Views: 1548
Last Modified: 15.09.2022

How to protect the web cluster

Web cluster uses additional services (centralized caching, synchronization) and is launched, usually, at groups consisting of several computers. Let's overview the specifics for web cluster data security.

Load balancing and DDoS attack protection

It's recommended to open public access for the load balancer port 80 and limit external access to computers (nodes) web cluster HTTP ports. This will securely protect the nodes, hidden behind the balancer, from overload (for example, which occurred during internet ad campaign), as well as significantly reduce effectiveness of DDoS attacks.

Clustered cache

It's necessary to limit public access to memcached servers (tcp port 11211), and open access to them from web cluster nodes. One of solutions is to config the firewall.

Service for synchronization cluster nodes content

If the 'csync2' utility is used for content synchronization, you need to close its services from public access (tcp port 30865), by opening access to them from web cluster nodes.

Example of firewall config

For web cluster node:

  • 22 (tcp; ssh) - open for admin subnetwork;
  • 80 (tcp; http) - open for web cluster subnetwork;
  • 443 (tcp; https) - open for web cluster subnetwork;
  • 3306 (tcp; mysql) - open for web cluster subnetwork;
  • 11211 (tcp; memcached) - open for web cluster subnetwork;
  • 30865 (tcp; csync2) - open for web cluster subnetwork.

For load balancer:

  • 80 (tcp; http) - open for everyone;
  • 443 (tcp; https) - open for everyone.


Courses developed by Bitrix24