
We have multiple locations (2 now, soon to be 3) with Proxmox servers that have containers (Ubuntu Server) on them set up as the following (but will have more web servers):

Location 1:

  • GitLab-server
  • db-server
  • rproxy
  • web-server-1
  • web-server-2

Location 2:

  • db-server
  • rproxy
  • web-server-1
  • web-server-2

We have the db-servers set up as multi-master using Galera on MariaDB, so they are not an issue. When we deploy, we want to deploy to Location 1 (where the GitLab server is) and have it sync across to Location 2 on the same web server there (and any more Locations in the future). We will be using Symfony for in-house solution development, and possibly other services like Flarum for forums.

There is a reverse proxy server that sends the correct subdomain.domain to the correct LAN IP and directs all traffic from http to https as well as dealing with Let's Encrypt certs. I have also created a DDNS solution that connects to an online cPanel server to update DNS for dynamic DNS locations and in the case of a failover (the only time anything after site one will be used is in the case of an outage at site 1).

Originally we were thinking of using Resilio Sync to sync the project (/var/www/html/) directory between them, but then it will lose permissions and we need to make sure there are not constantly changing files that will cause syncs (with Symfony we can move them out of the sync folder as they will not need to be synced in an update normally).

If it was only one server we would look at using rsync over SSH if that port was not used elsewhere, but we don't want to have to set up complex port forwarding every time we add a new web server. Resilio doesn't need port forwarding, so it would be great except for the permission issues. I'm guessing we can't really do it over https (because the website is running on that port).

Any suggestions?

MicWit
  • Rearrange your network to use best practices. Setting up rsync should be trivial on a decent network. If your firewall setup is so difficult to maintain that a port forward is more than a few seconds' work, something is likely wrong. Another tool to use (or misuse if your network is stuffed up) is OpenVPN or something between the sites, so they can all be considered as a single network, with knowledge that all data flowing across them is encrypted and considered internal. Another alternative would be to set up bastions/jump hosts, and configure rsync to go through those to minimize pain. – davidgo May 07 '20 at 02:05
  • Other options include rsync without ssh (but I wouldn't) - https://stackoverflow.com/questions/8575345/rsync-without-ssh-access. Another solution worth considering is asynchronous block replication - I've never done 3 way replication, but this is possible. DRBD is the better known tool, but also look at MARS (https://schoebel.github.io/mars/) which is technically superior, but, I found, harder to implement due to kernel issues - though that has likely changed. DRBD can use its own ports, but MARS runs over SSH. – davidgo May 07 '20 at 02:11
  • Unfortunately rearranging the network to best practices would mean way larger expense to manage the failover etc., so not an option (operating on a $0 budget). The port forward issue is that with the DNS changes on cPanel, that gets extremely complex (compared to 80 and 443 that have the reverse proxy). OpenVPN is an option we looked at but that has its own issues in this case because they are home network systems. I think the best ideas are the base stations (they would act like a reverse proxy for SSH) or...... – MicWit May 07 '20 at 02:42
  • ... experiment with SSH on ports other than 22 (give each web server a different port) and then we just have to do one port forward for each web host (and never touch port 22 for other things). I will also check out the other 2 options you suggested. – MicWit May 07 '20 at 02:43
  • Please recommend you find your company someone who specializes in network and system administration - your competencies obviously lie elsewhere. I am a system administrator by trade. What you said above is illogical to someone with a solid networking/sysadmin perspective. – davidgo May 07 '20 at 03:35
  • Rearranging a network should REDUCE the expense to manage failover, and anyone looking to set this up should understand enough about networking to design it without significant expense. Port forwarding should have nothing to do with DNS changes (as port forwards operate on IPs and ports, not domain names). OpenVPN works perfectly in home networking situations, provided the OpenVPN server(s) have static IPs - and if you don't have static IPs at central points you should not be doing hosting, let alone failover. Base stations are not a networking term, they are a wireless term... – davidgo May 07 '20 at 03:49
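As an added example (not from the question or the commenters), a POSIX shell deploy script that does what the comments propose: rsync over SSH with a distinct forwarded port per web server, optionally through a jump host, with `-a` keeping the permissions the asker expected to lose with Resilio Sync. Hostnames, ports, the `deploy` user and the jump host are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or its comments: push a Symfony
# project from the GitLab site to every remote web server with rsync over
# SSH. Each web server gets its own non-standard SSH port (one port forward
# per host, as proposed in the comments), optionally via a jump host.
# rsync -a keeps permissions, owner, group and mtimes, which is what the
# asker worried about losing with Resilio Sync.
# Hostnames, ports, user and jump host are placeholders.

SRC="/var/www/html/"        # trailing slash: sync the contents, not the dir
JUMP="${JUMP:-}"            # e.g. deploy@rproxy.example.com; empty = direct
DRY_RUN="${DRY_RUN:-0}"     # 1 = print each command instead of running it
# One "host:port" per remote web server (placeholders).
TARGETS="web-server-1.loc2.example:2201 web-server-2.loc2.example:2202"

# Symfony runtime state is not deployed: cache/logs/sessions live in var/,
# and per-host secrets stay in .env.local. --delete does not touch excluded
# paths, so var/ on the remote survives each deploy.
EXCLUDES="--exclude=var/ --exclude=.env.local --exclude=.git/"

# SSH transport for one port. ProxyJump means only the jump host needs to
# be reachable from the internet; the web servers stay on the LAN.
ssh_cmd() {
  if [ -n "$JUMP" ]; then
    printf 'ssh -p %s -o ProxyJump=%s -o StrictHostKeyChecking=yes' "$1" "$JUMP"
  else
    printf 'ssh -p %s -o StrictHostKeyChecking=yes' "$1"
  fi
}

# Full rsync command for one "host:port" target. Owner/group are only
# applied if the receiving rsync runs as root (add --rsync-path='sudo rsync'
# and a matching sudoers entry on the web server if you deploy as a user).
rsync_cmd() {
  host="${1%%:*}"; port="${1##*:}"
  printf 'rsync -az --delete %s -e "%s" %s deploy@%s:%s' \
    "$EXCLUDES" "$(ssh_cmd "$port")" "$SRC" "$host" "$SRC"
}

# Sync every target; return non-zero if any host failed so CI notices.
sync_all() {
  rc=0
  for t in $TARGETS; do
    cmd="$(rsync_cmd "$t")"
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else sh -c "$cmd" || rc=1; fi
  done
  return "$rc"
}
# Usage: sh deploy.sh show   (print commands)   |   sh deploy.sh run
case "${1:-}" in show) DRY_RUN=1; sync_all ;; run) sync_all ;; esac
```

Adding a third location is then one more `host:port` entry in `TARGETS` and one port forward on that site's router.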

0 Answers