|panda 6cb6e6c09d Add 'Ansible_DEMO/haproxy.cfg_EXAMPLE'||7 months ago|
|Ansible_DEMO||7 months ago|
|imgs||11 months ago|
|LICENSE||11 months ago|
|README.md||10 months ago|
the scope of this project is to provide a pre-tested layer of protection for the publication of a service, via an external machine, ideally a cheap vps without any important data onboard.
this approach allows us to have "higly mobile" services since are not directly published to the world.
in this layer we find the external machines, they are configured with:
the dns records of the services are pointed on those machines, see the BIND section for more info on the redundancy approach.
this layer provides a layer of anonimity and flexibility between the external machines and the ones with the services onboard.
we made this with a full-mesh network like tinc, which provides a "virtual L2 switch" with alle the machines connected.
the services machines and the external ones connect to these 2 (or more) machines
in this layer we find the machines that provide the actual services
to proxy the connections without terminating the SSL, thus not having any SSL certificate on the external machines, we need to use haproxy to read the SNI and, using ACLs, send the connection to the correct backend.
bind provides our poor-fella's redundancy to our machines, this is done by hosting a bind instance on every external machine and delegating a zone to each of them, for example: balanced.domain.net
domain hosting configuration example:
balanced 300 IN NS machine01.domain.net. balanced 300 IN NS machine02.domain.net. balanced 300 IN NS machine03.domain.net. machine01 300 IN A 100.100.100.1 machine02 300 IN A 100.100.100.2 machine03 300 IN A 100.100.100.3
every machine's bind has a record for a common host inside that zone that is pointed to the machine itself, for example: publish.balanced.domain.net
bind configuration on machine01 example:
$ORIGIN . ; ---Area 1--- $TTL 300 ; 5min ; ---Area 2--- balanced.domain.net IN SOA machine01.balanced.domain.net. root.balanced.domain.net. ( 2021100101 ; serial 300 ; refresh (5 min) 300 ; retry (5 min) 600 ; expire (10 min) 300 ; minimum (5 min) ); ; ---Area 3--- IN NS machine01.balanced.domain.net. ; ---Area 4--- $ORIGIN balanced.domain.net. ;NOTE: machine01 is the server that solves the names machine01 300 IN A 100.100.100.1 ;NOTE: here we can define the content of our zone: publish 30 IN A 100.100.100.1 balanced.domain.net. 300 IN A 100.100.100.1
in this way when we ask the dns for "publish.balanced.domain.net", we are told to go ask the 3 machines to solve the zone "balanced.domain.net", the first machine that we ask to and is able to solve names is the one that will deliver our service.
there are no primary and secondary servers, in the dns all are equal
we want to sync all the configurations on the various servers from a single, maybe shared, point to do that we'll use a git repo where we'll add the configuration, a script called by cron will check every 2min if the repo changes and download new haproxy config files and restart the service.