Author Topic: x86 Down?!  (Read 14021 times)


iago
Re: x86 Down?!
« Reply #30 on: December 05, 2006, 02:38:37 pm »
Quote from: Ersan
I'm not satisfied, you can do what you want but I'd like to stress to anyone interested that this setup is a horrible and inefficient way to run a website, don't use it in any production application ever.

And if for some reason you do decide to use virtual machines in a production environment, do NOT use vmware, use virtuozzo or something similar.
Yeah, all these "DMZs" and stuff is just crazy.  What the hell were those security guys thinking when they explained the proper way to set up a firewall, anyways?  Obviously you know way more than years of security researchers. 

I know of many places where VMWare is used for hosting, the most important place being the Government of Manitoba's hosting centre.  It's used for security and separation of privilege.  And believe me, they wouldn't have spent $30,000 on virtualizing their environment for fun, getting the funding for it took over a year of research and testing (done by my peers).  But I'm sure you know more than they do.

Ersan
« Reply #31 on: December 05, 2006, 02:40:22 pm »
I'd love to, but posting benchmarks of vmware is against the law, and every benchmark I've read about has been pulled under legal threats.  The overhead for vmware esx (i hope to god he's using esx) compared to virtuozzo and similar programs is notable at the least, anyone who's used both can tell you that...  Get some (any?) experience in this matter and then post your oh-so-valuable opinions...

Regardless of all this virtualization nonsense and back to the original point, he shouldn't be running the forum webserver on a different port, he should be load balancing/redirecting the traffic after it enters his network.

I don't even know or care where manitoba is on the globe much less how they run their network.

All I am concerned about is how this website is hosted, you can run your network however you want, I could care less.  I didn't say anything about not using a firewall, VMWare definitely isn't the only firewall out there...  Also, my post was strictly pertaining to web hosting, sorry I didn't mention that.
« Last Edit: December 05, 2006, 02:46:40 pm by Ersan »

iago
« Reply #32 on: December 05, 2006, 02:45:25 pm »
Quote from: Ersan
I'd love to, but posting benchmarks of vmware is against the law,
Where's it say that?

Quote from: Ersan
The overhead for vmware esx (i hope to god he's using esx)
Why would I use an old, unsupported version?  I use "VMWare Server", which is the current version that deprecated ESX.


Quote from: Ersan
Regardless of all this virtualization nonsense and back to the original point, he shouldn't be running the forum webserver on a different port, he should be load balancing/redirecting the traffic after it enters his network.
How do you suggest I multiplex the traffic at the network level with a single IP?


Quote from: Ersan
I don't even know or care where manitoba is on the globe much less how they run their network.
You're obviously an idiot.  You shouldn't be proud of your ignorance. 

Furious
« Reply #33 on: December 05, 2006, 02:45:44 pm »
Quote from: Ersan
I'd love to, but posting benchmarks of vmware is against the law, and every benchmark I've read about has been pulled under legal threats.  The overhead for vmware esx (i hope to god he's using esx) compared to virtuozzo and similar programs is notable at the least, anyone who's used both can tell you that...  Get some (any?) experience in this matter and then post your oh-so-valuable opinions...

Regardless of all this virtualization nonsense and back to the original point, he shouldn't be running the forum webserver on a different port, he should be load balancing/redirecting the traffic after it enters his network.

I don't even know or care where manitoba is on the globe much less how they run their network.

It's in Canada der.
Quote
[23:04:34] <deadly7[x86]> Newby[x86]
[23:04:35] <deadly7[x86]> YOU ARE AN EMO
[23:04:39] <Newby[x86]> shush it woman

Quote
[17:53:31] InsaneJoey[e2] was banned by x86 (GO EAT A BAG OF FUCK ASSHOLE (randomban)).

Quote from: Ergot
Put it this way Joe... you're on my Buddy List... if there's no one else on an you're the only one, I'd rather talk to myself.

Ersan
« Reply #34 on: December 05, 2006, 02:54:16 pm »
http://www.run-virtual.com/?p=123

Quote from: iago
How do you suggest I multiplex the traffic at the network level with a single IP?
virtual hosting, xml-rpc, load balancing, policy routing, transparent proxy, use your brain...
« Last Edit: December 05, 2006, 02:57:27 pm by Ersan »

Chavo
« Reply #35 on: December 05, 2006, 04:28:53 pm »
Quote from: Ersan
Also, my post was strictly pertaining to web hosting, sorry I didn't mention that.
That's not even a fair restriction.  iago isn't using VMWare primarily as a web hosting solution...

Quote from: Ersan
http://www.run-virtual.com/?p=123
Here is the section that refers to, in the current EULA of VMware Server:

Quote
3.3   Restrictions.  You may not (i) sell, lease, license, sublicense, distribute or otherwise transfer in whole or in part the Software or the Software License Key to another party; (ii) provide, disclose, divulge or make available to, or permit use of the Software in whole or in part by, any third party (except Designated Administrative Access) without VMware’s prior written consent; or (iii) modify or create derivative works based upon the Software.  Except to the extent expressly permitted by applicable law, and to the extent that VMware is not permitted by that applicable law to exclude or limit the following rights, you may not decompile, disassemble, reverse engineer, or otherwise attempt to derive source code from the Software, in whole or in part.   You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study.  Please contact VMware at benchmark@vmware.com to request such review.
Seems pretty obvious that it is ok as long as you use standard benchmarking techniques. You linking us to an authorized review is not the same as you (an unauthorized 3rd party) disseminating benchmark results that you did not personally test.
« Last Edit: December 05, 2006, 04:32:05 pm by unTactical »

iago
« Reply #36 on: December 05, 2006, 06:14:56 pm »
Quote from: Ersan
http://www.run-virtual.com/?p=123

How do you suggest I multiplex the traffic at the network level with a single IP?
virtual hosting, xml-rpc, load balancing, policy routing, transparent proxy, use your brain...
Virtual hosting lets you host more than one site on the same machine.  That's not what I want to do, I want them to be actually separated.

Could you explain how xml-rpc, load balancing, policy routing, and a transparent proxy will help me logically separate machines? They all sound to me like buzz-words that aren't going to solve my problem. 

I do do policy routing: port 80 = website, port 81 = forum.  What do you suggest?

Using my brain ... no, that's right out.

Ersan
« Reply #37 on: December 05, 2006, 07:28:10 pm »
Transparent proxying is what most people would use in this situation, because it is the simplest.

You can use virtual hosting to forward requests to a different physical machine, running the same http server, in lighttpd you can even use directories for it (pcre), I believe apache is restricted to FQDNs (HTTP_HOST header), so it will work if you want to use forums.x86labs.org

XML-RPC will let you use a script to connect to another machine on the internal network and request data in the form of XML (i.e. the chunk of html that composes this page), this is only useful if you know PHP quite well.

Load Balancing is a term that pretty much encompasses all of these methods, as well as several I have not named.

Policy-based routing (and traffic shaping) can be a lot more complicated than just "this port goes here", we use it to examine mime headers and redirect traffic for certain file types, as well as requests with certain data in them, and direct outbound traffic to a specific interface.  We use pfSense for this, but I'm guessing that your router isn't that advanced and you have no plans to replace it.

As for transparent proxying: http://wiki.squid-cache.org/SquidFaq/ReverseProxy says it better than I can.

Quote from: Chavo
Here is the section that refers to, in the current EULA of VMware Server:
Yes, the article I posted summarizes this.  Prior to June of 2006 posting benchmarks at all was a violation of the EULA, now VMWare gets to censor benchmarks that aren't in their favor?  I fail to see how this is any better?  I couldn't find any authorized benchmarks, if you do let me know.
« Last Edit: December 05, 2006, 10:29:15 pm by Ersan »

iago
« Reply #38 on: December 05, 2006, 10:20:12 pm »
I looked, and couldn't find a way to forward different virtual hosts to different systems on the network.  If you can figure out how to do that, then I have no problem running them on the same port. 

XML-RPC isn't at all what I'm trying to do.  But thanks for explaining XML to me, these new-fangled technologies are so difficult. 

From what I understand, load balancing is a network setup which ensures that different servers (mirrors) have similar loads by dividing requests between them.  I don't think that's got anything to do with anything.  But thanks for not listing others, you might have got poor ol' me all confused.

And you're right, my router isn't very advanced.  It's only worth about $1000.   I suppose you weren't reading it when I told you that my VMWare server also routes traffic?  I set up IPTables on it (I posted the script I wrote from scratch on the forum somewhere), which can do anything you're suggesting.  But I'd rather avoid having my firewall make decisions based on layer-7 data, I suppose you also missed it when I asked for a way to do it at the network layers. 

Ersan
« Reply #39 on: December 05, 2006, 10:59:03 pm »
You said nothing of using VMWare as a router, you said it was a firewall.  And no, any $1000 router isn't sufficient, advanced policy-based routing features that will do what you want are found in more expensive routers like the M/T series from juniper and cost $2400 or more.

You obviously don't know how XML-RPC works or you would understand that it can do what I'm suggesting.

Quote from: iago
From what I understand, load balancing is a network setup which ensures that different servers (mirrors) have similar loads by dividing requests between them.
Then you have a very rudimentary understanding of how network load balancing works, while that may be the primary implementation of it, load balancing applications route traffic, which is what you're trying to accomplish, so generic load balancing techniques can be applied to this situation.  There isn't anything designed specifically to route a directory of a website to a different web server because that's pretty idiotic to begin with.

Use squid like I said, since you still insist on using multiple virtual servers, it's even more efficient than network-level routing because it dynamically caches content.

Quote from: iago
I suppose you also missed it when I asked for a way to do it at the network layers.
Better policy routing.
« Last Edit: December 06, 2006, 12:55:06 am by Ersan »

Sidoh
« Reply #40 on: December 05, 2006, 11:19:03 pm »
He's not setting up a server to sell off to clients.  It serves a single website.  I think his router setup is past sufficient.

Stop being condescending because you know of an alternative way to do something.

Ersan
« Reply #41 on: December 05, 2006, 11:32:42 pm »
Yes, it serves a single website, and it takes 3 virtual servers to do so.

I really don't care how you guys host this site, you can make it as inefficient/insecure as you want.  Some people like to keep an open mind, and I don't want anyone new thinking this is the best way to do things, or even a good way.  I think I've made my point and I'm done with this thread, iago you can IM me if you want.

Sorry for being condescending/pompous/whatever, it's been a bad week.  I'll make an effort to be nicer in the future.
« Last Edit: December 06, 2006, 12:28:32 am by Ersan »

Furious
« Reply #42 on: December 06, 2006, 12:32:28 am »
It's just a discussion - stop taking it to heart.

iago
« Reply #43 on: December 06, 2006, 09:25:04 am »
Quote from: Ersan
You said nothing of using VMWare as a router, you said it was a firewall.  And no, any $1000 router isn't sufficient, advanced policy-based routing features that will do what you want are found in more expensive routers like the M/T series from juniper and cost $2400 or more.
It actually does both, a properly configured firewall does route traffic.  And incidentally, a $2400 router is essentially a pretty interface over pretty much the same thing I'm using.

Quote from: Ersan
You obviously don't know how XML-RPC works or you would understand that it can do what I'm suggesting.
I did a project on it in my last year of University, but I still don't see how it'll solve my problem, unless I want to write a script on the first computer that queries the second computer.  In which case, I don't even need XML-RPC, I can just do it by downloading the remote site and displaying it.  And I considered doing it that way, but it wouldn't work out for things like images, so I decided against it.

Quote from: Ersan
Then you have a very rudimentary understanding of how network load balancing works, while that may be the primary implementation of it, load balancing applications route traffic, which is what you're trying to accomplish, so generic load balancing techniques can be applied to this situation.  There isn't anything designed specifically to route a directory of a website to a different web server because that's pretty idiotic to begin with.
They don't really route traffic, they divvy it up.  If you are making rules for certain applications/ports to be load-balanced to different places, then you aren't load balancing, you're routing.  And I don't care whether it's the directory or a subdomain, both work fine.

Quote from: Ersan
Use squid like I said, since you still insist on using multiple virtual servers, it's even more efficient than network-level routing because it dynamically caches content.
Why would I want the forum cached?  And I still don't think using a proxy makes sense. 

Quote
I suppose you also missed it when I asked for a way to do it at the network layers.
Better policy routing.
All right, it looks like you know what you're doing here, so maybe you can explain this to me.  I have two different subdomains on x86labs.org, forum and www.  They run on the same port, 80, on different computers on my internal network.  The user sends a packet remotely, which arrives at my router.  It goes through some chains, eventually getting to the "prerouting" chain in the "nat" table, which is where the routing decision is made.  At the moment, I make the decisions like this:
Code:
        # Assumed surrounding context, not shown in the post: $IPTABLES, $FROM_INET
        # and $LOG hold the iptables path, the match for the Internet-facing
        # interface, and the LOG target with its --log-prefix option;
        # %DMZ_ALLOWED_INCOMING maps "proto/port" strings to DMZ hosts.
        if($protoport =~ m/^([a-zA-Z]+)\/([0-9]+)$/)   # [0-9]+ : an empty port is not a rule
        {
            my $protocol = $1;
            my $port = $2;

            my $ip = $DMZ_ALLOWED_INCOMING{$protoport};

            print "  -> NATing external port '$port' on '$protocol' to DMZ ip '$ip'\n";
            # Log the packet, then rewrite its destination to the DMZ host.  The decision
            # is made on protocol and destination port only; nothing above layer 4 is seen.
            system("$IPTABLES -t nat -A PREROUTING -p $protocol $FROM_INET --dport $port $LOG \"forwarded: \"") == 0
                or warn "iptables LOG rule for $protoport failed: $?\n";
            system("$IPTABLES -t nat -A PREROUTING -p $protocol $FROM_INET --dport $port -j DNAT --to-destination $ip") == 0
                or warn "iptables DNAT rule for $protoport failed: $?\n";
        }
As you can see, I'm identifying it by protocol and port, then making the routing decision (for my current set of firewall rules, written 100% by me, see rc.firewall).  Now, without layer-7 inspection, which I don't think can identify different domains anyways, how would you suggest I make the routing decision? 

Even in a general case: you're running some routing software, and those two sites are set up: what do you check to make the routing decision? 
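Added example, not from the thread or from any of the posters, showing what the decision iago asks about looks like once it is made where it can be made. For the packets the PREROUTING chain sees, a request for www.x86labs.org and one for forum.x86labs.org are identical at layers 3 and 4 (same destination IP, same TCP port 80), so no iptables match can separate them; the first thing that differs is the HTTP/1.1 Host header. That is the name-based virtual hosting / reverse proxy approach Ersan sketches in Reply #37: the DNAT rule sends port 80 to one proxy host, which reads Host and opens a second connection to the right internal machine. The Python below implements that dispatch (parse, decide, rewrite) in a form that runs offline; the backend addresses 10.0.1.10 and 10.0.1.11 are assumed, and only forward() touches the network.

```python
"""Host-header dispatch for two vhosts sharing one public IP and port.

Added example (not from the thread).  At layers 3/4 a request for
www.x86labs.org and one for forum.x86labs.org are indistinguishable;
the Host header is the first byte that differs, so the split has to be
made by something that reads the request.  Backend addresses are assumed.
"""
import socket
from typing import Dict, List, Optional, Tuple

Backend = Tuple[str, int]
Header = Tuple[str, str]

# Allowlist of served vhosts -> DMZ backends (hypothetical addresses).
# Host is attacker-controlled input: anything not in this map is refused,
# which is also what keeps the proxy from being an open relay into the DMZ.
BACKENDS: Dict[str, Backend] = {
    "www.x86labs.org": ("10.0.1.10", 80),
    "forum.x86labs.org": ("10.0.1.11", 80),
}

# Hop-by-hop headers describe this connection only and must not be
# forwarded to the backend (RFC 2616 section 13.5.1).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


class BadRequest(ValueError):
    pass


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Header], bytes]:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise BadRequest("malformed request line")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject empty names, whitespace around the name (obsolete line
        # folding) and non-ASCII names rather than guess at them.
        if not colon or not name.strip() or name != name.strip() or not name.isascii():
            raise BadRequest("malformed header line")
        headers.append((name.decode("ascii"), value.decode("latin-1").strip()))
    return parts[0], parts[1], parts[2], headers, body


def select_backend(headers: List[Header]) -> Optional[Backend]:
    """The routing decision: exactly one Host header, matched case-
    insensitively against the allowlist with any :port suffix removed."""
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        return None  # missing or duplicated Host is ambiguous: refuse
    return BACKENDS.get(hosts[0].split(":", 1)[0].lower())


def route_request(raw: bytes, client_ip: str) -> Tuple[Optional[Backend], bytes]:
    """Return (backend, request to send upstream), or (None, error response)
    when the request is malformed or names a vhost this proxy does not serve."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except BadRequest:
        return None, BAD_REQUEST
    backend = select_backend(headers)
    if backend is None:
        return None, NOT_FOUND
    out = [f"{method} {target} {version}"]
    for name, value in headers:
        lname = name.lower()
        # Drop hop-by-hop headers, and drop any X-Forwarded-For the client
        # sent: this is the first hop, so a client-supplied value is spoofed.
        if lname in HOP_BY_HOP or lname == "x-forwarded-for":
            continue
        out.append(f"{name}: {value}")
    out.append(f"X-Forwarded-For: {client_ip}")
    out.append("Connection: close")
    return backend, "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + body


def forward(raw: bytes, client_ip: str, timeout: float = 10.0) -> bytes:
    """Proxy one request to its backend and return the raw response.
    This is the only function that touches the network."""
    backend, data = route_request(raw, client_ip)
    if backend is None:
        return data  # error response goes straight back to the client
    with socket.create_connection(backend, timeout=timeout) as upstream:
        upstream.sendall(data)
        chunks = []
        while True:
            chunk = upstream.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)
```

Three points a practitioner would want from this: Host is attacker-controlled, so it is matched against an allowlist and anything else gets a 404 rather than a default backend, which is what keeps the proxy from being a relay into the DMZ; the client's own X-Forwarded-For is discarded because this is the first hop and any value it sent is spoofable; and the backends now see the proxy's address on the TCP connection, which is why that header is added at all. Apache's mod_proxy with name-based VirtualHosts, or the Squid reverse proxy setup Ersan linked, do the same thing with configuration instead of code, and the firewall's DNAT rule then points at the proxy instead of the web server.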

iago
« Reply #44 on: December 06, 2006, 09:29:28 am »
Quote from: Ersan
Yes, it serves a single website, and it takes 3 virtual servers to do so.
It only takes one special-purpose server: the forum.  I use the database server for other systems (like personal projects on my laptop), and I use the web server for other web sites. 

Quote from: Ersan
I really don't care how you guys host this site, you can make it as inefficient/insecure as you want.
You're an idiot. 

Like I said, none of my Linux systems use the CPU more than 5% of the time.  Each one thinks it's running on its own physical machine, and behaves that way.  There's no slow-down, and it's a hell of a lot cheaper than buying your own machines. 

And have you ever wondered why databases are servers?  I promise it's not to make things tricky, databases are designed to be run remotely.  In a properly set-up network, the databases for all servers are on one central server.  Why?  For security. 

Can you name ONE security flaw with my setup?  And if you were intent on breaking into my Trusted LAN (where the most important stuff is), how would you do it?  Feel free to browse my firewall rules in my last post to figure out how.


Quote from: Ersan
Some people like to keep an open mind, and I don't want anyone new thinking this is the best way to do things, or even a good way.
I'd be more worried if they listened to you.  At least I have a couple years experience with large-scale networking/security from working in government.