Rebuilding from the ground up - looking for advice.

Here is what I have running:

IPCop Firewall/Webcache/DNS proxy/DHCP with telco DSL in and a single IP serving all web applications on different ports facing the internet, on a single domain name. The internal network is 192.168.80.0 and a series of different technologies serve different web applications from virtual machines.

cloudmin pro master ubuntu server 64 12.0.1: Hewlett-Packard / ProLiant DL360 G5 with 4 cores (2.66GHz) & 20 GB of ram. LVM Setup on Raid 1+0 disks SYSTEM=72GB/72GB STORAGE=146GB/146GB

kvm host ubuntu server 64 12.0.1: Hewlett-Packard / ProLiant DL360 G6 with 16 cores (2.67GHz) & 24 GB of ram. LVM Setup on Raid 1+0 disks SYSTEM=146GB/146GB STORAGE=146GB/146GB

kvm host ubuntu server 64 12.0.1: Hewlett-Packard / ProLiant DL360 G5 with 4 cores (2.66GHz) & 32 GB of ram. LVM Setup on Raid 1+0 disks SYSTEM=146GB/146GB STORAGE=146GB/146GB

Netgear ReadyNas Pro 1.5 TB (for VM Backups via SSH)

I have this new server coming In about 2 weeks:

Hewlett-Packard / ProLiant DL360p G8 with 12 cores (2.5GHz) & 196 GB of ram. LVM Setup on Raid 1+0 disks SYSTEM=146GB/146GB. LVM Setup on Raid 5 disks STORAGE=146GB+146GB+146GB+146GB+146GB+146GB

With this new server, I was hoping to migrate my cloudmin pro over to the new server and have all three older servers provide additional processor, memory and disk resources (iSCSI, I'm thinking) to cloudmin, for some kind of failover arrangement, as these web applications are mission critical during the summer.

A buddy told me that virtualmin (Something I have never used) can allow me to provide multiple applications (all on port 80) from multiple VMs all over a single IP if virtualmin controls the DNS.

I am wondering if this is all possible and or feasible and looking for some guidance before I start buying more licences and reformatting servers.

Thanks for any and all guidance. Franco

Status: Active

Comments

Since I have seen no responses I will assume I was too verbose or did not ask a specific enough question, I know you guys are very busy doing great things, so let me try asking this another way.

1) I have all the resources above including a cloudmin pro licence. I need to serve up a bunch of different websites on the same domain name (as subdomains) all on one IP address. Can I do this with what I have or do I need more stuff (like a virtualmin licence, usermin or other software etc.)?

2) Assuming I can do number 1, I am looking for a recommendation of an optimal configuration of this hardware so that I have automatic failover. I have not seen such in the documentation, but I admit I have not read it all yet - I'm working on separating wheat from chaff as I go.

Thanks for any help, Franco

Sorry, I missed this ticket initially.

So if you want to do webhosting, Virtualmin is the package you want. However, we do have a free GPL version that meets most needs.

I'm a little confused as to what kind of webhosting setup you want to do though. Do you want to have multiple sites on the same IP, but served by different machines?

Hi, I am not doing commercial style webhosting per se, but I am doing something similar. I have one domain name blah.com and I have an IP from the telco. I have several different web applications in different virtual machines, some on alternative ports like 8080 but most on port 80. I need to serve them all, on port 80, over a single IP. I want to segregate them by using subdomains. So for example:

firemapping.blah.com (mapserver php/apache on ubuntu 11.04) port 80
geo.blah.com (geoserver on tomcat7 in ubuntu 11.04) port 8080
firemodelling.blah.com (drupal 7 on apache over mysql and postgresql ubuntu 12.04) port 80
weather.blah.com (decodes on java, drupal on apache/mysql Ubuntu 10.04) ports 80,88,81
helpdesk.blah.com (spiceworks on windows on ruby) 80
meetings.blah.com (BigBlueButton on Ubuntu 10.04) port 80, 9123, 1935
and even more etc.

in the end, one domain/IP with ports 80 8080 88 81 9123 1935

etc. etc. My system is incredibly complex and these are all separate virtual machines running under my cloudmin system. I would like to accomplish on this system what I can do from my VPS at site5.com: it has a single IP and multiple accounts and websites all served from a single IP.

What I am doing now is difficult because I can only use one hostname, not subdomains. But I have a friend who accomplished this using virtualmin a year ago and bragged about it (which is how I found cloudmin).

Anyhow, I hope this explains it better!!!
F

In that case, what you'd want to do is install Virtualmin on the system with the external IP, create your domains, and set each up to proxy traffic through to the appropriate backend VMs.

Yeah like Jamie said, this is what you would do:

  • Create all the different VMs you want, setting up all of their various services and hostnames. I.e. one might host "mail.blah.com:80" and another might host "git.blah.com:80" and so on.

  • Create one VM, or use the cloudmin master, to install Varnish or Nginx, the two highest-performance proxy servers in the world. I would probably pick varnish because it's natively capable of doing memcaching (nginx requires the memcached module for that) of static resources like javascript and images and such, and will only forward requests for dynamic resources (like PHP) over to the backend servers, saving you a lot of CPU time.

  • In the chosen proxy config, set it up so that i.e. requests for "mail.blah.com:80" are proxied to the internal "10.0.1.1:80" machine, "git.blah.com:80" is proxied to the internal "10.0.1.2:80" machine etc.

  • This setup is known as reverse proxying, so now you know what to search for.

  • Bonus: coincidentally, this is the same kind of setup you would do if you wanted to do load balancing. In that case, you would set up a central SQL server which stores all data + all PHP sessions (many apps already use SQL for their session storage by default, i.e. Roundcube and piwik and will work out of the box), then set up the same set of websites on every VM (you can do this by creating 1 VM template and then launching multiple copies of it), so that they all contain the website contents for mail.blah.com, git.blah.com, etc. Then, put your load balancing proxy server in front of them and tell it to send the request to a random internal server. The servers in turn will be talking to the central SQL backend, ensuring that all of the servers have the same "state" and are equally suited to handling the request.

Good luck and have fun! :)

OK, so I would get rid of my IPCop firewall computer (the one that gets the IP from the telco) and replace it with a computer running Virtualmin and Varnish. This machine would then serve out IPs and proxy traffic to my VM hosts and subsequently the VMs?

If I have that right then I would point my domain registration dns server records to my virtualmin/varnish box which would control the DNS of my domain?

Thanks guys for helping me with this!!! F

Correct, you make your DNS point to the Varnish machine, and the Varnish machine in turn forwards the request to the internal machine (and sends some headers containing the IP of the actual person that wanted the page, so that your site knows who accessed it from outside the proxy).

Look for Varnish load balancing / reverse proxy guides. I suggest the Load balancing setup, in which case you would have the same sites on every VM. It ensures that load is spread evenly rather than all mail users hammering the mail machine and all git users hammering the git machine, etc. The only thing you need to do is take care that all sites are configured to read/write data from a central MySQL database so that they are all equally capable of handling any request.

There will be some extra initial work to set up all systems so that every website speaks to the central SQL server, but after that you're in heaven because all of your machines can be based on 1 single VM template that contains all software, and you can effortlessly spawn new VMs from the template if you need more processing power for your sites. When updating software, you simply need to update that single template, and you then re-spawn new VMs from it, killing off the old and outdated ones.

This of course depends entirely on how busy your projects are, but for heavy sites it's absolutely worth doing load balancing and not just reverse proxying.

All good stuff thanks.

I'm not convinced I will need load balancing, as I have enough horsepower to fly a battleship and can't see this system having more than 100 users ever, but I will go through the process and double my drupal servers over a single database, just to get the hang of it and learn it.

So it looks like a stand-alone computer with two NICs, one on the DSL and one on the private network. This machine runs ubuntu server on bare metal with virtualmin and varnish, with a single virtual server for the domain, then sub-servers for each subdomain/host which will proxy to VMs hosting web applications on the private network.

I will see how I make out getting this far, then perhaps check back.
Franco

You're welcome.

Also, you don't need two NICs, as long as you put the Varnish proxy behind a router:

Internet
|
Router
/ \ \
Varnish App1 App2

Requests would go into the Router, which passes it on to the Varnish server, which speaks to the App VMs over the local network.

OK, that's even easier, so I could then eliminate the router, put Varnish in a VM and just use the following?

Internet
|
vmhostmachine
/ \ \
Varnish-VM App1 App2

Oh, so every VM is hosted on one machine? That's awfully inefficient in a proxying situation, especially in your example graph where traffic would come in on the physical adapter, get translated and enter the Varnish VM, which then goes back out to the virtual network adapter and then back into itself on a different VM, which then returns the request out to the virtual network adapter again, and then from there back into the Varnish VM, and then from the Varnish VM back out onto the real network. Luckily, some of these steps can be taken out of the equation (I'll show you how).

I assume you're only running multiple VMs for a sense of security and isolation between sites, then? Or perhaps you're offering people their own VMs all running on your machine, and you want a way to direct traffic to the correct machine? Those are the reasons I can think of why you'd be running different VMs per-site, instead of simply having every site on a single VM. If it's only your own sites, then I suggest that you run every site inside one VM and avoid all the headaches.

Anyway, whatever your reasons may be, here's a setup that would work for you and is as efficient as possible given the circumstances:

Internet
|
Varnish + Cloudmin (host)
/ \
VM1 VM2

Configure the VMs to use Host-only Networking, which means that the host and its VMs can speak to each other but the VMs don't have any presence of their own on the physical network adapter/network. From there, your host machine runs Varnish which looks at the HTTP/1.1 "Host" header to determine which internal VM to send the traffic to.

Basically, what you do is define a network bridge adapter that isn't tied to any physical network card, then tell your VMs to use that. This will allow your host and VMs to speak to each other via their own little virtual network, without exposing the VMs to the physical network whatsoever. Just make sure to assign an unused IP range to the virtual network, and a netmask that won't clash with your physical network. That's easily done by choosing a start-address that's higher than what you use on your own network. I.e. your physical network may use 10.0.0.0 to 10.0.0.255, so you would simply assign the virtual network on the 10.0.1.0 to 10.0.1.255 range, or any other private, unused range.

The other issue is that your VMs will have to be able to make outgoing connections to the internet for various features like DNS lookups and whatever. For that, your host machine will have to act as their NAT/Gateway.

You're getting into advanced and quite inefficient routing territories here, and should also be asking yourself if you could simply move all sites to a single VM, with unix User permissions handling the user isolation and security.

Hi Aitte, I appreciate your time in explaining and trying to understand my system, If I may I would like to elaborate a bit more on what I am doing.

I have several different virtual machines that serve web applications. They do not all share common stacks, however, and they have different OS requirements or are powered by a distinct distribution of linux. For this reason, each system is separated into discrete virtual machines tuned to provide the best performance as a VM and to provide ease of management for upgrading packages, distributions and components etc. In cases where my web applications have common stacks or partial stacks, as in drupal, I have both drupal 6 and drupal 7 hosted on the same VM. While the Drupal 7 based application is the current open-sourced implementation of my work and uses the more generic mysql server which is dedicated to Drupal 7, the Drupal 6 application (a legacy application being migrated into drupal 7) shares a PostgreSQL geodatabase backend with Geoserver and Mapserver.

These VMs are NOT all on one machine, but they are all controlled by a single cloudmin master, which itself provides KVM, processors, memory and disk space. 2 other servers provide the cloudmin master with resources (KVM, processors, memory and disk space) as well, and now a new and powerful machine will be added to all of this as my cloud master is outdated (all hardware listed in first post). These VMs should be spaced out over the KVM resource servers and I want to use failover capabilities found in cloudmin/webmin/virtualmin.

That said these systems are operating in-situ and are in use by off season staff preparing for the fire season. I would like to have my system up and running in the new configuration by may 1, so that the system is as robust as possible for the upcoming season.

My primary goal in reconfiguring all of this is to be able to serve multiple VM based web applications which cannot run on the same VM for different reasons, through a single IP and on a single domain name. The majority of clients using my systems are locked behind tight govt firewalls and can only use a few TCP ports (like port 80, 8080 and 8000) to access web applications so I am limited to these 3 different ports on that single IP hence the need for the complicated proxy/routing that we are exploring now.

I would like to limit the hardware to the vhost machines if possible and I need a finer grain of control than a conventional dlink router etc might provide. I am only just starting to realize how the webmin/virtualmin/cloudmin system simplifies the use of the powerful capabilities of linux, and makes configuring and managing this system so much easier.

I have to go on the road for a week on courses, but while I am gone I will try and diagram what I see as my ideal infrastructure arrangement and post it here and perhaps we can continue this most enlightening discussion when I return next weekend. I think that this discussion will help others who are unsure of how to do such a thing as well.

Thanks again Franco

Oh so you do have multiple machines, and a very good reason for that as well. Good, then let's proceed!

Since they are actually physically separate machines, you are definitely going to need a router so that you can have all machines and VMs in a local network address space, capable of speaking to each other. The router will be responsible for sending incoming port 80 (and other) traffic to the Varnish machine.

This is the setup for you:

Internet
|
____ Router (1.2.3.4) ____
/ | \
VM1 Cloudmin+Varnish VM3
|
VM2

Each VM is bridged to the local network, with its own internal address, such as VM1=10.0.1.1, VM2=10.0.1.2, VM3=10.0.1.3

The Cloudmin hostmachine speaks to all of them via those IPs for control purposes.

You run Varnish directly on the Cloudmin host (not in a VM), to cut out a few routing steps.

The DNS for all websites points to the router's IP (1.2.3.4).

The Router directs incoming Port 80 (web) traffic to the Varnish host.

Varnish looks at the "Host: example.com" header and decides which VM (10.0.1.1, 10.0.1.2 or 10.0.1.3) to send that request to.

You only need 1 physical network adapter per machine, since the router handles the issue of where to send the traffic.

For your needs, even a $50 home-grade router with a big routing table would suffice, like a DLink DIR-655 gigabit router. Just any router with enough memory to keep track of all the open connections and their sources/destinations. You only need enterprise-grade routers if you want to have multiple VLANs (meaning different LANs for different ports), if you have more than a gigabit connection, or if you need more than 4 physical ports. Otherwise the DIR-655 will suit your needs as it has enough memory to handle all the connections to your sites.

I hope you have a nice trip! :-)
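The Host-header routing described in this thread (the reverse-proxy bullets, the X-Forwarded-For and load-balancing notes, and the final router plus Varnish layout above), written out as one Varnish VCL file. This is an added example, not configuration from the original thread or from the Virtualmin project. It assumes Varnish 4.0 or later syntax (the Varnish 3 packaged with Ubuntu 12.04 declares directors differently), the 10.0.1.x backend addresses used in the last post, the subdomains Franco listed, and a hypothetical second Drupal VM at 10.0.1.4 so the round-robin pool has two members.

```vcl
vcl 4.0;
import directors;
import std;

# One backend per application VM on the internal network.
# Addresses follow the thread's example; 10.0.1.4 is a hypothetical second Drupal copy.
backend firemapping { .host = "10.0.1.1"; .port = "80"; }
backend geo         { .host = "10.0.1.2"; .port = "8080"; }
backend drupal_a    { .host = "10.0.1.3"; .port = "80"; }
backend drupal_b    { .host = "10.0.1.4"; .port = "80"; }

sub vcl_init {
    # Round-robin pool for the load-balanced Drupal copies that share one central database.
    new drupal_pool = directors.round_robin();
    drupal_pool.add_backend(drupal_a);
    drupal_pool.add_backend(drupal_b);
}

sub vcl_recv {
    # A request without a Host header cannot be routed; refuse it instead of guessing.
    if (!req.http.Host) {
        return (synth(400, "Missing Host header"));
    }

    # Normalise Host before matching: drop any ":port" suffix and lower-case it,
    # so "Geo.blah.com:8080" and "geo.blah.com" select the same backend.
    set req.http.Host = std.tolower(regsub(req.http.Host, ":[0-9]+$", ""));

    if (req.http.Host == "firemapping.blah.com") {
        set req.backend_hint = firemapping;
    } elsif (req.http.Host == "geo.blah.com") {
        set req.backend_hint = geo;
    } elsif (req.http.Host == "firemodelling.blah.com") {
        set req.backend_hint = drupal_pool.backend();
    } else {
        # Unknown subdomain: do not fall through to a default backend.
        return (synth(404, "Unknown host"));
    }

    # Varnish 4+ appends the client address to X-Forwarded-For itself before vcl_recv,
    # so the backend applications can see who asked for the page.

    # Cache static assets only; everything dynamic (Drupal pages, sessions) is passed through.
    if (req.url ~ "\.(css|js|png|jpg|jpeg|gif|ico)(\?.*)?$") {
        unset req.http.Cookie;
        return (hash);
    }
    return (pass);
}

sub vcl_backend_response {
    # Keep static assets for an hour; strip cookies so they are shareable between clients.
    if (bereq.url ~ "\.(css|js|png|jpg|jpeg|gif|ico)(\?.*)?$") {
        unset beresp.http.Set-Cookie;
        set beresp.ttl = 1h;
    }
}
```

Run it with `varnishd -a :80 -f /etc/varnish/default.vcl` on the Cloudmin host, with the router forwarding port 80 to that host. Because X-Forwarded-For is just a header, the backend applications should only trust it on requests that arrive from the Varnish host's address: with bridged VMs on the LAN, the router keeps internet traffic off the VMs, but any machine on the internal network can still reach them directly and could supply a forged header.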