Byers <Gr...@aarnet.edu.au>]

Hi all,

We've recently implemented Guacamole for a VDI proof of concept. This 
went extremely well and we're now looking to scale out.

We started with a guacd instance servicing RDP instances within a single 
data centre. We have anycasted haproxy servers in front of guacd. We've 
now built 2 other data centres and have deployed guacd instances within 
each of those DCs. We'd like haproxy to be able to select a backend 
guacd instance that's closest to the users RDP instance, but I'm yet to 
find a nice way to do that. This would need to occur post login to 
guacamole, but on selection of the connection.

Any ideas?

Thanks,
Grant


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

Re: haproxy backend selection depending on connection location

[Nick Couchman <vn...@apache.org>]

On Sun, Oct 16, 2022 at 10:18 PM Grant Byers <Gr...@aarnet.edu.au> wrote:
>
> Hi all,
>
> We've recently implemented Guacamole for a VDI proof of concept. This
> went extremely well and we're now looking to scale out.

This sounds very cool - I've long wanted to build a VDI solution on
top of Guacamole - I'd be very interested to see what you have done.

>
> We started with a guacd instance servicing RDP instances within a single
> data centre. We have anycasted haproxy servers in front of guacd. We've
> now built 2 other data centres and have deployed guacd instances within
> each of those DCs. We'd like haproxy to be able to select a backend
> guacd instance that's closest to the users RDP instance, but I'm yet to
> find a nice way to do that. This would need to occur post login to
> guacamole, but on selection of the connection.
>
> Any ideas?

I'm no expert on HAProxy, but it seems like what you're asking for is
HAProxy to be able to "examine" the Guacamole protocol connection -
specifically, the "connect" instruction, figure out where that
connection is going, and then make a routing decision to the back-end
server based on some knowledge HAProxy also has of the network
topology. The second part of this - decision tree based on network
topology - is probably fairly routine and doable. The first part is
going to be the challenge - figuring out how to configure HAProxy to
inspect the Guacamole protocol packets and find the information it
needs to make that decision.

I found this page:
https://discourse.haproxy.org/t/choosing-backend-based-on-tcp-payload/1600

It seems like HAProxy has the extensibility to be able to do some very
customized packet inspection, which isn't terribly surprising, but
I've no idea how much effort it would take to figure out what part of
the Guacamole packet contains the information you need, and how much
it may vary from connection-to-connection, and then extract that
information and make the routing decision.

You may also want to try posting to the HAProxy list and see if they
can help out over there. The Guacamole protocol is fairly
well-documented, so it should be pretty easy to examine the TCP
packets at a network/proxy level, just a matter of nailing down all of
the details within the HAProxy config.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org