SEC 440 Week 2 Project 2 - JadenGil/Jaden-Tech-Journal GitHub Wiki

Project Plan:

1. Beginning

1.1. Verify Network Configuration

Ensure that the OPT network and LAN are properly configured and can communicate with each other. Confirm that the WAN network is set up and can reach the OPT network.

1.2. Prepare Virtual Machines

Confirm that web01 and web02 are operational and accessible. Install and configure the operating system on the HAProxy servers.

2. Configure Load Balancers

2.1. Install HAProxy or Alternative

Install HAProxy on both load balancer servers.

2.2. Configure HAProxy

Set up HAProxy configuration to balance traffic between web01 and web02. Ensure that HAProxy configuration handles failover if one of the web servers is down.

3. Set Up High Availability for Load Balancers

3.1. Install and Configure keepalived

Install the keepalived service on both load balancer servers.

Configure keepalived for VRRP to create a VIP that will float between the two load balancers.

Ensure keepalived is configured to monitor HAProxy and handle failover between load balancers.

4. Network Configuration

4.1. Configure VRRP

Set up VRRP on both load balancer servers using keepalived.

Assign a virtual IP address for the load balancers.

4.2. Configure Port Forwarding Rules

Set up port forwarding rules on the WAN firewall/router to route traffic to the VIP of the load balancers.

5. Web Server Configuration

5.1. Configure Web Servers

Ensure web01 and web02 have index pages that display their respective hostnames.

Test the index pages by accessing them directly.

6. Testing and Validation

6.1. Test Web Traffic from WAN

Use curl from xubuntu-wan to the VIP of the load balancers to verify that traffic is properly routed to either web01 or web02.

6.2. Test Failover Scenarios

6.2.1. Bring down the active load balancer and verify that traffic is routed to the standby load balancer.

6.2.2. Bring down the active web server and ensure traffic is redirected to the operational web server.

6.2.3. Bring down the active load balancer and verify that traffic is still routed correctly through the standby load balancer.


High availability setup:

I discussed the settings for High-Availability in the previous lab but I'll show a bit more info here.

Link to the guide: https://www.dpcvirtualtips.com/basic-vrrp-configuration-on-vyos/

Commands that I used:

```
configure
set high-availability vrrp group LAN hello-source-address 10.0.5.5
set high-availability vrrp group LAN interface eth1
set high-availability vrrp group LAN peer-address 10.0.5.3
set high-availability vrrp group LAN no-preempt
set high-availability vrrp group LAN priority 200
set high-availability vrrp group LAN address 10.0.5.1/24
set high-availability vrrp group LAN vrid 10
commit
save
```

Commands on the backup router:

```
configure
set high-availability vrrp group LAN hello-source-address 10.0.5.3
set high-availability vrrp group LAN interface eth1
set high-availability vrrp group LAN peer-address 10.0.5.2
set high-availability vrrp group LAN no-preempt
set high-availability vrrp group LAN priority 100
set high-availability vrrp group LAN address 10.0.5.1/24
set high-availability vrrp group LAN vrid 10
commit
save
```

When setting up the WAN and OPT groups on each of the machines you only need to include the following:

```
configure
set high-availability vrrp group WAN interface eth0
set high-availability vrrp group WAN no-preempt
set high-availability vrrp group WAN priority 200
set high-availability vrrp group WAN address 10.0.17.108/24
set high-availability vrrp group WAN vrid 158
commit
save
```

OPT will have a VRID of 20 on both ends.

What the groups should look like after setup:

Vyos1: [screenshot]

Vyos2: [screenshot]


Test of WAN pinging OPT before fully getting started: [screenshot]

On Web02 I logged in and set the proper IP address using NMTUI. [screenshot]

Both Web machines should be using "LAN" primarily.

To make sure that Web2 had its website up and running, I installed httpd with `yum install httpd` and made sure to add it to the firewall with `sudo firewall-cmd --add-service=http --permanent` and `sudo firewall-cmd --reload`. Once httpd was installed, I edited the index.html file and made the homepage for the website.

index.html file on web2: [screenshot]

Homepage on Google via Xubuntu: [screenshot]


Setting up HA1 and HA2

The network adapter on both machines should be set to OPT before powering on.

Once powered on, we'll want to set up the netplan .yaml file so we can get access to the internet.

Using `sudo nano /etc/netplan/00-installer-config.yaml`, we can set it up to look like this:

HA1: [screenshot]

HA2: [screenshot]

These won't be able to ping anything outside of the network until we update the NAT destination and source rules on the VyOS machines. The new NAT rules should look like this on both machines:

[screenshot]

Now on both HA machines enter `sudo netplan apply` and you'll have internet!


Setting up HAProxy and Keepalived:

Install HAProxy using `sudo apt install haproxy -y` on both machines.

Then make a backup of the `haproxy.cfg` file located in `/etc/haproxy/` and make a new one with the following settings:

```
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend my_frontend
    bind *:80
    default_backend my_backend

backend my_backend
    balance roundrobin
    server server1 10.0.5.100:80 check
    server server2 10.0.5.101:80 check
```

Install keepalived using `sudo apt install keepalived -y` on both machines.

HA1 Keepalived settings: [screenshot]

HA2 Keepalived settings: [screenshot]
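The keepalived settings themselves survive only in the screenshots above, so here is an added example (not the author's config) of a keepalived.conf that does what step 3.1 asks for: a VIP on the OPT interface that follows a working HAProxy, with no-preempt like the VyOS groups. The interface name, the 10.0.6.x addresses and the VRID are assumptions; the VRID must not collide with the VyOS OPT group, which the page gives as 20.

```conf
# /etc/keepalived/keepalived.conf for HA1 (added example, not the page's own config).
# HA2 uses the same file with its own unicast_src_ip/unicast_peer and priority 100.
global_defs {
    enable_script_security      # refuse to run check scripts from world-writable paths
    script_user root
}

# Health check: a node whose HAProxy is not running loses 20 priority points,
# so the VIP moves to the peer even though the host itself is still up (step 3.1).
vrrp_script chk_haproxy {
    script "/usr/bin/pgrep -x haproxy"   # exits 0 while an haproxy process exists
    interval 2                           # run every 2 seconds
    fall 2                               # two failures before the check counts as down
    rise 2                               # two successes before it counts as up again
    weight -20                           # subtracted from priority while the check is down
}

vrrp_instance OPT_VIP {
    state BACKUP            # both nodes start as BACKUP; nopreempt is only valid that way
    nopreempt               # same behaviour as the VyOS "no-preempt" groups above
    interface eth0          # assumption: the OPT-facing adapter on HA1/HA2
    virtual_router_id 30    # assumption; must differ from the VyOS OPT group's VRID 20
    priority 101            # HA2 uses 100, so 101 - 20 = 81 hands the VIP to HA2
    advert_int 1
    unicast_src_ip 10.0.6.10       # placeholder: HA1's own OPT address
    unicast_peer {
        10.0.6.11                  # placeholder: HA2's OPT address
    }
    virtual_ipaddress {
        10.0.6.100/24              # placeholder: the VIP the WAN port forward targets (step 4.2)
    }
    track_script {
        chk_haproxy
    }
}
```

After `sudo systemctl restart keepalived` on both nodes, `ip -br addr show eth0` should list the VIP on HA1 only; stopping haproxy on HA1 should move it to HA2 within a few seconds, which is the failover that step 6.2 tests.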