Best practices for Railgun and a Load Balancer

 

If you are using Cloudflare Railgun and a load balancer, here are some things to note:

We strongly encourage installing Railgun in front of any Load Balancer/Firewall/NAT, so that the setup looks like this:

Visitor <--> Cloudflare <--> Railgun(s) <--> Load Balancer/Firewall/NAT <--> Webserver(s)

The reason for this setup is that Railgun, by design, keeps a persistent and encrypted connection open on port 2408. Placing the Railgun in front of other network equipment:

  • Allows Load Balancers to correctly distribute web requests to the web servers in the same way as it would without Railgun being used for the domain.
  • Allows a firewall to analyze the traffic for threats in the same way as it would without Railgun being used for the domain.
  • Allows a NAT device to handle web requests in the same way as it would without Railgun being used for the domain.

It is also possible to put Railgun after the load balancer and have Railgun accelerate dynamic content:

Visitor <--> Cloudflare <--> Load Balancer/Firewall/NAT <--> Railgun(s) <--> Webserver(s)

However, we advise experienced systems administrators and engineers to use this setup only when absolutely necessary, because placing Railgun behind a Load Balancer/Firewall/NAT could:

  • Prevent a Load Balancer from distributing requests correctly as all requests would be routed from the Load Balancer to the Railgun before reaching the web servers. [It is important to note that while Railgun can do some load-balancing, it will do so in a round-robin fashion.]
  • Prevent the firewall from analyzing incoming traffic as all inbound traffic from the Railgun is encrypted with Railgun's certificate.
  • In a NAT environment, create routing complexity and more points of failure if not configured properly.

To load-balance, set the origins/load balancers in railgun-nat.conf like so:

default=1.2.3.4 5.6.7.8

or

example.com=1.2.3.4 5.6.7.8

(separate the entries with a space)
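
As an added example (not Cloudflare's code), the following Python check parses entries in the host=address form shown above, rejects comma-separated or malformed addresses, and models the plain round-robin order mentioned earlier. It assumes values are IP literals as in the examples on this page and treats a repeated key as a mistake; the function names and the hostnames bad.example and typo.example are made up for illustration.

```python
import ipaddress
from itertools import cycle, islice

# Constructed sample in the key=value form shown above; the last two lines are
# deliberately malformed (comma separator, invalid address).
SAMPLE = """\
default=1.2.3.4 5.6.7.8
example.com=1.2.3.4 5.6.7.8
bad.example=1.2.3.4,5.6.7.8
typo.example=1.2.3.4 5.6.7.999
"""

def parse_nat_conf(text):
    """Return (mapping, errors): mapping is host -> list of origin IPs."""
    mapping, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        host, sep, value = line.partition("=")
        host = host.strip()
        if not sep or not host or not value.strip():
            errors.append((lineno, "expected host=ip [ip ...]"))
            continue
        if host in mapping:  # assumption: a repeated key is a mistake
            errors.append((lineno, f"duplicate entry for {host}"))
            continue
        origins, ok = [], True
        for token in value.split():
            try:
                origins.append(str(ipaddress.ip_address(token)))
            except ValueError:
                hint = " (separate entries with a space)" if "," in token else ""
                errors.append((lineno, f"invalid address {token!r}{hint}"))
                ok = False
        if ok:
            mapping[host] = origins
    return mapping, errors

def round_robin(origins, n):
    """Model of plain round-robin: the first n picks, ignoring load or health."""
    return list(islice(cycle(origins), n))

if __name__ == "__main__":
    conf, problems = parse_nat_conf(SAMPLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(round_robin(conf["default"], 5))
```

Running it against a copy of the file before restarting Railgun catches separator and address typos that would otherwise leave a host with no usable origin.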

If you need additional help setting up Railgun with a Load Balancer/Firewall/NAT, please contact our Support team by opening a ticket.
