Thread: How does haproxy failover work?
-
01-18-2012, 06:20 PM #51 - Intangible Asset Appraiser
Join Date: Mar 2009 | Location: Austin Tx | Posts: 2,007
I hear ya. I think the misunderstanding there is the definition of "failover", as in there is some mechanism (in reference to RR load balancing) that actively removes a down IP from a pool, fails over to the next, and excludes the IP from the pool until it is again reachable. It does "move to the next IP" eventually, but only via a connection timeout and the natural handling of multiple A resource records. But that IP is still going to come around again in random order, so it has not actually been "failed", just..."ignored"...for a while...at best.
I'm recanting even leaning towards browsers, modern or otherwise, automatically trying the next A resource record upon connection failure *without a refresh*, just happening automatically within a session without user intervention. Especially this notion that it "remembers" the bad IP and won't try it again. Not finding anything that supports that.
Sure, they are capable of caching all resource records published for said domain, but...that's about it. I can't re-create it with any browser. If it hits the "bad" IP, it times out on that session, and I have to hit enter, hit refresh, open a new browser...and it sure ain't "remembering" the IP is bad. Unless it has a memory like my old Aunt Ester.
This is the best signature in the world....Tribute!
(It is not the best signature in the world, no. This is just a tribute)
-
01-18-2012, 09:23 PM #52 - ******* Unleaded
Join Date: Feb 2004 | Posts: 3,849
But, wget is not a client browser used by humans. It is a single purpose tool with many knobs that can be fine tuned for network behaviour. And humans definitely do have a problem with spinning their wheels while network connection attempts timeout.
Now as far as round-robin is concerned, failover capable DNS is not mutually exclusive with round-robin. There is nothing that prevents the use of failover capabilities to remove a known failed endpoint from the set of returned records. This aids the client in achieving a connection on the first try as much as possible.
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com
-
03-30-2012, 05:43 AM #53 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
I am sorry for somewhat reviving this thread. I don't think it's that old yet.
I have read it from start to finish and I agree on the consensus that DNS Round Robin "somewhat" works if you are OK with half of your visitors having some downtime.
And, you can somewhat "improve" it if you remove the down IP as you detect it so new site visitors will no longer see the dead IP.
Am I correct in this assumption?
While I agree that DNS RR is a poor man's failover, the clear winner for production use is a load balancer like HAProxy.
Now my question is, what is the minimum setup required for this to work for data center failover?
For instance, how do you setup 2 VPS located on 2 geographically separated data centers?
Am I correct to assume that you need an additional 2 VPS (both installed with HAProxy) to act as load balancers, so you actually need 4 VPS (2 HAProxy + 2 mirrored servers)?
Then you use DNS failover (like DNS Made Easy, wherein you fail over between your 2 HAProxy servers)?
-
03-30-2012, 07:07 AM #54 - Web Hosting Master
Join Date: Apr 2000 | Location: Brisbane, Australia | Posts: 2,602
That's basically what I do for centminmod.com, except I install haproxy on each web server (backend) as well. So each haproxy server load balances each web server backend and serves a dual purpose instead of having dedicated haproxy-only servers. Cuts down costs as a poor man's alternative. So for 2x VPS haproxy load balanced, each VPS has haproxy on port 80 and an apache/nginx or litespeed web server backend on port 89 or something.
But I only have one active haproxy primary server and use dnsmadeeasy for DNS/IP failover to backup haproxy servers, so if the haproxy primary server fails, dnsmadeeasy switches to the secondary IP for the haproxy #2 server, and if haproxy #2 fails, haproxy #3 kicks in and so forth. Dnsmadeeasy allows for up to 5 failover IP sets. Works very well.
Note, this isn't round robin at the haproxy level, as only one haproxy server is active at a time, while round robin at the haproxy level would have more than one haproxy server active. But it is round robin at the web server backend level within haproxy.
: CentminMod.com Nginx Installer Nginx 1.25, PHP-FPM, MariaDB 10 CentOS (AlmaLinux/Rocky testing)
: Centmin Mod Latest Beta Nginx HTTP/2 HTTPS & HTTP/3 QUIC HTTPS supports TLS 1.3 via OpenSSL 1.1.1/3.0/3.1 or BoringSSL or QuicTLS OpenSSL
: Nginx & PHP-FPM Benchmarks: Centmin Mod vs EasyEngine vs Webinoly vs VestaCP vs OneInStack
-
03-30-2012, 07:42 AM #55 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
@eva2000 - Thanks. I get the picture.
I just have one question that I forgot to ask.
I guess it goes without saying that another server is required for data replication/mirroring?
-
03-30-2012, 12:16 PM #56 - Intangible Asset Appraiser
Join Date: Mar 2009 | Location: Austin Tx | Posts: 2,007
You don't necessarily have to have a dedicated server for replication, just pick one...usually the one you consider most stable, and deem it "master".
All other servers receive data from it, either pushed or pulled.
On the original question, if the goal is just failover, and one web/app server is sufficient, you can attain the same goal by just using real DNS failover service with low TTLs. I use 90s, works great, has for almost a decade now.
If you truly need haproxy to spread the load, then you can use either, or, best, a combination of the two. Depending on the customer, I've used a mix of almost everything discussed (I've been setting up custom LB apps for a long time, we'll say..), and I prefer to use haproxy/www on the same server, but only as a true backup. I try to not serve www off the same server unless all other nodes are down. For true failover, though, yes, your minimum is 2 servers with DNS failover. If your primary haproxy goes down, then you need a way to direct to something else. But, that won't "do" if one server is incapable of keeping up with your requests -
If one box can not handle the load of your app, then at least 3 servers are suggested - one dedicated www, two haproxies using the other and dedicated www as the backends, with haproxy using localhost as www should the two backends fail. But, you also need DNS failover (real, not RR) to redirect to the good haproxy should one go down. That way, you still have two servers to handle the load.
First step should be discerning how many www servers you require at any given time to minimally serve your web/apps. That will allow you to plan accordingly...you don't want a plan that ultimately falls back to one haproxy serving www from itself if 3 backends are required to keep up with your traffic, for instance. I wouldn't consider HA to be HA if the failover's worst instance couldn't serve your apps.
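The layout eva2000 (#54) and mugo (#56) describe above, written out as an added haproxy configuration example (not taken from either poster or from the centminmod project): haproxy owns port 80 on every node, the node's own web server listens on a non-80 port, the other nodes' web servers are round-robin backends with health checks, and the local web server is declared `backup` so it only takes traffic once every other backend has been marked down. The addresses (203.0.113.x, 198.51.100.x), the backend port 89 and the /healthz check path are assumptions; DNS failover between the haproxy nodes themselves is outside this file.

```haproxy
global
    log /dev/log local0
    maxconn 4096
    daemon

defaults
    mode http
    log global
    option httplog
    # if the chosen server fails during connect, try another one instead of erroring
    option redispatch
    retries 3
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www_in
    # haproxy takes port 80 on this node; the web server sits on port 89 (assumed)
    bind *:80
    default_backend www_pool

backend www_pool
    # round robin at the web-server level, as eva2000 describes
    balance roundrobin
    # active health check: assumed /healthz path that the web servers answer with 200
    option httpchk GET /healthz
    http-check expect status 200
    # remote web servers (documentation-range addresses, assumed);
    # fall 3 = marked down after 3 failed checks, rise 2 = back up after 2 good ones
    server www1 203.0.113.10:89 check inter 2s fall 3 rise 2
    server www2 198.51.100.20:89 check inter 2s fall 3 rise 2
    # this node's own web server: 'backup' means it is only used while every
    # non-backup server above is down, which is mugo's "true backup" behaviour
    server local 127.0.0.1:89 check inter 2s fall 3 rise 2 backup
```

Every node runs the same file with only the `server` lines differing (each node lists the other nodes as primaries and itself as the backup), so the haproxy secondaries that DNS failover points at are already warm. `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload, and the `fall`/`rise` thresholds are the part to tune: too low and a single slow response flaps a backend out of the pool, too high and a dead backend keeps receiving one connection per round-robin pass until the check catches up.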
-
03-30-2012, 01:06 PM #57 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
@mugo - Thank you, very helpful.
When you say "real DNS failover" you mean to use DNS Failover like what DNS Made Easy offers?
-
03-30-2012, 01:35 PM #58 - Intangible Asset Appraiser
Join Date: Mar 2009 | Location: Austin Tx | Posts: 2,007
Yes, I've personally used them for years, in a corporate enviro and for my personal HA hosting biz. In 8-9 years, they've had one issue, I don't know of anyone else that can do what they do for the same price point.
The failover has always worked flawlessly, and you can go 5 IP levels deep with failover, which really helps in disaster planning.
Your last few failovers can be stand alone servers, etc. With HAProxy, DNS Failover, and spreading sites around geographically (always use separate hosts, too), it can literally take 10-20 simultaneous failures to take you down 100%.
What happens if DNSME goes down? I also keep secondary DNS elsewhere, just in case....which removes any single point of failure. There are other "worst case" plans for DNS, in case they are nuked for a sustained time, which we hope to never use, but I've learned to have the worst scenario plans on hand...just in case.
-
03-30-2012, 01:55 PM #59 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
@mugo - I've heard that indeed DNSME experienced only one downtime in 8 yrs.
Now that you mention it, how do you actually use a secondary DNS? Do you mean you actually have 2 authoritative DNS servers?
-
03-30-2012, 02:13 PM #60 - Intangible Asset Appraiser
Join Date: Mar 2009 | Location: Austin Tx | Posts: 2,007
They appear rock solid, from my view...so I love 'em.
For secondaries, with the domain in question, you need to first select a service, or set up yourself, a secondary DNS server for that and/or your other domains.
In DNSME, or whatever DNS you use, you can give the IP to allow xfers to, which is the secondary DNS server's IP. In your secondary, you then tell that server to go to your primary and pull the record for the zone(s) in question. Since you've allowed this at your primary, it pulls the record and serves up the zone.
Last but not least, make sure to add that secondary DNS server to your domain's DNS servers at the registrar level, or no one will ever query it should your primary be down.
-
03-30-2012, 03:22 PM #61 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
@mugo - Thanks.
On a slightly off-topic... I am all sold with DNSME except for one thing in their TOS: If DNS Made Easy is under a DDoS attack due to a client’s domain(s) then all associated costs with fighting the attack will be passed on to the client.
This seems quite a bit unfair since the client will never know an attack will happen to them. Is this standard practice in all DNS providers? Why don't they just simply shut down the account rather than charge? It could potentially cost a client a fortune. This is quite a deal breaker IMO.
Unless this is standard, it's kinda weird that a DNS service will charge for a DDoS attack.
-
04-01-2012, 08:13 AM #62 - Web Hosting Master
Join Date: Apr 2000 | Location: Brisbane, Australia | Posts: 2,602
Hey mbr, I honestly didn't realise that part of their TOS, so concerned I emailed DME support and didn't really like their response, although I do understand their point of view.
Basically, DME's stance and belief is that every domain client who gets DDOS attacked on their DME network knows or suspects they will be DDOS attacked thinking they can get DDOS protection on DME network for $30-60/yr compared to $10,000s per month from DDOS mitigation providers.
So DME put that clause into their DME TOS so they can recover the costs of DDOS attacks from those clients. They recently had a 200Gbps DDOS attack on their network and they claim that client knew they were getting DDOS attacked so moved their domains to DME paying $30/yr. The 200Gbps DDOS attack, according to DME, would over its 35hr duration cost them $600,000, which they will attempt to recover from the client. If you get DDOS attacked, DME don't want you as a customer basically.
Basically the DME TOS clause is in there to catch those who know they are subject to DDOS attacks. I can understand that. DME says all DNS providers will do the same to recover costs and don't provide free DDOS attack protection on low cost plans (unless you're a DDOS protected DNS provider charging a lot more $$$), just not so transparent in their TOS like DME has - they've been upfront about it. DME says go and specifically ask other DNS providers their stance on such.
The only problem I have is their view that all clients getting DDOS attacked know or suspect they will be DDOS attacked. I'm sure there are a few who didn't know and that's where I am concerned like you.
It's true most folks won't get DDOS attacked, but the uncertainty of it all is concerning.
Would love to hear mugo's and other readers' thoughts on this.
-
04-01-2012, 01:56 PM #63 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
@eva2000 - I'd rather manually update my DNS or even setup my own DNS server than potentially be liable for $600,000. That is just insane.
I guess you can say at least they were upfront about it but it is still a deal breaker for me.
I also emailed them asking if they have DDoS protection that we can buy; they didn't say anything about it.
-
04-01-2012, 02:07 PM #64 - Web Hosting Master
Join Date: Apr 2000 | Location: Brisbane, Australia | Posts: 2,602
Yeah, I'm emailing a bunch of DNS providers just to ask about their stance too. Also asking them about what they posted on their DME twitter account at https://twitter.com/#!/DNSMadeEasy/s...53359534653440 referring to some form of policy for protection?
Posted on twitter:
@sharpjs Your blog would not be a target of a DDoS.:-) Open a ticket for more information.We have the policy to protect users like yourself
-
04-01-2012, 02:33 PM #65 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
@eva2000 - That's interesting, kindly update us about the protection policy when you hear from them.
-
04-01-2012, 03:28 PM #66 - Web Hosting Master
Join Date: Apr 2000 | Location: Brisbane, Australia | Posts: 2,602
Just searching around while waiting on DME's reply and found an older thread where it seems it is standard practice that customers pay for the cost of DDOS attacks: http://www.webhostingtalk.com/showth...78#post6580578
Guess some DNS providers aren't that clear in their TOS.
-
04-02-2012, 02:57 AM #67 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
Well, let's say I'm using "ordinary" DNS services which come by default with domain registrars like Godaddy, etc.. so does this mean Godaddy will charge customers if our sites are attacked with DDoS?
-
04-02-2012, 09:44 AM #68 - Web Hosting Master
Join Date: May 2007 | Posts: 2,042
Wow, what an interesting thread: haproxy + mugo + DNSME + DDOS + eva's input, hard to beat.
-
04-02-2012, 11:33 AM #69 - Web Hosting Evangelist
Join Date: Oct 2007 | Posts: 455
Guys..... your idea on what happens during a DDoS is confusing to me. DNS Made Easy is actually being upfront and honest. And they are the ONLY company I have ever met that will waive a month or of queries if it is a small DDoS.
It seems like just because DNS Made Easy is honest and mentions DDoS that you guys think they are doing something crazy. All providers do this.
UltraDNS will shut you down and charge you.
Dynect will shut you down and charge you.
All of your hosting providers will shut you down and charge you.
Here is what Dyn (Dynect) uses for their DDoS (you can verify with a phone call).
http://dyn.com/legal/dyn-services-agreement/
d. Data Preservation.
i. In the event of a Suspension. In the event of a suspension by Dyn of Your access to any Service for any reason, during the period of suspension: (i) Dyn will not take any action to intentionally erase any of Your data stored on the Services and (ii) any and all service fees will continue to accrue.
-
04-02-2012, 11:54 AM #70 - Web Hosting Master
Join Date: Apr 2000 | Location: Brisbane, Australia | Posts: 2,602
Yeah, I understand and agree DME is being honest and has to limit their potential costs, just a wake up call for some of us as customers who also want to limit our potential costs incurred, and that we're all exposed to some potentially crazy $$$ in terms of costs if we ever get DDOS attacked.
Guess DDOS protection is looking more and more like travel insurance: without it you're screwed when something goes wrong. But with it, you hope you never have to use it LOL
-
04-02-2012, 03:12 PM #71 - Web Hosting Evangelist
Join Date: Mar 2003 | Posts: 470
I've now emailed Godaddy regarding their policies.
On a side note, how come BurstNET can offer DDoS protection on their budget VPS that cost around $5/mo? Or is it a completely different story when it comes to DNS?
-
04-02-2012, 03:27 PM #72 - Web Hosting Master
Join Date: Apr 2000 | Location: Nevada, US | Posts: 5,550
SmartHost™ - Intelligent Hosting! - Multiple Locations - US/EU! - Ultra-Fast NVME SSD VPS!
http://www.smarthost.net - sales@smarthost.net - Resale/Affiliate Programs
Cloud Hosting - VPS Hosting - Dedicated Servers - Colocation - Flux Capacitors
-
04-02-2012, 06:13 PM #73 - Web Hosting Evangelist
Join Date: Oct 2007 | Posts: 455
If BurstNET is offering DDoS protection for $5 per month then sign me up! I have a client that was getting about 8 Gbps attack to their website. If I could fight that for $5 per month.... I'm in!
I'm sure DNS Made Easy would have loved to push their 200+ Gbps on them as well for $5 per month. BurstNET might get a lot of business out of this!
True DDoS protection is not null-routing. You can not null-route a DNS service and stay up.
-
04-02-2012, 06:14 PM #74 - CISSP-ISSMP, CISA
Join Date: Aug 2002 | Location: Seattle | Posts: 5,525
If a company prices a DDoS upgrade low enough, it is possible that enough customers will subscribe to pay for the cost of the mitigation system. The problem is that once you start receiving real, consistent attacks you become a risk and impact the other customers.
-
12-27-2012, 01:27 PM #75 - Junior Guru
Join Date: Oct 2007 | Posts: 237
Sorry to revive this old thread, but I'm really interested in this method, aka using the web server and haproxy on the same server. I got really confused on how this works. Can anyone, or mugo, explain this better?