Server cluster review.
#1
Myself and some staff are planning out some new infrastructure; at the moment this is what we're thinking:

OVH Node (Nginx Reverse Proxy) <--> Backend node (PHP+Nginx) <--> SQL.

The backend node would only accept connections from the OVH node IP (public), thus allowing us to run our backend in nearly PURE LAN, adding extreme security to our setup topology. Our SQL is already deployed on pure LAN.

If an attacker would manage to get into the primary node, nothing more than Nginx files would be present, along with the IP of our backend, which is heavily locked with LFD & CSF as it's on near-pure LAN, only accepting HTTP requests from the front-end.

The front-end (OVH) node would also work as a traffic scrubber, allowing us to scrub any L7, L3 & L4 DDoS attacks before reaching our already DDoS protected (with another provider) node.


Any ideas, or suggestions?
Do NOT PM me for any inquiries related to advertising on PacketPunks. 

For our change log, CLICK HERE.
For our help docs, CLICK HERE.
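A way to check the claim in post #1 that the backend accepts HTTP only from the front-end IP, as an added example that is not part of the thread: a small first-match evaluator over `iptables-save` output. The addresses, the chain name `ALLOWIN` and both rulesets are constructed, and only `-s`, `-p`, `--dport` and `-j` are modelled (any other option raises).

```python
import ipaddress
import shlex
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
KNOWN = {"-A", "-s", "-p", "-m", "--dport", "-j"}   # only these options are modelled

def parse(dump):
    """iptables-save text -> ({chain: policy}, {chain: [rule]})."""
    policies, chains = {}, {}
    for line in map(str.strip, dump.splitlines()):
        if line.startswith(":"):                     # e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            if any(t in ("!", "RETURN") or (t.startswith("-") and t not in KNOWN) for t in tok):
                raise ValueError(f"unmodelled option in: {line}")
            rule = {"-s": "0.0.0.0/0", "-p": None, "--dport": None, "-j": None}
            rule.update((f, tok[tok.index(f) + 1]) for f in list(rule) if f in tok)
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def verdict(policies, chains, src, dport, chain="INPUT"):
    """First-match result for a new TCP connection from src to dport."""
    for r in chains.get(chain, []):
        if (r["-p"] not in (None, "tcp")
                or (r["--dport"] is not None and int(r["--dport"]) != dport)
                or ipaddress.ip_address(src) not in ipaddress.ip_network(r["-s"], strict=False)):
            continue
        if r["-j"] in TERMINAL:
            return r["-j"]
        if r["-j"] in chains:                        # jump into a user-defined chain
            hit = verdict(policies, chains, src, dport, r["-j"])
            if hit is not None:
                return hit
    policy = policies.get(chain, "-")                # user chains have policy "-"
    return None if policy == "-" else policy

def exposed(dump, port, probes, trusted):
    """Probe sources other than the trusted front end that can reach port."""
    policies, chains = parse(dump)
    return [ip for ip in probes
            if ip != trusted and verdict(policies, chains, ip, port) == "ACCEPT"]

# Constructed rulesets in iptables-save format (not from the thread).
LOCKED = """:INPUT DROP [0:0]
:ALLOWIN - [0:0]
-A INPUT -j ALLOWIN
-A ALLOWIN -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT"""
LEAKY = LOCKED.replace("-A INPUT", "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n-A INPUT")
```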
#2
Sounds great! I don't know much about this sort of thing, but I'm sure Mr. Zane does :P

Best regards,
-Siberia
PacketPunks
Knowledge talks, wisdom listens.
PM me with any questions or comments
#3
(04-21-2014, 05:50 AM)Siberia Wrote: Sounds great! I don't know much about this sort of thing, but I'm sure Mr. Zane does :P

Best regards,
-Siberia

Zane INC'ing in 5...4...3...2....
#4
(04-21-2014, 05:59 AM)Schultz Wrote:
(04-21-2014, 05:50 AM)Siberia Wrote: Sounds great! I don't know much about this sort of thing, but I'm sure Mr. Zane does :P

Best regards,
-Siberia

Zane INC'ing in 5...4...3...2....

Lol! I bet Zane would figure that out :tongue:

Best regards,
-Siberia
#5
I would consider bringing the traffic into Varnish on the first server, which then load balances between (nginx) localhost and server 2:80, where server 2 is running nginx. Both nginx instances tie into PHP-FPM, with a perconaSQL database running on the backend.

This is all pretty simple, with the exception of writing the VCL for varnish. Start reading :3

Zane
#6
(04-21-2014, 07:14 AM)Mr. Zane Wrote: I would consider bringing the traffic into Varnish on the first server, which then load balances between (nginx) localhost and server 2:80, where server 2 is running nginx. Both nginx instances tie into PHP-FPM, with a perconaSQL database running on the backend.

This is all pretty simple, with the exception of writing the VCL for varnish. Start reading :3

Zane

The master has spoken, all hail Zane the great.

No sarcasm intended, you are a networking wiz :)
#7
(04-21-2014, 08:58 AM)Anonymous Wrote:
(04-21-2014, 07:14 AM)Mr. Zane Wrote: I would consider bringing the traffic into Varnish on the first server, which then load balances between (nginx) localhost and server 2:80, where server 2 is running nginx. Both nginx instances tie into PHP-FPM, with a perconaSQL database running on the backend.

This is all pretty simple, with the exception of writing the VCL for varnish. Start reading :3

Zane

The master has spoken, all hail Zane the great.

No sarcasm intended, you are a networking wiz :)

Oh yea! Mr. Zane is a genius!
I wonder how many certifications he has :sad:

Best regards,
-Siberia