Is there any command to find out the server IP instead of load balancer IP or proxy IP for any website?
Why can't we connect to few server IP directly. What config or setting is blocking us to connect using IP and what is the need of disabling this feature?
Best-practice for both security and load balancing is typically:
Expose the Load Balancer to the Internet
Put servers behind a firewall so that they are not directly accessible
Configure the Load Balancer to send traffic to the servers
The benefits are:
Minimum surface area exposed to the Internet (limits potential security problems)
Allows servers to be added/removed without impacting end users since they all connect via the Load Balancer (but the Load Balancer will need to know when servers are being added/removed)
Ensures that requests are balanced between the servers rather than allowing end users to directly access a server
Related
Google Cloud Network load balancer is a pass-through load balancer and not a proxy load balancer. ( https://cloud.google.com/compute/docs/load-balancing/network/ ).
I can not find any resources in general on a pass through LB. Both HAProxy and Nginx seems to be proxy LBs. I'm guessing that pass through LB would be redirecting the clients directly to the servers. In what scenarios it would be beneficial?
Are there any other type of load balancers except pass-through and proxy?
It's hard to find resources for pass-through load balancing because everyone came up with a different way of calling it: pass-though, direct server return(DSR), direct routing,...
We'll call it pass-through here.
Let me try to explain the thing:
The IP packets are forwarded unmodified to the VM, there is no address or port translation.
The VM thinks that the load balancer IP is one of its own IPs.
In the specific case of Compute Engine Network Load Balancing https://cloud.google.com/compute/docs/load-balancing/: For Linux this is done by adding a route to this IP in the "local" routing table, Windows by adding a secondary IP on the network interface.
The routing logic has to make sure that packets for a TCP connection or UDP "connection" are always sent to the same VM.
For GCE network LB see here https://cloud.google.com/compute/docs/load-balancing/network/target-pools#sessionaffinity
Regarding other load balancer types there can't be a definitive list, here are a few examples:
NAT. An example with iptables is here https://tipstricks.itmatrix.eu/use-iptables-to-load-balance-web-trafic/.
TCP Proxy. In Google Cloud Platform you can use TCP Proxy Load Balancing https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/tcp-proxy
HTTP Proxy. In Google Cloud Platform you can use HTTP(s) Load Balancing https://cloud.google.com/compute/docs/load-balancing/http/
DNS, called "DNS forwarder". For example: dnsmasq http://www.thekelleys.org.uk/dnsmasq/doc.html, or bind in "forwarding" mode https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
Database communication protocols. For example the MySQL Protocol with https://github.com/mysql/mysql-proxy
SIP protocol. Big list of implementations here https://www.voip-info.org/wiki/view/Open+Source+VOIP+Software#SIPProxies
As for the advantages of pass-through over other methods:
Some applications won't work or need to be adapted if the addresses on the IP packets is changing, for example the SIP protocol. See the Wikipedia for more on applications that don't play along well with NAT https://en.wikipedia.org/wiki/Network_address_translation#NAT_and_TCP/UDP.
Here the advantage pass-through is that it does not change the source and destination IPs.
Note that there is a trick for a load balancer working at a higher layer to keep the IPs: the load balancer spoofs the IP of the client when connecting to the backends. As of this writing no load balancing product uses this method in Compute Engine.
If you need more control over the TCP connection from the client, for example to tune the TCP parameters. This is an advantage of pass-through or NAT over TCP (or higher layer) proxy.
I'm currently configuring DNS in my network with Bind9.
This network is splitted in VLANs and it should have 2 DNS zones : an internal zone (internal servers, users VLAN...) and an external zone (DMZ).
Of course the DNS mustn't give internal records to an external request.
I have just configured my DNS master (storing external and internal records) in "internal servers" VLAN and I'm asking myself how to deal with this problem :
-> My DNS master will not reply to an external request since it is in the internal zone (though 802.11Q is enabled), even with external records. Is it right?
-> My DNS mustn't be in the DMZ.
-> If I configure a slave on the DMZ to manage the external zone, who will just store external records, then I have to configure another slave to replicate the master (so 3 servers...).
Initially I just planned to configure 2 servers, a master and a slave which would just be a full replicate.
Am I missing something? Is there any better solution?
The architecture that you will follow depends on what you want to serve and where (internal clients, external both)?
In general, yes you need internal DNS servers these will have at least all the necessary entries for you internal network.
As for the servers in DMZ who will have access to them and from which path? If you need access to them from the internal network directly through firewall, it makes sense to have entries for them also in your internal dns servers.
If you serve also from servers in DMZ to external users you have two solutions either you declare them in public DNS if the external users are from internet or you should have another DNS server on your DMZ.
The key point here is to think who will visit your server and from which path, then it will become kind of obvious how you will configure DNS for them.
So basically.
I have one external IP.
I am running few web servers on my internal network.
All web servers are configured in NAT with different ports (80,81,82,...)
My domain's DNS is configured on my external IP. And NAT forwards it to my first web server.
Until now when I open my domain let's say example.com it opens my first web server's page.
When I open example.com:81 it opens second server, etc..
What I am trying to achieve is some way to open my other web servers on different sub-domains without specifying port.
So I would like to have something like:
second.example.com -> example.com:81
third.example.com -> example.com:82
I am using SRV record for my TeamSpeak3 server, so my TS3 is running on port 2222 and SRV record translates my ts3.example.com to example.com:2222 and it works like a charm.
Can those sub-domains be configured by SRV records in DNS?
If it can't. Is there any other way?
Thanks
Since you are behind a NAT all your web-servers share the same endpoint. You will need to set up virtual hosts that resolve all requests based on domain information passed in an HTTP packet. The server that hosts these virtual hosts will then parse the incoming packets and distribute the request to the appropriate virtual host based on domain name resolution.
Apache makes this pretty easy through its implementation of name-based virtual hosts.
IIS has a solution as well as this stack overflow answer points to.
Good luck!
In our TCP servers deployment, we have load balancer to which all clients initially connect. Then load balancer gives each of them actual server IP address to which they are suppose to connect. Client then disconnects from load balancer and proceeds with TCP connection to the server IP address they've got. Thus, load is being distributed amongst servers.
This arrangement works perfectly well for thousands of connections. But we are worried if this would work for millions of number of connections? Load balancer itself will not be able to cater server IP address to all those clients in timely manner, is what our nightmare. What are alternatives here?
Really depends on the load balancer you are using on whether it can cater or not. Some load balancers can do millions of L4 connections. Also I don't think that having connections go direct to the server is a good idea because what happens to the connections if the server becomes unavailable. I would keep all traffic going to the load balancer. You could also consider Direct Server Return which is where requests from clients go through the load balancer and responses go direct to the client (bypassing the load balancer).
I use to develop my project on my localhost, on apache in ubuntu machine.
Sometimes i need to show progress to my costumer.
Is it possible to access to localhost from remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides a https address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the post as so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, easiness of the configuration and cost of the solution.
Following I am typing some methods with some analyses
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your routers public port to loclhoat port), however this requires you to have fixed ip address. In case your ip address is not fixed (in most cases) you need to use Dynamic DNS services to be able to use domain name instead ip address (there are lot of available free services). Here we still have security question open. To solve security question i.e. setup ssl certificate we can use Let’s Encrypt service ( https://letsencrypt.org/ ) to get free certificate, however we should configure local server to use the certificate or we should setup reverse proxy (in most cases nginx or apache) and configure proxy to use certificate.
Conclusion – Hard to setup if we want to have secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to VPN then in other side we should connect our client's machine to VPN that will allow us to access to localhost by local IP address. We can set up our own VPN server however this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (i.e. https://tunnelin.com/). The process is very straight forward i.e. Register a User, Connect your device to service (by running one line command on device), use Web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static ips during a session (i.e. until you disconnect and connect again)