High Availability Linux Web Servers
The router should be set up so that it has an interface on the same subnet as the web servers. In our example, we'll assign one interface on the route to IP address 192.168.1.1. This will be the default route for our web servers.
Now, suppose you've secured your first contract with Widgetco, Inc. and they'd like you to set up their web site at http://www.widgetco.com/. Registration for this domain, which is outside the scope of this article, should already be completed. The first thing to do is configure the addresses on the loopbacks of the web servers. On our Red Hat machines, we configure them using /etc/sysconfig/network-scripts/ifcfg-lo:[1-655536]. We want each of our hosts to be capable of serving traffic for any of the other hosts at any given time, so each web server will have the other web servers' loopback IP addresses bound to its loopback. Remember that we used our first subnet for the Ethernet interfaces of our web servers, so starting with the second subnet, we'll pick one address out of each of four subnets. We'll take 192.168.1.33, 192.168.1.65, 192.168.1.97, and 192.168.1.129 and bind them to loopbacks on all of the web servers. This is where redundancy comes in. As an example, /etc/sysconfig/network-scripts/ifcfg-lo:1 should look something like this:
DEVICE=lo:1 IPADDR=192.168.1.33 NETMASK=255.255.255.224 NETWORK=192.168.1.32 BROADCAST=192.168.1.63 ONBOOT=yes
Our /etc/sysconfig/network-scripts/ifcfg-lo:2 should look like this:
DEVICE=lo:2 IPADDR=192.168.1.65 NETMASK=255.255.255.224 NETWORK=192.168.1.64 BROADCAST=192.168.1.95 ONBOOT=yesand so on for all four loopbacks. Again, do this on each web server using the same configuration files. Having multiple hosts which use the same IP addresses won't be an issue, since they are on loopbacks.
You should be able to run the following command to bring up your newly created interfaces on each host:
To make sure your loopback interfaces have been configured, run:
/sbin/ifconfigIf everything has been done correctly, your output will look something like Listing 1.
At this point, you should be able to ping the four addresses bound to the loopbacks from the host they were configured on. The next step is to set up the routing table on the router so that it knows how to get to these loopback interfaces. We'll set up a route for each of the four subnets, pointing to each of the four hosts.
An example for a Cisco router might look like this:
ip route 192.168.1.32 255.255.255.224 192.168.1.2 ip route 192.168.1.64 255.255.255.224 192.168.1.3 ip route 192.168.1.96 255.255.255.224 192.168.1.4 ip route 192.168.1.128 255.255.255.224 192.168.1.5
If you're using Linux as your router, it will look like this:
/sbin/route add -net 192.168.1.32 netmask\ 255.255.255.224 192.168.1.2 /sbin/route add -net 192.168.1.64 netmask\ 255.255.255.224 192.168.1.3 /sbin/route add -net 192.168.1.96 netmask\ 255.255.255.224 192.168.1.4 /sbin/route add -net 192.168.1.128 netmask\ 255.255.255.224 192.168.1.5Basically, this information tells the router that the next hop for a packet bound for any host on the 192.168.1.32 subnet is the Ethernet interface of our first host, 192.168.1.2. The next hop for a packet bound for any host on the 192.168.1.64 subnet is the Ethernet interface of our second host, 192.168.1.3. Routing table entries are also set up for our third and fourth subnets, which point to the third and fourth hosts, respectively. Setting up these entries will differ depending on which hardware you've chosen to act as your router. It's a good idea to become familiar with the process of adding and removing routes on your hardware. At this point, you should be able to ping the loopback interfaces on your web servers from the router. Other machines utilizing this router should be able to access the loopback interfaces as well. Using TELNET to get to 192.168.1.33 should get you a login prompt on the first host, while 192.168.1.65 should get you to the second and so on.
Now, we'll set up DNS so that www.widgetco.com is served by our web server rotation. For Red Hat Linux, we place the following in /var/named/widgetco.com:
@ IN SOA ns1.widgetco.com. hostmaster.widgetco.com. ( 1998020100 ; serial (yyyymmddnn) 86400 ; refresh (every day) 3600 ; retry (every hour) 1209600 ; expire (2 weeks) 86400 ) ; minimum TTL (half day) IN NS ns.foo.com. www IN A 192.168.1.33 IN A 192.168.1.65 IN A 192.168.1.97 IN A 192.168.1.129
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The Humble Hacker?
- The US Government and Open-Source Software
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- ACI Worldwide's UP Retail Payments
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide