On Tue, 2012-12-18 at 21:24 -1000, Paul Graydon wrote:
> Aloha,
>
> It's looking like a fair chance that I'm going to have to migrate the
> majority of our infrastructure to a cloud provider (probably a fair bet
> it'll be Amazon's AWS). Given the network layer complexity it's going
> to be a 'fun' transition but a good chance to wipe out huge amounts of
> technical debt (and hopefully not add too much more new debt).
>
> Due to the complexities of layer 7 routing we need I'm going to have to
> set up our own software LoadBalancers within the infrastructure. Not a
> particularly long time ago we were running Apache / mod_proxy, but
> replaced it with some F5s (which are doing a brilliant job), and we've
> still got the configuration files kicking around for that (albeit now
> out of date). Inside our infrastructure we also have a Web Application
> Firewall appliance that helps to protect our applications from SQL
> injection attempts and the like.
>
> It seems the obvious couple of solutions would be to either go back to
> Apache and tack on mod_security, or nginx with either mod_security or
> naxsi plugins running. In the past as a reverse proxy / load-balancer
> Apache has proven to be very quirky over health checking and when it'll
> mark a node as up or down which makes me reluctant to trust it. Nginx
> doesn't offer health checking by default, you have to compile it in
> manually and I've no particular experience worth noting beyond my VPS
> for using Nginx in production environments, let alone as a reverse proxy.
>
> It seems to me the next most likely solution is to try to combine either
> one with dedicated load-balancing software like haproxy or pound, so
> that the traffic would go [internet]->[apache/nginx
> WAF]->[haproxy/pound]->[web servers]; but part of me really dislikes the
> fact that's adding two potentially significant failure points on each
> load-balancer instead of one. Maybe I'm worrying too much there though.
>
> I'd love to hear some recommendations of software if people have them
> that might fulfill either role (or in a dream world wrap both up in one
> and do a good job?), and if you've any experiences (positive or
> negative) about them.
>
> Paul

Full Disclaimer: I currently work for ProfitBricks, an IaaS provider.

What *might* help you is the fact that I created a load balancer that
sits underneath the virtual routing. The way the LB works is like this:
You create one or more instances and switch on the load balancer between
them. The nodes will have the same IP and are otherwise identical, and
the LB will route the traffic (session-sticky) to the nodes.

Contact me off-list if you want to test this.

Conrad
