i have a centos 6 server working as a gateway receiving two internet connection from 2 isp, what i need to do is to load balance those two connection and forward the traffic to a third network card into the internal network
i also need to use Radius server to perform network authentication for the users.
solution already tried:
i tried to create a bridge between the two input connection, it worked but i'm not able to perform traffic control
i also tried to install FreeRadius
my question is:
1- is it possible to perform the load balancing from the FreeRadius mean that i can only use it for the whole solution
2- if not can anyone please guide me to a solution or a utility to perform such task
P.S i can't use a dedicated Firewall such as ZeroShell or EndianFirewall i need to implement the solution under Centos 6
Yes, you can create pools of home servers and forward requests between them, see raddb/proxy.conf.
Related
Problem:
I have an AWS EC2 instance running FreeBSD. In there, I'm running a NodeJS TLS/TCP server. I'd like to create a set of rules (in my NodeJS application) to be able to individually block IP addresses programmatically based on a few logical conditions.
I'd like to run an external (not on the same machine/instance) firewall or load-balancer, that I can control from NodeJS programmatically, such that when certain conditions are given, I can block a specific remote-address(IP) before it reaches the NodeJS instance.
Things I've tried:
I have initially looked into nginx as an option, running it on a second instance, and placing my NodeJS server behind it, but after skimming through the NGINX
Cookbook
Advanced Recipes for High Performance
Load Balancing I've learned that only the NGINX Plus (the paid version) allows for remote/API control & customization. While I believe that paying $3500/license is not too much (considering all NGINX Plus' features), I simply can not afford to buy it at this point in time; in addition the only feature I'd be using (at this point) would be the remote API control and the IP address blocking.
My second thought was to go with the AWS/ELB (elastic-load-balancer) by integrating AWS' SDK into my project. That sounded feasible, unfortunately, after reading a few forum threads and part of their documentation (unless I'm mistaken) it seems these two features I need are not available on the AWS/ELB. AWS seems to offer an entire different service called WAF that I honestly don't understand very well (both as a service and from a feature-stand-point).
I have also (briefly) looked into CloudFlare, as it was recommended in one of the posts, here on Sackoverflow, though I can't really tell if their firewall would allow this level of (remote) control.
Question:
What are my options? What would you guys recommend I did?
I think Nginx provide such kind of functionality please refer to link
If you want to block an IP with Node TCP you can just edit a nginx config file and deny IP address.
Frankly speaking, If I were you, I would use AWS WAF but if you don’t want to use it, you can simply use Node JS
In Node JS You should have a global array variable where you will store all blocked IP addresses and upon connection, you will check whether connected host IP is in blocked IP variable. However there occurs a problem when machine or application is restarted, you will lose all information about blocked IP-s. So as a solution to that you can just setup Redis (It is key-value database but there are also other datatypes) DB and store blocked IP-s there. Inasmuch as Redis DB is in RAM all interaction with DB will be instantly and as long as machine or node is restarted, Redis makes a backup on hard drive and it syncs from it and continue to work in RAM with old databases.
I want to host my own server and database on my computer, I don't want to pay monthly for services.
I developed a node.js app and it's using a postgresql database. I have a domain with an angular app and the app needs to use data from the server.
Can someone tell me how I can do this and which OS would be the best?
Thanks!
You have to do few things for that to work.
First, your Angular app needs to be able to connect with your home server so it either needs a static IP address accessible from the outside, a dynamic IP with dynamic DNS, or a VPN.
Your server needs to properly support CORS so that your Angular app would be able to connect with it. It will send OPTIONS requests that your server needs to handle properly.
Make sure that your server is always on, the internet connection is reliable, the power is reliable and that your services are properly restarted on reboot.
Make sure that your server is always up to date with security patches, is configured properly and doesn't use any unneeded software and services.
For (1) you have a lot of options and it all depends on whether you have a static or dynamic IP address, whether it is accessible from the internet etc. which you didn't include in your answer.
For (2) it depends on what Node framework do you use for you server-side application which you didn't include in your question. You need to use a way to set up CORS that is specific for the framework that you use.
The (3) is hard in home environment but it's important because on any downtime your users will not be able to use your application.
The (4) is critical in home environment because if anyone breaks into your server, he'll have access to your home network which may have a different kinds of consequences that breaking into a data center.
Another option would be to use a cheap VPS provider like Digital Ocean where you can get a server for $5 a month (or 2 months for free with this link) which may be less hassle that setting up your own server - for which you have to pay for electricity, manage the hardware, monitor the connectivity etc.
If you choose a VPS then (1) us taken care for you - you get your own static IP address accessible from the world, (3) is taken care for you completely, (4) is relatively easy to do and the biggest issue is making sure that CORS works as it should - but here you can host your API on the same domain as your frontend and then you don't need to worry about CORS at all.
If you get a VPS then you can host your frontend Angular app from the same server so that it doesn't even have to cost you more.
I'm looking into wide area service discovery and bonjur / avahi seem to be really good.
However, I'm a bit confused about how all this works?
So:
I have a bunch of services running in a cloud.
I have clients which can be located anywhere in the world.
I want the clients to automatically discover the services in the cloud.
I need the clients to be absolutely zero conf, so they don't know IPs, ports, nothing.
If I understand it correctly, this can be done using the above mentioned dns-sd libs. I have full access to a DNS server, so I suppose, the services can register themselves on startup using these libs and then the data can be spread through DNS servers world wide.
The clients can obtain the advertised info by querying the DNS record of my domain using bonjur / avahi tech, right?
All I need to do is to link the client with bonjur / avahi libs, and tell it which domain it should use (query).
Is this correct?
Am I missing something here or is it how this works?
Thanks in advance!
Avahi does not currently support publishing to a wide-area server, though it can browse wide-area. So if you can dynamically update a DNS server somewhere with the appropriate records Avahi would be able to see it.
You do however potentially have more problems to solve here including port mapping/nat traversal which Avahi does not address at all.
I have a slight problem bit of the back story. recently ive been trying to test out univention which is a linux distribution with the goal of being able to replace Microsoft active directory.
I tested it locally and all went reasonably well after a few minor issues i then decided to test it remotely as the company wants to allow remote users to access this so i used myhyve.com to host it and its now been setup successfully and works reasonably well.
however
my main problem is DNS based as when trying to connect to the domain the only way windows will recognize it is by editing the network adapter and setting ip v4 dns server address to the ip address of the server hosting the univention active directory replacement. although this does allow every thing to work its not ideal and dns look up on the internet are considerably longer. i was wondering if any one had any ideas or have done something similar and encountered this problems before and know a work around. i want to avoid setting up a vpn if possible.
after initially registering the computer on the domain i am able to remove the dns server address and just use a couple of amendments to the HOST file to keep it running but this still leads to having issues connecting to the domain controller sometimes and is not ideal. any ideas and suggestions would be greatly received.
.Michael
For the HOST entries, the most likely issue is, that there are several service records a computer in the domain needs. I'm not sure, whether these can be provided via the HOST file or not but you'll definitely have authentication issues if they are missing. To see the records your domain is using issue the following commands on the UCS system.
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
For the slow resolution of the DNS records there are several points where you could start looking. My first test would be whether or not you are using a forwarder for the web DNS requests and whether or not the forwarder is having a decent speed. To check if you are using one, type
ucr search dns/forwarder
If you get a valid IP for either of the UCR Variables, dns/forwarder1, dns/forwarder2 or dns/forwarder3, you are forwarding your DNS requests to a different Server. If all of them are empty or not valid IPs then your server is doing the resolution itself.
Not using a forwarder is often slow, as the DNS servers caching is optimized for the AD operations, like the round robin load balancing. Likewise a number of ISPs require you to use a forwarder to minimize the DNS traffic. You can simply define a forwarder using ucr, I use Google on IPv4 for the example
ucr set dns/forwarder1='8.8.8.8'
The other scenario might be a slow forwarder. To check it try to query the forwarder directly using the following command
dig univention.com #(ucr get dns/forwarder1)
If it takes long, then there is nothing the UCS server can do, you'll simply have to choose a different forwarder from the ucr command above.
If neither of the above helps, the next step would be to check whether there are error messages for the named daemon in the syslog file. Normally these come when you are trying to manually remove software or if the firewall configuration got changed.
Kevin
Sponsored post, as I work for Univention North America, Inc.
We would like to protect the Cassandra against man-in-the-middle attacks. Is there any way to configure Cassandra in a way that the client-server and server-server (replication) communications are SSL encrypted?
thank you
short answer: no :)
For client - server : THRIFT-151
Edit: You might want to follow this thread on the ML
Encrypted server server communication seems to be available now:
https://issues.apache.org/jira/browse/CASSANDRA-1567
Provide configurable encryption support for internode communication
Resolution: Fixed
Fix Version/s: 0.8 beta 1
Resolved: 19/Jan/11 18:11
The strategy I employ is to have Apache Cassandra nodes communicate through a site to site VPN tunnel.
Specific configurations for the cassandra.yaml file:
listen_address: 10.x.x.x # vpn network ip
rpc_address: 172.16.x.x. # non-vpn network for client access although, I leave it blank so that it listens on all interfaces
The benefits to this approach is that you can deploy Apache Cassandra to many different environments and you become provider agnostic. For example, hosting nodes in various Amazon EC2 environments and hosting nodes in your own physical data center and hosting a few others under your desk!
Cost an issue preventing you from looking into this approach? Check out Vyatta ...
As KajMagnus pointed out, there is a JIRA ticket resolved and available in the stable version of Apache Cassandra: https://issues.apache.org/jira/browse/CASSANDRA-1567 which enables you to accomplish what you would like via TLS/SSL .. but there are a few ways to accomplish what you would like.
Finally, if you want to host your instance on Amazon EC2, region to region can be problematic and although there is a patch available in 1.x.x, is it really the right approach? I have found the VPN approach reduces latency between nodes in different regions and still maintains the necessary level of security.
http://cassandra-user-incubator-apache-org.3065146.n2.nabble.com/Running-across-multiple-EC2-regions-td6634995.html
Finally -- part 2 --
If you want to secure client to server communications, have your clients (web servers) communicate through the same VPN .. The configuration I have:
Front end webservers communicate via internal network to application servers
Application servers sit on their own internal network and VPN network and communicate to the Data Layer via the VPN tunnel and between each other on the internal network
Data Layer exists on it's own network per Data Centre / Rack and receives requests via the VPN network
Node to Node (gossip) communication can be secured per the issue above. Client and server will both soon support Kerberos (In Hector master as of commit: https://github.com/rantav/hector/commit/08149a03c81b559cba5680d115943dbf334f58fa should hit Cassandra side shortly).