Project 2: Web Redundancy - squatchulator/Tech-Journal GitHub Wiki

Project 2: Web Redundancy


Plan of Action

  • Configure baseline servers
    • Networking, hostname, accounts, etc. for Web02, Ha1, and Ha2
  • Install services
    • Apache, HAProxy, Keepalived
  • Configure firewall
    • Allow traffic between OPT and WAN
  • Configure services
    • HAProxy, Keepalived

HAProxy Servers

  • Both of these machines need to be attached to the OPT network before being booted.
  • Do the whole add user, elevate to wheel, delete old user, rename machine routine
  • Edit the network with netplan. To do this, edit the file /etc/netplan/00-installer-config.yaml so it contains the following (use 10.0.6.11 on Ha1 and 10.0.6.12 on Ha2). Note that dhcp4, addresses, gateway4 and nameservers must be indented under ens160, or netplan will reject the file:
network:
  version: 2
  ethernets:
    ens160:
      dhcp4: false
      addresses: [10.0.6.11/24]   # 10.0.6.12/24 on Ha2
      gateway4: 10.0.6.1
      nameservers:
        addresses: [10.0.6.1]
  • Once done, save the file and run sudo netplan try to test the config. If all works, run sudo netplan apply.

Web02

  • First, put this one on the LAN network and boot it up.
  • Rename the machine, new user, wheel group, delete old.
  • Install Apache with sudo yum install httpd and create a new index.html file in /var/www/html with some temporary text (preferably something similar to Web01 that lets you distinguish when you're visiting one or the other)
  • Run nmtui and give it the address 10.0.5.101/24 with the gateway and DNS of 10.0.5.1.
  • Allow port 80 through the local firewall and reload it; you should now be able to see the web page from one of your other LAN machines. Make sure Web01 resolves as well while you're at it.

VyOS 1/2

  • On both boxes we need to set a source NAT rule so that traffic from OPT can reach the WAN, and enable DNS forwarding so that DNS is reachable from the OPT network.
set service dns forwarding allow-from 10.0.6.0/24
set service dns forwarding listen-address 10.0.6.1
set nat source rule 20 description 'NAT from OPT to WAN'
set nat source rule 20 source address 10.0.6.0/24
set nat source rule 20 translation address masquerade
set nat source rule 20 outbound-interface eth0

Back to HAProxy Servers

  • Now to actually install and configure HAProxy. We can install it with apt install haproxy. Open up the config file once installed; it's located at /etc/haproxy/haproxy.cfg. Make sure to make a quick backup of this file!
  • This guide showed me how to configure HAProxy through this file. Append the following to the .cfg:
frontend ha
    bind *:80
    default_backend webpool
backend webpool
    balance roundrobin
    server web01 10.0.5.100:80 check
    server web02 10.0.5.101:80 check
  • Now start HAProxy with systemctl and enable it as well. Assuming you did everything right, browsing to the HAProxy address from a LAN box should show Web01's page, and on refresh it should switch to Web02's.
  • Assuming this all works, we can start working on setting up keepalived. You can just install it using apt, you will probably need to run updates/upgrades though.
  • Create a new file /etc/keepalived/keepalived.conf:
vrrp_instance haproxy {
    state MASTER               # NOTE: make this BACKUP on ha2
    interface ens160
    virtual_router_id 20
    priority 200               # NOTE: make this 100 on ha2
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass <password here>
    }
    virtual_ipaddress {
        10.0.6.10/24
    }
}
  • Now start and enable keepalived using systemctl.
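A quick consistency check for the ha1/ha2 pair, added here as an example and not part of the journal or of keepalived itself: it parses two keepalived.conf files and flags the mistakes the NOTEs above warn about (both nodes left as MASTER, equal priorities) as well as a mismatched interface, router id, VIP or auth_pass, any of which would stop the two nodes forming one pair or let both claim 10.0.6.10. The two sample configs are constructed; the ha2 copy deliberately keeps ha1's state and priority.

```python
import re
# Constructed sample keepalived.conf for ha1; HA2_CONF is a careless copy in which state/priority were never changed.
HA1_CONF = """
vrrp_instance haproxy {
    state MASTER
    interface ens160
    virtual_router_id 20
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass changeme
    }
    virtual_ipaddress {
        10.0.6.10/24
    }
}
"""
HA2_CONF = HA1_CONF
_KEYS = ("state", "interface", "virtual_router_id", "priority", "advert_int", "auth_type", "auth_pass")

def parse_vrrp(text):
    """Pull the scalar settings and the VIP list out of a single vrrp_instance block."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # strip comments, then tokenize
        if len(parts) == 2 and parts[0] in _KEYS:
            cfg[parts[0]] = parts[1]
    vips = re.findall(r"virtual_ipaddress\s*{([^}]*)}", text)
    cfg["vips"] = sorted(vips[0].split()) if vips else []
    return cfg

def check_pair(master_text, backup_text):
    """Return the problems that would keep ha1/ha2 from forming one clean VRRP pair."""
    m, b = parse_vrrp(master_text), parse_vrrp(backup_text)
    problems = []
    if (m.get("state"), b.get("state")) != ("MASTER", "BACKUP"):
        problems.append("state must be MASTER on ha1 and BACKUP on ha2")
    if int(m.get("priority", 0)) <= int(b.get("priority", 0)):
        problems.append("master priority must be higher than backup priority")
    for key in ("interface", "virtual_router_id", "advert_int", "auth_type", "auth_pass"):
        if m.get(key) != b.get(key):
            problems.append(f"{key} differs between the two nodes")
    if m["vips"] != b["vips"]:
        problems.append("virtual_ipaddress lists differ")
    if "auth_pass" not in m:       # unset, or still the unparsable <password here> placeholder
        problems.append("auth_pass is missing or still the placeholder")
    return problems
```

Run it against the real /etc/keepalived/keepalived.conf from each node (read the two files into the strings) before starting keepalived; an empty list means the pair is consistent.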

VyOS 1/2 again

  • Now we need to let HTTP traffic be directed to our VRRP address. I tried adding these firewall configs as a new destination rule, but load balancing was not working properly. It took me a while and some additional help to learn that it's the existing HTTP to LAN rule in our firewall that's interfering with HAProxy due to it translating only to Web01's address.
delete nat destination rule 10
set nat destination rule 10 description "Allow HTTP from WAN to OPT"
set nat destination rule 10 destination port 80
set nat destination rule 10 destination address 10.0.17.102
set nat destination rule 10 protocol tcp
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 translation port 80
set nat destination rule 10 translation address 10.0.6.10