Mirtov Alexey 33d0bd4365 add english | 2 anos atrás | |
---|---|---|
.. | ||
images | 3 anos atrás | |
main | 3 anos atrás | |
prepare | 3 anos atrás | |
README.md | 2 anos atrás | |
README_RU.md | 2 anos atrás |
Purpose of the demo: Install PT Web Application Firewall (hereinafter, PT WAF) in Yandex.Cloud in a fault-tolerant configuration.
Steps to be completed during the workshop:
Fault tolerance is provided by:
BYPASS
.It is assumed that in Yandex.Cloud, the client has already deployed an unsafe external scenario of publishing a VM, that is, a VM running web applications in two availability zones. It also runs an external network load balancer.
To implement the entire diagram from scratch, use the playbook in the from-scratch folder
terraform init
terraform import yandex_lb_network_load_balancer.ext-lb $(yc load-balancer network-load-balancer list --format=json | jq '.[].id' | sed 's/"//g')
terraform apply
app-sg
to the VM app-a and app-b.##
Video instructions:
ssh -L 22001:192.168.2.10:22013 -L 22002:172.18.0.10:22013 -L 8443:192.168.2.10:8443 -L 127.0.0.2:8443:172.18.0.10:8443 -i ./pt_key.pem yc-user@$(yc compute instance list --format=json | jq '.[] | select( .name == "ssh-a")| .network_interfaces[0].primary_v4_address.one_to_one_nat.address '| sed 's/"//g')
This opens the SSH terminal (broker machine) — leave it open.
ssh -p 22001 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
sudo wsc -c 'password list'
Execute the cluster autoconfiguring script:
/home/pt/cluster.sh
Connect to ptaf-b:
ssh -p 22002 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
Set the DB password from the previous step:
sudo wsc -c 'password set <master password>'
(it must be the same as the password on the master node)
Execute the cluster autoconfiguring script:
/home/pt/cluster.sh
First, run synchronization on the Slave server using the commands:
ssh -p 22002 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
sudo wsc
Enter 0
config commit
Wait for the message on the Slave server: TASK: [mongo | please configure all other nodes of your cluster]
. After that, switch to the Master server and start syncing with similar commands:
ssh -p 22001 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
sudo wsc
Enter 0
config commit
If the config commit command fails on the Master, apply the command again.
Next, the configuration on the Master node stopped at the message: TASK: [mongo | wait config sync on secondary nodes]
. Manually execute the command on the Slave node: config sync
.
On the Slave, run:
config sync
On the Master, run:
config sync
On the Master, run:
mongo --authenticationDatabase admin -u root -p $(cat /opt/waf/conf/master_password) waf --eval 'c = db.sentinel; l = c.findOne({_id: "license"}); Object.keys(l).forEach(function(k) { if (l[k].ip) { delete l[k].ip; l[k].hostname = "yclicense.ptsecurity.ru" }}); c.update({_id: l._id}, l)'
Open in the browser: https://127.0.0.1:8443
Enter the standard login admin and password positive, change the password, for example, to P@ssw0rd
.
Open the tab Configuration → Network → Gateways by clicking on the pencil icon (Edit).
On each of the gateways, select the Active option.
On each of the gateways, on the Network tab, define the aliases mgmt
, wan
, lan
for the eth-ext1
interface.
Create an upstream on the tab Configuration → Network → Upstreams:
Name: internal-lb
Backend Host: enter the address of the Yandex.Cloud internal load balancer
Backend port: 80
Create a service on the tab Configuration → Network → Services:
Name: app
Net interface alias: wan
Listen port: 80
Upstream: internal-lb
Edit an existing Any web application on the Configuration → Security → Web Applications tab:
Service: app
BYPASS
applies and the traffic switches over directly to the internal load balancer.In this model, you can use Yandex Application Load Balancer.
There are detailed instructions on enabling a virtual hosting (including integration with Certificate Manager to manage SSL certificates).