Question

Nginx Loadbalancer with private Network (Firewall Rules)

Posted July 11, 2014 4.9k views

Dear Digital Ocean Community

I am currently setting up our new hosting environment which includes 2 nginx load balancers and 2 nginx webserver. My setup looks like this so far:

Amazon Route 53 -> Load Balancer 1 (Public IP : 128.199.160.xxx) -> Web1 (Private IP: 10.130.224.xxx) & Web2 (Private IP: 10.130.221.xxx)

Amazon Route 53 -> Load Balancer 2 (Public IP : 128.199.150.xxx) -> Web1 (Private IP: 10.130.224.xxx) & Web2 (Private IP: 10.130.221.xxx)

On both Webserver I configured the following Firewall Rules:
[ 2] 80 ALLOW IN 10.130.224.xxx (Private IP Load Balancer1 )
[ 3] 80 ALLOW IN 10.130.221.xxx (Private IP Load Balancer2)

On both Load Balancers I opened only port 80 from anywhere.

I would like to limit permissions to the 2 web server so only the Load Balancers have access to them. Is this setup correct? I am not exactly sure how the nginx load balancing works as so far I only used ELB from aws.

Will clients every talk directly to the web servers or will all traffic go trough the loadbalancers at all time?

Would really appreciate your help on this to be sure that this configuration will work.

Thank you in advance.

Add a comment
info650411
By:
info650411
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

3 answers
kamaln7 July 11, 2014

Is this setup correct?

Looks like it is. Make sure your firewall denies all other requests by default, otherwise you will need to explicitly block all traffic to port 80 from anything that isn’t your load balancers.

Will clients every talk directly to the web servers or will all traffic go trough the loadbalancers at all time?

No, the clients will only talk to the load balancers. The connections are proxied through the load balancers to your webservers, so only the load balancers will connect to your webservers.

Basically, it would look something like this:

                                     +-----------------------+           
                                     |                       |           
                                     |                       v           
                                     |  +--------------+ +---+----------+
                                     |  | Web Server 1 | | Web Server 2 |
                                     |  +---+------+---+ +----------+---+
                                     |      ^      ^                ^    
                                     |      |      |                |    
                +-----------------+---------+      |                |    
             +->+ Load Balancer 1 |  |             |                |    
+---------+  |  +-----------------+--+             |                |    
| Visitor +--+                                     |                |    
+---------+  |  +-----------------+----------------+                |    
             +->+ Load Balancer 2 |                                 |    
                +-----------------+---------------------------------+
Reply Report
info650411 July 11, 2014

Hi Kamal

Thank you very much for your quick response and the great answer ;-)

May I ask you another question? I saw many replies from you in other threads and it looks like you know what you’re doing ;-)

On which server should I configure compression (gzip) and expire rules? So far I always used the h5bp nginx config (https://github.com/h5bp/server-configs-nginx)

Does it make sense to apply the same configuration to the loadbalancers and the webservers or is it enough to set compression, caching and expire rules only on one of the servers? In case only one server which should it be? The load balancer or the webserver?

Thank you again for your efforts! Really appreciate it ;-)
Menelik

ps: how can I change my display name in the community? Instead of my name only the first part of my email “info” is shown . Tried to find it in the control panel but no luck so far.

Reply Report
  • kamaln7 July 11, 2014

    I’m not sure, to be honest. It doesn’t hurt to enable it on both ends, but it will mostly likely not make a difference so I think enabling it only on the load balancers should be enough.

    how can I change my display name in the community?

    Unfortunately, that’s not possible currently.

    Reply Report
info650411 July 12, 2014

Hi Kamal thanks again for taking the time to answer my questions. I will configure the same settings on both servers.

Have a great weekend ;-)

Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help