Aloha,
It's looking like a fair chance that I'm going to have to migrate the majority of our infrastructure to a cloud provider (probably a fair bet it'll be Amazon's AWS). Given the network layer complexity it's going to be a 'fun' transition, but a good chance to wipe out huge amounts of technical debt (and hopefully not add too much more new debt).

Due to the complexities of the layer 7 routing we need, I'm going to have to set up our own software load balancers within the infrastructure. Not a particularly long time ago we were running Apache / mod_proxy, but replaced it with some F5s (which are doing a brilliant job), and we've still got the configuration files kicking around for that (albeit now out of date). Inside our infrastructure we also have a Web Application Firewall appliance that helps to protect our applications from SQL injection attempts and the like.

It seems the obvious couple of solutions would be to either go back to Apache and tack on mod_security, or nginx with either the mod_security or naxsi plugins running. In the past, as a reverse proxy / load balancer, Apache has proven to be very quirky over health checking and when it'll mark a node as up or down, which makes me reluctant to trust it. Nginx doesn't offer health checking by default; you have to compile it in manually, and I've no particular experience worth noting, beyond my VPS, of using Nginx in production environments, let alone as a reverse proxy.

It seems to me the next most likely solution is to try to combine either one with dedicated load-balancing software like haproxy or pound, so that the traffic would go [internet]->[apache/nginx WAF]->[haproxy/pound]->[web servers]; but part of me really dislikes the fact that that's adding two potentially significant failure points on each load balancer instead of one. Maybe I'm worrying too much there though.

I'd love to hear some recommendations of software if people have them that might fulfill either role (or in a dream world wrap both up in one and do a good job?), and if you've any experiences (positive or negative) with them.
Paul
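As an added example (not part of Paul's post, and not taken from any of the projects he names), here is a minimal haproxy configuration for the [apache/nginx WAF]->[haproxy]->[web servers] leg of the chain described above. It shows the three things the post is worried about: active HTTP health checks with explicit rise/fall thresholds, so the up/down decision is predictable rather than quirky; path-based layer 7 backend selection; and a source ACL so the load balancer only accepts traffic that has passed through the WAF tier and cannot be reached directly from the internet. All addresses, hostnames and URL paths are constructed placeholders.

```haproxy
# Added example: haproxy as the load-balancing tier sitting behind a separate WAF tier.
# All addresses, hostnames and URL paths below are constructed placeholders.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    option forwardfor            # pass the original client IP on to the web servers
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_from_waf
    bind *:8080
    # Only the WAF tier's subnet may talk to us; anything else is refused so the
    # WAF cannot be bypassed by hitting the load balancer directly.
    acl from_waf src 10.0.1.0/24
    http-request deny if !from_waf
    # Layer 7 routing: choose a backend by URL path prefix.
    acl is_api    path_beg /api/
    acl is_static path_beg /static/ /assets/
    use_backend be_api    if is_api
    use_backend be_static if is_static
    default_backend be_web

backend be_web
    balance roundrobin
    # Active health check: probe every 3s, mark a node down after 3 consecutive
    # failures and bring it back only after 2 consecutive successes.
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    default-server inter 3s fall 3 rise 2
    server web1 10.0.2.11:80 check
    server web2 10.0.2.12:80 check

backend be_api
    balance leastconn
    option httpchk GET /api/healthz HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    default-server inter 3s fall 3 rise 2
    server api1 10.0.3.11:8000 check
    server api2 10.0.3.12:8000 check

backend be_static
    balance roundrobin
    option httpchk HEAD /static/healthz.txt HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    default-server inter 5s fall 2 rise 2
    server static1 10.0.4.11:80 check
```

`haproxy -c -f haproxy.cfg` checks the file for syntax errors before it is loaded. The two settings worth adapting to a real deployment are the `from_waf` subnet, which should match exactly the addresses the WAF instances send from, and the `inter`/`fall`/`rise` values, which set how quickly a failing node is taken out of rotation and how cautiously it is reintroduced.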
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/