Tuesday, October 22, 2013

HTTP Trace Proxy Routing

  • reverse proxy

 a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers.
 These resources are then returned to the client as though they originated from the server itself (or servers themselves)
 While a forward proxy acts as an intermediary for its (usually nearby) associated client(s) and returns to them resources accessible on the Internet, a reverse proxy acts as an intermediary
 for its (usually nearby) associated server(s) and only returns resources provided by those associated server


Uses of reverse proxies
Reverse proxies can hide the existence and characteristics of an origin server or servers.
Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware.
A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content - also known as web acceleration. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin server(s).
A reverse proxy can optimize content by compressing it in order to speed up loading times.
Reverse proxies can operate whenever multiple web-servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming request and delivers it to the right server within the local area network.
http://en.wikipedia.org/wiki/Reverse_proxy


Proxy vs. Reverse Proxy (Explained by Example)

  • gateway proxy

HTTP gateway proxy is a server-side Java (Java EE) -based non-transparent intercepting web proxy. The main function of the proxy is to act as a controlled proxy between the client and a web service (gateway) based on the hypertext transfer protocol (HTTP). The non-transparency hides the real gateway that is used as the back-end.  The intercepting function works as a security guard to only allow specific requests to pass by.
http://www.slotteconsulting.com/en/solutions-and-utilities/HTTP_gateway_proxy/

  • Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages
http://www.squid-cache.org/
  • Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configures it to cache the contents. Varnish Cache is really, really fast.
https://varnish-cache.org/intro/index.html#intro
  • NGINX accelerates content and application delivery, improves security, facilitates availability and scalability for the busiest websites on the Internet
https://www.nginx.com/

  •  HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing

 http://haproxy.1wt.eu/

  • HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications
http://www.haproxy.org/

  • How Keep-Alive works:
When a TCP connection is opened on it will be sent only one HTTP request /response pair. Keep-Alive is build with the idea of sending multiple HTTP requests/responses via one TCP connection thus significantly reducing the time needed for the web browser to load files from the web server.

Keep-alive provides the following Advantages:
Reducing latency in subsequent requests.
Faster data retrieval as the TCP connection stays open after the first request has been handled.
Minimising the chance of queueing  delay, packet loss or blocking new connections due to a network congestion.
Errors being reported without the need of closing the TCP connection.
No need for additional handshakes after the first request has been handled.
https://www.fastcomet.com/tutorials/gtmetrix/enable-keep-alive


  • Create the Keepalived Configuration File
The service looks for its configuration files in the /etc/keepalived directory. Create that directory now on both of your servers:
on your primary server, create the main keepalived configuration file. The daemon looks for a file called keepalived.conf inside of the /etc/keepalived directory:

we will open a block called vrrp_instance. This is the main configuration section that defines the way that keepalived will implement high availability.
We will start off by telling keepalived to communicate with its peers over eth1, our private interface.
Since we are configuring our primary server, we will set the state configuration to "MASTER".

https://www.digitalocean.com/community/tutorials/how-to-set-up-highly-available-web-servers-with-keepalived-and-floating-ips-on-ubuntu-14-04

  • usefull if you use virtual ips.
Imagine you are using keepalived + haproxy on your loadbalancers in active/active mode.
2 virtual IPs one is on the first load balancer and the other is on the second
haproxy.cfg you have to bind these IPs, the probem is that one of the virtual IPs is not on the current loadbalancer, so haproxy will refuse to start

The common solution is to listen on 0.0.0.0
it not always practical on wanted, especially if you want to have another server using the same port but on another ip, or if you only want to listen on internal interfaces.
The solution is a sysctl that will allow any software to bind an IP even if it’s not up yet:

sysctl -w net.ipv4.ip_nonlocal_bind=1
put this in /etc/sysctl.conf to make this change permanent.
https://sebest.github.io/post/linux-how-to-bind-ip-that-doesn-t-exist-yet/

  • Keepalived is used for IP failover between two servers. Its facilities for load balancing and high-availability to Linux-based infrastructures. It worked on VRRP (Virtual Router Redundancy Protocol) protocol.
1. Priority value will be higher on Master server, It doesn’t matter what you used in state. If your state is MASTER but your priority is lower than the router with BACKUP, you will lose the MASTER state.
2. virtual_router_id should be same on both LB1 and LB2 servers.
3. By default single vrrp_instance support up to 20 virtual_ipaddress. In order to add more addresses you need to add more vrrp_instance
https://tecadmin.net/setup-ip-failover-on-ubuntu-with-keepalived/

  • The active (master) router informs the backup routers of its active status using the Virtual Router Redundancy Protocol (VRRP)
Each LVS router has two network interfaces, one interface on the Internet and one on the private network,enabling them to regulate traffic between the two networks
the active router is using Network Address Translation or NAT to direct traffic from the Internet to a variable number of real servers on the second layer, which in turn provide the necessary services

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/load_balancer_administration/ch-keepalived-overview-vsa


  • In order for the Keepalived service to forward network packets properly to the real servers, each router node must have IP forwarding turned on in the kernel
Load balancing in HAProxy and Keepalived at the same time also requires the ability to bind to an IP address that are nonlocal, meaning that it is not assigned to a device on the local system.This allows a running load balancer instance to bind to an IP that is not local for failover.

 The changes take effect when you reboot the system.
To check if IP forwarding is turned on, issue the following command as root:
/usr/sbin/sysctl net.ipv4.ip_forward
To check if nonlocal binding is turned on, issue the following command as root:
/usr/sbin/sysctl net.ipv4.ip_nonlocal_bind
If both the above commands return a 1, then the respective settings are enabled.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/load_balancer_administration/s1-initial-setup-forwarding-vsa

  • vrrp_script
    Defines a tracking script that Keepalived can run at regular intervals to perform monitoring actions from a vrrp_instance or vrrp_sync_group section.
virtual_server_group
    Defines a virtual server group, which allows a real server to be a member of several virtual server groups.
virtual_server
    Defines a virtual server for load balancing, which is composed of several real servers.
https://docs.oracle.com/cd/E37670_01/E41138/html/section_wv3_hjn_pr.html

  • Configuring Simple Virtual IP Address Failover Using Keepalived
A typical Keepalived high-availability configuration consists of one master server and one or more backup servers. One or more virtual IP addresses, defined as VRRP instances, are assigned to the master server's network interfaces so that it can service network clients. The backup servers listen for multicast VRRP advertisement packets that the master server transmits at regular intervals.
The default advertisement interval is one second. If the backup nodes fail to receive three consecutive VRRP advertisements, the backup server with the highest assigned priority takes over as the master server and assigns the virtual IP addresses to its own network interfaces.
If several backup servers have the same priority, the backup server with the highest IP address value becomes the master server.

Only one server should be active as the master at any time. If more than one server is configured as the master, it is likely that there is a problem with VRRP communication between the servers. Check the network settings for each interface on each server and check that the firewall allows both incoming and outgoing VRRP packets
https://docs.oracle.com/cd/E37670_01/E41138/html/section_uxg_lzh_nr.html



  • High availability refers to a system or component that is continuously operational for a desirably long length of time
In this guide, we will show you to use keepalived to set up a highly available web service on Ubuntu 16.04 by using a floating IP address that can be moved between two capable web servers.
The keepalived daemon can be used to monitor services or systems and to automatically failover to a standby if their’s any problems occur. If the primary server goes down, the floating IP will be moved to the second server automatically
https://vexxhost.com/resources/tutorials/highly-available-web-servers-keepalived-floating-ips-ubuntu-16-04/

  • Keepalived is a routing software written in C. The main goal of this project is to provide simple and robust facilities for loadbalancing and high-availability to Linux system and Linux based infrastructures. Loadbalancing framework relies on well-known and widely used Linux Virtual Server (IPVS) kernel module providing Layer4 loadbalancing. Keepalived implements a set of checkers to dynamically and adaptively maintain and manage loadbalanced server pool according their health. On the other hand high-availability is achieved by VRRP protocol. VRRP is a fundamental brick for router failover. In addition, Keepalived implements a set of hooks to the VRRP finite state machine providing low-level and high-speed protocol interactions. Keepalived frameworks can be used independently or all together to provide resilient infrastructures.
http://www.keepalived.org

  • Configuring Keepalived for Session Persistence and Firewall Marks
Many web-based application require that a user session is persistently served by the same web server.
If you enable the load balancer in Keepalived to use persistence, a client connects to the same server provided that the timeout period (persistence_timeout) has not been exceeded since the previous connection.
Firewall marks are another method for controlling session access so that Keepalived forwards a client's connections on different ports, such as HTTP (80) and HTTPS (443), to the same server

https://docs.oracle.com/cd/E37670_01/E41138/html/section_g5j_4lf_qr.html