Project 2 ‐ Web Redundancy - jacobwilliams100/sec-440 GitHub Wiki

Project Plan

vyos1&2

  • DNS for opt network
  • New nat rule (opt to wan)
  • Adjust inbound wan http rule to point towards opt

ha1/ha2

  • Set network adapter in vcenter
  • Network setup (need to do manually with netplan)
  • haproxy
    • Install, start, enable
    • Configure
  • keepalived
    • Install, start, enable
    • Configure

web01

  • Create index.html for apache

web02

  • Set network adapter in vcenter
  • Network setup (nmtui)
  • Install, start, enable apache
  • Create firewall rule
  • Create index.html for apache

VyOS adjustments

Source NAT rule (opt to wan)

set nat source rule 40 description "opt to wan"

set nat source rule 40 outbound-interface eth0

set nat source rule 40 source address 10.0.6.0/24

set nat source rule 40 translation address masquerade

This lets ha1 and ha2 reach the WAN through the router.

Changing the inbound NAT rule to point towards the VRRP address

set nat destination rule 20 destination address 10.0.17.107

set nat destination rule 20 translation address 10.0.6.10

Setup of ha1 and ha2

Network Setup

There is no nmtui on these machines, so we must configure the network manually with netplan.

sudo nano /etc/netplan/00-installer-config.yaml

Then run sudo netplan apply to activate the configuration.

HAProxy on ha1 and ha2

https://www.haproxy.com/documentation/haproxy-configuration-tutorials/core-concepts/frontends/

We use HAProxy to balance load between web01 and web02. Normally it will distribute requests evenly between the two. But if one fails, 100% of requests will go to the other, to retain service.

You will need to update first

sudo apt update

sudo apt install haproxy

Now we must configure it

sudo nano /etc/haproxy/haproxy.cfg

and add the lines shown here to the bottom of the file

[image: haproxy.cfg additions]

(same on ha1 and ha2)

Then we must turn it on.

sudo nano /etc/default/haproxy

and add the line ENABLED=1 at the bottom, save and quit

Once you do this, start and enable the HAProxy service with

systemctl start haproxy

systemctl enable haproxy

systemctl restart haproxy

KeepAlived on ha1 and ha2

We use KeepAlived to implement high availability for the proxies themselves. If one fails, the other will resume service (seamlessly!)

https://tecadmin.net/setup-ip-failover-on-ubuntu-with-keepalived/

sudo apt-get install keepalived

sudo nano /etc/keepalived/keepalived.conf

Configuration on ha1: [image]

Configuration on ha2: [image]

Start and enable keepalived with

sudo systemctl start keepalived

sudo systemctl enable keepalived
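
An added example, not the configuration from this wiki's screenshots: a keepalived.conf for ha1 that holds the VRRP address 10.0.6.10 used in NAT rule 20 and gives it up when haproxy stops running, so a dead proxy on a live host still triggers failover. The interface name, virtual_router_id, priorities and auth_pass value are assumptions; ha2 uses the same file with the two changes noted in the comments.

```conf
# /etc/keepalived/keepalived.conf on ha1 (added example, not the wiki's own file)
# Assumed values: interface name, virtual_router_id, priorities, auth_pass.

global_defs {
    # Do not run root scripts from paths writable by non-root users.
    enable_script_security
}

# Health check: exits non-zero when no haproxy process exists.
vrrp_script chk_haproxy {
    script "/usr/bin/pgrep -x haproxy"
    interval 2                # run every 2 seconds
    fall 2                    # two consecutive failures mark the check as failed
    rise 2                    # two consecutive successes mark it healthy again
}

vrrp_instance VI_1 {
    state MASTER              # ha2: BACKUP
    interface ens160          # assumed NIC name; check with "ip -br link"
    virtual_router_id 51      # assumed; must be identical on ha1 and ha2
    priority 150              # assumed; ha2 gets a lower value such as 100
    advert_int 1              # send a VRRP advertisement every second

    authentication {
        # PASS travels in cleartext in every advertisement, so it guards
        # against misconfiguration, not against a host on the same segment.
        auth_type PASS
        # Placeholder; only the first 8 characters are used.
        auth_pass CHANGEME
    }

    virtual_ipaddress {
        # The address VyOS NAT destination rule 20 translates to.
        10.0.6.10/24
    }

    # No weight is set on chk_haproxy, so a failed check puts this
    # instance in FAULT state and the address moves to the other node.
    track_script {
        chk_haproxy
    }
}
```

After restarting keepalived on both nodes, ip -br addr shows which one currently holds 10.0.6.10.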

Setup of web02 + adjustment to web01

Luckily, we can use nmtui to configure the IP address on web02.

Setting up simple web server

yum install httpd

systemctl start httpd

systemctl enable httpd

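firewall-cmd --zone=public --add-port=80/tcp

Without --permanent, this rule only changes the running firewalld configuration and is lost on a reload or reboot.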

Creating index page (do this on web01 too!)

nano /var/www/html/index.html

index.html on web01: [image]

index.html on web02: [image]

Reflection

This lab went significantly smoother than the last one. I am gaining proficiency with VyOS, so the adjustments to DNS and NAT were easy. HAProxy was pretty straightforward to configure. KeepAlived was a little more involved. I was familiar with both types of service on a conceptual level because I have worked with high availability and fault tolerance on AWS, but it was certainly interesting to see how they work on a less abstract level. The issue I ran into with both was that I forgot to turn them on with systemctl. It's something to remember for the future any time I install a new program on Linux. The initial config for the new machines was no issue; I've done that enough times.