keepalived provides a strong and robust health checking for LVS clusters. It nginx implements a framework of health checking on multiple layers for server failover, and VRRPv2 stack to handle director failover. How do I install and configure Keepalived for reverse proxy server such as nginx or lighttpd?

If your are using a LVS director to loadbalance a server pool in a production environment, you may want to have a robust solution for healthcheck & failover. This will also work with reverse proxy server such as nginx.

lb0 – Linux box directly connected to the Internet via eth1. This is master load balancer.
lb1 – Linux box directly connected to the Internet via eth1. This is backup load balancer. This will become active if master networking failed.

202.54.1.1 – This ip moves between lb0 and lb1 server. It is called virtual IP address and it is managed by keepalived.
eth0 is connected to LAN and all other backend software such as Apache, MySQL and so on.

You need to install the following softwares on both lb0 and lb1:

keepalived for IP failover.
iptables to filter traffic
nginx or lighttpd revers proxy server.

DNS settings should be as follows:

hackadmin.in – Our sample domain name.
lb0.hackadmin.in – 202.54.1.11 (real ip assigned to eth1)
lb1.hackadmin.in – 202.54.1.12 (real ip assigned to eth1)
www.hackadmin.com – 202.54.1.1 (VIP for web server) do not assign this IP to any interface.

Install Keepalived

Visit keepalived.org to grab latest source code. You can use the wget command to download the same (you need to install keepalived on both lb0 and lb1):

# cd /opt

# wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz

#  tar -zxvf keepalived-1.1.19.tar.gz

# cd keepalived-1.1.19

Install Kernel Headers

You need to install the following packages:

Kernel-headers – includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
kernel-devel – this package provides kernel headers and makefiles sufficient to build modules against the kernel package.

Make sure kernel-headers and kernel-devel packages are installed. If not type the following install the same:

Compile keepalived

Type the following command:
# ./configure –with-kernel-dir=/lib/

How do I redirect 80 port to 8123 using iptables?

You can easily redirect incoming traffic by inserting rules into PREROUTING chain of the nat table. You can set destination port using the REDIRECT target.

Syntax

The syntax is as follows to redirect tcp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport $srcPortNumber -j REDIRECT –to-port $dstPortNumbe

The syntax is as follows to redirect udp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p udp –dport $srcPortNumber -j REDIRECT –to-port $dstPortNumber

Replace eth0 with your actual interface name. The following syntax match for source and destination ips:

iptables -t nat -I PREROUTING –src $SRC_IP_MASK –dst $DST_IP -p tcp –dport $portNumber -j REDIRECT –to-ports $rediectPort

Examples:

In The following example redirects TCP port 25 to port 2525:

# iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 25 -j REDIRECT –to-port 2525

this example all incoming traffic on port 80 redirect to port 8123

# iptables -t nat -I PREROUTING –src 0/0 –dst 192.168.1.5 -p tcp –dport 80 -j REDIRECT –to-ports 8123

How Do I View NAT Rules?

Type the following command:

# iptables -t nat -L -n -v

How Do I Save NAT Redirect Rules?

Type the following command:

# iptables-save

How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connection limit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). This is useful to protect your server or vps box against flooding, spamming or content scraping.

Syntax
The syntax is as follows:

# /sbin/iptables -A INPUT -p tcp –syn –dport $port -m connlimit –connlimit-above N -j REJECT –reject-with tcp-reset

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 ssh connections per client host:

# /sbin/iptables  -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 3 -j REJECT

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Skip proxy server IP 1.2.3.4 from this kind of limitations:

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -d ! 1.2.3.4 -m connlimit-above 20 -j REJECT –reject-with tcp-reset

Enjoy it….

Openvpn is an open source software, allows us to create a Virtual Private Network.

1. Installing openvpn

install these packages openvpn openssh-server openssl:

laptop:~$ sudo apt-get install openvpn openssh-server openssl

Now the ssh server is installed we can control it and access to it from anywhere on the web using the IP and port 22.

In reality 22 is for SSH The best port for OpenVPN (http://www.iana.org/assignments/port-numbers) is 1194.

There is special web interfaces to can interact and configure openVPN through a browser like webmin,

so we should install apache, php and mysql with this command:

laptop:~$ sudo apt-get install apache2 mysql-server-5.0 libapache2-mod-php5 php5 php5-common php5-mysql

To install webmin:

laptop:~$ sudo apt-get install webmin

2. VPN configuration:

The openvpn use Private Key Infrastructure (PKI):

1. One Public key for server and Private keys for each client.

2. It uses Certification for more security each Certification is valid for one couple (Server, Client)

The authentication With OpenVPN is a bidirectional, means the sever identify the client before trusting on and client identify the server too.

Key Generation:

To generate a Key we can use scripts provided by OpenVPN

We create openvpn/ in /home to manipulate and create keys there:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa /home/openvpn/ -R

All commands are in /home/openvpn/2.0/ file

laptop:~$ cd /home/openvpn/2.0

Edit vars file:

laptop:~$ sudo nano vars ————–// (nano is a text editor you can use others: gedit, …)

Setup these variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL

EX:

export KEY_COUNTRY=DZ

export KEY_PROVINCE=ALGER

export KEY_CITY=alger

export KEY_ORG=alger

export KEY_EMAIL=xxxxxxxxx@xxx.dz

* We can find other variables like:

* KEY_SIZE by default set to 1024 in some countries there is limit that you

should respect for this KEY_SIZE you can’t go over the limitation.

* CA_EXPIRE : In how many days your certification will expire?

Save and close (in nano ctrl+x)

To set these variables we run this:

laptop:~$ . ./vars ——————– //first dot isn’t a mistake

We should clean all existing certification we have to not have conflits (run this command):

laptop:~$ sudo ./clean-all ———————-// will delete /home/openvpn/2.0/keys

If you do’nt have certification set before nothing will be done.

Now we create our Certification and key with CA (master Certification Authority) with this command:

laptop:~$ sudo ./build-ca

The certification now are created in keys directory: ca.crt ca.key

Generate a certification and key to the SERVER:

laptop:~$ sudo ./build-key-server SERVER ——————- //we suppose that server’s named SERVER

When common name is required type the name OS the server (here SERVER)

Generate certification and key for client:

laptop:~$ sudo ./build-key client1

when common name is required type the name of the client (client1)

this common name MUST be different if you have many clients.

To protect your key with a password use ./build-key-pass instead of ./build-key

NB: We were able to generate the client key on its own end to avoid transfer through the network

Diffie Hellman parameters should be generated for the openvpn server:

laptop:~$ sudo ./build-dh

these parameters are copied in keys directory dh1024.pem

So now all Certifications and keys are in /home/openvpn/2.0/keys directory:

name Utile for Role Secret

ca.crt servers and all clients root Certification CA no

ca.key key signing the machine (both) root key CA yes

dh1024.pem server Diffie Hellman parameters no

SERVER.crt server server certification no

SERVER.key server server key yes

client1.crt Client1 Client1 certification no

client1.key Client1 Client1 key yes

We copy files to the client machines using a secured tunel

3. Creation of the file configuration for clients and server

There is samples of this configuration in /usr/share/doc/openvpn/examples/sample-config-files/ client.conf and server.conf.gz

1. Server configuration:

We should gunzip the server.conf.gz

laptop:~$ sudo gunzip server.conf.gz

and then copy this file to /home/openvpn using:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

Edit server.conf:

laptop:~$ sudo nano /home/openvpn/server.conf

this would create a VPN with virtual interface and listen to the connections in 1194 port and distribute

virtual addresses to clients that connect through 10.8.0.0/24

By default this server.conf is useful but we can set more parameters(directives) like (IP, PORT, KEY_SIZE etc…)

Client configuration and server one must be coherent.

1. Client configuration:

Edit the client.conf:

laptop:~$ sudo nano /home/openvpn/client.conf

Verify the name of certification and key of each client:

ca ca.crt

cert client.crt

key client.key

Go to the remote parameter and set up the server IP

remote my-server-1 1194

save the file

Now we verify if client parameters if they correspond to the server one:

dev (tun ou tap)

proto (udp ou tcp)

comp-lzo

fragment

4. Starting the VPN:

4.1. Before we start we should copy all file in keys directory and .conf to /etc/openvpn:

4.1.1 SERVER:

laptop:~$ sudo cp /home/openvpn/keys/SERVER.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/SERVER.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/dh1024.pem /etc/openvpn

laptop:~$ sudo cp /home/openvpn/server.conf /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

4.1.2 Client:

laptop:~$ sudo cp /home/openvpn/keys/client1.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/client1.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/client1.conf /etc/openvpn

4.2 Start the server:

laptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn server.conf

4.3 Start the client1:

aptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn client1.conf

4.4 Test the VPN:

From the client terminal try to ping the server which has the 10.8.0.1 by default:

ping 10.8.0.1

To can communicate with other client through the network with the VPN you have to uncomment the client-to-client parameter in server.conf
and then you would be able to ping the other clients.

1. Setup More than one IP address for one network interface:

The file which contains descriptions of the network interfaces on Ubuntu or debian is /etc/nework/interfaces
A network interface (material) by default is referenced by eth0 so if you have more than one it would be eth1 eth2,
etc… so to setup a virtual ip we should create a virtual network interface, the name of this one would be as follows
eth0:1, eth0:2 etc… to create this interface we should add some lines to the
/etc/network/interfaces file to discribe this interface

NB: modifying this file need the superuser privilages

laptop:/$ sudo nano /etc/network/interfaces

We add this lines

auto eth0:1 //——————-we have one eth0 and we add another virtual interface refered by :1
iface eth0:1 inet static //——-this interface would use a static IP We can use dhcp as well
address 192.168.1.34 //——— IP we want to assign
netmask 255.255.255.0 //——— The netmask IP
broadcast 192.168.1.255 //——– Broadcast IP
gateway 192.168.1.1 //——– Gateway (router or…)

Save the file

As you can see this is a simple text file, so right now the network interface isn’t set yet because this
configuration isn’t applied

To set it we should restart our network interface by using this command with superuser privilages:

laptop:/$ sudo /etc/init.d/networking restart

Your interface is set

To verify if it works you can ping the address you assigned by useing this command

laptop:/$ ping [IP_you_assigned]

_______________________________________________________________________________________

2. There is a second method we can use is not permanent which means if you restart your machine or your interface
it would be deleted.

To do it we have to use the binary file /sbin/ip

To add a virtual IP we use this command:

laptop:/$ sudo /sbin/ip addr add [IP_you_want_to_add]/24 dev eth0

Here we don’t need to restart our network interface cause it’s not a simple file it a binary file it’s applied by
this command.

To check that your change works you can ping the new address using this command:

laptop:/$ sudo ping [IP_address_you_added]

You can also verify the new IP has been added by using the ifconfig command as shown below:

laptop:/$ ifconfig eth0:1
eth0:1 Link encap:Ethernet HWaddr 00:26:b9:11:34:16
inet addr:192.168.3.22 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:19 Base address:0xa000

This will show you that the address you assigned is actually on the correct interface.