Last Modified: 15.09.2022
How to protect the web cluster
A web cluster uses additional services (centralized caching, content synchronization) and usually runs on a group of several computers. This section covers the security specifics of web cluster data.
Load balancing and DDoS attack protection
It is recommended to open public access only to the load balancer's port 80 (and 443 for HTTPS), and to restrict external access to the HTTP ports of the web cluster computers (nodes). The nodes hidden behind the balancer cannot then be hit directly, which protects them from overload (for example, a traffic surge during an internet ad campaign) and reduces the effectiveness of DDoS attacks, since all public traffic has to pass through a single filtered entry point.
Public access to the memcached servers (tcp port 11211) must be closed, with access opened only from the web cluster nodes. One solution is to configure the firewall. If memcached also listens on UDP port 11211, block that as well: a memcached UDP listener reachable from the internet is a well-known source of reflection and amplification traffic, and the cluster does not need it.
Content synchronization service for cluster nodes
If the 'csync2' utility is used for content synchronization, its service (tcp port 30865) must be closed to public access and opened only from the web cluster nodes.
Example of firewall config (inbound rules; everything not listed is dropped)
For web cluster node:
- 22 (tcp; ssh) - open for admin subnet;
- 80 (tcp; http) - open for web cluster subnet (the load balancer must be in this subnet);
- 443 (tcp; https) - open for web cluster subnet (the load balancer must be in this subnet);
- 3306 (tcp; mysql) - open for web cluster subnet;
- 11211 (tcp; memcached) - open for web cluster subnet;
- 30865 (tcp; csync2) - open for web cluster subnet.
For load balancer:
- 80 (tcp; http) - open for everyone;
- 443 (tcp; https) - open for everyone.
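The two rule lists above (node and load balancer) can be implemented as an nftables ruleset. The script below is an added example and is not configuration from the original page: it generates a ruleset for a node or for the balancer with a default-drop input policy, so that only the listed ports are reachable from the listed subnets. The subnet values (192.0.2.0/24 for administrators, 10.10.0.0/24 for the cluster), the extra rule dropping memcached on UDP, and the decision to let the balancer accept ssh from the admin subnet (which the balancer list above does not mention) are assumptions; adjust them to your network.

```shell
#!/bin/sh
# Added example (not from the original page): emit an nftables ruleset for a
# web cluster node or for the load balancer, following the port lists above.
# Subnets are assumptions; substitute your own. Review the output, then load
# it with:  nft -f <file>

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"      # assumed admin subnet (ssh)
CLUSTER_NET="${CLUSTER_NET:-10.10.0.0/24}"  # assumed web cluster subnet

# Common head: default-drop input policy, loopback, established traffic, ICMP.
# Rules below use "ip saddr", so IPv4 only; IPv6 traffic falls to the drop policy.
common_head() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
EOF
}

common_tail() {
    cat <<'EOF'
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# node_ruleset ADMIN_NET CLUSTER_NET
# Cluster services (http, https, mysql, memcached, csync2) are reachable only
# from the cluster subnet, ssh only from the admin subnet; the rest is dropped.
node_ruleset() {
    admin="$1"; cluster="$2"
    common_head
    cat <<EOF
        ip saddr $admin tcp dport 22 accept comment "ssh from admin subnet"
        ip saddr $cluster tcp dport { 80, 443 } accept comment "http/https from balancer and nodes"
        ip saddr $cluster tcp dport 3306 accept comment "mysql from cluster"
        ip saddr $cluster tcp dport 11211 accept comment "memcached from cluster"
        ip saddr $cluster tcp dport 30865 accept comment "csync2 from cluster"
        udp dport 11211 drop comment "memcached over UDP is never needed here (assumption)"
EOF
    common_tail
}

# balancer_ruleset ADMIN_NET
# Only http/https are public; ssh stays restricted to the admin subnet (assumption).
balancer_ruleset() {
    admin="$1"
    common_head
    cat <<EOF
        ip saddr $admin tcp dport 22 accept comment "ssh from admin subnet"
        tcp dport { 80, 443 } accept comment "public http/https"
EOF
    common_tail
}

# Usage:  sh firewall.sh node > node.nft ;  sh firewall.sh balancer > lb.nft
case "${1:-}" in
    node)     node_ruleset "$ADMIN_NET" "$CLUSTER_NET" ;;
    balancer) balancer_ruleset "$ADMIN_NET" ;;
    *)        ;;   # no role given: only define the functions
esac
```

After loading, confirm from a host outside both subnets that only the balancer answers on 80/443 and that 11211 and 30865 on the nodes are unreachable; a check from inside the cluster subnet should still reach them.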