Multiple Webservers, Dual MySQL and a Secure Jump Host
Posted by Diego Cousinet on 24 October 2013 08:45 AM

Introduction:

This multiple-server architecture is useful when you need multiple web servers (with different content) backed by MySQL databases.

In this scenario the web servers pull double duty as file servers, which is ideal for dynamic, CMS-driven sites such as Joomla and WordPress. Database processing is offloaded to a dedicated MySQL server, which is unreachable from the public internet. Finally, you can run two MySQL servers in master/slave replication to improve application performance and provide high availability.

  • With multiple webservers and database servers, you can configure your SSH, FTP and SMTP services to be accessible via one secure server, commonly known as a Jump Host. This gives you and your administrators tightly controlled access to your production environment.
  • This scenario uses five servers but just three public IP addresses; it's more cost-effective than using public IP addresses for all servers.
  • Running SSH on custom ports avoids the common brute-force attacks that target default ports.
  • It is a safer practice for avoiding various attacks, as public IP and NAT rules can be changed very easily.
  • The MySQL server is unreachable from the internet, and only communicates with your webservers (other than SSH via a non-standard port, if required in production).

 

How to arrange your architecture:

This knowledgebase article assumes you have a working knowledge of webserver environments. Additionally:

  1. You already know how to set up Secure Shell (SSH) to one of your Servers. (Please see How to set up Secure Shell - SSH).
  2. You understand how to use various public-facing ports to point to different private servers (Please see Using one public IP address to connect to several cloud servers).


In the example below we have three webservers with varied content being served from each (some deployments may call for a single website on each server, others may have multiple websites per server). These are backed by a MySQL Master and Slave pair, and all are accessible via SSH, FTP and SMTP through the Jump Host only. We have three public IP addresses, which serve web traffic to the three webservers respectively, and one of them also provides the SSH/FTP/SMTP route to the jump host.

 

Public IP Traffic:

  • Public IP address 112.1.1.1 port 80 points to 172.1.1.1 port 80 (also port 443 if using SSL)
  • Public IP address 112.1.1.2 port 80 points to 172.1.1.2 port 80 (also port 443 if using SSL)
  • Public IP address 112.1.1.3 port 80 points to 172.1.1.3 port 80 (also port 443 if using SSL)
  • Public IP address 112.1.1.2 port 1904 points to 172.1.1.4 port 22 (SSH - repeat with more ports for FTP and SMTP if required)

 

Internal, firewalled Traffic:

  • The Jump Host provides access to the three webservers and the two MySQL servers via SSH and FTP, and SMTP if required.
  • The two MySQL servers communicate with the webservers via MySQL traffic and SSH.
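
The mappings above can be checked mechanically before they are applied. The following Python script is an added example, not part of the original article: it audits a NAT table against the rules described here (web ports only to the webservers, administrative services only to the Jump Host on non-default public ports, nothing forwarded to MySQL). The MySQL addresses 172.1.1.5 and 172.1.1.6 are assumed, as the article does not list them.

```python
from ipaddress import ip_address

WEB = {ip_address(a) for a in ("172.1.1.1", "172.1.1.2", "172.1.1.3")}
JUMP = ip_address("172.1.1.4")
MYSQL = {ip_address(a) for a in ("172.1.1.5", "172.1.1.6")}  # assumed addresses
WEB_PORTS = {80, 443}
ADMIN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP"}

# NAT table from the "Public IP Traffic" list:
# (public IP, public port, private IP, private port)
ARTICLE_RULES = [
    ("112.1.1.1", 80, "172.1.1.1", 80),
    ("112.1.1.2", 80, "172.1.1.2", 80),
    ("112.1.1.3", 80, "172.1.1.3", 80),
    ("112.1.1.2", 1904, "172.1.1.4", 22),
]

def audit(rules):
    """Return a list of findings; an empty list means the table matches the policy."""
    findings, seen = [], set()
    for pub_ip, pub_port, priv_ip, priv_port in rules:
        dst = ip_address(priv_ip)
        label = f"{pub_ip}:{pub_port} -> {priv_ip}:{priv_port}"
        if (pub_ip, pub_port) in seen:
            findings.append(f"{label}: duplicate public endpoint")
        seen.add((pub_ip, pub_port))
        if dst in MYSQL:
            # Stricter than the optional SSH exception in the introduction: this
            # example routes all administration through the Jump Host.
            findings.append(f"{label}: MySQL server reachable from the internet")
        elif dst in WEB:
            if priv_port not in WEB_PORTS:
                findings.append(f"{label}: non-web port forwarded to a webserver")
        elif dst == JUMP:
            if priv_port not in ADMIN_PORTS:
                findings.append(f"{label}: unexpected service on the jump host")
            elif pub_port == priv_port:
                findings.append(f"{label}: {ADMIN_PORTS[priv_port]} exposed on its default port")
        else:
            findings.append(f"{label}: forward to an unknown private host")
    return findings

if __name__ == "__main__":
    for line in audit(ARTICLE_RULES) or ["NAT table matches the policy"]:
        print(line)
```

Run it against an export of your own NAT rules whenever they change; any finding means a service is exposed in a way this architecture does not intend.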


Note: Click Here to view or download a PDF of this diagram.
