Redundant cloud hosting guide wrap-up

NOTE: This is a sub-page of the main redundant cloud hosting configuration guide. If you've arrived here first, I recommend reading the parent page before continuing.


Security

One of the quickest ways to tighten up security in this configuration is to add iptables rules for the private IP addresses of your nodes: a short ruleset that accepts traffic on the private interface only from your own nodes and drops everything else. I like to create a new chain and feed all of the private-interface traffic through it. Here's the iptables save file I'm using with my hosting configuration:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2541:402574]
# Custom chain for the private interface; every packet arriving on eth1 is sent through it.
:MYSERVERS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j MYSERVERS
# Allow ping and traffic from each known node; anything else on eth1 is dropped.
-A MYSERVERS -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A MYSERVERS -s 10.1.100.2/32 -i eth1 -m comment --comment "lb1" -j ACCEPT
-A MYSERVERS -s 10.1.100.3/32 -i eth1 -m comment --comment "lb2" -j ACCEPT
-A MYSERVERS -s 10.1.100.40/32 -i eth1 -m comment --comment "web1" -j ACCEPT
-A MYSERVERS -s 10.1.100.50/32 -i eth1 -m comment --comment "web2" -j ACCEPT
-A MYSERVERS -s 10.1.100.10/32 -i eth1 -m comment --comment "db1" -j ACCEPT
-A MYSERVERS -s 10.1.100.15/32 -i eth1 -m comment --comment "db2" -j ACCEPT
-A MYSERVERS -i eth1 -j DROP
COMMIT
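
A hand-edited save file like this is easy to get subtly wrong, so here is a small lint script, added as an example and not part of the original post, that catches the two mistakes worth checking before loading it: a chain that rules append to or jump to but that was never declared with a ":NAME" line, and a per-host chain that does not finish with an explicit DROP. The sample ruleset inside it is a constructed, trimmed copy of the one above with the chain declared as SNET but used as MYSERVERS.

```python
import re

# Targets valid in *filter without a ':NAME' declaration of their own.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

# Constructed sample: a trimmed copy of the post's ruleset with the custom
# chain declared as SNET while every rule appends to or jumps to MYSERVERS.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SNET - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j MYSERVERS
-A MYSERVERS -s 10.1.100.2/32 -i eth1 -m comment --comment "lb1" -j ACCEPT
-A MYSERVERS -i eth1 -j DROP
COMMIT
"""

def lint_ruleset(text):
    """Return problems found in an iptables-save style ruleset: chains used by
    -A or -j but never declared, and user chains whose last rule is not DROP
    (falling off the end returns to INPUT, whose policy here is ACCEPT)."""
    declared, problems, last_target = set(), [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # chain declaration line
            declared.add(line[1:].split()[0])
            continue
        m = re.match(r"-[AI]\s+(\S+)\s+(.*)", line)
        if not m:                                # *filter, COMMIT, comments
            continue
        chain, rest = m.groups()
        if chain not in declared:
            problems.append(f"rule appended to undeclared chain {chain}")
        jump = re.search(r"-j\s+(\S+)", rest)
        if jump:
            target = jump.group(1)
            if target not in BUILTIN_TARGETS and target not in declared:
                problems.append(f"jump to undeclared chain {target}")
            last_target[chain] = target
    for chain, target in last_target.items():
        if chain not in ("INPUT", "FORWARD", "OUTPUT") and target != "DROP":
            problems.append(f"chain {chain} does not end with DROP")
    return problems
```

Run lint_ruleset() over the file before handing it to iptables-restore; on iptables releases that support it, iptables-restore --test performs the declaration check on the host itself, but it will not tell you that a per-host chain lets unlisted addresses fall through.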

You can configure MySQL on your database servers to listen only on the private IP address via the bind-address configuration option. Likewise, memcached accepts the -l argument to listen on a particular IP address. Bound to the private address only, those daemons are not exposed to port scans from other machines on the same network.

Adding SSL

If you only need SSL encryption for one site, you can do it with only a minor addition to ldirectord's configuration file:

# HTTPS virtual service, tunneled (ipip) to both web nodes
virtual=11.22.33.44:443
        real=10.1.100.40:443 ipip
        real=10.1.100.50:443 ipip
        service=https
        request="healthcheck.html"
        receive="OK"
        scheduler=rr
        protocol=tcp
        checktype=negotiate

You don't need to adjust the tunneling configuration on the web nodes, but you will need to configure your web server to handle SSL requests on port 443.

Shared Apache configuration

It can be easier to configure multiple web nodes if you put the configuration files for your Apache virtual hosts on the GlusterFS volume itself. If you followed the tutorial and you use Apache, you could do something like this:

mkdir -p /mnt/glusterfs/vhosts/
ln -s /mnt/glusterfs/vhosts /etc/httpd/conf.d/vhosts

Then, add the following line to your httpd.conf:

Include conf.d/vhosts/*.conf

You can place your virtual host files within /etc/httpd/conf.d/vhosts/ and they'll appear on all of your web nodes.

Printed from: http://rackerhacker.com/redundant-cloud-hosting-configuration-guide/redundant-cloud-hosting-guide-wrap-up/
© Major Hayden 2012.

1 Comment

  • Patrick says:

    I think you may have an error in the firewall rules. Shouldn't the "MYSERVERS" be changed to "SNET" in order to work as expected?
