How to prevent any direct traffic to the backend server.

Hello all,

So I want to ask something here. I've planned to make a simple load balancing scheme for my website using iptables.
So when visitors access www.blabla.com, the first 100 requests will be redirected to ww1.blabla.com, and the next requests after them will be redirected to ww2.blabla.com. I've successfully found the way, but for security reasons, I don't want people to access ww1.blabla.com and ww2.blabla.com directly, so they must access www.blabla.com first and then be redirected.

Do you know how it could be done? I mean, only allowing people to access my backend server by accessing my main domain first.

Comments

  • @Anomaly said:
    Do you know how it could be done? I mean, only allowing people to access my backend server by accessing my main domain first.

    Don't give either of the backend servers a public IP address, or use GRE tunneling (or another method of tunneling) to pass IP packets directly to the recipient server; thus the source IP should not be known.

    That being said, there will always be ways to get the source IP of an individual server, if they have one. Thus the best way is to have the servers interconnect on a private link.

  • @HardCloud said:
    That being said, there will always be ways to get the source IP of an individual server, if they have one. Thus the best way is to have the servers interconnect on a private link.

    Emm.. Honestly, I'm a bit new to this stuff, any easier method?

    Thanks a lot, I'll check it out.

  • NickM Member

    If you're redirecting the visitors, they're going to have the IP of the backend server - nothing you can do about that.

    If you want to hide the IPs of the backend servers, you need to proxy it using nginx or varnish or a similar technology. With this method, all traffic goes through your load balancer, rather than your load balancer redirecting them.

  • Maounique Host Rep, Veteran
    edited March 2014

    NickM said: If you're redirecting the visitors, they're going to have the IP of the backend server - nothing you can do about that.

    You can do that in an isolated network with NAT, for example. IWStack's virtual router can do load balancing with various algorithms and also hide the IPs (they are private ones anyway) of the servers behind it. Also, you can open only port 80 if you wish; all other connections can be done with IPSec with the built-in VPN. There are some tutorials on our forum and also some on www.iwstack.com/tutorials

  • FrankZ Veteran
    edited March 2014

    Setting up iptables on ww1.blabla.com and ww2.blabla.com to block access to port 80 from any IP except www.blabla.com would be the simplest, no?

    EDIT: @Maounique - IWStack in North America would save everyone over here a lot of time. Just saying...

  • Maounique Host Rep, Veteran

    FrankZ said: Setting up iptables on ww1.blabla.com and ww2.blabla.com to block access to port 80 from any IP except www.blabla.com would be the simplest, no?

    That will not work with redirects. In the end, if the first IP is not set up as a reverse proxy and merely redirects, the visiting browser will have to connect to the backend to get the data, and iptables will block that.

  • Is www in the same LAN as ww1 and ww2?

  • @neroux said:
    Is www in the same LAN as ww1 and ww2?

    www, ww1, and ww2 are each on different servers. I built it for geoIP and load balancing.

  • @Anomaly said:
    www, ww1, and ww2 are each on different servers. I built it for geoIP and load balancing.

    Wasn't referring to servers but to networks. But from your statement I take it they are in different networks. In that case you could simply restrict access to ww1 and ww2 to only www, or use some sort of tunneling as suggested by @HardCloud.

  • What is wrong with nginx proxy_pass? If you need some sort of HA, get two load balancing nginx machines, put them in Rage4 DNS and set failover to the other machine. Then have it proxy the connections to your back-end servers.

  • @wojons said:
    What is wrong with nginx proxy_pass? If you need some sort of HA, get two load balancing nginx machines, put them in Rage4 DNS and set failover to the other machine. Then have it proxy the connections to your back-end servers.

    So, it will block direct access to the backend server too, except for traffic coming from my load balancer.
    Sorry, can you make it more detailed? I'm a bit new to this stuff. :D

  • @Anomaly said:
    Sorry, can you make it more detailed? I'm a bit new to this stuff. :D

    Sure, I am going to explain it in a few steps. Should help you understand. So the first thing you can do is use nginx; it's a load balancer. There is a way to do it in Apache, HAProxy and all sorts of other ones, but nginx is my favorite. You simply set your DNS record to the IP address of the nginx server, configure nginx to forward traffic to your web servers, and finally you use iptables to block all traffic on port 80 unless it's coming from your nginx node.

    Now to get a little better uptime, depending on your node setup, you can have 2 or more nginx servers, just like how you have more than one web server. Set both nginx servers in DNS records and it will give users both IPs; their computer will pick one at random, some will even try the next IP if the first one is down, and then it works the same way as above.

    You can also sign up for services like Cloudflare and Incapsula which can be your DNS and nginx nodes. I use nginx and Cloudflare together, but that's just a choice.

  • Maounique Host Rep, Veteran

    In short, it won't work.

    You can setup a proxy to connect and retrieve the data from the back-ends, however, this will render the attempt to load balance and geoip over the world completely futile.
    You may try something with cloudflare since they have more locations.

  • Anomaly Member
    edited March 2014

    @wojons, that's really detailed, and thanks for your additional info @Maounique.
    Anyway, based on your explanations, I've found these lines:

            http {
                upstream myproject {
                    server 127.0.0.1:8000 weight=3;
                    server 127.0.0.1:8001;
                    server 127.0.0.1:8002;
                    server 127.0.0.1:8003;
                }

                server {
                    listen 80;
                    server_name www.domain.com;
                    location / {
                        proxy_pass http://myproject;
                    }
                }
            }

    So if I need to add those lines to my nginx configuration after creating a virtualhost for my domain (am I right?), I only need to replace those lines with my domain and IP?

  • @Anomaly said:
    wojons, that's really detailed, and thanks for your additional info Maounique.
    Anyway, based on your explanations, I've found these lines:
    http { upstream myproject { server 127.0.0.1:8000 weight=3; server 127.0.0.1:8001; server 127.0.0.1:8002; server 127.0.0.1:8003; } server { listen 80; server_name www.domain.com; location / { proxy_pass http://myproject; } } }
    So if I need to add those lines to my nginx configuration after creating a virtualhost for my domain (am I right?), I only need to replace those lines with my domain and IP?

    Best option is for you to make the new config file, put it on Gist and PM me, then I will be able to take a look at it, but it looks like it.

  • @wojons said:
    Best option is for you to make the new config file, put it on Gist and PM me, then I will be able to take a look at it, but it looks like it.

    Thank you so much for your help.
    Anyway, I've tried to replace my iptables rules with nginx as load balancer. I'm using those lines in my configuration and it works.
    But my problem is, those configurations are used to deliver traffic to another server by its IP/hostname. Actually I have a lot of websites on my server, and if it's using IP/hostname, it will redirect traffic to the cPanel default page, not to my website.
    Do you know how to use it for redirecting to a specific domain, not IP/hostname?

    I'm sorry if it's confusing, but I'm really new to this stuff... :(

  • @Anomaly said:
    I'm sorry if it's confusing, but I'm really new to this stuff... :(

    It's cool, it takes time to learn these things.

    From what I think you are saying, you're connecting to the nginx server via its IP address and not a host name, therefore everything is getting routed to the IP address, which is really nothing.

  • lewekleonek Member
    edited March 2014

    Make sure your load balancer/proxy does not lose any headers.

    I'm assuming that your actual servers have name-based virtual hosts set up, i.e. 1 IP address, many host names. Turn up logging on the server and start tailing the requests that are coming in. This will show if your lb/proxy server is requesting the content properly, with all the headers, so the name-based virtual host can answer. It sounds that in your case the request is done by IP address instead.

    Just to show you how it works on the front-end:

    • open chrome browser (you can use firefox or any other browser that has dev tools built-in)
    • click on F12 (in case of chrome) to open dev console
    • switch the dev console to Network tab
    • navigate to google.com (for example purposes) - notice that network tab in dev console fills up
    • go back to the top of the network tab where you should see "www.google.com" request - click on it
    • now view the headers (on the right side of the dev tools console)
    • check the "Request Headers" section - notice the following entry there: "Host:www.google.com"

    Now in your case make sure that the load balancer - nginx in your case does not lose this request header while passing the requests to the back-end servers. And that's the hard part. I can explain further later; gotta go now.

  • @lewekleonek said:
    Make sure your load balancer/proxy does not lose any headers.

    I'm assuming that your actual servers have name-based virtual hosts set up, i.e. 1 IP address, many host names. Turn up logging on the server and start tailing the requests that are coming in. This will show if your lb/proxy server is requesting the content properly, with all the headers, so the name-based virtual host can answer. It sounds that in your case the request is done by IP address instead.

    Just to show you how it works on the front-end:

    • open chrome browser (you can use firefox or any other browser that has dev tools built-in)
    • click on F12 (in case of chrome) to open dev console
    • switch the dev console to Network tab
    • navigate to google.com (for example purposes) - notice that network tab in dev console fills up
    • go back to the top of the network tab where you should see "www.google.com" request - click on it
    • now view the headers (on the right side of the dev tools console)
    • check the "Request Headers" section - notice the following entry there: "Host:www.google.com"

    Now in your case make sure that the load balancer - nginx in your case does not lose this request header while passing the requests to the back-end servers. And that's the hard part. I can explain further later; gotta go now.

    I'm waiting for your explanation, thanks for your help. I really need to study more about this stuff.

  • khav Member
    edited March 2014

    I am also interested in this .....really great info

  • lewekleonek Member
    edited March 2014

    @Anomaly - can you please post your nginx config, but please remove all the sensitive info from it.

    I'm only guessing, but I think the problem may be that you're running your back-end server in a name-based virtual host setup. I think it would be easier to switch to IP-based virtual hosts, so for example you'd be running your main load balancer/proxy host on port 80, but your back-end hosts would be on other ports, for example:

    • ww1.blahblah.com would be on back-end host xx.yy.zz.25:8081
    • ww2.blahblah.com would be on back-end host xx.yy.zz.26:8081

            server {
                listen 80;
                server_name blahblah.com www.blahblah.com;

                location / {
                    proxy_pass http://appcluster;
                    include /etc/nginx/proxy_params;
                }
            }

            upstream appcluster {
                server xx.yy.zz.25:8081;
                server xx.yy.zz.26:8081;
            }


    Of course you would have to adjust the back-end hosts to reflect the port values used in the proxy set-up.
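The same front-end written out in full as an added example (not a config posted in this thread), with the request headers set explicitly rather than via the Debian/Ubuntu proxy_params include. It assumes the thread's placeholder names blahblah.com and xx.yy.zz.25/.26:8081; the key line is the Host header, because when proxy_pass points at an upstream group nginx would otherwise send the group name ("appcluster") as Host, which is exactly what makes a name-based virtual host on the back-end fall through to the default (cPanel) page.

```nginx
# Front-end load balancer for www.blahblah.com (added example, not the thread's own config).
# xx.yy.zz.25 and xx.yy.zz.26 are the thread's placeholder back-end addresses.
upstream appcluster {
    server xx.yy.zz.25:8081;
    server xx.yy.zz.26:8081;
}

server {
    listen 80;
    server_name blahblah.com www.blahblah.com;

    location / {
        proxy_pass http://appcluster;

        # Without this, nginx sends "Host: appcluster" (the upstream name) to the
        # back-end, so a name-based virtual host there serves its default site.
        proxy_set_header Host $host;

        # Pass the visitor's address through so back-end logs and geoIP see the
        # real client instead of the proxy's IP.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Proxying alone does not stop anyone from connecting to ww1/ww2 directly; the earlier iptables suggestion (allow port 8081 on each back-end only from the front-end's address) is still needed on top of this.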
