SEC 440 Web and Proxy Redundancy Project - Zacham17/my-tech-journal GitHub Wiki

In this project, I completed the following objectives:

  • Configured and Networked the following systems:
    • ha01(Load Balancing system)
    • ha02(Load Balancing System)
    • web02
  • Configured redundant Load Balancing and Web Servers
  • Configured port forwarding for the following:
    • HTTP(port 80) from the WAN to port 8080 on the load balancers on the OPT network
    • NAT from the OPT network to the WAN network
  • Set redundant default gateway on OPT systems

The next portion of this page will cover each system and the setup and configuration involved for this project.

vyos1 Updated Configuration

This section outlines the additional changes made to the vyos1 system since Project 1.

Network Information:

  • Eth0(WAN) IP : 10.0.17.24
  • Eth1(LAN) IP : 10.0.5.2
  • Eth2(OPT) IP : 10.0.6.2
  • Virtual IP(LAN) : 10.0.5.1
  • Virtual IP(WAN) : 10.0.17.114
  • Virtual IP(OPT) : 10.0.6.1
  • Default Gateway : 10.0.17.2
  • Name Server: 10.0.17.2

Network Configuration Commands:

The following commands were used for vyos1's network configuration for the newly added OPT network:

set interfaces ethernet eth2 address '10.0.6.2/24'
set interfaces ethernet eth2 description 'OPT'
set service dns forwarding allow-from '10.0.6.0/24'
set service dns forwarding listen-address '10.0.6.1'
set service dns forwarding listen-address '10.0.6.2'

Port Forwarding

The commands below configure source NAT (masquerade) for the OPT network so that OPT systems can reach the WAN and, through it, the internet.

set nat source rule 20 description 'NAT from OPT to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '10.0.6.0/24'
set nat source rule 20 translation address 'masquerade'

In this project, HTTP traffic will now be forwarded to the Load Balancers and then the web servers rather than directly to the web servers.

The NAT rule from Project 1 that forwarded HTTP traffic directly to port 80 on web01 is no longer needed and can be removed with the command: del nat destination rule 10

The commands below port forward connections arriving on port 80 of the WAN interface to port 8080 on the load balancers' virtual IP (10.0.6.10) on the OPT network.

set nat destination rule 30 description 'HTTP->Load Balancers'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.6.10'
set nat destination rule 30 translation port '8080'

Virtual Router Redundancy Protocol (VRRP)

VRRP is used to create redundancy between vyos1 and vyos2. It allows for multiple devices to share a virtual IP address. This creates an environment where if one device goes down, the other device will still supply services to connected devices. The commands below were used to configure VRRP for the OPT network:

set high-availability vrrp group optgroup address 10.0.6.1/24
set high-availability vrrp group optgroup interface 'eth2'
set high-availability vrrp group optgroup priority '200'
set high-availability vrrp group optgroup vrid '20'

These commands set the virtual IP address for the OPT network. The priority decides which router answers for the virtual IP: the router with the higher number becomes the VRRP master, and the other takes over the address if the master goes down. vyos1 is the master in this scenario.

vyos2 Updated Configuration

Network Information:

  • Eth0(WAN) IP : 10.0.17.84
  • Eth1(LAN) IP : 10.0.5.3
  • Eth2(OPT) IP : 10.0.6.3
  • Virtual IP(LAN): 10.0.5.1
  • Virtual IP(WAN): 10.0.17.114
  • Virtual IP(OPT): 10.0.6.1
  • Default Gateway: 10.0.17.2
  • Name Server: 10.0.17.2

Network Configuration Commands:

The following commands were used for vyos2's network configuration for the newly added OPT network:

set interfaces ethernet eth2 address '10.0.6.3/24'
set interfaces ethernet eth2 description 'OPT'
set service dns forwarding allow-from '10.0.6.0/24'
set service dns forwarding listen-address '10.0.6.1'
set service dns forwarding listen-address '10.0.6.2'

Port Forwarding

The commands below configure source NAT (masquerade) for the OPT network so that OPT systems can reach the WAN and, through it, the internet.

set nat source rule 20 description 'NAT from OPT to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '10.0.6.0/24'
set nat source rule 20 translation address 'masquerade'

In this project, HTTP traffic will now be forwarded to the Load Balancers and then the web servers rather than directly to the web servers.

The NAT rule from Project 1 that forwarded HTTP traffic directly to port 80 on web01 is no longer needed and can be removed with the command: del nat destination rule 10

The commands below port forward connections arriving on port 80 of the WAN interface to port 8080 on the load balancers' virtual IP (10.0.6.10) on the OPT network.

set nat destination rule 30 description 'HTTP->Load Balancers'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.6.10'
set nat destination rule 30 translation port '8080'

Virtual Router Redundancy Protocol (VRRP)

VRRP is used to create redundancy between vyos1 and vyos2. It allows for multiple devices to share a virtual IP address. This creates an environment where if one device goes down, the other device will still supply services to connected devices. The commands below were used to configure VRRP for the OPT network:

set high-availability vrrp group optgroup address 10.0.6.1/24
set high-availability vrrp group optgroup interface 'eth2'
set high-availability vrrp group optgroup priority '100'
set high-availability vrrp group optgroup vrid '20'

These commands set the same virtual IP address for the OPT network on vyos2. The priority decides which router answers for the virtual IP: the router with the higher number becomes the VRRP master, and the other takes over the address if the master goes down. With a priority of 100 against vyos1's 200, vyos2 is the backup in this scenario.

All Vyos configuration commands:

The links below lead to files containing the configuration commands for vyos1 and vyos2

NOTE: The following command can be used to show the configuration commands that have been used on a vyos machine:

show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"

web02

Network Information:

  • IP : 10.0.5.100
  • Default Gateway: 10.0.5.1
  • Name Server: 10.0.5.1

The network information was configured using the nmtui tool. As shown above, the default gateway is the virtual IP address created with VRRP, so web02 keeps its route out if either router goes down.

HTTPD Setup

I installed the Apache web server (httpd) onto web02.

I ran the commands below:

sudo yum update httpd
sudo yum install httpd

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

In the /var/www/html/ directory, I added an index.html file whose content identifies the server as web02, so that responses from web01 and web02 can be told apart during testing. I then started the httpd service with the command sudo systemctl start httpd

ha01 (Master Load Balancer)

The ha01 system is a load balancer that uses HAProxy to balance connections between web01 and web02. There are two HAProxy load balancers in this lab, so the keepalived service is used to establish redundancy between the two.

Network Information:

  • IP : 10.0.6.11/24
  • Virtual IP(Used for VRRP): 10.0.6.10
  • Default Gateway: 10.0.6.1
  • Name Server: 10.0.6.1

Netplan is used for the initial network configuration. The /etc/netplan/00-installer-config.yaml file was configured with the static address, default gateway and name server listed above (the configuration is shown as an image in the original page).

The command sudo netplan apply was then run to apply the configuration.

HAProxy Installation and Configuration

The following steps were used to install and configure HAProxy on ha01.

  1. Run sudo apt update
  2. Install haproxy using sudo apt install haproxy
  3. Edit the /etc/haproxy/haproxy.cfg file by adding the following lines to the end of the file (HAProxy keywords are lowercase; a capitalised "Frontend" fails the syntax check):

frontend ha01
        bind 10.0.6.10:8080
        option forwardfor
        default_backend webapps

backend webapps
        balance roundrobin
        server  web01   10.0.5.100:80 check
        server  web02   10.0.5.101:80 check

  4. The syntax of the configuration can be checked using haproxy -f /etc/haproxy/haproxy.cfg -c -V

Note: With this configuration, HAProxy can't be successfully run until keepalived is also installed and configured, since it is using the virtual IP that will be configured with keepalived.

Keepalived Installation and Configuration

Keepalived is used to establish redundancy between ha01 and ha02 load balancers in this project. The following steps were taken to install and configure keepalived on ha01.

  1. Run the command sudo apt install keepalived to install the service
  2. Run the command sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf to enable IP forwarding
  3. As the root user, run the command echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf so that HAProxy can bind to the virtual IP even while keepalived has not assigned it to this node
  4. Create and edit the /etc/keepalived/keepalived.conf file. The configuration used can be found here. This configuration sets the virtual IP address to 10.0.6.10, identifies the peer device, and sets the priority of the system. ha01 is the master system.
  5. Run the command sudo systemctl start keepalived to start the service, and sudo systemctl enable keepalived to start the service on boot.

The HAProxy service can also be started/restarted now using the command sudo systemctl start haproxy or sudo systemctl restart haproxy.

ha02 (Backup Load Balancer)

The ha02 system is a load balancer that uses HAProxy to balance connections between web01 and web02. There are two HAProxy load balancers in this lab, so the keepalived service is used to establish redundancy between the two.

Network Information:

  • IP : 10.0.6.12/24
  • Virtual IP(Used for VRRP): 10.0.6.10
  • Default Gateway: 10.0.6.1
  • Name Server: 10.0.6.1

Netplan is used for the initial network configuration. The /etc/netplan/00-installer-config.yaml file was configured with the static address, default gateway and name server listed above (the configuration is shown as an image in the original page).

The command sudo netplan apply was then run to apply the configuration.

HAProxy Installation and Configuration

The following steps were used to install and configure HAProxy on ha02.

  1. Run sudo apt update
  2. Install haproxy using sudo apt install haproxy
  3. Edit the /etc/haproxy/haproxy.cfg file by adding the following lines to the end of the file (HAProxy keywords are lowercase; a capitalised "Frontend" fails the syntax check):

frontend ha02
        bind 10.0.6.10:8080
        option forwardfor
        default_backend webapps

backend webapps
        balance roundrobin
        server  web01   10.0.5.100:80 check
        server  web02   10.0.5.101:80 check

  4. The syntax of the configuration can be checked using haproxy -f /etc/haproxy/haproxy.cfg -c -V

Note: With this configuration, HAProxy can't be successfully run until keepalived is also installed and configured, since it is using the virtual IP that will be configured with keepalived.

Keepalived Installation and Configuration

Keepalived is used to establish redundancy between ha01 and ha02 load balancers in this project. The following steps were taken to install and configure keepalived on ha02.

  1. Run the command sudo apt install keepalived to install the service
  2. Run the command sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf to enable IP forwarding
  3. As the root user, run the command echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf so that HAProxy can bind to the virtual IP even while keepalived has not assigned it to this node
  4. Create and edit the /etc/keepalived/keepalived.conf file. The configuration used can be found here. This configuration sets the virtual IP address to 10.0.6.10, identifies the peer device, and sets the priority of the system. ha02 is the backup system.
  5. Run the command sudo systemctl start keepalived to start the service, and sudo systemctl enable keepalived to start the service on boot.

The HAProxy service can also be started/restarted now using the command sudo systemctl start haproxy or sudo systemctl restart haproxy.
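The keepalived configuration itself is only linked above, for both the ha01 (master) and ha02 (backup) steps. The script below is an added example, not the wiki's own keepalived.conf: it generates the file for either node from the VIP and addresses given on this page, and assumes the interface name, the VRID, priorities mirroring the VyOS values (200/100), and a pgrep-based haproxy health check.

```shell
#!/bin/sh
# Added example (not the wiki's keepalived.conf). VIP, node addresses and
# roles are from the page; IFACE, the VRID and the haproxy check are
# assumptions. Run as root on ha01 / ha02 after steps 1-3 above.
set -eu

VIP="10.0.6.10"
IFACE="${IFACE:-ens160}"   # assumption: use the name from 00-installer-config.yaml

# gen_keepalived_conf <MASTER|BACKUP> <priority> <own-ip> <peer-ip>
# Prints a keepalived.conf. Unicast peering keeps adverts between the two
# proxies only. chk_haproxy has no weight, so if haproxy stops the instance
# enters FAULT and releases the VIP: a dead proxy process fails over too,
# not only a dead host. VRID 51 is kept distinct from the VyOS vrid 20.
gen_keepalived_conf() {
    role="$1"; prio="$2"; own="$3"; peer="$4"
    cat <<EOF
vrrp_script chk_haproxy {
    script "/usr/bin/pgrep -x haproxy"
    interval 2
    fall 2
    rise 2
}

vrrp_instance OPT_LB {
    state ${role}
    interface ${IFACE}
    virtual_router_id 51
    priority ${prio}
    advert_int 1
    unicast_src_ip ${own}
    unicast_peer {
        ${peer}
    }
    virtual_ipaddress {
        ${VIP}/24
    }
    track_script {
        chk_haproxy
    }
}
EOF
}

# ha01: gen_keepalived_conf MASTER 200 10.0.6.11 10.0.6.12 > /etc/keepalived/keepalived.conf
# ha02: gen_keepalived_conf BACKUP 100 10.0.6.12 10.0.6.11 > /etc/keepalived/keepalived.conf
# Then run `sudo sysctl -p` so ip_forward and ip_nonlocal_bind from steps 2-3
# take effect without a reboot, and start keepalived and haproxy as in step 5.
```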

Redundancy between the load balancers is now established, and whichever of ha01 and ha02 holds the virtual IP will balance connections between web01 and web02.

Requirement Testing

To test that I met the objectives of this project, I performed the following actions:

  1. On xubuntu-wan, curl the vyos virtual WAN IP address. This should show the contents of the web page on the active web server, which shows that load balancing and redundancy are active. Command/Action: curl http://10.0.17.114
  2. Bring down the active vyos router by disconnecting vyos1 in vcenter. Command/Action: show vrrp, arp -a on WAN
  3. Repeat step 1. This will show that the backup router is now being used, showing that there is redundancy. Command/Action: curl http://10.0.17.114
  4. Bring down a web server by disconnecting it from the network in vcenter.
  5. Repeat step 1. This will show that the remaining web server is being used, showing that there is redundancy. Command/Action: curl http://10.0.17.114
  6. Bring down the active proxy server by disconnecting ha01 in vcenter. Command/Action: ip a on ha01 and ha02
  7. Repeat step 1. This will show that the backup haproxy server is now being used, showing that there is redundancy among the haproxy servers. Command/Action: curl http://10.0.17.114

Reflection

I found this lab fairly simple, as it built off of the previous project and involved a lot of the same techniques. Some new topics I learned implementing are load balancing with HAProxy and redundant routing using keepalived. Learning about these two services and how to implement them may prove useful.

References:

The following links lead to references used to complete this project: