
IIS HA reverse proxy

Discussion in 'Business & Enterprise Computing' started by Ding.Chavez, Nov 25, 2015.

  1. Ding.Chavez

    Ding.Chavez Member

    Joined:
    Jul 27, 2001
    Messages:
    423
    Location:
    Sydney
    Has anyone got any practical experience with some web servers behind a HA reverse proxy?

    My devops team approached me about this new build and mentioned this topic, they just wanted a reverse proxy and I mentioned that this is still a single point of failure, can I HA it? ... which means NLB in some form.

    I have an on-prem ESX virtual environment and moving to a cloud (not Az or AWS) so anything I use will need to be virtual.

    Any recommends, any dos and don'ts?
     
  2. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Why use IIS?
     
  3. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    What's your acceptable downtime for the website?

    If you have HA in your underlying infrastructure then don't bother with the proxy. You'll have to deal with all the issues like cookies, sticky sessions and, the most fun, a split brain scenario. The big systems can do it ok, but you're going to fork out about $200k to get there.

    Unless it's a very large system where you'll be running a cluster of proxies, simple and reliable is what you want. I deal with haproxy and Varnish systems in my work and they're incredibly reliable. Varnish gives you easy config changes on the fly and will reject changes if the syntax isn't correct.
     
  4. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    I think you'll get better responses if you tell us what the 'devop' thinks he's fixing by adding a reverse proxy to the mix.

    E.g. are you trying to offload SSL or do DDoS mitigation, poor man's load balancer or firewall?
     
  5. OP
    OP
    Ding.Chavez

    Ding.Chavez Member

    Joined:
    Jul 27, 2001
    Messages:
    423
    Location:
    Sydney
    Not attached to it.

    I can see where he wants to go, we have a very poor DMZ setup which is hard to change before our cloud journey. So basically it is a security thing. - edit: We also have some very chatty APIs that need help.

    It can have downtime, acceptable would be hard to define, but the more it is up the better. If it is down we do not lose money so it's acceptable for some duration down.

    I will look at Varnish as someone did mention that in the meeting.
     
    Last edited by a moderator: Nov 25, 2015
  6. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    I should have added the caveat that Varnish isn't trivial to configure.

    Nor is any reverse proxy if you're dealing with auth / sessions / security if you use any form of caching.

    A reverse proxy doesn't act as a Web Application Firewall (WAF), so there's near zero security benefits to using one.
     
  7. OP
    OP
    Ding.Chavez

    Ding.Chavez Member

    Joined:
    Jul 27, 2001
    Messages:
    423
    Location:
    Sydney
    Funnily enough this came up too ;)

    I need to take a look at a few solutions and measure them up against each other and our requirements vs time vs budget.

    I have a feeling this may start as a small project that feeds into a bigger one, so a phased approach may be on the cards...
     
  8. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,396
    Location:
    Canberra
    reminds me of:
     
  9. OP
    OP
    Ding.Chavez

    Ding.Chavez Member

    Joined:
    Jul 27, 2001
    Messages:
    423
    Location:
    Sydney
    I'm the guy on the left, yeah?? :):)
     
    Last edited: Nov 25, 2015
  10. Wynne

    Wynne Member

    Joined:
    Sep 22, 2003
    Messages:
    270
    Location:
    sydney.au
    There's also Pound, which may not offer as much as what others have suggested but is quite trivial to set up :)

    Otherwise in paid land that will also work on AWS/Azure there's the Kemp load balancers.
     
  11. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Ok well a reverse proxy with filtering can help with security. As long as you are careful with how you build it. A reverse proxy that just blindly shunts everything straight through, unchecked, won't protect you against much.

    Not sure this is going to help you. You want the proxy to take the load off the webserver somehow? This implies a level of reprocessing by the proxy.

    Are you running your web front-end on your database/backend server? Rather than reverse proxy, why not just stick your front end in the DMZ?

    The cynical IT guy in me smells a "devop" who is all dev and no op. The kind who say "I installed my own Linux desktop and LAMP stack therefore I'm a systems administrator". Ask them where their "hyper converged web scale" is :lol:
     
  12. joe_sixpack

    joe_sixpack Member

    Joined:
    Jan 21, 2002
    Messages:
    2,850
    Location:
    Brisbane
    Spend $20 a month with CloudFlare... SSL, WAF, CDN, analytics etc..
     
  13. Alationever

    Alationever Member

    Joined:
    Jun 10, 2014
    Messages:
    56
    I'm amazed that nobody has mentioned Nginx or HAProxy, they're certainly the top choices that come to mind when somebody says "reverse proxy".
     
  14. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,396
    Location:
    Canberra
    you must be new here, oh wait.....

    come to think of it, are you a millennial?
     
    Last edited: Dec 5, 2015
