Commit 3cdf617e authored by JooHan Hong's avatar JooHan Hong

dns init

parent 495bbd7b
[![logo](https://www.hongsnet.net/images/logo.gif)](https://www.hongsnet.net)
# HA-Proxy를 이용한 Load Balancer 운용
> Front-End에서 운용되는 각종 서비스의 Load Balancer의 구성내역을 살펴본다.
# 서비스 구성
- 공통: Round-Robin 분산 알고리즘 사용 (Default Value)
- LDAP
- InfluxDB
- www.hongsnet.net
- newsystem.hongsnet.net
- edu.hongsnet.net
- monitor.hongsnet.net
- django-api.hongsnet.net
- working.hongsnet.net
## 구성 내역
- **haproxy.cfg 설정 내역**
```bash
# cat haproxy.cfg |grep -v '#'
global
daemon
# 연결할 수 있는 최대 connection 을 지정한다. 이걸 안하면 기본값이 2000 으로 설정된다.
maxconn 8192
# haproxy 프로세스를 구동할 user(gid/uid를 지정할 수도 있다.)
user root
# ssl 을 구성할 때 key size를 지정한다.
tune.ssl.default-dh-param 2048
# haproxy는 로그를 남기기 위해서 file io 를 직접 처리하지 않는다. rsyslog 로 UDP 전송을 한다.
log /dev/log local0
log /dev/log local1 notice
# ciphers 설정
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES128:ECDH+AES256:DH+AES128:DH+AES256:DH+CAMELLIA128:DH+CAMELLIA256:DH+SEEDCBC:RSA:!aNULL:!MD5:!eNULL:!RC4
#소켓을 활성화한다.
#stats socket /var/run/haproxy/info.sock mode 666 level user
#stats timeout 2m
cache web_cache
total-max-size 1024 # MB
max-object-size 10000 # bytes
max-age 180 # seconds
defaults
log global
# mode is inherited by sections that follow
#mode tcp
mode http
option http-server-close
option forwardfor
option accept-invalid-http-request
timeout http-request 10s
timeout client 20s
timeout connect 10s
timeout server 30s
timeout http-keep-alive 10s
listen stats
mode http
bind 0.0.0.0:9000 # Listen on localhost:9000
stats enable # Enable stats page
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth admin:패스워드
frontend ldap
# receives traffic from clients
bind :389
default_backend ldap_server
backend ldap_server
# relays the client messages to servers
server ldap1 172.16.0.247:389 check fall 2 rise 1
server ldap2 172.24.0.240:389 check fall 2 rise 1
frontend influxdb
bind :8086
default_backend influxdb_server
backend influxdb_server
# relays the client messages to servers
server influxdb-slave1 172.16.0.189:8086 check fall 2 rise 1
server influsdb-slave2 172.24.0.251:8086 check fall 2 rise 1
frontend monitor_dev
bind :80
bind *:443 ssl crt /etc/haproxy/certs/hongs.pem
# monitor-dev.hongsnet.net
acl is_monitor_dev_web hdr_end(host) -i monitor-dev.hongsnet.net
use_backend monitor_dev_web if is_monitor_dev_web
# django-api.hongsnet.net
acl is_django_api_web hdr_end(host) -i django-api.hongsnet.net
use_backend django_api_web if is_django_api_web
# working.hongsnet.net
acl is_django_working_web hdr_end(host) -i working.hongsnet.net
use_backend django_working_web if is_django_working_web
# www.hongsnet.net
acl is_www_hongsnet_net hdr_end(host) -i www.hongsnet.net
use_backend www_hongsnet_net if is_www_hongsnet_net
# hongsnet.net
acl is_www_hongsnet_net hdr_end(host) -i hongsnet.net
use_backend www_hongsnet_net if is_www_hongsnet_net
# edu.hongsnet.net
acl is_edu_hongsnet_net hdr_end(host) -i edu.hongsnet.net
use_backend edu_hongsnet_net if is_edu_hongsnet_net
# newsystem.hongsnet.net
acl is_newsystem_hongsnet_net hdr_end(host) -i newsystem.hongsnet.net
use_backend newsystem_hongsnet_net if is_newsystem_hongsnet_net
# edu.example.com
acl is_edu_example_com hdr_end(host) -i edu.example.com
use_backend edu_example_com if is_edu_example_com
#default_backend monitor_dev_web
backend monitor_dev_web
# relays the client messages to servers
option httpchk
http-check send meth GET uri /login
server tb3 172.16.0.253:32000 check fall 2 rise 1
server tb3-docker 172.16.0.251:32000 check fall 2 rise 1
backend django_api_web
# relays the client messages to servers
# 에러 파일 설정
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
option httpchk
http-check send meth GET uri /
server tb2 172.24.252:32090 check fall 2 rise 1
server tb3 172.24.253:32090 check fall 2 rise 1
server tb3-docker 172.24.0.251:32090 check fall 2 rise 1
backend django_working_web
# relays the client messages to servers
option httpchk
http-check send meth GET uri /
server tb2 172.24.0.252:32091 check fall 2 rise 1
server tb3 172.16.0.253:32091 check fall 2 rise 1
server tb3-docker 172.16.0.251:32091 check fall 2 rise 1
frontend monitor_nodejs
bind :8081
bind *:4438 ssl crt /etc/haproxy/certs/hongs.pem
default_backend monitor_nodejs_api
backend monitor_nodejs_api
# relays the client messages to servers
option httpchk
http-check send meth GET uri /version
server tb3 172.16.0.253:32001 check fall 2 rise 1
server tb3-docker 172.16.0.251:32001 check fall 2 rise 1
frontend monitor_nodejs_db
bind :8900
default_backend monitor_nodejs_db_server
backend monitor_nodejs_db_server
# relays the client messages to servers
option httpchk
http-check send meth GET uri /status
server tb3 172.16.0.253:32002 check fall 2 rise 1
server tb3-docker 172.16.0.251:32002 check fall 2 rise 1
backend www_hongsnet_net
# relays the client messages to servers
option httpchk
http-check send meth GET uri /
server tb2 172.24.0.252:30000 check fall 2 rise 1
server tb3 172.16.0.253:30000 check fall 2 rise 1
server tb3-docker 172.16.0.251:30000 check fall 2 rise 1
backend edu_hongsnet_net
# relays the client messages to servers
option httpchk
http-check send meth GET uri /
server tb2 172.24.0.252:30000 check fall 2 rise 1
server tb3 172.16.0.253:30000 check fall 2 rise 1
server tb3-docker 172.16.0.251:30000 check fall 2 rise 1
backend newsystem_hongsnet_net
# relays the client messages to servers
option httpchk
http-check send meth GET uri /
server tb2 172.24.0.252:30000 check fall 2 rise 1
server tb3 172.16.0.253:30000 check fall 2 rise 1
server tb3-docker 172.16.0.251:30000 check fall 2 rise 1
backend edu_example_com
# relays the client messages to servers
option httpchk
http-check send meth GET uri /
server tb2 172.24.0.252:30000 check fall 2 rise 1
server tb3 172.16.0.253:30000 check fall 2 rise 1
server tb3-docker 172.16.0.251:30000 check fall 2 rise 1
backend study_hongsnet_net
# relays the client messages to servers
option httpchk
http-check send meth GET uri /
server tb2 172.24.0.252:30000 check fall 2 rise 1
server tb3 172.16.0.253:30000 check fall 2 rise 1
server tb3-docker 172.16.0.251:30000 check fall 2 rise 1
```
## 주요설정 내역
- **Mode**
```bash
mode http
```
> http 프로토콜을 지원하도록 설정한다.
- X-Forwarded-For Add Header
```bash
option forwardfor
```
> request를 서버로 보낼 때 Backend에서는 HA-Proxy의 IP가 로그가 기록된다. 따라서 이 옵션을 추가하면 실제 클라이언트의 IP주소가 기록된다.
- **ACL 설정**
```bash
acl is_www_hongsnet_net hdr_end(host) -i www.hongsnet.net
use_backend www_hongsnet_net if is_www_hongsnet_net
```
> 요청되는 호스트의 URI에 www.hongsnet.net 이 검출되면, is_www_hongsnet_net으로 설정하고, 이 설정은 www_hongsnet_net의 **Backend**로 라우팅되도록 설정한다.
- **Back-end 설정**
```bash
server tb2.hongsnet.net 172.24.0.151:30000 fall 2 rise 1
server tb3.hongsnet.net 172.16.0.158:30000 fall 2 rise 1
server tb3-docker.hongsnet.net 172.16.0.251:30000 fall 2 rise 1
```
> 연결할 Back-end 서버들의 리스트다. 2번 health check가 실패하면 down으로 판단되고, 1번 성공하면 다시 Load Balancer 대상에 포함시킨다. 그리고 backup의 경우 서버점검 시 사용한다.
> **30000**번 포트는 `K8s의 NodePort 설정으로 외부에 노출되는 서비스 포트` 이다.
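Review bot: In backend django_api_web the lines `server tb2 172.24.252:32090 check fall 2 rise 1` and `server tb3 172.24.253:32090 check fall 2 rise 1` carry three-octet addresses, which are not valid IPv4 literals; every other backend in this file uses `172.24.0.252` and `172.16.0.253` for the same hosts, so these presumably should be `server tb2 172.24.0.252:32090 check fall 2 rise 1` and `server tb3 172.16.0.253:32090 check fall 2 rise 1`. The `global` section also runs the proxy as `user root`, while the second configuration in this commit already uses `user haproxy`; the lower-privilege account is the safer choice once the listeners on 80/389/443 are bound. The `listen stats` section binds `0.0.0.0:9000` with a static `stats auth admin:...` and no source restriction, so the statistics page is reachable from any interface behind a single password; binding to a management address or adding a source-based `http-request deny` would narrow that, and the same applies to the `listen stats` block of the second configuration. These points assume the file sections end at the repeated logo line, since the page shows no file headers.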
[![logo](https://www.hongsnet.net/images/logo.gif)](https://www.hongsnet.net)
# HA-Proxy를 이용한 Load Balancer 운용
> Front-End에서 운용되는 www.hongsnet.net 서비스의 Load Balancer의 구성내역을 살펴본다.
# 서비스 구성
- www.hongsnet.net Backend (Round-Robin 분산 알고리즘)
- edu.hongsnetnet Backend (Round-Robin 분산 알고리즘)
- SSL Redirection (Backend의 경우 80만 Listen)
## 구성 내역
- **haproxy.cfg 설정 내역**
```bash
# cat haproxy.cfg |grep -v '#'
global
daemon
maxconn 8192
user haproxy
tune.ssl.default-dh-param 2048
log 127.0.0.1 local0
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES128:ECDH+AES256:DH+AES128:DH+AES256:DH+CAMELLIA128:DH+CAMELLIA256:DH+SEEDCBC:RSA:!aNULL:!MD5:!eNULL:!RC4
stats socket /var/run/haproxy/info.sock mode 666 level user
cache web_cache
total-max-size 1024 # MB
max-object-size 10000 # bytes
max-age 180 # seconds
defaults
log global
mode http
option httplog clf
option dontlognull
option dontlog-normal
option forwardfor
option http-server-close
timeout http-request 10s
timeout client 20s
timeout connect 10s
timeout server 30s
timeout http-keep-alive 10s
option accept-invalid-http-request
listen stats
bind :9000 # Listen on localhost:9000
stats enable # Enable stats page
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth admin:패스워드
frontend hongs
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/hongs.pem
http-response set-header Cache-Control web_cache,\ max-age="600"
http-request deny if deny_useragent
compression algo gzip
compression type text/plain application/json application/xml
acl deny_useragent hdr_sub(user-agent) -i -f /etc/haproxy/deny_useragent.list
acl private-network src 127.0.0.0/8
acl private-network src 172.24.0.0/16
acl private-network src 192.168.200.0/24
monitor-uri /monitor
monitor fail if !private-network
capture request header Host len 128
capture request header User-Agent len 64
capture request header Referrer len 64
log-format "%ci\ [%trl]\ %HM\ \"%HU\"\ \"%HV\"\ %ST\ %B\ %hr\ %s\ %b\ %TR/%Tw/%Tc/%Tr/%Ta\ %ac/%fc/%bc/%sc/%rc"
acl is_www_hongsnet_net hdr_end(host) -i www.hongsnet.net
use_backend www_hongsnet_net if is_www_hongsnet_net
acl is_edu_hongsnet_net hdr_end(host) -i edu.hongsnet.net
use_backend edu_hongsnet_net if is_edu_hongsnet_net
acl is_newsystem_hongsnet_net hdr_end(host) -i newsystem.hongsnet.net
use_backend newsystem_hongsnet_net if is_newsystem_hongsnet_net
acl is_edu_example_com hdr_end(host) -i edu.example.com
use_backend edu_example_com if is_edu_example_com
acl is_study_hongsnet_net hdr_end(host) -i study.hongsnet.net
use_backend study_hongsnet_net if is_study_hongsnet_net
acl is_hongsnet_net hdr_end(host) -i hongsnet.net
use_backend hongsnet_net if is_hongsnet_net
backend www_hongsnet_net
# 에러 파일 설정
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
http-request cache-use web_cache
http-response cache-store web_cache
http-request set-src src
#Redirect if HTTPS is *not* used, 강제 https 리디렉션, 평시운영 시
redirect scheme https code 301 if !{ ssl_fc }
server tb2.hongsnet.net 172.24.0.151:30000 check fall 3 rise 2
server tb3.hongsnet.net 172.16.0.158:30000 check fall 3 rise 2
backend edu_hongsnet_net
# 에러 파일 설정
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
http-request cache-use web_cache
http-response cache-store web_cache
http-request set-src src
# Redirect if HTTPS is *not* used, 강제 https 리디렉션
redirect scheme https code 301 if !{ ssl_fc }
server tb2.hongsnet.net 172.24.0.151:30000 cookie tb2 check fall 3 rise 2
server tb3.hongsnet.net 172.16.0.158:30000 cookie tb3 check fall 3 rise 2
server tb3-docker.hongsnet.net 172.16.0.251:30000 cookie tb3-docker check fall 3 rise 2
backend edu_example_com
# 에러 파일 설정
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
http-request set-src src
# Redirect if HTTPS is *not* used, 강제 https 리디렉션
redirect scheme https code 301 if !{ ssl_fc }
server tb2.hongsnet.net 172.24.0.151:30000 cookie tb2 check fall 3 rise 2
server tb3.hongsnet.net 172.16.0.158:30000 cookie tb3 check fall 3 rise 2
server tb3-docker.hongsnet.net 172.16.0.251:30000 cookie tb3-docker check fall 3 rise 2
backend newsystem_hongsnet_net
# 에러 파일 설정
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
http-request set-src src
# Redirect if HTTPS is *not* used, 강제 https 리디렉션
redirect scheme https code 301 if !{ ssl_fc }
server tb2.hongsnet.net 172.24.0.151:30000 check fall 3 rise 2
server tb3.hongsnet.net 172.16.0.158:30000 check fall 3 rise 2
server tb3-docker.hongsnet.net 172.16.0.251:30000 check fall 3 rise 2
backend study_hongsnet_net
# 에러 파일 설정
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
http-request set-src src
# Redirect if HTTPS is *not* used, 강제 https 리디렉션
redirect scheme https code 301 if !{ ssl_fc }
server tb2.hongsnet.net 172.24.0.151:30000 cookie tb2 check fall 3 rise 2
server tb3.hongsnet.net 172.16.0.158:30000 cookie tb3 check fall 3 rise 2
server tb3-docker.hongsnet.net 172.16.0.251:30000 cookie tb3-docker check fall 3 rise 2
```
## 주요설정 내역
- **SSL Redirection**
```bash
redirect scheme https code 301 if !{ ssl_fc }
```
- X-Forwarded-For Add Header
```bash
option forwardfor
```
> request를 서버로 보낼 때 Backend에서는 HA-Proxy의 IP가 로그가 기록된다. 따라서 이 옵션을 추가하면 실제 클라이언트의 IP주소가 기록된다.
- **Session Reuse**
```bash
option http-server-close
```
> 기본적으로 HAProxy는 접속유지 관점에서 keep-alive 모드로 동작을 하는데, 각각의 커넥션은 request와 reponse를 처리하고나서, 새로운 request을 받기까지 connection idle 상태(유휴상태)로 양쪽이 연결되어 있다. "option http-server-close" 는 클라이언트 사이드에서 HTTP keep-alive를 유지하고 파이프라이닝을 지원하면서 서버 사이드에 커넥션을 닫는 형태를 설정한다. 이는 클라이언트 사이드에서 최저 수준의 응답지연을 제공하고, Server-Side에서 리소스를 재활용할 수 있게 되어 **backend 에서 빠르게 세션을 재사용할 수 있도록** 해준다.
- **Unicode Accept**
```bash
option accept-invalid-http-request
```
> 이 설정을 적용하지않으면, URI에 한글 등의 유니코드가 호출될 경우 400에러가 발생한다.
- **ACL 설정**
```bash
acl is_www_hongsnet_net hdr_end(host) -i www.hongsnet.net
use_backend www_hongsnet_net if is_www_hongsnet_net
```
> 요청되는 호스트의 URI에 www.hongsnet.net 이 검출되면, is_www_hongsnet_net으로 설정하고, 이 설정은 www_hongsnet_net의 **Backend**로 라우팅되도록 설정한다.
- **Back-end 설정**
```bash
server tb2.hongsnet.net 172.24.0.151:30000 check fall 3 rise 2
server tb3.hongsnet.net 172.16.0.158:30000 check fall 3 rise 2
server tb3-docker.hongsnet.net 172.16.0.251:30000 check fall 3 rise 2
```
> 연결할 Back-end 서버들의 리스트다. 3번 health check가 실패하면 down으로 판단되고, 2번 성공하면 다시 Load Balancer 대상에 포함시킨다. 그리고 backup의 경우 서버점검 시 사용한다.
> **30000**번 포트는 `K8s의 NodePort 설정으로 외부에 노출되는 서비스 포트` 이다.
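Review bot: In frontend hongs the rule `http-request deny if deny_useragent` appears three lines before `acl deny_useragent hdr_sub(user-agent) -i -f /etc/haproxy/deny_useragent.list`; HAProxy resolves named ACLs while parsing the rule, so this ordering is likely rejected at startup with an unknown-ACL error — moving the `acl` line above the `http-request deny` line avoids that, and it would be worth confirming with `haproxy -c -f haproxy.cfg`. The `stats socket /var/run/haproxy/info.sock mode 666 level user` line makes the runtime API socket world-writable; `level user` limits what it accepts, but `mode 660` with a dedicated group is the usual hardening. The `cookie tb2`/`cookie tb3` keywords on the edu, example and study backends have no matching `cookie` directive in those backends, so no persistence cookie is actually inserted there; if sticky sessions are intended, add a `cookie SERVERID insert indirect nocache` line, otherwise drop the per-server keywords. `http-request set-src src` in each backend rewrites the source address to itself and can be removed.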
[![logo](https://www.hongsnet.net/images/logo.gif)](https://www.hongsnet.net)
# CI/CD 툴을 활용한 DNS Zone Files 관리자동화 구성
> CI/CD 툴을 사용해 DNS Zone 파일적용 및 관리 (GitLab 오픈소스 버전관리 솔루션을 활용하여, 적용/롤백/백업을 진행)
## DNS Server(Bind 9) 구성
이 문서에서는 설치 과정을 다루지않고, 결과적인 설정만 명시
```bash
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 61.100.0.135; };
#listen-on-v6 port 53 { ::1; };
version "not";
tcp-clients 3000;
recursive-clients 300000;
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
notify yes;
also-notify { 61.100.0.152; 61.100.0.158; };
allow-transfer { 61.100.0.152; 61.100.0.158; };
allow-recursion { localhost; 127.0.0.1; 61.100.0.128/25; 192.168.1.0/24; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel "misc" {
file "/var/log/named/misc.log" versions 10 size 10m;
print-time YES;
print-severity YES;
print-category YES;
};
channel "query" {
file "/var/log/named/query.log" versions 10 size 10m;
print-time YES;
print-severity NO;
print-category NO;
};
category "default" { "misc"; };
category "queries" { "query"; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/named/zones/hjh.conf";
```
> CI/CD 요소는 /var/named/zones/hjh.conf
## /var/named/zones/hjh.conf 내역
```bash
# cat /var/named/zones/hjh.conf
zone "freehongs.net" IN {type master; file "/var/named/zones/freehongs.net"; };
zone "hongsnet.net" IN {type master; file "/var/named/zones/hongsnet.net"; };
```
## .gitlab-ci.yml 내역
```bash
# cat .gitlab-ci.yml
stages:
- deploy
- backup
variables:
GIT_STRATEGY: clone
GIT_SSL_NO_VERIFY: "1"
TARGET_BIND_DIR: /var/named/zones/
TARGET_TB2_DIR: /GIT/hongsnet/UPLOAD
TARGET_TB3_DIR: /GIT/hongsnet/UPLOAD
dns_hongsnet:
stage: deploy
only:
- master
script:
- rsync -ar --exclude=.git --exclude=README.md --delete ${CI_PROJECT_DIR}/ ${TARGET_BIND_DIR}
- chown -R named.named /var/named/zones
- rndc reload
tags:
- dns135
tb2:
stage: backup
only:
- master
before_script:
- (if [[ ! -d ${TARGET_TB2_DIR} ]]; then mkdir -p ${TARGET_TB2_DIR}; fi);
script:
- rsync -ar --delete ${CI_PROJECT_DIR}/* ${TARGET_TB2_DIR}/
tags:
- tb2
tb3:
stage: backup
only:
- master
before_script:
- (if [[ ! -d ${TARGET_TB3_DIR} ]]; then mkdir -p ${TARGET_TB3_DIR}; fi);
script:
- rsync -ar --delete ${CI_PROJECT_DIR}/* ${TARGET_TB3_DIR}/
tags:
- tb3
```
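Review bot: `GIT_SSL_NO_VERIFY: "1"` in the `.gitlab-ci.yml` variables disables certificate verification for every clone of the zone repository, so a runner would accept any certificate presented for the GitLab host before writing the result into `/var/named/zones/`; if the instance uses an internal CA, install that CA on the runners (or point `GIT_SSL_CAINFO` at it) and remove the variable. The `dns_hongsnet` job runs `rndc reload` straight after the rsync without validating the new files, so a syntax error in a pushed zone would take the authoritative zones offline; adding `- named-checkconf` and a `named-checkzone` per zone (presumably `hongsnet.net` and `freehongs.net` at the repository root, given the rsync target) before the reload makes a bad push fail the job instead of the service. The same `rsync ... --delete ${CI_PROJECT_DIR}/ ${TARGET_BIND_DIR}` also removes anything in `/var/named/zones/` that is not in the repository, which includes `hjh.conf` unless that file is tracked there too — worth confirming. The named.conf above combines authoritative zones with `recursion yes`, which its own comment advises against; the `allow-recursion` list mitigates this, but a separate resolver would remove the exposure entirely.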