"backup" server in traefik backend - backup

I'm trying to find functionality known as "backup" in the nginx or haproxy world. The server will be used only if all active backend servers no longer respond (healthcheck failed). I don't see it in the docs, but maybe I'm overlooking something?
If there is an option to switch to a different backend on an error condition, that would help too.
I'd like to understand how weight = 0 will be implemented in traefik 1.6: whether the server is completely ignored even if the remaining servers are no longer available.

Related

Mixed Mode for HTTP/2 on Windows 2016 IIS

Background
I have a scenario where I run two websites, Website A is hosted on Server 2016 running IIS 10 and Website B is hosted on CentOS 6 running Apache 2.2. Both websites are served using HTTPS and work just fine on the local network. Publicly, I use SNI and URL Rewrite Rules on the IIS server to gain access to the Apache 2.2 server.
Most user agents can access Website B without issue, however, iOS will report back the error "failed to load resource the operation couldn’t be completed. protocol error" and present a blank screen. I have determined the cause to be related to IIS serving back an HTTP/2 response even though Apache 2.2 can't support those requests.
Question
Is there any way to disable HTTP/2 responses on just a specific site on IIS 10? I found many instructions to disable it entirely, but the performance improvements are too great to ignore on Website A.
I'm not aware of how to do this. HTTP/2 allows connection coalescing so will attempt to reuse HTTP/2 connections for as many sites as it can.
However your setup should work fine. I'd suggest the problem is probably a bad HTTP header in your Apache 2.2 setup. HTTP/2 is more strict about these, whereas HTTP/1 would try its best to carry on despite there being bad headers, so a bad multi-line header which wasn't closed properly, or a header with spaces in the name or double colons, can cause issues. Weird that it's just iOS though. You don't see this on Chrome? Chrome has a nice way of debugging these, but that might be more difficult if just on iOS. Unless you are sending a specific bad header back to iOS only clients?
Oh and btw upgrade Apache 2.2. It's been end of life for over a year now and is no longer being patched! Do yourself a favour and upgrade to 2.4. If on Windows then it should be fairly easy to install, though some of the config options have been changed. You could always assign a separate IP address to this and host it directly rather than through IIS if you can find no other way around the issue, though for that you certainly shouldn't be using old, unsupported software.

Multiple stun/turn servers on Kurento/elasticRTC

Is it possible (or any hack) to configure multiple stun/turn servers on the WebRtcEndpoint.conf.ini or through our signaling servers? So that if one stun fails it falls back to another? If the feature is not available what would be the closest solution?
I am not sure if I am looking into the right location - I've seen that WebRtcEndpoint has methods for getStunServerPort()/getStunServerAddress(). So a possible client side configuration?
Reason - We've been using kurento media server (6.0) and elasticRTC 6.5 (for future development) on an AWS VPC. It was working fine by using one of the publicly available STUN servers. Suddenly it stopped working and we figured out the STUN server was not working anymore. So we switched to Google STUN and it started working normally.
I would suggest, instead of using a globally configured IP in WebRtcEndpoint.conf.ini, to use the methods that you mention in the WebRtcEndpoint. That way, you can use a CNAME and resolve the IP every now and then. You might have a separate scheduled task that checks the STUN server to see if it's still available, and then refresh it when it is no longer valid.
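The availability check suggested in this answer, as an added example that is not part of the original post: a STUN server is "up" when it returns a valid Binding Success Response (RFC 5389) to a Binding Request. The function names and the `probe` transport hook are hypothetical; the hook would send the request over UDP and resolve to the reply or to null on timeout.

```javascript
const crypto = require("crypto");

const MAGIC_COOKIE = 0x2112a442; // fixed value from RFC 5389
const BINDING_REQUEST = 0x0001;
const BINDING_SUCCESS = 0x0101;
const XOR_MAPPED_ADDRESS = 0x0020;

// 20-byte header, no attributes: type, length 0, cookie, 96-bit transaction ID.
function buildBindingRequest(txId = crypto.randomBytes(12)) {
  const msg = Buffer.alloc(20);
  msg.writeUInt16BE(BINDING_REQUEST, 0);
  msg.writeUInt32BE(MAGIC_COOKIE, 4);
  txId.copy(msg, 8);
  return msg;
}

// Returns { address, port } for a valid IPv4 success reply to `request`, else null.
function parseBindingResponse(resp, request) {
  if (resp.length < 20 || resp.readUInt16BE(0) !== BINDING_SUCCESS) return null;
  if (resp.readUInt32BE(4) !== MAGIC_COOKIE) return null;
  if (!resp.subarray(8, 20).equals(request.subarray(8, 20))) return null; // other transaction
  const end = 20 + resp.readUInt16BE(2);
  if (end > resp.length) return null; // truncated datagram
  let off = 20;
  while (off + 4 <= end) {
    const type = resp.readUInt16BE(off);
    const len = resp.readUInt16BE(off + 2);
    if (off + 4 + len > end) return null; // attribute overruns the message
    if (type === XOR_MAPPED_ADDRESS && len >= 8 && resp[off + 5] === 0x01) {
      const port = resp.readUInt16BE(off + 6) ^ (MAGIC_COOKIE >>> 16);
      const addr = (resp.readUInt32BE(off + 8) ^ MAGIC_COOKIE) >>> 0;
      const address = [24, 16, 8, 0].map((s) => (addr >>> s) & 0xff).join(".");
      return { address, port };
    }
    off += 4 + len + ((4 - (len % 4)) % 4); // attributes are padded to 4 bytes
  }
  return null;
}

// Walk the candidate list in order and return the first server that answers
// with a valid reply, or null if none does.
async function pickStunServer(servers, probe) {
  for (const server of servers) {
    const request = buildBindingRequest();
    const reply = await probe(server, request);
    if (reply && parseBindingResponse(reply, request)) return server;
  }
  return null;
}
```

A scheduled task can call `pickStunServer` with the candidate list and hand the result to the endpoint whenever it differs from the server currently in use.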

Nginx serving application and ExpressJS just as backend

I think it's pretty common to use nginx to proxy connections to ExpressJS, so all is done through ExpressJS.
I was thinking, why not use nginx to serve the application, since it's simpler to set up things like rewrites, and leave ExpressJS as backend only and then have the application communicate with ExpressJS directly on port 3000.
Is it a bad idea? If not, how often do people do this?
It's very common. But having your front end code directly talk to the node server adds complexity.
You have to handle CORS issues on the node server, including preventing cross site form submissions. See "Properly Understanding CORS with Same Host / Different Port & Security".
SSL is also going to be a bit more complicated. You'll need a wild card certificate.
However, there are some big advantages to using something like nginx to host your assets. In addition to the ones you enumerated, it sets you up to go serverless. You can host your app out of an S3 bucket or through another content delivery network.
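The origin checks this answer refers to, as an added example that is not part of the original post: an allowlist decision for an API on port 3000 that is called from pages served by nginx on another origin. The origin `https://app.example.test` is a constructed placeholder, `corsDecision` is a hypothetical helper, and refusing state-changing requests that carry no Origin header is a policy choice of this example.

```javascript
// Added example. The origin below is a constructed placeholder for the
// site nginx serves; the API itself listens on port 3000.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Hypothetical helper: `req` has the shape of Node's IncomingMessage
// ({ method, headers } with lower-cased header names).
function corsDecision(req) {
  const origin = req.headers.origin;
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const headers = { Vary: "Origin" }; // responses differ per Origin

  if (allowed) {
    // Echo the exact origin: "*" is not accepted with credentials.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }

  const preflight =
    req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  if (preflight) {
    if (!allowed) return { status: 403, headers, proceed: false };
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers, proceed: false };
  }

  // A cross-site HTML form POST is sent without a preflight, so CORS
  // response headers do not stop it from reaching the handler. Refuse
  // state-changing methods unless Origin is on the list (this example
  // also refuses them when Origin is absent, a policy choice).
  if (STATE_CHANGING.has(req.method) && !allowed) {
    return { status: 403, headers, proceed: false };
  }
  return { status: 200, headers, proceed: true };
}

// Wiring into an Express app (assumed to exist as `app`):
// app.use((req, res, next) => {
//   const d = corsDecision(req);
//   res.set(d.headers);
//   d.proceed ? next() : res.sendStatus(d.status);
// });
```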

What would happen if I made a HTTP request to a server without Apache installed?

Doesn't have to be Apache, but that's just the only HTTP server I know of (Actually could you guys recommend alternatives that I could look into as well?)
Anyways, so I have been messing around with Amazon Web Services and I created an EC2 server instance with an Amazon Linux Image. On that, (Following guides and examples) I installed Apache and now when I make a GET request to my public IP, it returns to me the HTML files I created on my server.
My question is, what if I never installed Apache, and then made an HTTP request to my public IP? For no reason really, the question just came up in my head and I'm curious. I'd rather not figure out how to uninstall Apache or create a new instance to figure it out, so I was wondering if somebody could weigh in as well as tell me a little more about what it is exactly apache does on a server. My understanding is that it is a layer you can install on your server OS that will create a socket listener to port 80 (HTTP), and when a request is made on that port, Apache will return web pages? Also I think I read somewhere you could configure Apache to forward a port to something like a python server script?
Thanks in advance for your time!
> could you guys recommend alternatives that I could look into as well?)
nginx is a popular alternative to apache. It's much more efficient.
> what if I never installed Apache, and then made an HTTP request to my public IP?
Your browser would get a "connection reset" because there is nothing on port 80. Your browser would display a message (Chrome says "This webpage is not available"). You would NOT get a "404" because that requires an HTTP server to send HTTP codes.
If your server was firewalled instead, you'd get a busy wait for a while, then a message about the server not responding.
> Also I think I read somewhere you could configure Apache to forward a port to something like a python server script?
Yes, that is called "reverse proxy" mode. It's essential to any application website if you want to scale. The web server(s) can distribute traffic to one or more backends running the application. The web server is useful for filtering bad requests (since your backend in Ruby/Python will be 1000's of times slower than the reverse proxy.)
Well, if you want to test what will happen if Apache isn't installed, you can always just stop the Apache service by typing:
sudo service apache2 stop
or
sudo service httpd stop
depending on your version. Then if you visit your site's webpage you'll get a 404 error or something similar.
There are ways to use python scripts to run simple servers, but in general it's easier to just let Apache handle that and use a framework like Ruby on Rails or Django to control the display and creation of content for your server.

Weblogic Apache plugin and session stickiness

If two web servers are configured in between a load balancer and a weblogic cluster, will the two Apache servers maintain session stickiness?
Say for example, the load balancer forwards the first request to the 1st apache and in turn 1st apache forwards to 1st WL managed instance. Even if the second req from the same user is forwarded by the load balancer to the second apache, will the second apache be able to forward it to the 1st WLManaged instance which served the first request rather than the second WLManaged instance which is not aware of the session information at all.
What should ideally be the behaviour of the weblogic apache plugin? The catch is I don't want to enable session replication on the wl server cluster.
According to the section "Failover, Cookies, and HTTP Sessions" of the Apache HTTP Server Plug-In:
> When a request contains session information stored in a cookie or in the POST data, or encoded in a URL, the session ID contains a reference to the specific server instance in which the session was originally established (called the primary server) and a reference to an additional server where the original session is replicated (called the secondary server). A request containing a cookie attempts to connect to the primary server. If that attempt fails, the request is routed to the secondary server. If both the primary and secondary servers fail, the session is lost and the plug-in attempts to make a fresh connection to another server in the dynamic cluster list. See Figure 3-1 Connection Failover.
> Note: If the POST data is larger than 64K, the plug-in will not parse the POST data to obtain the session ID. Therefore, if you store the session ID in the POST data, the plug-in cannot route the request to the correct primary or secondary server, resulting in possible loss of session data.
Figure 3-1 Connection Failover
In other words, yes, both Apache servers will be able to forward an incoming request to the "right" WebLogic instance as the session ID contains all the required information for that. Note that there is no real need to confirm this with testing but it would be very easy though.
UPDATE: Answering the following comment from the OP
> I think this document stands good for only one apache server. In my case I have two and the load balancer forwards the requests to both the servers in a 50:50 manner. I did test this and the weblogic plugin is not maintaining the stickiness.
I understood you are using two Apache frontends and I'm not sure this document applies to configuration with one apache server only. As explained, the session ID contains a reference of the primary server (and the secondary server as well) so both apache should be able to deal with it. At least, this is my understanding. Actually, I've worked with a similar configuration in the past but can't remember if things were working as I think they should or if the load balancer was configured to handle stickiness too (i.e. forward to a given Apache server). I have a little doubt now...
Could you post your plugin configuration (of both apache servers if they differ)? Could you also confirm that things are working as expected when only one apache server is up (and test this with both apache servers if their configurations differ, which shouldn't be the case though)?
When you have 2 Apache instances with a TCP load balancer in front, the stateflow diagram is not applicable anymore, because the Apache instances do not share their states.
I guess that the WebLogic plug-in maintains a state with a directional mapping [IPAddress+Port -> JVMID]. If it receives a cookie with a JVMID it does not know yet (for instance, it has never sent a request to this server yet), it has no way to know which IPAdress+Port it refers to, so it will not be able to reuse these JVMID and it will reassign new primary/secondary ones, which will be identical for 2 instances (maybe swapped), and which might be different if there are strictly more than 2 instances.
I did not confirm it by running specific tests, but on paper it seems not to work in all cases.
The answer is yes. We've got a write up of this on our blog http://blog.c2b2.co.uk/2012/10/basic-clustering-with-weblogic-12c-and.html which provides step by step instructions on setting up web session failover in a cluster.
Essentially the jsessionid cookie encodes the primary and secondary weblogic servers. Mod-wl parses the cookie and routes the request to the primary server. In your case Managed Server 1. If it is down it will automatically route the request to the backup server Managed Server 2.
The diagram above holds true for 2 Apache servers connected to the same WL cluster. The cookie session info contains details on what WLS to connect to and the plugin will respect that. If the primary (the server it originally connected to) WL server isn't available, then the request would be sent to the secondary server (designated such at the time of the first request based on the rules defined in selecting a "Preferred Replication Group"). This secondary server maintains the same session state as the primary WLS server and should be able to handle the request.
If session replication isn't setup (I think this is OFF by default), then there would be no session copied to another server and if the original/primary WL server goes down, you lose the session.
The answer is NO. As you have 2 Apache webservers, you need to implement stickiness at both hardware and software loadbalancer level in order to achieve your requirement.
This means you already have sticky session implemented at the Weblogic plug-in for Apache level, but you also need Source IP based stickiness at the hardware loadbalancer level. This will allow your hardware loadbalancer to send the subsequent requests from the same user to the same Apache web server.