Domain: apsis.ch
Stories and comments across the archive that link to apsis.ch.
Comments · 14
-
Re:Correct
We use Pound for load balancing which makes requests to the cache servers, works great, very configurable, supports sessions, etc.
-
Re:1000+ a day is trivial have you thought of amazThere are a number of nice load balancers out there which are opensource. I'm partial to HAproxy, but you could try:
HAproxy (which is the one I use) has the ability to define "backup" servers which can be used in the event of a complete failure of all servers in the pool, even if there is only one server in the main pool. If you're trying to do this on the cheap, that may help. It also has embedded builds for things like the NSLU2, so it may be easy to run on an embedded device you already have.
-
Re:Use Clound ready load balancer
I thought of this problem myself for a while, when playing around with the idea to try out the "cloud". You could use pound, a lot of its use for cloud computing has been discussed in the interwebs already. Biggest point of concern will be if the load balancer keeps your ssl data encrypted.
-
Re:ssh scan
Sorry, but as someone who designs enterprise-edge security, rarely, if ever, is SSH allowed from the internet to enterprise web servers. If it is, that's a mistake. Also, for improved security, it doesn't cost much to do basic http inspects on the firewall, install a reverse HTTP proxy in a DMZ, and then deploy the web server in an enclave. You can even do it using open source software. For a good reverse proxy, take a look at pound.
-
Re:It works both ways, but it's worse for MS
- Run the services chrooted
- Run pound in front of your web server / web services
- Use a file integrity checker
-
Re:Depends on budget and requirementsIf you need High Availability (ie: almost, but not quite, 100% uptime) then you want two or more boxes which you can either load-balance between (dropping crashed servers from the list)
And using software such as Pound that can be setup fairly easily. Of course if you're running a massive site like
/. you might be better off with a hardware load balancer.But Pound can be used to easily pool a collection of back-end hosts, and avoid forwarding connections if one of them dies. It will even take care of maintaining state if you need that.
-
What about transparancy?
With any load balancing solution, if a server goes down with an active connection, that connection gets reset. It doesn't matter if you are using LVS, pen or pound, the level of transparancy isn't quite there yet.
Personally, I am an advocate of pound for http/s load balancing, because its simple, has central logging, and handles ssl authentication itself (thereby keeping the back end servers simple)
Check it out:
http://www.apsis.ch/pound
-
Pound
-
Re:Proxy other than apache
Out of curiousity, could you be more specific about the "bloat" in Apache?
The reverse proxy for my zope is running on a old AMD K6/200 with 64 MB RAM- almost everything is bloat for that machine. Anyway in the next weeks the old machine will be gone and I plan to put the proxy on the machine where zope is running on. Still I dont want too much additional load on that machine. So much for the footprint.
Apart from that: apache is huge and administration and configuration is not trivial and a small and simple proxy might be easier to configure (and thus safer too, since often security issues are just bad configuration ...)
I will give http://www.apsis.ch/pound/ a try as suggested by bavarian ... -
Re:Proxy other than apache
pound (http://www.apsis.ch/pound) is a good and very secure choice. It was developed with Zope in mind, but can be used with any other http server.
pound sanitizes http requests, does load balancing and logging, and can SSL-enable your Zope site.
-
Re:Honest question
Obviously a complete block is not going to work, but there's plenty of systems that filter traffic smartly. Leaving an IIS server open like that is just asking for trouble. I reckon I get more hits from IIS exploits than genuine web hits. You need a firewall of some kind - take a look at something like Smoothwall with it's Sort IDS, or if you're hardcore, OpenBSD plus httpf or Pound (along with Snort or Port Sentry and co.).
-
Re:Cookies? Sheesh...
1. Session based on incoming IP address.
2. Session based on URL- or POST-embedded token.
3. Session based on a session cookie *not* generated by the load balancer, but instead by the app(s) running behind it.
[Pound, a very simple, elegant open-source load balancer, can handle these top three.]
4. Session based on Authorization/Authentication information send with each browser request.
5. Session based on browser-stored certificate. (This is sorta cheating; very similar to item 4.)
Well, damn. I can only come up with 5. -
Security issues?Use Pound.
Reverse Proxy/load balancer, Http/Https, very small, tight code, minimises security risks. No matter what web server you're using, this should solve most of your security problems.
-
Pound
Pound is a simple http/https load balancer that's been announced fairly frequently on the Zope mailing list. It appears to be very small, runs diskless and chrooted, and handles back-end servers dropping off and coming back.