Reverse proxy without a single point of failure
-
Keepalived to set up a floating IP between two proxy hosts. The VIP is where the traffic points to, the two hosts act as active/passive HA.
-
Congrats, you're officially at the point where you should probably be looking at Kubernetes. Highly available, failover, and load balancers. It's a steep learning curve, but if you're looking for this level of availability you're probably ready for it.
-
For what OP is asking, DNS has no part in DNAT; they need a load balancer.
Personally, asking about high uptime on a residential ISP is the larger issue here, but alas.
-
If your current router doesn't support static DNS entries or advanced management of them, you could run a DNS service, or just get a router that runs OpenWRT. GL.Inet makes solid devices for relatively cheap.
-
Yes. Your machines would have one main IP address, and one virtual IP address that would be assigned to either machine depending on the priority or health check status. That IP can be on the same physical interface, or a separate one. It’s very flexible, pretty standard config for high availability setups.
-
OPNsense and HAProxy might be a place to start, they work well together. You can define a backend pool of servers for round-robining, and if you buy a block of IPs you can round-robin the incoming requests as well. I run OPNsense as a VM so that I can use Proxmox's high availability service for the router and it'll fail over or manually live-migrate if I'm doing maintenance.
-
I use k3s as my base with istio to handle routing, so each node then has the same ports open and istio is the proxy. Internally there's a load balancer to distribute to whatever pod the traffic needs to go to. Outside the cluster DNS is my only single point of failure but it routes to multiple hosts. I doubt you'd have trouble finding a way to have a DNS that can do that. I don't think you can get that much more separated from single points
-
Additional SPoFs: Your upstream internet connection, your modem/router, electricity supply, your home (not burning, flooded, collapsed, etc.). And you.
-
So you have 2 or 3 SPOFs: your home internet, your home router, and your reverse proxy container.
You can solve most of that with a second internet connection on its own router and some k3s/k8s.
Current router points to one container, then you have your second router point to the other container. You can use DNS load balancing to share the connections over your 2 internet connections.
Depending on your monitoring system, if a connection goes down you could then trigger a DNS update to remove the offline connection from DNS. You will have to set the TTL of the record to facilitate the change more rapidly.
-
You just described a load balancer. The router doesn't know about DNS but clients using your service use DNS. You can do some simple load balancing behind DNS. If you want to do it by IP address you want a load balancer though.
-
I feel like OP is about to find out why businesses pay for cloud services.
-
No, the router being the SPOF (single point of failure) is totally avoidable.
At my home (no SaaS services offered, but critical "enough" for my life services) I have two different ISPs on two different technologies: one is FTTC via copper cable (aka good old ADSL successor) plus a FWA 5G (much faster but with data cap). Those two are connected to one opnSense router (which, indeed, is a SPOF at this time). But you can also remove this SPOF by adding a second opnSense and tying the two together in failover.
Of course, my two ISPs are set up in failover on the opnSense.
So the setup would be:
FTTC -> ISP1 router -> LAN cable 1 to port 1 of opnSense n.1
FTTC -> ISP1 router -> LAN cable 2 to port 1 of opnSense n.2
FWA -> ISP2 router -> LAN cable 1 to port 2 of opnSense n.1
FWA -> ISP2 router -> LAN cable 1 to port 2 of opnSense n.2
Then in both opnSense I would set up failover multi-WAN and bridge them together so that one dying will trigger the second one.
-
I do this with HAProxy and keepalived. My DNS servers resolve my domains to a single virtual IP that keepalived manages. If one HAProxy node goes down, the other picks right up.
And this is one of the few things I’ve got set up with Ansible, so deploying and making changes is pretty easy.
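-
A keepalived configuration for the floating-IP, active/passive setup described in this thread, as an added example that is not taken from any poster's actual setup. The interface name, the addresses (documentation range 192.0.2.0/24), the router ID and the priorities are assumed placeholder values.

```conf
# /etc/keepalived/keepalived.conf on proxy node A (constructed example).
# Node B uses the same file with priority 100 and the unicast addresses swapped.

global_defs {
    enable_script_security      # refuse check scripts that non-root users can modify
    script_user root            # assumed; a dedicated unprivileged user also works
}

# Health check: exit status 0 while an haproxy process exists.
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"
    interval 2                  # run every 2 seconds
    fall 2                      # 2 consecutive failures mark the check as failed
    rise 2                      # 2 consecutive successes mark it healthy again
    weight -20                  # subtract 20 from priority while failed
}

vrrp_instance VI_PROXY {
    state BACKUP                # both nodes start as BACKUP; priority elects the master
    interface eth0              # assumed interface name
    virtual_router_id 51        # must match on both nodes, unique on the LAN segment
    priority 110                # node B: 100; a failed check drops A to 90, so B takes over
    advert_int 1                # advertisement interval in seconds

    # Send adverts only to the known peer instead of multicasting to the segment.
    unicast_src_ip 192.0.2.11   # this node (placeholder)
    unicast_peer {
        192.0.2.12              # the other proxy node (placeholder)
    }

    virtual_ipaddress {
        192.0.2.10/24 dev eth0  # floating IP that DNS or the router's port forward points at
    }

    track_script {
        chk_haproxy             # ties the priority to the health check above
    }
}
```

VRRP's `auth_type PASS` option is sent in cleartext, so it is left out here; allowing IP protocol 112 only from the peer address in the host firewall is the control that keeps another machine on the segment from claiming the virtual IP.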