Software appliances – The good, the bad and the ugly

As part of my work I have to design and plan hardware, systems and software deployments, and as many of you know, sometimes it’s not that easy. Dimensioning hardware for specific roles can be a pain; sometimes you don’t even have the software yet, as it’s still being “produced” by the development team, and still you have to say how many machines, routers, switches and all the small things the project will take.
But other projects aren’t this difficult and don’t need that amount of flexibility: you don’t need a custom-built firewall cluster, you don’t need a web server or database cluster, you just need a simple, reliable, out-of-the-box setup that makes things work in the smallest amount of time.
When you need something like this, many sysadmins have an excellent way to get things done in a tested, production-proven way (especially if they are open-minded enough to use open source):

The Software Appliances

The appliances are really helpful, but before you start using them you need to know a few things, so let’s start with the bad:

  1. Lack of flexibility
  2. Hardware choices are often hard due to the lack of drivers/modules available

The lack of flexibility is probably the biggest problem with appliances. Usually they aren’t truly inflexible, but to master an appliance you’ll have to put a big effort into the manuals. This shouldn’t be a problem if you stick to a few appliances, but if you use a lot of them you’ll probably take more time to master them than to study the OS and all the applications you need (Apache, Samba, iptables, and so on). About hardware choices: appliances are suited to run on most hardware out there (after all, most of them use a Linux kernel), but if you run cutting-edge hardware you may find it hard to make it work with your appliance, especially if your appliance version is more than 6 months to a year old.

Let’s go to the good now:

  1. Easy installation.
  2. Fewer skills required.
  3. Dedicated support, sometimes paid, usually free from the community.
  4. Performance boost (in the cases where the appliance comes with its own hardware).
  5. Security.

So, in conclusion, appliances can be a great help, but they need extensive planning and testing before going into a production environment. Think not only about the present needs of your client but also about the future and expected ones. Below I’m going to write about my favorite software appliances and what they are for.

  1. dd-wrt – A great firmware appliance for a range of Linksys, Asus and other brands’ routers, access points, home gateways, etc.
  2. Endian FW – Probably the appliance I use the most. Do you need a firewall with a proxy server and content filtering? Do you need a VPN server or an antivirus scanner for your internet connection? Try this one.
  3. SME Server – Do you need a Windows domain server, an SMTP server, a POP server? Do you need to set up a small office in 2 hours? Choose SME Server.

There are a lot of other appliances I’ve used since I started working; below are a few honorable mentions:

  1. GeexBox – For displaying multimedia content
  2. IPCop – Similar to Endian (but Endian has more features)

I’m done with appliances for today, but you may wonder… what about the ugly? Well, I didn’t find any that fits in this category, but the word goes well in the title 🙂.

Cheers,

Pedro Oliveira

Apache2 reverse proxy (with http https virtualhosting)

This weekend I was updating and reconfiguring my Apache2 installation. I run a server with multiple domains, both HTTP and HTTPS, sitting behind a firewall. I also had some Tomcat installations running on port 8080 on my server. In my previous configuration the firewall forwarded ports 80, 443 and 8080 to my Apache server and it worked perfectly. But, as you know, it’s easy to educate users to use both HTTP (port 80) and HTTPS (port 443), yet not that easy to tell them to write https://yourserver:8080/blabla to get to the Tomcat server.

Given this, I decided to change the way things work by using a reverse proxy. This way all users use just HTTP and HTTPS, and at the same time the traffic is redirected to the Tomcat behind the firewall.

How did I do it?

First you have to enable the following modules on your Apache2 server (I won’t explain how to do it, as there are multiple ways and you can even use your distro’s tools to help you):

proxy_module

proxy_http_module

rewrite_module

I also recommend using virtual hosts for this, as you’ll be able to serve multiple domains with ease. Edit your virtual host to look like this:

<VirtualHost *:80>
    ServerAdmin xxx@yourdomain.com
    ServerName www.yourdomain.com
    DocumentRoot /srv/www/htdocs
    ServerSignature On
    DirectoryIndex index.php index.html index.htm
    # Off = reverse proxy only; On would also turn Apache into a forward proxy
    ProxyRequests Off
    # Pass the client's Host: header through so Tomcat builds correct redirects
    ProxyPreserveHost On
    ProxyPass / http://your.internalserver.local:8080/
    ProxyPassReverse / http://your.internalserver.local:8080/
</VirtualHost>
# <Proxy> needs a URL pattern; "*" covers every proxied request.
# Apache 2.2 syntax; on Apache 2.4 use "Require all granted" instead of Order/Allow.
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

or, if you are using HTTPS, your virtual host config file might look like this:

<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
    ServerName www.yourdomain.com
    DocumentRoot "/srv/www/htdocs"
    ErrorLog /var/log/apache2/error.log
    TransferLog /var/log/apache2/access.log
    SSLEngine on
    # The stock Apache default (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL)
    # still permits LOW, EXPORT and RC4 ciphers; restrict to strong, authenticated suites
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile /etc/apache2/certs/www.yourdomain.com.crt
    SSLCertificateKeyFile /etc/apache2/certs/www.yourdomain.com.key
    SSLCertificateChainFile /etc/apache2/certs/www.yourdomain.com_intermediate_bundle.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    # Standard workaround for old MSIE SSL bugs; harmless for other clients
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    ProxyPreserveHost On
    # Reverse proxy only; never On in a gateway configuration
    ProxyRequests Off
    # TLS terminates here; the hop to the backend is plain HTTP on the internal network
    ProxyPass / http://www.your_domain.local:8080/
    ProxyPassReverse / http://www.your_domain.local:8080/
</VirtualHost>
</IfDefine>
</IfDefine>

Well, I hope this is helpful to someone.

Cheers,

Pedro M. S. Oliveira

UPDATE:
Found this article about Apache2 as an OWA proxy which I really liked 🙂. Below are some excerpts that I frequently use; I’m copying them here for my reference:

<VirtualHost *:443>

    DocumentRoot "/var/www/owa"
    ServerName mail.mycompany.com:443
    ServerAdmin support@mycompany.com
    DirectoryIndex index.html index.php

    SSLEngine on
    # Old Apache default allowed LOW/EXPORT/RC4 ciphers; restricted here
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Needed because the backend Exchange servers are reached over https://
    SSLProxyEngine on

    RewriteEngine On
    RewriteRule ^/$ /exchange [L,R]

    # Tells OWA the client-facing connection is HTTPS (needs mod_headers)
    RequestHeader set Front-End-Https On
    # Must be Off: with On, the permissive <Proxy *> block below makes this an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia full

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass        /exchange https://mxbsas.example.local/exchange
    ProxyPassReverse /exchange https://mxbsas.example.local/exchange

    ProxyPass        /exchweb https://mxbsas.example.local/exchweb
    ProxyPassReverse /exchweb https://mxbsas.example.local/exchweb

    ProxyPass        /public https://mxbsas.example.local/public
    ProxyPassReverse /public https://mxbsas.example.local/public

    ProxyPass        /exchangerng https://mxrng.example.local/exchangerng
    ProxyPassReverse /exchangerng https://mxrng.example.local/exchangerng
    ProxyPass        /Microsoft-Server-ActiveSync https://mxbsas.example.local/Microsoft-Server-ActiveSync
    ProxyPassReverse /Microsoft-Server-ActiveSync https://mxbsas.example.local/Microsoft-Server-ActiveSync

</VirtualHost>
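As an added example (not from this post, the linked OWA article or Apache itself), here is a small POSIX shell pre-flight audit for a reverse-proxy setup like the ones above. It checks that the three modules listed earlier (proxy, proxy_http, rewrite) are loaded, judged from saved "apachectl -M" output, and it flags any active "ProxyRequests On" line, because a reverse proxy with that directive On next to a permissive <Proxy *> block is an open forward proxy that anyone reaching the server can relay traffic through. The file names and the sample module list and configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight audit for an Apache
# reverse-proxy configuration. Assumptions (not from the page): the config is a
# single file and the loaded-module list is "apachectl -M" output saved to a file.

# Modules the post says a reverse proxy needs.
REQUIRED_MODULES="proxy_module proxy_http_module rewrite_module"

# missing_modules MODLIST_FILE
# Prints each required module absent from the list; returns 1 if any is missing.
missing_modules() {
    rc=0
    for m in $REQUIRED_MODULES; do
        # apachectl -M prints lines like " proxy_module (shared)"
        if ! grep -qE "^[[:space:]]*$m[[:space:]]" "$1"; then
            echo "missing module: $m"
            rc=1
        fi
    done
    return $rc
}

# proxy_requests_on CONFIG_FILE
# Returns 0 (true) when an uncommented "ProxyRequests On" is present.
# Apache directives are case-insensitive, hence grep -i.
proxy_requests_on() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)'
}

# audit_proxy_config CONFIG_FILE MODLIST_FILE
# Returns 0 when both checks pass, 1 otherwise.
audit_proxy_config() {
    ok=0
    missing_modules "$2" || ok=1
    if proxy_requests_on "$1"; then
        echo "open-proxy risk: ProxyRequests On in $1 (a reverse proxy needs Off)"
        ok=1
    fi
    return $ok
}

# --- constructed sample inputs -------------------------------------------
MODS=$(mktemp)
GOOD=$(mktemp)
BAD=$(mktemp)

cat > "$MODS" <<'EOF'
Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 rewrite_module (shared)
EOF

cat > "$GOOD" <<'EOF'
<VirtualHost *:80>
    ServerName www.yourdomain.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://your.internalserver.local:8080/
    ProxyPassReverse / http://your.internalserver.local:8080/
</VirtualHost>
EOF

cat > "$BAD" <<'EOF'
<VirtualHost *:443>
    ServerName mail.mycompany.com:443
    # ProxyRequests Off   (commented out, so it does not count)
    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /exchange https://mxbsas.example.local/exchange
</VirtualHost>
EOF

for cfg in "$GOOD" "$BAD"; do
    if audit_proxy_config "$cfg" "$MODS"; then
        echo "$cfg: OK"
    else
        echo "$cfg: FAILED"
    fi
done

rm -f "$MODS" "$GOOD" "$BAD"
```

On a real host, replace the constructed files with "apachectl -M > modules.txt" and the path of the vhost file you are about to enable; running the audit before "apachectl graceful" catches the open-proxy misconfiguration before it is reachable from the outside.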
