Open Source Network Redesign

As you might have noticed in recent blog posts, I’m spending a fair amount of time working with open source solutions like Ubuntu Linux, OpenBSD, Puppet, and similar. As part of the effort to make myself more familiar with these and other open source projects, I’ve decided to re-architect my home network using predominantly open source software.

Here are the open source software projects that I know for sure I’ll end up using:

  • Ubuntu Server 12.04 LTS
  • OpenBSD (probably version 5.1)
  • Squid and the Squidguard content filter
  • BIND v9
  • ISC DHCP server
  • Open source Puppet

However, there are a few packages that I haven’t quite settled for sure. I’d love to hear some feedback on these questions:

  1. What do you recommend for low-volume web serving—Apache HTTP or Nginx? (Manageability via Puppet is a consideration, too.)
  2. It looks as if I can use Heartbeat to provide high availability/failover at the application level for the web and web proxy services (this would be active/passive only). Anyone have any experience with Heartbeat, or some good resources to share?
  3. It would be great if I could actually do load balanced sessions for the web and web proxy services (active/active instead of active/passive). It appears as if LVS will do this, but it also looks like I’ll need separate VMs (everything will be virtualized) for LVS. Anyone have some resources for LVS?
  4. Are there any other projects or tools I should be considering?

Thanks for any help or information you can provide!

Tags: , , ,

  1. Bob Plankers’s avatar

    Apache is still the king of web servers, and while it takes some criticism for being slower than others by default in raw throughput shootouts it can do absolutely everything you want to do, is super flexible, and all documentation includes examples for configuring it so you spend less time fighting the web server and more on fighting the tool you’re testing.

    I’ve been wanting to try the Zen load balancer, just haven’t had much time. Darn kids! (not really complaining). :)

  2. Dan’s avatar

    You could try OpenBSD’s relayd for load balancing

  3. slowe’s avatar

    Bob, thanks for your comment. I was leaning toward Apache (as I’m more familiar with it than Nginx), but wasn’t sure if it was worth the extra effort to learn a new package. Sounds like sticking with Apache is reasonable. I’ll also have a look at the Zen load balancer.

    Dan, I saw relayd while doing some searching; I suppose that’s an option as well. I was really hoping to avoid running separate VMs for the load balancing, because then I need to provide high availability for the load balancers. I guess I could scratch high availability for the “back-end” services and just provide high availability for the “front-end.” Can I use CARP to provide high availability for relayd?

  4. Brad C’s avatar

    mod_proxy_balancer works pretty well for web load balancing and is another reason to go with Apache:

    http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

  5. John McAuley’s avatar

    You could run PF for your firewall and load balancer to give you basic levels of functionality. You don’t have all the load balancing algorithms you might find on more feature rich platforms but if you just want to use source based or round robin, that would work. You could also run that on the same VM so you’re not talking about separate VMs for each function (which I suppose you could do with several of the options out there).

    Once all of this is set up, if you’re interested in playing around with some orchestration pieces and user portals, consider looking at some of the platforms that would help you with bringing user functionality into your portal. NicTool is one that I’ve used for building things like DNS management functions (which would work with your BIND implementation). Good luck! Sounds fun.

    McAuley

  6. slowe’s avatar

    Brad_C, I’ll have a look at mod_proxy_balancer as well. Thanks for the heads-up!

    John, I considered using PF (and I’m investigating using CARP as well). Relayd looks pretty nice, so I might dig further into that as well. Thanks for the tips!

  7. Kyle’s avatar

    If you only need recursive dns then I would recommend you try dnscache over the kitchen-sink that is BIND9.

    Apache works fine for low and high volume, you just need to know how to tune it. Everyone knows how to use it.

  8. slowe’s avatar

    Kyle, I’m using BIND9 now, and I’ve configured it to do dynamic DNS updates to my ISC DHCP daemon. While it probably is overkill, I’ll likely stick with it anyway. Same for Apache HTTP—for an environment like this where latency isn’t a big deal and page volume is extremely low, it should be fine. Thanks for your comment!

  9. Brett’s avatar

    Hi Scott,

    I use heartbeat with HAproxy for load balancing works well and is very easy to setup/monitor/manage.

    Search around for loadbalancing exchange 2010 CAS to see some great articles on basics for it.

    Alternatively there is a full package called zenloadbalancer that is quite good and they are very good at support but its not as full featured just has an easy to use GUI.

    If you want more info on heartbeat let me know but it is fairly easy set the interface for “heartbeats” and then the list of IP’s you want on what server each resource can be on separate servers creating a active/active setup.

  10. Chase Christian’s avatar

    I would suggest Apache, if not for the sheer amount of configuration and troubleshooting information available. People have done EVERYTHING on nginx, and you’ll never have an issue finding a guide or how-to. Nginx, on the other hand, is much newer and I have had issues finding consistent documentation and guides for it. I run both in production, but I tend to lean towards Apache first.

  11. slowe’s avatar

    Brett, thanks for your comment. So, if I understand correctly, you’re using Heartbeat for active/passive instances of HAProxy, which are then load balancing active/active instances of back-end services? Is that accurate? That sounds quite interesting—if you have more information you’d like to share, I’d love to see it. You can post it here in the comments, or drop me an e-mail (address is on my About page). Thanks!

    Chase, thanks for the feedback. Going with Apache seems to be the consensus so far, for a lot of the same reasons you shared. I appreciate the information!

  12. Brett’s avatar

    Hi Scott,

    Yes I use heartbeat but have it setup in active/active to explain I setup one IP resource on one node and then haproxy binds to that IP for any ports it needs to listen on for load balancing back end servers. Then I add another IP resource to heartbeat but set its master to the other node then allowing haproxy to bind to it for different backend resources. This gives me better utilization of the loadbalancers.

    The other benefit as it is in production is that at any point in time I know both loadbalancers work and if a failover happens I can be sure the other is ready as it is already serving connection for different applications.

    My only downfall is that upon a fail condition I can flood one loadbalancer as it essentially takes on the load of two. thankfully I have not had any problems due to the shear speed of haproxy.

    Will send something via email to explain better.

    As for the config of each it is very simple and I can have a full redundant loadbalancer setup in about an hour including installing the OS.

  13. slowe’s avatar

    Brett, got your email—thanks! I appreciate the information.

  14. harshvardhan gupta’s avatar

    Visit for readymade appliance at turnkey linux http://www.turnkeylinux.org/
    all are based on ubuntu.

  15. Kristian’s avatar

    Why not have a look at Varnish instead of the old fashioned squid? Varnish seems to be the answer to all web cache assignments these days.

  16. Simone’s avatar

    Hi,

    As far as an http server I would consider using lighthttpd.
    Apache is the most well documented, flexible, feature rich and modular httpd ever, but if you don’t need so much features…
    Lighthttpd needs lower resources and scale pretty well based on his event driven approch.

    For doing application level HA I’ll suggest LVS/ldirectord. This because of two main reasons:

    1- Heartbeat manages resources and his focus is doing HA of them. to achieve this it’s approach is using arp packets, moving ip from one resource and another an so on. All of heartbeat stuff is focused on HA of host, or nodes, and moving resources from the failed node to the other. This is not application level, is system|host|vm level..
    2- to do an application failover I don’t like to deal with arp caches of switches or restarting services on different machines.. I prefer the approach of “one httpd server is not running anymore.. I’ll take care of it later on, now i’ll use the other one”.

    Linux Virtual Server (LVS) toes exactly this: it’s a balancer that handles the falure of a realserver (the backend http in our example) such a zero-wheighted connection.
    No arp, no service restarts, no service down, no loss of connections. Moreover LVS does load balancing, hence in the worst scenario only 50% of the request(if you use two realservers) could ever notice some delay (if any..). If you use Heartbeat-like setup and a node fails the takeover will take some more (minimal) time.
    In my personal experience, a fail of a realserver behind LVS is not noticed, a fail of a node managed by heartbeat is always noticed.

    This considering only two realserver or nodes.. If you plan to use more nodes using heartbeat simply you can’t. You must use coroscyn, openAIS, peacemaker and so on.. If you use LVS, you define a new realserver and add it to the pool, you don’t need no other configuration.

    As far as doing reverse proxy or even content filtering on http traffic, I’ll suggest you to give a try to Varnish Cache. In some scenario it’s reported as faster and better than Squid.
    In general performance and scalability of (reverse and forward) proxies is offen the more important aspect, but I did some interesting configurations with spamassassin/clamav and http proxy for diong some analisys of blog comments, attachment uploads and so on. In this use cases I found interesting the client-server approach of clamav and spamassassin that made me able to deploy a “cleaning machine” that offloads the content analisys from the proxy server.

    I drop here a list of some projects that would like to suggest/consider:

    -Heartbeat2
    -Corosync
    -OpenAIS
    -Lighthttpd
    -Varnish
    -Dansguardian
    -eAccelerator (if you plan to serve PHP pages..)
    -OWASP(?)

  17. slowe’s avatar

    Kristian, I listed Squid simply because I am quite familiar with it. Also, I use Squid primarily because of its support for content-filtering extensions. I’ll do a bit of digging and see what Varnish is like. Thanks!

    Simone, wow—thanks for your detailed response! I agree that LVS or similar should be used for the load-balancing, but I’ll still need something like Heartbeat or CARP so that I can provide redundancy for the load balancers. I’ll take a look at some of the projects you mentioned to see if they make sense.

  18. Paul C’s avatar

    What are you using for NAT/Firewall? if iptables/pf and you’re likely to get complicated ( HA, lots of rules, etc ) you might want to use Firewall Builder to maintain. It gives a nice simple interface configure and manage firewall rules and push them out to a number of different firewall products.

    http://www.fwbuilder.org/

  19. slowe’s avatar

    Paul C, the firewall is one item that I won’t be swapping out—I’m currently using a hardware firewall and will continue to use that after the redesign.

  20. John McAuley’s avatar

    Oh, sorry about that. I didn’t realize you were using a hardware firewall. From the sound of it, I thought you were trying to build a VM based firewall which is why I brought up PF and relayd as a simple solution.

  21. Daniel Schrader’s avatar

    I’m curious if you have looked at Vyatta for routing/firewall/VPN? (http:www.vyatta.org)

  22. Josh’s avatar

    There’s a gem I found several years back that saved a little project I was working on at 3AM. LongStoryShort – a solution I had worked up turned out to not work the way it was supposed to at implementation time and I needed a semi-smart load balancer that I could setup quick and be reliable. Cue Crossroads (http://crossroads.e-tunity.com/). It’s easy to configure, lightweight, and fast. I think it ran for 5 years after I put it in without *any* intervention and was quite busy 24×7.

  23. slowe’s avatar

    John McAuley—no worries! The relayd information was actually quite useful, and it may be something that I use even if I’m not using pf for my border firewall.

    Daniel, I did look at Vyatta, but there isn’t a great deal of routing I’m going to need within the home network. I wouldn’t be surprised if a Vyatta instance appears sometime, though…

    Josh, thanks for the link—I’ll take a look!

  24. John A’s avatar

    What kind of hardware do you have? It’d be interesting if you outlined what machines you’ll be running this on, or showed a diagram of what your current and future home network will look like.

  25. slowe’s avatar

    John A, I’m acquiring new home lab servers as part of this project, and I haven’t finalized the specs just yet. I would expect them to be pretty entry-level—a single quad-core CPU, 16GB of RAM or so, and a modest disk subsystem. The plan is to use Ubuntu and KVM to host the VMs on these systems. I agree that it might be helpful to have more information on the topology and such, so perhaps I’ll put up another post with more information. Thanks!

  26. manish’s avatar

    CARP and PF will be single point of failure so not sure how you are doing to make it redundant.

  27. Stefan’s avatar

    2+3: I would recommend keepalived: does IP HA + LVS, has simple and small configuration files.
    Also you can setup keepalived on the servers with your actual services – no additional VMs needed

  28. Chris Greer’s avatar

    So I’m more of a Fedora/Centos, but check out FreeIPA (I believe this is available for Ubuntu). It will give you account management, certificate server, and Kerberos but I’m not sure if the *BSDs will integrate. Using Apache + mod_proxy for a load balancer add in a firewall and something like openswan and you have a pretty nifty vshield edge type of device.

    Just my $0.02 worth

  29. al’s avatar

    If your new job travel schedule is as heavy as previous, you might want to bring up the VPN first, so that you can do your config on the road.

  30. Ben’s avatar

    2 of the comments briefly mention Varnish. I’d definitely recommend looking into Varnish, it can do your web server load balancing* for you, in addition to being a very powerful caching solution.

    There is a bit of a learning curve involved to get it configured properly, but thankfully Varnish is very well documented.

    * https://www.varnish-cache.org/trac/wiki/LoadBalancing

Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>