Hello,
my question is about proposed implementation of high available and secure FrontEnd to WebApps behind a firewall. The components of the network and their relationships are as follows:
- 2 WebApps servers behind a firewall (BackEnd), denoted by GUI1 and GUI2, running Web Applications
- 2 machines LB1 and LB2 in DMZ configured with floating IP in active/standby mode for redundancy. Their task is
- to give an additional layer of security serving as proxy (they are performing NAT on packiets comming from GUI)
- to handle the traffic basing on inspection of cookies (in fact the only requirment is to achieve cookie-based session persistence, not sophisticated LB techniques)
Security requirments:
- The only accpetable comuninaction method with GUI that is allowed (clearly through FireWall) is via reverse SSH tunnel.
- The traffic incoming to FrontEnd is most often https (and some http)
The question is: what kind a software (open source) could be implemented on frontend machines LB1 and LB2, to realize these goals? Recall, in short:
- SSL termination** (as necessary for inspecting cookie)
- Cookie Based LB
- active/standby mode*
I have no practical experience in this field, however it seems that NginX on LB1 and LB2 (to solve SSL and cookies issue) together with HearBeat (to achieve the desired redundancy property) should work.
Im aware that the proposed architecture is somehow similar to HAproxy or LVS, however I need a solution that deals with all described tasks indeed (I have heard that, for instance, HAproxy does not support SSL termination).
Any comments and suggestions are welcomed. Thanks!
