pfSense in front of high-traffic web servers
-
Yes, if you can use routed IPs instead of NAT I would definitely do that.
Steve
-
Thanks for all your feedback.
I currently route public IPs directly to each server as opposed to using NAT; however, this doesn't satisfy my requirements.
The servers are not in a cluster; they are not used for load balancing. Each server contains its own set of websites running in complete isolation from the other servers. HAProxy with load balancing isn't what I require for this.
The reason I want to switch from routed IPs to NAT is that with NAT I can easily divert traffic to another server via pfSense for maintenance with no downtime. I recently had to restart one of our beefiest servers, which deals with huge traffic spikes. I was literally sweating and praying it would come back online with no issues; although I had an identical spare ready to go in the event of a disaster, I'd rather have the ability to do this with zero downtime.
To avoid this I am planning to use NAT, and when I need to switch off or restart a server for maintenance I can set up an identical secondary server and, via pfSense, just switch the NAT internal IP to the secondary server whilst I do maintenance on the primary server, resulting in no downtime.
I tried this in the past with routed IPs, but there was about a 5-minute downtime until the switch realised the device for a given IP had moved to a different MAC address.
The pfSense spec I am thinking of is:
12-core E5-2620 V2 processors
32GB RAM
256GB SSD
Dual redundant power supplies
An identical backup server will always be on standby.
-
@g7cloud
NAT is real evil in any network, especially for web apps. This is my point of view, but I think it is correct.
With HAProxy you aren't forced to use load balancing. You can configure one IP per backend.
In case it goes down for any reason, the client will get a nice 503 and you will get an alert on your email. This is 100 times better than having no response from the server, which is what will happen with a NATed web server that isn't working.
You can force an HTTPS 301 redirect for all sites, and add strict-transport-security, referrer-policy, x-xss-protection, x-content-type and x-frame-options headers in the pfSense HAProxy WebGUI, and not worry about missed back-end configuration.
-
@dragoangel can HAProxy pass SSL termination? I need SSL termination to take place at the server level, not at HAProxy. Additionally, can HAProxy forward any port I require, i.e. 22, 21, 3307, etc.? If so I will explore this option for sure.
-
@g7cloud yes to all: http://cbonte.github.io/haproxy-dconv/
- HAProxy can work with SSL offloading or forward SSL without termination, and can even log requests in that case. But when forwarding SSL without termination, HAProxy will have incomplete capabilities: it will only see who connected, which link it went to and which backend is responsible for that request. Health checks work OK for SSL websites even on Layer 7 with SNI if you add a Host header to the backend.
- HAProxy can be a proxy for any TCP protocol. It can even be used for load balancing LDAP or MySQL. For example, I use it for load balancing Git over SSH. Part of the functionality is only available for the HTTP type, but many functions like reject-connection rules, logging and health checks will work even with TCP.
- Right now only UDP proxying is not supported by HAProxy, but it is already in HAProxy 2.1 development. =)
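The two points above (SSL passthrough without termination, and TCP proxying of non-HTTP ports with health checks and without load balancing) and the original poster's maintenance switch-over requirement can be put into one HAProxy configuration. The block below is an added example and not a configuration from anyone in this thread or from the pfSense HAProxy package; the addresses (203.0.113.10, 10.0.0.x, 198.51.100.0/24), hostnames and the /healthz path are made up for illustration. TLS is relayed unterminated, the SNI in the ClientHello picks one origin server per site, and the spare server only receives traffic when the primary fails its health check, which gives a no-downtime maintenance path without touching NAT.

```haproxy
# Added example (not from the thread): TCP-mode SSL passthrough with SNI routing,
# one origin per site (no load balancing), a hot spare per site, and a plain
# TCP forward for a non-HTTP service. All addresses/hostnames are constructed.
global
    log /dev/log local0
    maxconn 50000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# HTTPS front-end: TLS is NOT terminated here. The ClientHello is inspected for
# its SNI and the still-encrypted stream is relayed to the matching origin.
frontend https_in
    bind 203.0.113.10:443
    # Give the client up to 5s to send the ClientHello so the SNI can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend site_a if { req.ssl_sni -i www.example-a.test }
    use_backend site_b if { req.ssl_sni -i www.example-b.test }
    default_backend no_match

# One site, one origin. The "backup" server takes traffic only while the
# primary fails its check, so the primary can be restarted for maintenance.
backend site_a
    # Layer-7 check over TLS with SNI and a Host header, so the virtual host's
    # health page is what gets probed, not just the TCP port.
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ www.example-a.test
    server a_primary 10.0.0.11:443 check check-ssl check-sni www.example-a.test verify none
    server a_spare   10.0.0.12:443 check check-ssl check-sni www.example-a.test verify none backup

backend site_b
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ www.example-b.test
    server b_primary 10.0.0.21:443 check check-ssl check-sni www.example-b.test verify none
    server b_spare   10.0.0.22:443 check check-ssl check-sni www.example-b.test verify none backup

# Unknown or missing SNI: drop the connection instead of handing it to some
# arbitrary site; in passthrough mode there is no way to answer with a 503.
backend no_match
    tcp-request content reject

# Plain TCP forward for a non-HTTP service (a database port here). Same
# check/backup pattern; only the application subnet may reach it.
listen mysql_in
    bind 203.0.113.10:3307
    acl app_net src 198.51.100.0/24
    tcp-request connection reject if !app_net
    server db_primary 10.0.0.31:3306 check
    server db_spare   10.0.0.32:3306 check backup
```

Because the HTTPS traffic is only relayed, HAProxy cannot add the HSTS or X-Frame-Options headers mentioned earlier in the thread, nor serve a 503 page itself; those require termination. What the passthrough setup keeps is the per-site health check, the `backup` fail-over, logging of source address and chosen backend, and the connection-level reject rules. If you want a planned switch-over rather than waiting for a failed check, mark the primary down from the stats socket or the pfSense HAProxy package's server status page and existing connections drain while new ones go to the spare.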
-
Hey @dragoangel thanks for all your comments.
I have used HAProxy before for load balancing a single website, so I am slightly familiar with it. However, I am not sure it's suitable for my specific requirements.
As I currently have 26 public IPs, I would need to assign all of them to a single virtual machine running HAProxy, which means 26 virtual Ethernet adapters. Furthermore, I need all ports forwarded for mail, DNS, MySQL, etc. I still think mapping a public IP to a local IP via NAT might be the simplest and best solution. With the spec I posted earlier it should be good for 30 or so million states, and with slight tuning to close TCP connections early it should be up to the task at hand. I could quite easily upgrade to 128GB or even 384GB of RAM if ever needed.
If anyone strongly opposes my pfSense + NAT plan, please do speak up; I will take everyone's comments on board.
-
@g7cloud DNS can't be proxied because it is mostly UDP. Mail and SQL over a proxy give you more control than simple NAT, but if you have no time for configuration and tuning then NAT is OK. P.S. be careful when NATing SQL: use it only with SSL.
-
Some good reading here:
https://forum.netgate.com/topic/7226/how-far-have-you-scaled-your-pfs-box/14
Just a bit dated. Pictures are missing from the forum conversion.
-
@jahonix what did you try to look at in an 8-year-old post? That post is not about the internet that we have now, and not about this pfSense OS and hardware either... It is not comparable, I think.
-
Some nostalgia from 11 years ago. Same problem then, just scaled.