Linux Clustering of Web Application Firewall

WAF conversion to a cluster

Please bear in mind that # is the CLI prompt, and do not include the ---bof--- and ---eof--- markers in your configs.

Clone the VM, set its network adapter to disconnected, then start it.

Change the hostname, with x being the node number:
# nano /etc/hostname

Add the new entry under '  localhost':
# nano /etc/hosts

# nano /etc/network/interfaces
Update the IP address.

Reboot the node, then check the settings (IP etc.).
Enable and connect the virtual NIC.

At this point it is easier to SSH onto the box than to use the VMware console.

# nano /etc/apache2/mods-enabled/status.conf
Find the line '#  allow from' and uncomment it so it reads ' allow from'.

# apt-get install heartbeat pacemaker wget

# nano /etc/cron.daily/clean-archived-logs

---bof---
#!/bin/sh
# Remove archived (rotated, gzipped) logs every day
cd /var/log
rm *.gz
---eof---

# chmod 777 /etc/cron.daily/clean-archived-logs
(run-parts only needs the script to be executable; since it runs as root, 755 is sufficient and avoids leaving it world-writable.)

# nano /etc/ha.d/

---bof---
#debugfile  /var/log/ha-debug
logfile     /var/log/ha-log
logfacility local0
keepalive   2
deadtime    30
warntime    10
initdead    120
udpport     694
# IP address of the other node (change it in every node)
ucast       eth1
# Tell what nodes are in the cluster, must match uname -n
# Enable pacemaker
crm respawn
---eof---

# nano /etc/ha.d/authkeys
---bof---
auth 1
1 crc
---eof---
(crc only detects corruption and provides no authentication of heartbeat messages; if the heartbeat network is not physically isolated, use sha1 with a secret key instead.)

# chmod 600 /etc/ha.d/authkeys
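An added check, not part of these notes: a POSIX shell script that audits the two files created above, the authkeys file (mode and authentication method) and the cron.daily script (permissions). The paths default to the ones used here and can be overridden for testing a copy; the script name audit-waf-cluster.sh used in the run guard is an assumption.

```shell
#!/bin/sh
# Added audit script (not from the original notes). Paths default to the ones
# used in this procedure; pass another path to check a copy of the file.
# Each check prints the problem and returns 1, or returns 0 when it passes.

# heartbeat authkeys must be 0600 and the active key must use sha1 or md5 with
# a secret. crc only detects corruption: anyone who can reach the heartbeat
# network could then inject cluster messages.
audit_authkeys() {
    f="${1:-/etc/ha.d/authkeys}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -n "$(find "$f" -perm 600)" ] || { echo "$f: mode is not 0600"; return 1; }
    # 'auth N' selects the key; the 'N method [secret]' line defines it
    n=$(awk '$1=="auth"{print $2; exit}' "$f")
    method=$(awk -v n="$n" '$1==n{print $2; exit}' "$f")
    secret=$(awk -v n="$n" '$1==n{print $3; exit}' "$f")
    case "$method" in
        sha1|md5)
            [ -n "$secret" ] && return 0
            echo "$f: key $n uses $method without a secret"; return 1 ;;
        crc) echo "$f: key $n uses crc (no authentication)"; return 1 ;;
        *) echo "$f: key '$n' has unknown method '$method'"; return 1 ;;
    esac
}

# Scripts in cron.daily run as root via run-parts, so they must be executable
# but never group- or world-writable (chmod 777 above is wider than needed).
audit_cron_script() {
    f="${1:-/etc/cron.daily/clean-archived-logs}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -z "$(find "$f" \( -perm -g+w -o -perm -o+w \) -print)" ] \
        || { echo "$f: is group- or world-writable"; return 1; }
    [ -x "$f" ] || { echo "$f: not executable, run-parts will skip it"; return 1; }
    return 0
}

# Run both checks when executed directly as audit-waf-cluster.sh (assumed name);
# exit non-zero if either fails so it can be used from a monitoring job.
if [ "${0##*/}" = "audit-waf-cluster.sh" ]; then
    rc=0
    audit_authkeys || rc=1
    audit_cron_script || rc=1
    exit $rc
fi
```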

# service heartbeat restart

The crm commands below only need to be run on a single node, once the cluster has had time to communicate. Check with:
# crm status

# crm configure property stonith-enabled=false
# crm configure property expected-quorum-votes="2"
# crm configure property no-quorum-policy=ignore

Adding our virtual IPs:
# crm configure primitive VIP61-www-site1-co-uk ocf:IPaddr2 params ip= cidr_netmask=32 nic=eth0 op monitor interval=15s
# crm configure primitive VIP59-wildcard-site2-co-uk ocf:IPaddr2 params ip= cidr_netmask=32 nic=eth0 op monitor interval=15s
# crm configure primitive VIP58-www-site3-co-uk ocf:IPaddr2 params ip= cidr_netmask=32 nic=eth0 op monitor interval=15s

Adding our service:
# crm configure primitive SRV-apache-rproxy-dotDefender lsb::apache2 op monitor interval=15s

Binding the VIPs to the service:
# crm configure colocation SRV-apache-rproxy-dotDefender-VIP61 INFINITY: VIP61-www-site1-co-uk SRV-apache-rproxy-dotDefender
# crm configure colocation SRV-apache-rproxy-dotDefender-VIP59 INFINITY: VIP59-wildcard-site2-co-uk SRV-apache-rproxy-dotDefender
# crm configure colocation SRV-apache-rproxy-dotDefender-VIP58 INFINITY: VIP58-www-site3-co-uk SRV-apache-rproxy-dotDefender

Configure the service startup order, ensuring the VIPs are started first:
# crm configure order ip-apache mandatory: VIP58-www-site3-co-uk VIP59-wildcard-site2-co-uk VIP61-www-site1-co-uk SRV-apache-rproxy-dotDefender

Set up Subversion:
# apt-get install subversion

Some scripts I wrote use svn. To get files into svn, run # svn import --username Some.Admin sourceDir DestinationServer
You then need to check out the folder before you can commit changes.

# svn co --username Some.Admin --force https://vm-svn.somecompany.local/svn/Infrastructure/0WebApplicationFirewall/apache2/@head /etc/apache2/

# svn commit /etc/apache2/
