Solved

redundant web server and email server

Posted on 2012-04-08
Last Modified: 2012-04-21
Hi,

I'm wondering what I would need to do to the DNS settings and what config files I need to change to add in a secondary redundant web server and email server. I'm using apache 2.x, php 5.4, mysql 5.x and postfix mail_version = 2.3.3. If my web server goes down then the secondary server should pick up and, likewise, if the primary mail server goes down then I wish for the secondary mail server to be chosen.

Thank you,
Victor
Question by:Victor Kimura
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 110 total points
ID: 37821611
For a backup MX that part is pretty easy to achieve with Postfix.  Read through http://www.howtoforge.com/postfix_backup_mx which explains it clearly.  Let me know if you have any specific questions after that.

In regards to having a backup web server, this cannot be done without using some sort of intelligent monitor/load balancer such as LVS.  You would create a VIP with a single public IP which you would add to DNS, and configure the load balancer to listen on that IP.  Then configure the load balancer with the real internal IPs of both web servers and tell it to monitor port 80 (or whatever Apache is listening on on both servers) and to stop sending requests to one of them if they are down.

http://www.centos.org/docs/5/html/Virtual_Server_Administration/
http://kezhong.wordpress.com/2010/03/28/setup-linux-loadbalancer-with-piranha-and-lvs-on-centos-5-4/ -- this one looks like a good end-to-end explanation along with using the GUI to LVS.
http://www.austintek.com/LVS/LVS-HOWTO/mini-HOWTO/LVS-mini-HOWTO.html
http://www.linuxvirtualserver.org/
 
LVL 76

Assisted Solution

by:arnold
arnold earned 390 total points
ID: 37821663
To have two mailservers capable of handling and serving access, you would need common storage or have data replication between/among the servers.

Similar issue could apply to the webservers but depends on whether you have a single domain or multiple ones.

You could use a squid reverse proxy that will load balance the requests using an internal name to ip reference.

The only caveat deals with secure sites which are bound to a specific ip/port.

Using squid reverse proxy you can achieve most of what you want on the web side.
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 110 total points
ID: 37821668
The instructions I gave about backup MX are only for receiving mail; it's not an end-to-end redundancy as far as, say, your IMAP users are concerned.  For strictly needing just a backup MX the servers do not need to share any storage and operate independently.  Haven't had much experience with squid, I'll check that out.  Does it take a server out of rotation if it fails to respond to requests?
 
LVL 76

Assisted Solution

by:arnold
arnold earned 390 total points
ID: 37821695
There are tools to use to detect the live server. Discussion in link:
http://squid-web-proxy-cache.1019090.n4.nabble.com/fail-safe-and-load-balancing-with-reverse-proxy-td2237148.html

Presumably the asker's use of redundant means to have full functionality in the event of a server failure.
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821704
Presumably the asker's use of redundant means to have full functionality in the event of a server failure.
Thanks for the clarification.
 

Author Comment

by:Victor Kimura
ID: 37821841
Thanks, Papertrip. I'll read those references soon.

---
To arnold,

"To have two mailservers capable of handling and serving access, you would need common storage or have data replication between/among the servers."
> So Papertrip was mentioning that the system he was suggesting was not really for data replication. So what should I be studying/looking at for data replication, in the case of using IMAP services?

"Similar issue could apply to the webservers but depends on whether you have a single domain or multiple ones."
> For simplicity's sake, what would I do (first steps) for a single domain? I'm assuming/guessing that multiple domains would be similar (or is that a bad assumption?).

"You could use a squid reverse proxy that will load balance the requests using an internal name to ip reference."
> Are there some good references/tutorial sites for setting up/installing squid reverse proxy for a Centos 5 system (or I guess linux system)?

"The only caveats deals with secure sites which are bound to a specific ip/port."
> Not that I'm dealing with secure sites (yet) but would the squid server be able to handle them or would some other additional add-on be used?

"Using squid reverse proxy you can achieve most what you want on the web side."
> What would/should I be using for data replication of Postfix if using IMAP? Are there some good tutorial sites on it so I can study it?

Thanks so much,
Victor
 
LVL 76

Assisted Solution

by:arnold
arnold earned 390 total points
ID: 37822450
DRBD and Andrew FS are two replication schemes:
http://www.drbd.org
http://en.wikipedia.org/wiki/Andrew_File_System

If you have name-based hosting, the config from one with the minimal change to the namehost localserverip.

For webservers, the replication does not have to be on all the time. I.e. the data can be uploaded to each.

Squid as a reverse proxy can be configured with the certificates such that the httpd connection terminates on it; the redirection of the requests on the backend of the reverse proxy will be going to the webserver with insecure traffic.

Internet <ssl=> reverse proxy <unencrypted=> web servers

You can have reverse proxy publicip1 port 443, publicip2 port 443, etc. and each instance with its own squid configuration will point to a different combination depending on your setup.

There are many write ups.
http://www.visolve.com/squid/whitepapers/reverseproxy.php with some detailed explanations.
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
 

Author Comment

by:Victor Kimura
ID: 37845322
Hi,

I was just reading those articles. They give a good introduction but are there any good tutorials on the step-by-step, how-to setup of webserver replication or redundancy? I'm still new to all of this data replication/redundancy so I'm not certain if replication/redundancy are referring to the same thing. Practically, I just wish to set up a webserver/email system in case one of the servers crashes or is unavailable for some reason.

Reverse proxy (from the articles) seems to be more of a caching system. I'm still unclear how a caching system can implement better uptime for the webserver/email server (if one of the servers is unavailable).
 

Author Comment

by:Victor Kimura
ID: 37845363
I'm just previewing http://www.drbd.org/docs/about/ and it doesn't mention email replication using something like Postfix/Dovecot. I don't know if it would be the same setup as for the webserver. I just want to be sure (or more sure) before I go and read whole documentation setups and to be sure that I'm heading in the right direction...though I know I'll learn a lot about practicing the setup for drbd =).

thanks,
Victor
 
LVL 76

Assisted Solution

by:arnold
arnold earned 390 total points
ID: 37845369
The reverse proxy can be configured to load balance the requests with checks such that when one server becomes unavailable the proxy will only direct the requests to the remaining one.

DRBD defines a file system that is synchronizing to the other server, similarly set up. You would then use this DRBD partition as the location of the data for the web server. I.e. a new file stored in this partition will be replicated to the other server into the similar partition.

Andrew FS is a file-based replication setup, in a similar fashion defining a partition that is then used for storing the web site data.

With the mailserver, the same applies depending on whether you want to have both using a central common storage using NFS shares, which is where the user data is stored:
/home
 
LVL 76

Assisted Solution

by:arnold
arnold earned 390 total points
ID: 37845388
DRBD is low level (media/hard drive replication).

I.e. the setup is such that the configured "drive" as DRBD mirrors to the configured "drive" on the other system.
There are two options:
master/replica, i.e. only one active at a time, which means only one server can write.
The other setup is master/master, where writes can occur on either and the changes are replicated. The mail server does not keep track of what is in each user's "mailbox" unless the user is accessing it using IMAP or POP. The mail server will rescan, which is what it does while the user is accessing the emails, when a new message is delivered.

DRBD though is network intensive/dependent.

what resources do you have on hand?
 

Author Comment

by:Victor Kimura
ID: 37858800
Hi arnold,

Okay, I'm beginning to understand. I don't have any resources set up really. I have a home server (Centos 5.3, Postfix/Dovecot) and I was going to use just some dynamic DNS setup with Dyndns.org. I have a couple of VPS servers that I can use as the other server (mail/web). I think one is Exim for one of the VPS servers. I have a godaddy VPS and Westhost VPS (which is using an outdated Redhat version so I'm thinking of switching to Hostgator VPS). Godaddy is my client's but I can use some of the resources.

Right now I want to do some test setups and see how everything works and to learn the process of setting something up with DRBD and/or Andrew FS. I guess I'm leaning more towards master/replica.

I am wondering though (for some clients who are using a shared hosting service already like Bluehost) if it's possible to set up this DRBD system with a shared hosting server. Is it possible to eliminate the downtime setting this system up or is it better to end up migrating from the shared to a VPS? If it's the latter, then how does one migrate without downtime? I've spoken to some techs and some say there is no downtime in the DNS but, practically, I've found that there is downtime. I think though these sets of questions are for another post. =)

So should I be reading on DRBD and/or Andrew FS? Is that the way I should go? Can DRBD and Andrew FS be used together or do I choose one or the other?

Thank you for your help. This info is really helpful.

Victor
 
LVL 76

Accepted Solution

by:arnold
arnold earned 390 total points
ID: 37859028
In the resources you outlined, you could read up on the two options in the event you will at some point have two local servers that you would cluster and either have a common storage from another system or use DRBD or Andrew FS to replicate the data.

Since DRBD is network intensive, it would be rather bandwidth expensive.
Andrew FS will likely be a similar issue, and would have an issue if the VPS does not include Andrew FS support, which you would need to install.

In your scenario, the redundancy option is not available.

What is available is a backup mail server.  The drawback is, if your primary/main mailserver has services such as anti-virus/malware and other filters, spammers will inject messages for your domain through the backup servers, grinding them, because they, when configured, will accept messages destined to your server without the filtering yours has and would then have to deal with the rejections of the messages by your server.

Normally the behavior of any sending mail server is to try and send an email to the destination for at least five days. Some use seven days, while others may have three or fewer days.
This is the amount of time you normally would have to correct the issue on your server.

DNS configuration for mail handling is done through MX records.
You can have multiple MX records, which have the format: domain.com. IN MX weight servername.
The lower the weight (0), the higher the preference for the referenced mail server, such that with
domain.com. IN MX 0 mail.domain.com.
domain.com. IN MX 10 mail.somedomain.com.
domain.com. IN MX 20 mail.someotherdomain.com.

sending mail servers will always try to connect to mail.domain.com first to transmit a message for user@domain.com. On inability to connect (establish a port 25 connection), the sending mail server will mark the preferred mail server as inaccessible and will next try the next preferred, mail.somedomain.com, as the server to which it will try to connect and deliver a message for user@domain.com.  The same applies for the other.
The "marking" of mail.domain.com as "bad" is not permanent.  Depending on the mail server, when the queue no longer has an email for user@domain.com, the next email for user@domain.com will start the process anew, where mail.domain.com will be checked first (there is some time that has to elapse for the redetection).
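The MX fallback order described in the answer above, as a small simulation. This is an added example, not code from the thread: the MX lines are the three from the answer, and the set of unreachable hosts (with a constructed expiry window standing in for the "not permanent" marking) is made up for the demo.

```python
"""Simulate how a sending MTA chooses a destination host from MX records."""
import re
import time

# Matches one zone-file MX line: owner, class, type, preference, exchange.
MX_LINE = re.compile(r"^(\S+)\s+IN\s+MX\s+(\d+)\s+(\S+)$")

# Constructed zone fragment, copied from the answer's example records.
ZONE = """\
domain.com. IN MX 0 mail.domain.com.
domain.com. IN MX 10 mail.somedomain.com.
domain.com. IN MX 20 mail.someotherdomain.com.
"""


def parse_mx(zone_text):
    """Return a list of (preference, host), lowest preference first."""
    records = []
    for line in zone_text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).rstrip(".")))
    return sorted(records)


def pick_mx(records, unreachable, retry_after=3600, now=None):
    """Return the first MX host not currently marked as unreachable.

    `unreachable` maps host -> timestamp of the last failed connection.
    A mark expires after `retry_after` seconds (assumed value), so the
    preferred host is retried once enough time has elapsed.  Returns
    None when every MX is marked bad, i.e. the message stays queued.
    """
    now = time.time() if now is None else now
    for _pref, host in records:
        marked_at = unreachable.get(host)
        if marked_at is None or now - marked_at >= retry_after:
            return host
    return None


def deliver(zone_text, unreachable, now=0):
    """Parse the zone and pick the host a sender would connect to."""
    return pick_mx(parse_mx(zone_text), unreachable, now=now)


if __name__ == "__main__":
    print(deliver(ZONE, {}))                              # primary MX
    print(deliver(ZONE, {"mail.domain.com": 0}, now=100))  # backup MX
```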
 

Author Comment

by:Victor Kimura
ID: 37863348
Hi arnold,

Thank you very much for the info. Very helpful indeed. I'm going to read more on DRBD and Andrew FS.

But just wondering, for the other setup you mentioned "... two local servers that you would cluster and either have a common storage from another system...", are there some good reading/tutorial materials online about how to set this up and to educate myself more on it?

Thanks so much,
Victor
 
LVL 76

Assisted Solution

by:arnold
arnold earned 390 total points
ID: 37863462
Look at clustering for Debian, Ubuntu, redhat/centos.
Openfiler.org is a good central storage setup supporting NFS shares and CIFS for Windows as well as iSCSI and FC type resources.
 

Author Closing Comment

by:Victor Kimura
ID: 37875004
Thank you both for your extensive input. =)