
My question is about a proposed implementation of a highly available and secure FrontEnd to WebApps behind a firewall. The components of the network and their relationships are as follows:

1) 2 WebApps servers behind a firewall (BackEnd), denoted by GUI1 and GUI2, running Web Applications

2) 2 machines LB1 and LB2 located in DMZ configured with floating IP in active/standby mode for redundancy. Their task is

  • to give an additional layer of security serving as a proxy (they are performing NAT on packets coming from GUI)
  • to handle the traffic based on inspection of cookies (in fact the only requirement is to achieve cookie-based session persistence, not sophisticated LB techniques)

Security requirements:

  • The only acceptable communication method with GUI that is allowed (clearly through the FireWall) is via reverse SSH tunnel.
  • The traffic incoming to FrontEnd is most often https (and some http)

The question is: what kind of software (open source) is the best option to be implemented on frontend machines LB1 and LB2, to realize these goals? Recall, in short:

  • SSL termination (as necessary for inspecting cookie)
  • Cookie Based LB
  • active/standby mode

I have no practical experience in this field, however it seems that NginX on LB1 and LB2 (to solve the SSL and cookies issue) together with Heartbeat (to achieve the desired redundancy property) should work.

I am aware that the proposed architecture is somehow similar to HAproxy or LVS (configured as two redundant instances), however I need a solution that guarantees dealing with all described tasks simultaneously (for instance, HAproxy does not support SSL termination).

Any comments and suggestions are welcomed. Thanks!

  • Looks like a shopping question, but have a look at http://www.apsis.ch/pound/ (if you can't afford f5-bigip). –  Aug 17 '12 at 23:12

2 Answers


how about nginx behind haproxy?

pQd
  • I am not sure if I have understood correctly. Did you mean setting an nginx server in front of haproxy in such a way that the request from the web browser is sent through the nginx server first, where SSL is terminated if necessary, and next to the haproxy server, which performs load balancing to the suitable backend server? In this way nginx would be used as SSL terminator only and in fact both servers could be running on the same machine (nginx is listening on the http and https ports and forwarding packages to another port where haproxy is configured to listen). Does it make sense? – Maciej Skorski Aug 18 '12 at 17:25
  • @MaciejS - i was rather thinking about having HAProxy as internet facing server [if you have so much load] to do load balancing between nginxes. and nginxes as ssl terminators / cookie-based load balancers between your backends. although probably just nginx might be enough. – pQd Aug 18 '12 at 19:17
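The "just nginx" variant discussed above, as an added configuration example (not from the question or either answer): nginx on LB1/LB2 terminates TLS, honours a stickiness cookie to pin a client to GUI1 or GUI2, and otherwise round-robins. It assumes the reverse SSH tunnels from GUI1 and GUI2 are bound on the LB's loopback as 127.0.0.1:8081 and 127.0.0.1:8082, that the cookie is named `lbsrv`, and that the certificate paths are `/etc/nginx/ssl/frontend.{crt,key}`; all of these names are assumptions. Floating-IP failover (Heartbeat or keepalived) is outside this file.

```nginx
# Added example: nginx as TLS terminator + cookie-sticky reverse proxy on LB1/LB2.
# Assumed: backends reachable only via reverse SSH tunnels on the LB loopback
# (127.0.0.1:8081 -> GUI1, 127.0.0.1:8082 -> GUI2); cookie name and cert paths
# are placeholders chosen for this example.

events {}

http {
    # Default pool for clients without a (recognised) stickiness cookie.
    upstream gui_pool {
        server 127.0.0.1:8081;   # reverse SSH tunnel to GUI1
        server 127.0.0.1:8082;   # reverse SSH tunnel to GUI2
    }

    # Cookie value -> backend. Only the two whitelisted values are honoured,
    # so a tampered cookie can fall back to the pool but cannot steer the
    # proxy to an arbitrary address.
    map $cookie_lbsrv $sticky_target {
        default   gui_pool;
        "gui1"    127.0.0.1:8081;
        "gui2"    127.0.0.1:8082;
    }

    # Backend actually used -> Set-Cookie value. $upstream_addr is known once
    # the response comes back; if it lists several addresses (a retried
    # request) nothing matches and no cookie is set for that response.
    map $upstream_addr $sticky_cookie {
        default            "";
        "127.0.0.1:8081"   "lbsrv=gui1; Path=/; Secure; HttpOnly";
        "127.0.0.1:8082"   "lbsrv=gui2; Path=/; Secure; HttpOnly";
    }

    # Plain HTTP is only used to redirect to HTTPS.
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        # Listening on all addresses (not the floating IP) lets the standby
        # node start nginx before the IP has moved to it.
        listen 443 ssl;

        ssl_certificate     /etc/nginx/ssl/frontend.crt;   # assumed path
        ssl_certificate_key /etc/nginx/ssl/frontend.key;   # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Variable proxy_pass: resolved against the upstream group name
            # or a literal IP:port, so no resolver directive is needed.
            proxy_pass http://$sticky_target;

            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # An empty value makes add_header emit nothing; otherwise the
            # cookie is (re)sent, which also repairs an unrecognised cookie.
            add_header Set-Cookie $sticky_cookie;
        }
    }
}
```

Validate with `nginx -t` before reloading. Because the backends are only reachable through the loopback-bound tunnels, nginx never needs a route through the firewall itself, which matches the "reverse SSH tunnel only" requirement in the question.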

With native SSL support coming in haproxy in a few days/weeks, maybe you'll want to be a happy beta tester ? :-)

Willy Tarreau