Architectural Changes
Tim Lauridsen
tla at rasmil.dk
Sat Sep 8 15:07:14 UTC 2007
Mike McGrath wrote:
> As we talked about in the meeting yesterday we have a new sponsor
> (http://www.teliasonera.com/). There are a couple of others in the
> works (I don't want to officially announce until it's finalized) but
> one thing is clear. Pretty soon we're going to have multiple proxy
> servers outside of PHX. The end goal here would be to use mod_geoip
> to re-direct people to their nearest location but we're going to take
> baby steps to get there. Here are the steps as I see them.
>
> 1) Finalize the caching stuff paulobanon has been working on.
> 2) VPN
> 3) Set up 1 remote proxy server and test
> 4) Get DNS set up properly to direct people to the proxy servers in a
> RR format
> 5) mod_geoip.
>
>
> 4) is still a little fuzzy in my mind. Right now we're using Bind for
> DNS and, AFAIK, the version we're using does not have support for
> geoip. So my thought is using mod_geoip to direct people to (for
> example) de1.fedoraproject.org or us2.fedoraproject.org. I'm still a
> little unclear on the best way to do this in our environment. Those
> keeping an eye on the commit logs will have noticed the odd commit for
> t.fedoraproject.org. So, for example:
>
> ping -c1 t.fedoraproject.org
>
> For me seems to do the right thing. I get basically a RR balanced IP
> between 3 addresses (fp.o, yahoo and google) I just picked two IPs
> that weren't ours to balance around. The thing, for me at least, is I
> get fp.o every time if I use Firefox. This is over many days on
> different computers. I've seen FF bring up the google ip once. So I
> ask those on the list to go to http://t.fedoraproject.org/ and just
> tell me what you get. Or, even better, explain to me what the heck is
> going on there, I have one theory about first requests to DNS vs named
> caching in FF and name caching elsewhere. But we've had different
> people get many different results (some get wget to RR, some with wget
> always get the same thing, same with curl, lynx, w3m, and HEAD) More
> investigation is needed.
>
> 2) is something I'm working on now. VPN will only be for external
> servers (not users). We've actually already had a few issues we've
> had to overcome in strange ways from external servers that could have
> been fixed by a VPN. (puppet and bacula backups immediately come to
> mind) We'll tightly control (iptables) what these boxes have access
> to on the vpn server (bastion). We'll keep the ttl on our load
> balanced products lower so that if something does go wrong with one of
> them, we can easily take it out of the mix.
>
> The reason for 2) is so we don't have to maintain multiple different
> proxy server types. If we use VPN we can treat each server the same,
> just like the ones we have now which keeps it maintainable.
>
> Questions / Comments / Suggestions?
>
> -Mike
>
I get fp.o with Firefox.
Tim