Is a server farm abstracted on both sides? - web-farm

I am trying to understand how a solution will behave if deployed in a server farm. We have a Java web application which will talk to an FTP server for file uploads and downloads.
It is also desirable to protect the FTP server with a firewall, such that it will allow incoming traffic only from the web server.
At the moment, since we do not have a server farm, all requests to the FTP server come from the same IP (the web server IP), making it possible to add a simple rule in the firewall. However, if the application is moved to a server farm, then I do not know which machine in the farm will make a request to the FTP server.
Just like the farm is hidden behind a facade for its clients, is it hidden behind a facade for the services it might invoke, so that regardless of which machine from the farm makes the request to the FTP server, it always sees the same IP?
Are all server farms implemented the same way, or would this behavior depend on the type of server farm? I am thinking of using Amazon Elastic Cloud.

It depends very much on how your web cluster is configured. If your cluster is behind a NAT firewall, then yes, all outgoing connections will appear to come from the same address. Otherwise, the IP addresses will be different, but they'll almost certainly all be in a fairly small range of addresses, and you should be able to add that range to the firewall's exclude list, or even just list the IP address of each machine individually.

Usually you can enter CNAMEs or subnets when setting up firewall rules, which would simplify their maintenance. You can also send all traffic through a load balancer or proxy. That's essentially how any cloud/cluster/farm service works.
many client ips <-> load balancer <-> many servers
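Added example, not part of either answer above: a small shell helper that emits the nftables ruleset the FTP server would run for the two cases the answers describe, a single NAT address for the whole farm, or the farm's subnet(s). The interface names, the admin host 10.0.0.5 and the passive port range 50000-50100 are assumed values; the range must match whatever the FTP daemon is configured to announce, because passive FTP opens a second TCP connection that a rule for port 21 alone never covers.

```shell
#!/bin/sh
# Added example, not from the original answers: an nftables ruleset for the
# FTP server that accepts the control channel only from the web tier.
# Assumed values: admin host 10.0.0.5 for SSH, and a passive data-port range
# 50000-50100 that must match the FTP daemon's own pasv setting.

# ftp_server_ruleset "<comma-separated sources>" ADMIN_IP
#   sources: the NAT gateway's one address, or the farm's subnet(s)
ftp_server_ruleset() {
    sources="$1"; admin="$2"
    cat <<EOF
table inet ftp_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        # keeps accepted flows alive; with the nf_conntrack_ftp helper loaded
        # this line also admits the data channel as "related"
        ct state established,related accept
        ip saddr ${admin} tcp dport 22 accept
        # FTP control channel (port 21) only from the web tier
        ip saddr { ${sources} } tcp dport 21 accept
        # passive-mode data channel: the client opens a second TCP connection
        # to a high port the server announced, so that range needs the same
        # source restriction (drop this rule if you rely on the helper instead)
        ip saddr { ${sources} } tcp dport 50000-50100 accept
    }
}
EOF
}

# Case 1: the farm sits behind a NAT gateway; every request shares one source.
ftp_server_ruleset "203.0.113.10" 10.0.0.5
# Case 2: no NAT; list the farm's address ranges instead (constructed values).
ftp_server_ruleset "10.0.1.0/24, 10.0.2.0/24" 10.0.0.5
```

Redirect the output to a file, check it with `nft -c -f ftp.nft` and load it with `nft -f ftp.nft`. On EC2 the instances do not share a source address unless you put them behind a NAT gateway; the equivalent of the subnet rule there is a security group on the FTP server whose inbound rule names the web tier's security group as the source. Whichever variant you use, plain FTP still carries the credentials in cleartext between the two tiers, so SFTP is the usual replacement when the file transfer is redesigned.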

Related

DigitalOcean Droplet Inbound / Outbound (What is what?)

I am still new to DigitalOcean and Ubuntu servers, so I hope one of you can explain to me the difference between inbound and outbound traffic. I tried reading through DigitalOcean's information, but it still doesn't say exactly what I can count as inbound and outbound.
As far as I can see, it is only the outbound traffic that is being billed. So my question is, what is counted as outbound traffic?
Is it outbound traffic when I log into my server and run "npm install" while creating docker containers, or is that inbound?
Is it outbound or inbound when I run "git clone"?
I hope one of you can give me an explanation of what is categorised as inbound and outbound.
First off, you're highly unlikely to hit your bandwidth limit on DigitalOcean even if you are on the lowest of the low end droplet with no other bandwidth-boosting services.
That said, there are four types of traffic on DigitalOcean when it comes to droplets: outbound local, inbound local, outbound remote, and inbound remote. Any transaction will do some of both, but likely will be skewed in the direction of one or the other.
Case in point: I have a droplet that runs a Neo4j database server, and another droplet that queries that server with Neo4j (graph database) drivers. When my client server makes a request to the database, it sends a database query through the driver, which is a small outbound remote from the client POV (the servers are in separate projects, so it's not "internal traffic" like if they were using internal IPs in the same project) and a small inbound remote for the database server. The actual substantive data transfer is the query response, which in the case of my workloads tends to be a few hundred MB at minimum, which shows up as remote outbound for the database server and remote inbound for the client.
To sum up: any transfer outside of DigitalOcean resources in the same virtual network counts as outgoing when you send data (e.g. via curl or wget) and as a likely much larger inbound when you receive it. Vice versa if you're responding to requests with a lot of data.

can the different hosts (not ip) forwarding to the same port externally?

I'm just wondering, can 2 or more different external hostnames/DNS names redirect to multiple local servers on the same port?
Let's see, I have 2 internet DNS domains, for example myserver1.com and myserver2.com, and both have the same A record pointing to my forwarded server IP (e.g. 102.123.123.123). My server, which only has the 102.123.123.123 IP address, has 2 application servers, but instead of trying to make them work, I use a different port for each application server, for example serverApp1 listening on 0.0.0.0:2010 and serverApp2 listening on 0.0.0.0:2020.
My point is, is there any way to forward myserver1.com:2000 to serverApp1 (port 2010), and myserver2.com:2000 to serverApp2 (port 2020), when both myserver1.com and myserver2.com have the same A record?
I'm quite sure it is either an iptables, /etc/hosts or BIND issue, but guide me if I missed something. And by the way, the servers and DNS records are accessible from the internet, i.e. the firewalls are configured properly. Thanks.
I don't have much experience in that, but I think you will need a third server/firewall/proxy listening for the incoming host and routing it accordingly.
Again, I don't have much experience in that, so I'm not sure if the firewall is able to do that.
I think you can use a redirection server like Apache.
In my application we want to access a lot of intranet servers from the internet. So what we did was configure an Apache with all the mappings in httpd.
So whenever a request comes to Apache, it will be redirected appropriately.
For example, I have two servers or hostnames in the intranet:
1) abc.com:7300/context1
2) xyz.com:8900/context2
We configured an Apache with the host name abcxyz.com:9000. When a request like abcxyz.com:9000/context1 comes, it will be redirected to abc.com:7300/context1, and when a request like abcxyz.com:9000/context2 comes, it will be redirected to xyz.com:8900/context2.
In your case, since the requests are going through a single server (102.123.123.123), you can use redirection.
Hope it helps.
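Added example, not part of the answer above: since both names resolve to the same address and the same port, the only thing that distinguishes the two requests is the HTTP Host header, which is exactly what Apache's name-based virtual hosts switch on. The helper below writes a site file for the names and ports from the question and uses a reverse proxy (ProxyPass) rather than an HTTP redirect, so the browser never sees ports 2010 and 2020. It assumes mod_proxy and mod_proxy_http are enabled (`a2enmod proxy proxy_http` on Debian/Ubuntu); the catch-all vhost is a deliberate extra, because Apache hands any request whose Host matches nothing to the first vhost listed for that port.

```shell
#!/bin/sh
# Added example, not from the original answers: generate Apache name-based
# virtual hosts that share one listening port and reverse-proxy to a backend
# chosen by the Host header. Assumes mod_proxy and mod_proxy_http are enabled
# and the example names/ports from the question.

# vhost_proxy NAME LISTEN_PORT BACKEND_PORT
vhost_proxy() {
    name="$1"; listen="$2"; backend="$3"
    cat <<EOF
<VirtualHost *:${listen}>
    ServerName ${name}
    # keep the original Host header so the backend sees ${name}, not 127.0.0.1
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:${backend}/"
    ProxyPassReverse "/" "http://127.0.0.1:${backend}/"
</VirtualHost>
EOF
}

# default_vhost LISTEN_PORT: Apache serves the FIRST vhost for a port to any
# request whose Host header matches none of them, so put an explicit deny-all
# first instead of letting a request for the bare IP land on serverApp1.
default_vhost() {
    cat <<EOF
<VirtualHost *:${1}>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>
EOF
}

# site_config LISTEN_PORT: the complete file for sites-available/
site_config() {
    port="$1"
    echo "Listen ${port}"
    default_vhost "$port"
    vhost_proxy myserver1.com "$port" 2010
    vhost_proxy myserver2.com "$port" 2020
}

site_config 2000
```

Save the output as a site file, enable it and reload Apache. Two follow-ups close the obvious gaps: bind serverApp1 and serverApp2 to 127.0.0.1 instead of 0.0.0.0 so that only the proxy can reach them, and, if the sites are served over TLS later, the same Host-based split still works because the client sends the name in the SNI extension and Apache picks the certificate per vhost.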

How to set up http server on iPhone behind firewall

I want to develop an iPhone app with a simple IM feature. I am thinking about setting up an HTTP server on an iPhone. If the iPhone is using wifi and is behind a firewall, how can I make sure that other iPhone clients can connect to it?
It's not the firewall that will disturb the connection as much as it is the NAT.
When you are connected through a wireless router to the internet, you are surfing via NAT. It means you don't really have an external IP, but once you initiate a connection the router will map your internal IP to one of its external ports, and for a certain time window it will pass connections to you if it gets them on the right port.
That being said, there is no actual way of setting up a server behind a NAT unless you can configure port forwarding in the router and an internal static IP.
Hope I was clear enough, good luck.
I do not really think that you need to get an HTTP server up and running on the iPhone to make an application that can send and receive messages (IM). The idea of making one iPhone user connect directly to another does not seem right to me, since the users would need to know each other's IP addresses to do that.
Interconnectivity between different users of the chat can be solved by making your application communicate via a dedicated TCP port. It is generally advisable to choose a port number higher than 1024, since those below are generally found on the list of so-called well-known ports and are used for the Web (port 80), FTP (port 21), SSH (22), DNS (53), etc. It will be the responsibility of the user to make sure the port used by your application is open on the firewall. To solve this problem you can actually use port 80 for communication if you find that the port you have selected is blocked. You can do this because you know that this port will not be blocked in most cases. Indeed, Yahoo Messenger is reported to use this technique when the firewall blocks the port it uses for communication.
The port should be used by your application to connect to the web server that will actually store user credentials, perform authentication, message transmission, etc., and the server should reside on capable hardware to be able to support a large number of simultaneous connections. I can suggest using either a VPS (like the one provided by Linode) or a cloud (like Amazon EC2, Google Application Engine, Rackspace).

Can I run/access localhost server thru ip and subnet?

Is it possible for me to run a webserver on my computer (shared ip) and access it remotely using my ip + subnet or at least some way that doesn't involve having the IT guys make changes to the machine(s) currently running our virtual servers and/or routing our subnet?
Rationale:
I'm on a computer at work, and I'm making changes to a plugin for Google Website Optimizer. I want GWO to be able to access localhost (i.e. my development environment) so that I don't have to deploy every change to the production server while I'm feeling out the system. (lots of changes; tedious deployment takes up most of the time)
I can't just supply my IP to GWO because that points to our production server (all of our computers at work are on the same IP). If I could construct a URI that points just to my computer, then I suppose I could let GWO view a page on my development environment and interact therewith.
Not only would achieving this purpose be helpful in present circumstances, but it would aid me immensely in that I could let my boss look at what I've got in dev, from his own machine, at his leisure, without deploying changes to production.
I'm not familiar with the Google Website Optimizer, or how/where a plugin for it that you might write would be executed. So I'm going to summarize what I understand about your problem (including some guesses) and go from there, please correct me if I'm wrong.
Your company has one public IP address.
Your workstation and all the hosts on your network are source NAT'ed to the internet.
Port 80 (http) on your public IP address is destination NAT'ed to your production webserver which is hosted as a virtual machine.
You have a development webserver that is hosted on your workstation.
You have reservations about involving your "IT guys" in making routing or system admin changes.
You want your development environment to be accessible from the internet.
First up (assuming everything above is correct):
access it remotely using my ip + subnet - No. Not possible.
Second up:
I could let my boss look at what I've got in dev - Easy, get him to point his browser at your workstation's IP address on your internal network.
Possible solutions for remotely accessible:
Talk to your "IT guys" about getting your dev environment made externally accessible.
Use name-based virtual hosts on your production webserver. Requires setting up a DNS record for the dev site (e.g. dev.your-company) and pointing it to your company's IP address. If SSL is in use this is harder to achieve. You could then:
Proxy requests for a different site name to your workstation (readily achievable with Apache), or
Host your development environment on your production server
Proxy a particular URL path to your workstation. (e.g. /dev/)
Get an unused port (e.g. 8080) on your public IP destination NAT'ed to port 80 on your workstation. Your dev environment URL might then be http://www.your-company:8080/
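Added example, not part of the answer above: what the last option looks like as nftables rules on the office gateway, a destination NAT of the public address's port 8080 to port 80 on the workstation, optionally limited to one remote source. All addresses are constructed (203.0.113.5 as the public address, 192.168.10.42 as the workstation, eth0 as the WAN interface); the gateway must already forward packets (net.ipv4.ip_forward=1), which it does if it NATs the office today.

```shell
#!/bin/sh
# Added example, not from the original answer: nftables rules for the last
# option above, forwarding TCP/8080 on the office's public address to port 80
# on the developer's workstation. Constructed values: eth0 is the gateway's
# WAN interface, 203.0.113.5 the public address, 192.168.10.42 the workstation.

# dev_forward PUBLIC_IP PUBLIC_PORT WORKSTATION_IP [ALLOWED_SOURCE]
dev_forward() {
    pub="$1"; pport="$2"; ws="$3"; src=""
    if [ -n "$4" ]; then src="ip saddr $4 "; fi
    cat <<EOF
table ip dev_forward {
    chain prerouting {
        type nat hook prerouting priority -100;
        # rewrite the destination before routing, only for this one public port
        iif "eth0" ${src}ip daddr ${pub} tcp dport ${pport} dnat to ${ws}:80
    }
    chain forward {
        type filter hook forward priority 0;
        # let only the translated flow (and its replies) cross into the LAN
        iif "eth0" ct status dnat ip daddr ${ws} tcp dport 80 accept
        ct state established,related accept
    }
}
EOF
}

# open to the internet, because GWO's source addresses are not known in advance
dev_forward 203.0.113.5 8080 192.168.10.42
# the same hole, but only for one fixed remote address (e.g. the boss at home)
dev_forward 203.0.113.5 8080 192.168.10.42 198.51.100.7
```

Three things to know before loading this: the gateway's existing forward chain still has the final say (a drop there wins over an accept in a new table), so in practice these lines go into the chains the gateway already uses rather than a separate table; colleagues inside the office cannot reach http://203.0.113.5:8080/ without an extra hairpin NAT rule and should use the workstation's LAN address directly, as the "second up" point already says; and the workstation's own firewall must accept port 80 from the gateway. The rule turns a development box into an internet-facing host, so remove it when the testing is done.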

Restrict the server access from LAN only

Recently we got a new server at the office purely for testing purposes. It is set up so that we can access it from any computer.
However, today our IP got blocked from one of our other sites, saying that our IP has been suspected of having a virus that sends spam emails. We learned this from the CBL, http://cbl.abuseat.org/
So of course we turned the server off to stop this. The problem is the server must be on to continue developing our application and to access the database that is installed on it. Our normal admin is on vacation and is unreachable, and the rest of us are idiots (me included) in this area.
We believe that the best solution is to remove it from connecting to the internet but still access it on the LAN. If that is a valid solution, how would this be done, or is there a better way? Say blocking specified ports or whatever.
I assume that this server is behind a router? You should be able to block WAN connections to the server on the router and still leave it open to accepting LAN connections. Or you could restrict the IPs that can connect to the server to the development machines on the network.
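Added example, not part of the answer above: the "LAN only" option done on the server itself, as an nftables ruleset that accepts SSH and the database port from the office subnet and, in the other direction, lets the host open connections only to that subnet. The output chain is the part that matters for the CBL listing, since a spam bot on the box cannot reach port 25 anywhere once new outbound connections to the internet are dropped. The subnet 192.168.1.0/24 and the PostgreSQL-style port 5432 are constructed values.

```shell
#!/bin/sh
# Added example, not from the original answer: an nftables ruleset for the
# test server itself that keeps it reachable from the office LAN while cutting
# every other connection in both directions, including outbound mail.
# Assumptions: the LAN is one IPv4 subnet, developers need SSH (22) and the
# database port given as an argument, and nothing else is required.

# lan_only LAN_CIDR DB_PORT
lan_only() {
    lan="$1"; db="$2"
    cat <<EOF
table inet lan_only {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # developers on the LAN reach the database and ssh, nothing else
        ip saddr ${lan} tcp dport { 22, ${db} } accept
        ip saddr ${lan} icmp type echo-request accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        # replies to connections the LAN opened to us
        ct state established,related accept
        # new connections may only go to LAN peers, so a bot on this host
        # can no longer deliver spam to port 25 on the internet
        ip daddr ${lan} accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

lan_only 192.168.1.0/24 5432
```

Load it with `nft -f` from the console or from a LAN host that is in the allowed subnet, otherwise the SSH session loading it is the first thing to be cut. The host will no longer resolve names or fetch updates unless the resolver sits on the LAN, which is the intended trade-off until the admin is back. Note this is containment, not a fix: the box is still compromised, and `ss -tnp` or `nft monitor` on it will show which process keeps trying to reach port 25, which is the first thing to hand to whoever rebuilds it.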