Haproxy DNS Based backends based on wildcards - dns

Now that we have a dynamic DNS-resolving backend with HAProxy 1.6, I've been wondering whether I can make resolving to the endpoint use dynamic backends. Here's what I would be looking for:
resolvers docker
nameserver dnsmasq 127.0.0.1:53
defaults
mode http
log global
option httplog
frontend f_myapp
bind :443
default_backend b_myapp
backend b_myapp
server services *:443 check resolvers docker resolve-prefer ipv4
OR
server services [%Host]:443 check resolvers docker resolve-prefer ipv4
Having this would allow me to avoid touching HAProxy's configuration and instead use only DNS to update the backend routing.
Thanks
Alessandro

A server declared in HAProxy is a single destination IP address. Even if that IP address is dynamic and can change, as is now possible in 1.6, a server is only/always/ever a single destination, not a target that changes with each request. What you are contemplating is not consistent with the design of HAProxy.
Your back-end servers must be declared in advance. You can create dummies and modify them via the stats socket, and dynamic configuration can be accomplished by scripting the configuration-file-generating process (using external tools) and then reloading HAProxy but... it has no internal concept matching what you are contemplating.
Additionally, of course, even if it did, there is a problem with your plan, since it represents a potential security hole: if HAProxy were to interpret %[Host] (which I assume refers to %[req.hdr(host)]) as an IP address, no resolution would be needed and you've just given internal access to anyone who passed an IP address in the Host header.
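The approach the answer describes, as an added example that is not part of the original thread and not HAProxy's own code: backends are declared in advance, the Host header only selects one of them (it never becomes a destination), and a declared server is repointed at runtime with the stats-socket `set server ... addr` command rather than by re-resolving the Host header. The hostnames, addresses, socket path and backend names are constructed placeholders.

```python
"""Added example: generate a host-routed HAProxy configuration from a fixed
list of hostnames and emit the runtime-API command that moves one of the
declared servers to a new address without a reload (HAProxy >= 1.6).

The Host header is only ever compared against names declared here; an IP
literal or an unknown name falls through to a deny backend, which is the
hole the answer warns about if Host were used as the target."""
import ipaddress
import re

# Constructed stand-in for a DNS lookup: hostname -> (address, port).
KNOWN_HOSTS = {
    "app.example.internal": ("10.0.1.10", 443),
    "api.example.internal": ("10.0.1.20", 443),
}


def backend_name(host):
    """Derive a valid HAProxy section name from a hostname."""
    return "b_" + re.sub(r"[^a-z0-9]", "_", host.lower())


def host_header_value(raw):
    """Strip an optional :port from a Host header value (bracketed IPv6 aware)."""
    raw = raw.strip()
    if raw.startswith("["):
        end = raw.find("]")
        return raw[:end + 1] if end != -1 else raw
    return raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw


def is_routable_host(raw, known=KNOWN_HOSTS):
    """True only for a hostname we declared; IP literals are always rejected."""
    host = host_header_value(raw).lower()
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False  # an IP literal in Host must never pick a destination
    except ValueError:
        pass
    return host in known


def generate_config(known=KNOWN_HOSTS, resolvers="docker"):
    """Emit a frontend plus one pre-declared, DNS-resolved backend per host."""
    lines = ["frontend f_myapp", "    bind :443"]
    for host in sorted(known):
        b = backend_name(host)
        lines.append(f"    acl h_{b} hdr(host) -i {host}")  # exact Host match
    for host in sorted(known):
        b = backend_name(host)
        lines.append(f"    use_backend {b} if h_{b}")
    lines.append("    default_backend b_reject")
    for host in sorted(known):
        port = known[host][1]
        lines.append(f"backend {backend_name(host)}")
        # The address may change via DNS, but the server itself stays declared.
        lines.append(f"    server s1 {host}:{port} check resolvers {resolvers} resolve-prefer ipv4")
    lines += ["backend b_reject", "    http-request deny"]
    return "\n".join(lines) + "\n"


def set_server_addr_command(host, addr, port, known=KNOWN_HOSTS):
    """Runtime API line to repoint a declared server; send it to the stats
    socket, e.g. `echo '<line>' | socat stdio /var/run/haproxy.sock`
    (socket path is a placeholder)."""
    if host not in known:
        raise KeyError(f"{host} is not a declared backend")
    ipaddress.ip_address(addr)  # refuse anything that is not an IP literal
    return f"set server {backend_name(host)}/s1 addr {addr} port {port}"


if __name__ == "__main__":
    print(generate_config())
    print(set_server_addr_command("app.example.internal", "10.0.1.99", 443))
```

The generated config is the "declare dummies, update them over the stats socket" shape from the answer: the set of backends only changes when the file is regenerated and HAProxy reloaded, while an address change for an existing backend needs only the runtime command.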

Related

Can NodeJS prefer IPv6 DNS lookups by default?

I am developing multiple TypeScript (NodeJS 14) client applications (all Dockerized). Most of the HTTP requests are made using axios, but not exclusively.
By default, all DNS queries resolve to IPv4 addresses, so all HTTP traffic is over IPv4 as well.
I could specify the exact IPv6 address for each and every one of the requests I make - but I'd like to find a way to have these apps opt for IPv6 DNS resolution, preferably with as little code changes as possible. Maybe a tsnode.json modification or some other flag that affects NodeJS at the "root" level?
Pretty sure you are looking for dns.setDefaultResultOrder(order), which allows you to set the DNS lookup priority: ipv4first or verbatim.
https://nodejs.org/api/dns.html#dnssetdefaultresultorderorder

Alternative to glibc Library call res_ninit for getting DNS details over DHCP

Is there a good API alternative to res_ninit?
There are problems with this call because res->_u.ext.nscount6 and res->nscount do not reflect the correct numbers. Adding an IPv6 address to /etc/resolv.conf still results in nscount increasing, where you would have expected nscount6 to increase.
An older glibc version seems to increase both nscount and nscount6 for an IPv6 address in /etc/resolv.conf.
I am currently parsing resolv.conf directly because I am unable to depend on the res_ninit call. But this is fine for manual DNS.
When it comes to DHCP DNS, I need an API to give me the result. There is no other way (that I can think of) to determine the DNS IP addresses over DHCP.
I tried posting in other places on the board, but it has not helped so far, e.g.:
Retrieve IPv4 and IPv6 nameservers programmatically
res_ninit and res_init only ever read name server information from /etc/resolv.conf. You can always get the same name server data by parsing /etc/resolv.conf yourself and examining the nameserver lines. If there is no nameserver line, the default 127.0.0.1 will be used.
I don't think it is necessary to provide an API for that because the file format is so simple that it is likely more difficult to use the API than to read the file instead.
Name server assignment over DHCP is implemented by rewriting /etc/resolv.conf if there is no local caching resolver running on the machine. The exact mechanism used for that is distribution-specific, e.g. Debian uses resolvconf if it is installed.
If a local caching resolver is running on the system (such as dnsmasq or Unbound), name servers over DHCP can be directly configured in that caching resolver. In this case, /etc/resolv.conf will keep pointing to the same name server, typically by listing nameserver 127.0.0.1 or no name server information at all (which is the default).
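The "parse the file yourself" approach from the answer, as an added example that is not part of the thread and not glibc code: it reads resolv.conf the way res_ninit does, reports IPv4 and IPv6 name servers separately (the nscount / nscount6 split the question is after), applies the 127.0.0.1 default when no nameserver line is present, and tells you whether the file points at a local caching resolver, which is the DHCP case the answer describes. The file contents are constructed; the addresses and interface name are placeholders.

```python
"""Added example: a resolv.conf parser that separates IPv4 and IPv6 name
servers and detects the "everything points at a local resolver" layout."""
import ipaddress

# Constructed sample file; on a DHCP-managed host this is what resolvconf
# (or the distribution's equivalent) rewrites.
SAMPLE_RESOLV_CONF = """\
# generated by resolvconf (constructed sample)
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver fe80::1%eth0
search example.internal corp.example
options timeout:2 attempts:3
"""

DEFAULT_NAMESERVER = "127.0.0.1"  # used by the resolver when no nameserver line exists
MAXNS = 3                         # glibc keeps at most this many name servers


def parse_resolv_conf_text(text):
    """Return IPv4 and IPv6 name servers, search list and options from
    resolv.conf text, mirroring what res_ninit would load."""
    v4, v6, search, options = [], [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "nameserver" and args:
            if len(v4) + len(v6) >= MAXNS:
                continue  # entries past MAXNS are ignored, not counted
            try:
                # Strip a "%scope" suffix before parsing so link-local
                # addresses are accepted on every Python version.
                addr = ipaddress.ip_address(args[0].split("%", 1)[0])
            except ValueError:
                continue  # unparsable entry: skipped, like res_ninit does
            (v6 if addr.version == 6 else v4).append(args[0])
        elif key in ("search", "domain"):
            search = args  # the last search/domain line wins
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                options[name] = value if value else True  # flags carry no value
    if not v4 and not v6:
        v4.append(DEFAULT_NAMESERVER)
    return {"nameservers4": v4, "nameservers6": v6,
            "search": search, "options": options}


def read_resolv_conf(path="/etc/resolv.conf"):
    """Parse the live file on this host."""
    with open(path, encoding="utf-8") as fh:
        return parse_resolv_conf_text(fh.read())


def uses_local_resolver(parsed):
    """True when every configured name server is a loopback address, i.e. a
    local caching resolver (dnsmasq, Unbound, ...) holds the DHCP-learned
    servers and resolv.conf will not reveal them."""
    addrs = parsed["nameservers4"] + parsed["nameservers6"]
    return all(ipaddress.ip_address(a.split("%", 1)[0]).is_loopback for a in addrs)


if __name__ == "__main__":
    result = parse_resolv_conf_text(SAMPLE_RESOLV_CONF)
    print("nscount", len(result["nameservers4"]), result["nameservers4"])
    print("nscount6", len(result["nameservers6"]), result["nameservers6"])
    print("local resolver:", uses_local_resolver(result))
```

When uses_local_resolver returns True, the DHCP-assigned servers have to be asked for from the caching resolver itself (or from the DHCP client's lease state), exactly as the answer says; the file will not change as leases do.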

Does Kestrel support urls/hostnames, or it can only listen to a port?

I'm trying to start ASP.NET 5 web application so that it could be accessible via public internet address, like "http://hostname.dom".
I don't want it to be accessible via "http://www.hostname.dom", "http://test.hostname.dom", etc. And I have DNS records configured to point to the server's IP address for the "*.hostname.dom" and "hostname.dom" names.
So I start Kestrel with the parameter:
server.urls=http://hostname.dom
I expect it to ignore any address that is not "http://hostname.dom", but the application is available at every "http://justanything.hostname.dom" address and even just by IP address. So it is listening for all requests on port 80 rather than requests to a specific hostname.
For example, when configuring IIS site bindings, you can specify binding like "hostname.dom" and it will ignore any other possible prefixes until you specify them explicitly.
Does Kestrel support urls/hostnames, or it can only listen to a port?
Well yes, Kestrel doesn't support hostname listening, only ip:port binding. To make it possible, you, my friend, must either use another hosting solution (like WebListener, if running on Windows) or configure forwarding with a web server: http://druss.co/2015/06/asp-net-5-kestrel-nginx-web-server-on-linux/

How to forward incoming clients based on ip to a specific process

I have a server that has multiple ip addresses. It also has multiple web apps written in nodejs that I'm running.
In short I'd like to forward specific ip addresses to specific node applications. How is this done? Should I use apache or nginx?
running centos 7
Any running application can bind to either 0.0.0.0 (to catch all the packets) or to some specific IP (it must use this IP when it calls bind() on the socket). Thus almost any TCP/IP server application has an option like "Listen" in its config file or command line, so you should read your docs carefully to figure out how it can be done in your particular application. For Apache it's port-based virtual hosts.
If you want to route user requests to different application based on user's IP address, you should read about iptables nat table and REDIRECT target.

Build BIND for DMZ Linux Server

I have installed CentOS-6 server in our DMZ.
I have a public IP address which I will use for it.
Now, how should I set up its DNS in order to make it accessible from internet?
Is there any particular steps required for BIND in order to propagate the server to internet?
Thanks
To configure it you can use
http://www.howtoforge.com/bind-installation-on-centos
You should refer to this previous thread:
https://serverfault.com/questions/153690/why-arent-our-dns-records-propagating-out-into-the-internet
There is no "propagation" so to speak; propagation is usually a term used to describe the delay in any updates made to the DNS when the old records have already been cached by some servers.
In this case, when you say that you want DNS on your server to be accessible to the Internet, you likely are planning to use BIND as an authoritative server, serving one or more zones. In that case, you will just have to ensure that TCP and UDP port 53 are open for incoming traffic from anywhere. You will set up BIND in a fairly standard manner. Just install BIND, add some zones to it.
In the zone that you're hosting, you will then refer to the hostname of the machine on which you are running this BIND instance (and that hostname must be resolvable to an IP address), say ns1.myzns.com.
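The check behind that last sentence, as an added example that is not part of the thread and not BIND's own tooling: before loading a zone into an authoritative server, confirm it has an SOA and NS records at the apex and that every NS name inside the zone has an A or AAAA record (glue), since a name server whose own name cannot be resolved from the zone it serves is unreachable. The zone text below is constructed; myzns.com, the host names and the 203.0.113.x addresses are placeholders.

```python
"""Added example: a minimal zone-file parser and lint for the "NS hostname
must be resolvable" requirement of an authoritative BIND setup."""

# Constructed sample zone; ns2 is deliberately listed without an address.
SAMPLE_ZONE = """\
$ORIGIN myzns.com.
$TTL 3600
@       IN SOA ns1.myzns.com. hostmaster.myzns.com. (
            2024010101 ; serial
            7200       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; minimum
@       IN NS  ns1.myzns.com.
@       IN NS  ns2.myzns.com.
ns1     IN A   203.0.113.10
www     IN A   203.0.113.20
"""

CLASSES = ("IN", "CH", "HS")


def fqdn(name, origin):
    """Make a zone-file name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner_fqdn, rtype, rdata_tokens), ...]).
    Handles ; comments, ( ) continuation lines, $ORIGIN/$TTL, '@' and
    owner inheritance for lines that start with whitespace."""
    origin, owner, records = ".", None, []
    logical, cur, cur_ws, depth = [], [], False, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # strip comments before counting parens
        if not cur:
            if not line.strip():
                continue
            cur_ws = line[:1].isspace()  # blank owner => inherit previous owner
        cur.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            logical.append((cur_ws, " ".join(cur).replace("(", " ").replace(")", " ")))
            cur, depth = [], 0
    for starts_ws, txt in logical:
        tokens = txt.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        name = owner if starts_ws else tokens.pop(0)
        name = name if name is not None else "@"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)  # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        owner = name
        records.append((fqdn(name, origin), rtype, rdata))
    return origin, records


def lint_zone(text):
    """List the problems that would leave the zone unserved or its name
    servers unresolvable; an empty list means the checks passed."""
    origin, records = parse_zone(text)
    problems = []
    if not any(t == "SOA" and n == origin for n, t, _ in records):
        problems.append("no SOA at apex")
    ns_targets = [fqdn(rd[0], origin) for n, t, rd in records if t == "NS" and n == origin]
    if not ns_targets:
        problems.append("no NS records at apex")
    has_address = {n for n, t, _ in records if t in ("A", "AAAA")}
    for ns in ns_targets:
        in_zone = ns == origin or ns.endswith("." + origin)
        if in_zone and ns not in has_address:
            problems.append(f"in-zone NS {ns} has no A/AAAA record (glue)")
    return problems


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE) or ["zone ok"]:
        print(problem)
```

Names outside the zone (an NS such as ns.other.example.) are skipped on purpose: their addresses live in another zone and glue for them belongs in the parent delegation, not here.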
