My brother wrote a follow-up – HAProxy abuse filtering and rate limiting – to his previous post – Nginx rate limit by user agent (control bots). This is just a tip of the iceberg that we are working with at the office, but it’s pretty cool.
Hopefully, soon enough our Ansible playbooks will be up to date and shareable…
“HAProxy SNI” is pure gold! If you want to have a load balancer for HTTPS traffic, without managing SSL certificates on the said load balancer, there is a way to do so.
The approach is utilizing the Server Name Indication (SNI) extension to the TLS protocol. I knew about it and I was already using it on the web server side, but it didn’t occur to me that it’ll be utilized on the load balancer. Here’s the configuration bit:
frontend https *:443
description Incoming traffic to port 443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend backend-ssl-foobar if { req_ssl_sni -i foobar.com }
use_backend backend-ssl-example if { req_ssl_sni -i example.com }
default_backend backend-ssl-default
The above will make HAProxy listen on port 443, and then send all traffic for foobar.com to one backend, all traffic for example.com to another backend, and the rest to the third, default backend.
In “Why Configuration Management and Provisioning are Different” Carlos Nuñez advocates for the use of specialized infrastructure provisioning tools, like Terraform, Heat, and CloudFormation, instead of relying on the configuration management tools, like Ansible or Puppet.
I agree with his argument for the rollbacks, but not so much for the maintaining state and complexity. However I’m not yet comfortable to word my disagreement – my head is all over the place with clouds, and I’m still weak on the terminology.
The article is nice regardless, and made me look at the provisioning tools once again.
Is it on AWS? is a simple website that tells you if the server is hosted on the Amazon Web Services infrastructure.
This blog post also shows how the website was built with AWS and how it works.
“How to monitor your Linux servers with nmon” article provides some details on how to use the comprehensive server monitoring tool “nmon” (Nigel’s Monitor) to keep an eye on your server or two. If you have more than a handful of servers, you’d probably opt out for a full blown monitoring solution, like Zabbix, but even with that, nmon can be useful for quick troubleshooting, screenshots, and data collection.
I’ve heard of nmon before and even used it occasionally. What I didn’t know was that it can collect system metrics into a file, which can then later be analyzed and graphed with the nmonchart tool.
That’s pretty handy. The extra bonus is that these tools are available in most Linux distributions, so there is no need to download/compile/configure things.