wiki:ChecklistBGS02

BGS02

  1. iproute2 for the multi-homed server
    • tables arena, orbitel: ftp://root@bgs01/etc/iproute2/rt_tables
      100	orbitel
      101	arena
      
    • routes modelled on ftp://root@bgs01/etc/sysconfig/network-scripts/route-eth2
      195.34.113.128/27 dev eth2 src 195.34.113.148 table orbitel    <--- network address, not 195.34.113.148/27: the kernel rejects a prefix with host bits set (EINVAL)
      default via 195.34.113.129 dev eth2 table orbitel
      77.238.66.0/24 dev eth2 src 77.238.66.164 table arena
      92.247.210.0/24 via 77.238.66.1 dev eth2                 <--- no, no, no: this one (main table, no "table" keyword) is so that uploads to wqw.bgbiz.com go out via arena
      default via 77.238.66.1 dev eth2 table arena
      # default scope global nexthop via 195.34.113.129 dev eth2 weight 1 nexthop via 77.238.66.1 dev eth2 weight 1 
      default scope global via 195.34.113.129 dev eth2
      # default scope global via 77.238.66.1 dev eth2
      
    • rules modelled on ftp://root@bgs01/etc/sysconfig/network-scripts/rule-eth2
      from 77.238.66.164 table arena
      from 195.34.113.148 table orbitel
      
  2. ip routes/rules for tproxy: fwmark 111 (set by the DIVERT chain in item 4) -> a separate table whose only entry is local 0.0.0.0/0 dev lo; the table number must be free in rt_tables (the usual howto value 100 is already orbitel here)
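
The routing of items 1 and 2 as plain ip(8) commands, added here as a worked example; it is not from this wiki or from the bgs01 route-eth2/rule-eth2 files it refers to. It uses table numbers instead of rt_tables names, adds the tproxy table and fwmark rule that item 2 needs, and includes a check that a chosen table number does not collide with an existing rt_tables entry. Assumed, not on the page: table 111 for tproxy, the rule priorities, and 8.8.8.8 as the probe address for ip route get.

```shell
#!/bin/sh
# Added example, not taken from the BGS02 wiki or from bgs01's route-eth2 /
# rule-eth2: the policy routing of items 1 and 2 as plain ip(8) commands.
# Table numbers are used instead of names so nothing depends on rt_tables.
# Assumed (not on the page): tproxy table 111, rule priorities, probe address.
DEV=eth2
ORBITEL_TABLE=100; ORBITEL_IP=195.34.113.148; ORBITEL_GW=195.34.113.129
ORBITEL_NET=195.34.113.128/27   # network address; .148/27 (host bits set) is rejected by the kernel
ARENA_TABLE=101;   ARENA_IP=77.238.66.164;    ARENA_GW=77.238.66.1
ARENA_NET=77.238.66.0/24
TPROXY_TABLE=111                # howtos use 100, which is orbitel in rt_tables here
TPROXY_MARK=111                 # the mark set by the DIVERT chain in item 4
PROBE=8.8.8.8                   # any public address, for ip route get

# Print the commands. Routes use "replace" and rules are deleted before being
# re-added, so running the output twice leaves the same state.
policy_routing_commands() {
    cat <<EOF
ip route replace $ORBITEL_NET dev $DEV src $ORBITEL_IP table $ORBITEL_TABLE
ip route replace default via $ORBITEL_GW dev $DEV table $ORBITEL_TABLE
ip route replace $ARENA_NET dev $DEV src $ARENA_IP table $ARENA_TABLE
ip route replace default via $ARENA_GW dev $DEV table $ARENA_TABLE
ip route replace default via $ORBITEL_GW dev $DEV
ip route replace local 0.0.0.0/0 dev lo table $TPROXY_TABLE
ip rule del pref 100 2>/dev/null || true
ip rule add pref 100 fwmark $TPROXY_MARK lookup $TPROXY_TABLE
ip rule del pref 1000 2>/dev/null || true
ip rule add pref 1000 from $ORBITEL_IP lookup $ORBITEL_TABLE
ip rule del pref 1001 2>/dev/null || true
ip rule add pref 1001 from $ARENA_IP lookup $ARENA_TABLE
ip route flush cache
EOF
}

# Run the commands as root, or just print them when DRY_RUN=1.
apply_policy_routing() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        policy_routing_commands
    else
        policy_routing_commands | sh -e
    fi
}

# Which gateway the kernel picks for traffic sourced from each ISP address:
# expect "via 195.34.113.129" for orbitel and "via 77.238.66.1" for arena.
show_source_routing() {
    for src in $ORBITEL_IP $ARENA_IP; do
        ip route get "$PROBE" from "$src"
    done
}

# Is table number $1 free in an rt_tables file (stdin), or already mapped to
# the name $2? Exit 1 on a collision such as "100 orbitel" vs table 100 for tproxy.
rt_table_free() {
    awk -v n="$1" -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == n && $2 != name { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Usage: sh this.sh apply   (DRY_RUN=1 prints the commands instead)
if [ "${1:-}" = apply ]; then
    rt_table_free "$TPROXY_TABLE" tproxy < /etc/iproute2/rt_tables && apply_policy_routing
fi
```

After applying, show_source_routing should report the orbitel gateway for the 195.34.113.148 source and the arena gateway for 77.238.66.164; if both come back via the same gateway, the from-rules are missing or the tables are empty.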
  3. gwping
  4. iptables
    • port forwarding with a PREROUTING DNAT does not work on this multi-homed setup: the backend's replies are routed while they still carry the backend's private source address (the reverse NAT of a PREROUTING DNAT happens in POSTROUTING), so the from-rules in item 1 never steer them into the table of the ISP the connection arrived on
    • so we only open the haproxy ports with -A INPUT -p tcp -m multiport --dports ##,###,#### -j ACCEPT and let haproxy do the forwarding; it terminates the connections locally, so replies leave from the ISP address they arrived on and the from-rules apply
    • logging: -A logdrop -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: TCP " --log-level 4
    • the DIVERT chain in the mangle table for tproxy, modelled on http://www.snapt-ui.com/haproxy/snapt-haproxy-and-tproxy/
      *mangle
      :PREROUTING ACCEPT [14677:2614148]
      :INPUT ACCEPT [4122:2484680]
      :FORWARD ACCEPT [13410:2433142]
      :OUTPUT ACCEPT [4643:2458547]
      :POSTROUTING ACCEPT [18042:4891213]
      :DIVERT - [0:0]
      -A PREROUTING -p tcp -m socket -j DIVERT
      -A DIVERT -j MARK --set-mark 111
      -A DIVERT -j ACCEPT
      COMMIT
      
    • /etc/sysctl.conf for tproxy
      # we do not want all our interfaces to send redirects
      # (an interface sends redirects if EITHER conf/all OR conf/<if> is 1, so
      #  "default" has to be 0 as well, and interfaces that already exist keep the
      #  value they were created with and need their own entry)
      net.ipv4.conf.default.send_redirects = 0
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.eth2.send_redirects = 0
      
      [root@bgs02 ~]# sysctl -p
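
A complete iptables-restore input for the scheme in item 4, added as a worked example; it is not the page's or bgs01's rule set. Besides the pieces the page lists (INPUT-only accept for the haproxy ports, the rate-limited logdrop chain, the mangle DIVERT chain with mark 111) it adds the conntrack ESTABLISHED rule that lets backend replies to tproxied connections reach haproxy, and keeps ssh open so the box is not locked out. Assumed, not on the page: ports 80,443 for haproxy and 22 for ssh in place of ##,###,####, and the DROP policies on INPUT and FORWARD.

```shell
#!/bin/sh
# Added example, not the BGS02 or bgs01 rule set: a complete iptables-restore
# input for item 4. On top of the page's pieces (INPUT-only accept for the
# haproxy ports, rate-limited logdrop chain, mangle DIVERT with mark 111) it
# adds the conntrack rule that lets backend replies of tproxied connections
# reach haproxy, and keeps ssh open. Assumed (not on the page): ports 80,443
# for haproxy and 22 for ssh in place of ##,###,####, and the DROP policies.
HAPROXY_PORTS=${HAPROXY_PORTS:-80,443}
SSH_PORT=${SSH_PORT:-22}
TPROXY_MARK=111

iptables_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
# backend replies to tproxied (client-address-spoofed) connections belong to a
# local transparent socket; mark them so the fwmark rule of item 2 delivers
# them to haproxy instead of forwarding them towards the real client
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark $TPROXY_MARK
-A DIVERT -j ACCEPT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
-A INPUT -i lo -j ACCEPT
# ESTABLISHED also admits the marked backend replies: their destination port
# is the client's ephemeral port, so a listen-port rule alone would drop them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -m multiport --dports $HAPROXY_PORTS -j ACCEPT
-A INPUT -j logdrop
# FORWARD stays at DROP: no PREROUTING DNAT, haproxy does the forwarding
-A logdrop -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables: TCP " --log-level 4
-A logdrop -j DROP
COMMIT
EOF
}

# 0 when INPUT accepts ESTABLISHED before jumping to logdrop; otherwise the
# tproxied backend replies would be logged and dropped.
check_input_order() {
    iptables_rules | awk '
        /^-A INPUT .*--ctstate ESTABLISHED/ { est = NR }
        /^-A INPUT -j logdrop/ { drop = NR }
        END { exit ((est && drop && est < drop) ? 0 : 1) }'
}

# Parse-check with --test first, then load the whole set atomically.
load_rules() {
    check_input_order && iptables_rules | iptables-restore --test && iptables_rules | iptables-restore
}

if [ "${1:-}" = load ]; then load_rules; fi
```

iptables_rules > /etc/sysconfig/iptables keeps the set across reboots on a RHEL-style box; the LOG lines land in /var/log/iptables.log through the rsyslog rule in item 6.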
      
  5. haproxy
    • pass the client IP through to the backend (transparent proxying) with source 0.0.0.0 usesrc client
      backend backend-www
      	source      0.0.0.0 usesrc client
      	balance     roundrobin
      	server 		ucslamp 172.17.17.3:81 check
      
    • panda, impress, dreem -> VWS01 modelled on http-main in ftp://root@bgs01/etc/haproxy/haproxy.cfg
    • mail.saas.bg -> MAIL
    • SSL certificates modelled on http://blog.exceliance.fr/2012/09/04/howto-ssl-native-in-haproxy/
      IP		host	certificate
      195.34.113.131	BGS02	*.saas.bg
      195.34.113.132	BGS02	*.unicontsoft.com
      195.34.113.133	BGS02	*.bgbiz.com
      77.238.66.220	BGS02	*.saas.bg
      77.238.66.221	BGS02	*.unicontsoft.com
      77.238.66.222	BGS02	*.bgbiz.com
      
    • the port forwards for RSQL to VTS05 also have to use source 0.0.0.0 usesrc client; the commented-out blocks below are the old, non-transparent versions
      #listen rdp-vts05
      #    mode tcp
      #    bind 195.34.113.135:3389
      #    log global
      #    option tcplog
      #    server vts05 10.10.10.105:3389 check
      
      #listen rsql3927-vts05
      #    mode tcp
      #    bind 195.34.113.135:3927
      #    log global
      #    option tcplog
      #    server vts05 10.10.10.105:3927 check
      
      #listen rsql3928-vts05
      #    mode tcp
      #    bind 195.34.113.135:3928
      #    log global
      #    option tcplog
      #    server vts05 10.10.10.105:3928 check
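
The VTS05 listen blocks in transparent form, plus an audit of an haproxy.cfg for sections that still proxy without usesrc client, added as a worked example; this is neither bgs01's haproxy.cfg nor haproxy's own tooling. Assumed, not on the page: the name:port list, the inline sample config built from the backend-www block above, and that VTS05 routes its replies back through BGS02 (with usesrc client the backend sees the real client address, so its default gateway must be this box or the handshake never completes).

```shell
#!/bin/sh
# Added example, not from the BGS02 wiki or from bgs01's haproxy.cfg: emits the
# VTS05 listen blocks in transparent form and audits a config for sections that
# still proxy without "source 0.0.0.0 usesrc client". Assumed (not on the page):
# the name:port list, the sample config below, and that VTS05's default gateway
# is BGS02, since with usesrc client the backend replies to the real client
# address and those replies must come back through the proxy.
FRONT_IP=195.34.113.135
BACKEND_IP=10.10.10.105
SERVICES="rdp:3389 rsql3927:3927 rsql3928:3928"   # name:port, same port both sides

# One transparent TCP listen block: $1 = name, $2 = port.
transparent_listen() {
    cat <<EOF
listen $1-vts05
    mode tcp
    bind $FRONT_IP:$2
    log global
    option tcplog
    # needs haproxy built with USE_LINUX_TPROXY and CAP_NET_ADMIN at startup
    source 0.0.0.0 usesrc client
    server vts05 $BACKEND_IP:$2 check

EOF
}

# All VTS05 blocks, ready to paste into haproxy.cfg.
vts05_config() {
    for svc in $SERVICES; do
        transparent_listen "${svc%%:*}" "${svc##*:}"
    done
}

# Audit haproxy.cfg on stdin: print each listen/backend section that has a
# server line but no "source ... usesrc client"; exit 1 if any was printed.
# Comment lines are skipped, so commented-out blocks are not counted.
audit_transparent() {
    awk '
        function flush() {
            if (name != "" && has_server && !transparent) { print name; bad = 1 }
        }
        /^[ \t]*#/ { next }
        $1 ~ /^(listen|backend|frontend|defaults|global)$/ {
            flush()
            name = ($1 == "listen" || $1 == "backend") ? $2 : ""
            has_server = 0; transparent = 0
            next
        }
        /^[ \t]*server[ \t]/ { has_server = 1 }
        /^[ \t]*source[ \t].*usesrc[ \t]+client/ { transparent = 1 }
        END { flush(); exit (bad ? 1 : 0) }'
}

# Constructed sample (not bgs01's real file): the backend-www block from item 5
# plus a plain rdp listen, which the audit should report.
sample_cfg() {
    cat <<'EOF'
backend backend-www
	source      0.0.0.0 usesrc client
	balance     roundrobin
	server 		ucslamp 172.17.17.3:81 check

listen rdp-vts05
    mode tcp
    bind 195.34.113.135:3389
    server vts05 10.10.10.105:3389 check
EOF
}

# Usage: audit_transparent < /etc/haproxy/haproxy.cfg
#        vts05_config >> /etc/haproxy/haproxy.cfg && haproxy -c -f /etc/haproxy/haproxy.cfg
```

Run haproxy -c -f on the merged file before reloading; haproxy has to be built with TPROXY support and start as root (it drops privileges after binding) for usesrc client to work, and the fwmark routing from item 2 plus the DIVERT chain from item 4 must already be in place.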
      
  6. rsyslog.conf
    :msg, startswith, "iptables: "                          -/var/log/iptables.log
    & ~
    
    local2.*                                                -/var/log/haproxy.log
    & ~
    
Last modified on 02/02/2013 01:59:41 PM