  #1  
26th June 2006, 15:32
geek.de.nz
High Availability (Load Balancing) behind a firewall

My boss wants me to set up a load-balanced system with a firewall filtering the traffic out and making this whole thing scalable for adding new machines into the cluster.

How would I go about this?

There would be a pyramid-like structure in his proposed system, where the firewall host would route traffic arriving to its internal servers (load balancers), which would in turn distribute it among the web and file servers in the inner network.

Is this a good solution? I would think that having (at least) 2 load balancers directly connected to the Internet would be desirable. Otherwise one has the single point of failure firewall. I would even go further and include the load balancers in the 2 firewalls, which are directly connected to the Internet and share a common virtual WAN IP address.

So, I would have the following (simplest) setup:

2 Firewall hosts with the load balancers sharing 1 virtual IP
2 Web servers behind these firewalls which are to be load balanced by the firewalls

Does this sound like a better solution or do you think I should go with the pyramid approach? Is load balancing even justified then? Isn't the connection speed (10-100Mbit) a bottleneck rather than the server power (having very new hardware)? Wouldn't the firewall, which needs to handle ALL connections, be the bottleneck when it comes to using resources?

Might we even install webservers on the firewalls/load balancers as well to make use of their resources more efficiently or does that defeat the purpose of a firewall?

With today's technology, virtualisation (aka Xen, VirtualLinux) could be used as well to make use of all the resources of the firewall hosts while still completely separating the firewall from the load balancer and the maybe even installed web server on that system.

What would be the best solution? Is there a best solution? What does it depend on: Connection speed to the network/Internet of the various hosts, their processing power? How can one approximate the number of connections a host (firewall) can handle?

Is there a formula to calculate the number of firewall, load balancing and web server hosts which is optimal?

Can we measure the speeds of various tasks fulfilled by the hosts to approximate an optimal solution?

Any ideas would be greatly appreciated.

As I go on the load balancing howto I'm writing a script to automate this for loadb1 and loadb2, so that one can interactively enter the various bits of information necessary btw. If I get some good feedback on this and the system goes into production with the script working, I think I will post it somewhere in this forum.
__________________
Always mention at least your distribution/version! You can add it in your signature if you don't want to always type it. ;-)

Distributions:
Ubuntu 5.10 with custom kernel (2.6.16-suspend2),
Debian Sarge 3.1 and Etch

Please submit your ISP or Webhost to (free)
http://www.ihostnz.com
  #2  
27th June 2006, 11:33
falko

Did you have a look at these tutorials?
http://www.howtoforge.com/high_avail...apache_cluster
http://www.howtoforge.com/loadbalanc...cluster_debian
http://www.howtoforge.com/high_avail...drbd_heartbeat
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

  #3  
27th June 2006, 14:57
geek.de.nz

Yeah I did actually have a look at those, except the last one.

My question was more about firewalls. I know there are tutorials on how to set them up on this site as well. But I'm trying to figure out what kind of setup is optimal with what hardware. In theory I know all the possibilities because I've been browsing this forum. What I'm trying to figure out is the optimal solution. So, should we separate firewall from web server completely, by hardware hosts or just by virtual hosts, or is it OK to put web server and firewall on the same machine? Things like that, more general. You know what I mean? I'm sure this is of interest to many who are setting up networks.

To study this kind of stuff, do you know of any good tools to monitor performance on Linux systems which are preferably open source?

A problem that I came across:
When I followed the howto http://www.howtoforge.com/high_avail...apache_cluster
I made a mistake and put two different load balancers into the file /etc/ha.d/haresources (i.e. loadb1's `uname -n` in loadb1 and loadb2's `uname -n` output in loadb2).
I tried reversing the step by putting loadb1's output into the file of loadb2 and restarting the services, but the output of `ipvsadm -L -n` still gave the same on loadb1 and loadb2:
Code:
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.0.105:80 rr
  -> 192.168.0.101:80             Route   0      0          0
  -> 192.168.0.102:80             Route   0      0          0
  -> 127.0.0.1:80                 Local   1      0          0
it would be if it was exactly the same setup as the one in the howto.

Do you know what I'm missing? Is there another service I need to restart that I might have forgotten?


Thanks for all the good and easily understandable howtos and all the technical support. The howtos are greatly appreciated by (probably) many. :-)
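Reading the `ipvsadm -L -n` table quoted in the post above, as an added example that is not part of the original thread: a weight of 0 marks a real server as quiescent, so IPVS schedules no new connections to it, and in this table only the Local 127.0.0.1:80 entry is eligible. The function names are illustrative and the sample input is the table copied from the post.

```python
import re

# Constructed sample: the `ipvsadm -L -n` table quoted in the post above.
SAMPLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.0.105:80 rr
  -> 192.168.0.101:80             Route   0      0          0
  -> 192.168.0.102:80             Route   0      0          0
  -> 127.0.0.1:80                 Local   1      0          0
"""

VIRTUAL = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)")
REAL = re.compile(r"^\s+->\s+(\S+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ipvs(text):
    """Parse `ipvsadm -L -n` output into virtual services with their real servers."""
    services = []
    for line in text.splitlines():
        m = VIRTUAL.match(line)
        if m:
            services.append({"proto": m[1], "vip": m[2], "sched": m[3], "reals": []})
            continue
        m = REAL.match(line)  # the column header has no numeric fields, so it is skipped
        if m and services:
            services[-1]["reals"].append(
                {"addr": m[1], "fwd": m[2], "weight": int(m[3]),
                 "active": int(m[4]), "inactive": int(m[5])})
    return services


def schedulable(service):
    """Real servers that can receive new connections (weight > 0)."""
    return [r["addr"] for r in service["reals"] if r["weight"] > 0]


def findings(text):
    """One message per condition worth a look on each virtual service."""
    out = []
    for svc in parse_ipvs(text):
        live = schedulable(svc)
        quiesced = [r["addr"] for r in svc["reals"] if r["weight"] == 0]
        if quiesced:
            out.append(f"{svc['vip']}: weight 0, no new connections: {', '.join(quiesced)}")
        if not live:
            out.append(f"{svc['vip']}: no real server is schedulable")
        elif all(a.startswith("127.") for a in live):
            out.append(f"{svc['vip']}: only the loopback entry {', '.join(live)} is schedulable")
    return out
```

Running `findings()` on the output captured from each load balancer shows whether the two nodes agree and whether the web servers behind them are actually receiving traffic.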
  #4  
28th June 2006, 10:29
falko

Quote:
Originally Posted by geek.de.nz
Yeah I did actually have a look at those, except the last one.

My question was more about firewalls. I know there are tutorials on how to set them up on this site as well. But I'm trying to figure out what kind of setup is optimal with what hardware. In theory I know all the possibilities because I've been browsing this forum. What I'm trying to figure out is the optimal solution. So, should we separate firewall from web server completely, by hardware hosts or just by virtual hosts, or is it OK to put web server and firewall on the same machine? Things like that, more general. You know what I mean? I'm sure this is of interest to many who are setting up networks.
I'd most likely put the firewalls on the Apache nodes.

Quote:
Originally Posted by geek.de.nz
To study this kind of stuff, do you know of any good tools to monitor performance on Linux systems which are preferably open source?
http://www.howtoforge.com/server_monitoring_monit_munin

Quote:
Originally Posted by geek.de.nz
A problem that I came across:
When I followed the howto http://www.howtoforge.com/high_avail...apache_cluster
I made a mistake and put two different load balancers into the file /etc/ha.d/haresources (i.e. loadb1's `uname -n` in loadb1 and loadb2's `uname -n` output in loadb2).
I tried reversing the step by putting loadb1's output into the file of loadb2 and restarting the services, but the output of `ipvsadm -L -n` still gave the same on loadb1 and loadb2:
Code:
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.0.105:80 rr
  -> 192.168.0.101:80             Route   0      0          0
  -> 192.168.0.102:80             Route   0      0          0
  -> 127.0.0.1:80                 Local   1      0          0
it would be if it was exactly the same setup as the one in the howto.

Do you know what I'm missing? Is there another service I need to restart that I might have forgotten?
Looks ok to me.
  #5  
29th December 2010, 20:43
z33k3r
Modern Updates?

Falko, first thanks for all you do on these boards... I've used your advice many times.

Are there any modern updates to the first link with the High Availability and Load Balanced Clusters using redundant LBs and LAMP stacks? I am having trouble finding current equivalents using current gen software stacks (i.e. Ubuntu Server 10.04, HAProxy, Linux-HA etc.)...

EDIT: Also using SSL persistence with use of shopping carts etc... I've posted in the Uby-forums about what I am going to embark on:
http://ubuntuforums.org/showthread.php?t=1655188

Last edited by z33k3r; 29th December 2010 at 20:45. Reason: Added SSL comment & url
  #6  
30th December 2010, 17:35
falko

AFAIK, Ultramonkey is not being developed anymore...
  #7  
3rd January 2011, 16:02
z33k3r

By saying Ultramonkey, are you referring to Linux-HA and HAProxy as well?
  #8  
4th January 2011, 13:58
falko

No, just to Ultramonkey. Linux-HA and HAProxy are still being maintained/developed.