- relayd and HAProxy can both be used for load balancing on pfSense, but HAProxy is more powerful, flexible, and reliable as a true proxy.
- An example setup demonstrated configuring relayd and HAProxy for load balancing multiple web servers, with HAProxy able to offload SSL and use ACLs to route requests based on hostname.
- Let's Encrypt certificates can be automated for HAProxy using a Lua script and the ACME package to validate via HTTP.
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
2. Project Notes
● pfSense 2.3.4-RELEASE-p1
– Security/Errata release with an important update for OpenVPN
– If you have not already updated to 2.3.4-p1 or updated OpenVPN as mentioned last month, update immediately
– https://www.netgate.com/blog/pfsense-2-3-4-p1-release-now-available.html
● FreeRADIUS 2.x EOL, has security issues
– Uninstall it, install the FreeRADIUS 3.x package
– Same features (and more), configuration will carry over
● 2.4 progressing
– Evaluating remaining tickets
– Release Highlights: https://www.netgate.com/blog/pfsense-software-version-2-4-release-highlights.html
● FreeBSD 11, new installer, ZFS, OpenVPN 2.4.x
● No more NanoBSD or i386 support
● SG-1000 ARM device support, more platforms coming (SG-3100!)
– RC very soon!
● NRDM demo during on-site training, coming soon to France, the UK, Germany, and Russia
– https://www.netgate.com/training/
● Advanced Class “pfSense Supplementals I” coming soon as well
– Higher-level topics such as Snort, RADIUS, DNSBL, and HAProxy
3. About this Hangout
● Server Load Balancing using relayd and HAProxy
– Primarily focused on HAProxy as it is more capable and reliable
– Coverage of relayd will be skimmed, no major changes from last hangout
– Advantages and disadvantages
– Assumes web servers are already in place, including DNS entries
● SSL Offloading in HAProxy
● ACME Integration for Let’s Encrypt certificate automation
● Redirecting requests by hostname using HAProxy ACLs
4. About relayd and HAProxy
● relayd is built into the pfSense software base installation
– Originally from OpenBSD
– Meant to work with pf directly
– Simple service for specific tasks
● HAProxy is an add-on package for pfSense
– Very powerful/flexible
– True proxy
– More capabilities, but uses more resources
5. Comparison of relayd vs HAProxy
● How they Operate
– relayd works using NAT and pf, like a “super” port forward
– HAProxy is a true proxy, accepting client connections and making new connections to servers
● Connection Handling
– relayd does not inspect the contents of packets, it forwards based on packet headers
– HAProxy can look inside the request and can act on headers
● For example, HAProxy can route requests to specific servers based on the requested hostname
– This also works, in a limited way, with non-offloaded SSL using SNI
● Service Types
– Both can handle arbitrary TCP services
– The features in HAProxy are geared toward HTTP/HTTPS, but can work with other protocols
6. Comparison of relayd vs HAProxy
● Client Addresses
– relayd shows the client IP address to the server, so the server sees the real address
– By default, HAProxy connections appear to originate from the proxy itself
● HAProxy can add X-Forwarded-For which may be used by the web server
– Apache, nginx, and others can easily log X-Forwarded-For instead of the proxy address
– Web applications can see X-Forwarded-For as well, but support varies by package
● HAProxy also has a Transparent Client IP setting to pass through the actual client address, similar to relayd
● Reporting
– relayd only reports up/down status and uptime percentages
– HAProxy tracks detailed statistics about usage and distribution of traffic/requests
● Reliability
– For more than simple/basic tasks, relayd is unreliable, especially with high loads
– HAProxy is much more robust and reliable, but does consume more resources in the process
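The X-Forwarded-For point above carries a caveat the web server or application must handle: any client can send its own X-Forwarded-For, so the header may only be believed on connections that actually arrive from HAProxy, and only the hop HAProxy appended may be used. The following is an added example, not code from the hangout or from pfSense/HAProxy; the proxy address 10.0.0.1 and the sample requests are constructed.

```python
"""
Resolve the real client address behind HAProxy.

Constructed example, not code from the hangout or from pfSense/HAProxy.
When HAProxy is NOT in Transparent Client IP mode, the web server's peer
address is the proxy itself and the real client is carried in
X-Forwarded-For. Any client can also send its own X-Forwarded-For, so the
header must only be believed when the connection really came from a
trusted proxy, and only the hop appended by that proxy may be used.
"""
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: HAProxy on the pfSense box connects to the web servers from
# this address (constructed value for the example).
TRUSTED_PROXIES = [ip_network("10.0.0.1/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr is a syntactically valid IP inside a trusted proxy range."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log or authorise for this request.

    Walk X-Forwarded-For from the right (the hop HAProxy appended) towards
    the left, skipping our own proxies. The first untrusted hop is the
    client as seen by HAProxy; anything further left was supplied by the
    client and is ignored. If the peer is not a trusted proxy (direct
    connection, or HAProxy in Transparent Client IP mode), the header is
    ignored entirely and the peer address is the client.
    """
    if not _is_trusted(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # one of our own proxies, keep walking left
        try:
            ip_address(hop)  # reject garbage such as "evil" or "1.2.3"
        except ValueError:
            return peer_addr
        return hop
    return peer_addr  # every hop was one of our own proxies


def demo() -> dict:
    """Constructed requests: (peer address, X-Forwarded-For value)."""
    samples = {
        "via haproxy": ("10.0.0.1", "203.0.113.5"),
        "client spoofed a left-hand value": ("10.0.0.1", "1.2.3.4, 203.0.113.5"),
        "direct connection with forged header": ("198.51.100.7", "203.0.113.5"),
        "via haproxy, garbage header": ("10.0.0.1", "not-an-ip"),
        "via haproxy, no header": ("10.0.0.1", None),
    }
    return {name: client_ip(peer, xff) for name, (peer, xff) in samples.items()}


if __name__ == "__main__":
    for name, resolved in demo().items():
        print(f"{name:40s} -> {resolved}")
```

nginx's realip module (set_real_ip_from, real_ip_header, real_ip_recursive) and Apache's mod_remoteip (RemoteIPHeader, RemoteIPInternalProxy) implement this same trusted-hop rule at the web server, which is the preferred place for it.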
7. Comparison of relayd vs HAProxy
● Daemon/Service Binding
– Because relayd works using NAT, relayd does NOT bind to a virtual server IP address and port
– HAProxy must bind to the IP address and port specified for a Frontend virtual server
● If the GUI or GUI redirect is running on a port to be used by HAProxy, it must be moved
● Balancing Methods
– relayd on pfSense can only use round-robin style load balancing
– HAProxy supports several balancing algorithms
● Round robin, Static Round Robin, Least Connections, Source, and more
● Client/Server Relationships
– relayd, even using Sticky, has issues maintaining client-server relationships
– HAProxy can maintain client-server relationships in several ways, such as by source address or cookie values
● SSL Offloading
– HAProxy is capable of SSL Offloading; relayd is not, because only HAProxy is actually a proxy
8. Example Demonstration Environment
● Test setup used for this demo of relayd and HAProxy includes:
– One firewall to act as a load balancer
– Multiple web servers
– DNS entries set so www.example.com resolves to a VIP address on WAN, along with other test hosts (example.com, blog.example.com)
– Test client on WAN
● Virtual server for relayd will be on port 8080, HAProxy on 80/443, so they can both be run at the same time for this demo
9. Example relayd setup
● Full walk-through available on the Wiki:
https://doc.pfsense.org/index.php/Inbound_Load_Balancing
● Before setting up servers, configure monitors as needed
– This example uses basic HTTP for simplicity, but a custom HTTP monitor can check a specific URI to ensure the web server is operational
● Ensure the target servers are on-line and operational
10. Example relayd setup
● Set up the Load Balancing Pool (the actual web servers that exist on the internal network)
– Services > Load Balancer, Pools tab, Add
– Name = MyServers, or something short (no spaces or special characters)
– Mode = Load Balance
– Port = 80
● This is the port that the ACTUAL web servers are listening on, NOT the public port!
– Retry = 5, how many times to test before declaring the server dead
– Monitor = HTTP, or whichever monitor is desired
– Enter one of the actual internal web server IP addresses, then click Add to Pool, repeat as needed until all servers are present in the Enabled column.
● If there is a separate “maintenance” or static page server to use as a fall back if all of the above servers are down, create a separate Pool and add that server
11. Example relayd setup
● Set up a Virtual Server entry (Public-facing address and port for the web site)
– Services > Load Balancer, Virtual Server tab, Add
– Name = MyWebSite, or something similar (short, no special characters, etc)
– IP Address = The WAN address (typically public!) on which the site is to be hosted
● If this is not the WAN address, it may need a Virtual IP address defined
● Must be hardcoded, but can be a host alias if it needs to be dynamic
– Port = 80 (or 8080 for this example), the port on which clients will connect from the outside
● Typically 80 for HTTP and 443 for HTTPS
– Virtual Server Pool = The pool defined previously (e.g. MyServers)
– Fall Back Pool = none, or choose one if one was defined previously
– Relay Protocol = TCP
12. Example relayd setup
● Visit the Settings tab (optional)
– Timeout: Milliseconds before a health check is failed, defaults to 1000ms (1 second)
– Interval: Seconds between health checks. Default is 10 seconds.
– Prefork: Not used for TCP
– With the default timers, it could be a full minute before a down server is detected. Tuning is strongly advised!
● Add firewall rules to pass traffic to a destination of the Internal IP addresses of the actual web servers and their ports. In this example, pass to 10.2.0.8, 10.2.0.9 on port 80
– Aliases are handy for this!
13. Example relayd setup
● Clients on LAN cannot access servers on LAN without manual outbound NAT rules to mask the traffic
– Interface = LAN, Source = LAN subnet, Destination = Web Servers, Destination Port = Server Port, Translation = Interface Address
● Status is at Status > Load Balancer
– Uncheck a server and click Save to manually remove it from service
● Aim a web browser at it, e.g. http://www.example.com:8080
● When testing, use private browsing mode, close/reopen browser, etc.
14. Example HAProxy setup
● To use port 80 on HAProxy with the GUI on another port, disable redirect on System > Advanced
● If HAProxy will use the same port as the GUI, move the GUI to another port on System > Advanced
● Install the HAProxy package from System > Packages, Available Packages tab
● Once installed, HAProxy is available under Services > HAProxy
15. HAProxy – Add Backend
● Services > HAProxy, Backend tab, Add
● Name = MyWebServers (or similar)
● Servers = Add each of the actual internal web servers along with the port on which they are listening internally
– Example: Active, serverX, Address+Port, 10.2.0.x, 80, unchecked, blank
● Balance = Round Robin
● Health Check Method = HTTP
● Transparent ClientIP = Your choice
● Stick tables – (Optional – left out of this example, to show balancing from a single client)
– Stick on Existing Cookie Value
– Cookie Name = PHPSESSID
– Length = 64
– Expire = 3h
– Size = 100k (max # of concurrent clients)
● Review other settings, set as needed
16. HAProxy – Add Frontend
● Services > HAProxy, Frontend tab, Add
● Name = MyWebSite
● Status = Active
● External Address
– Listen address = WAN address (IPv4)
● The PUBLIC facing IP address of the service, to which the DNS entries resolve
● Could use an IP Alias or CARP type VIP here
– Port = 80, the PUBLIC facing port for the service
● To run HAProxy on an alternate port, enter it here and then use a port forward to redirect traffic as needed
● Type = HTTP / HTTPS (offloading)
● Default Backend = MyWebServers
● Use 'forwardfor' option (optional) = checked, adds X-Forwarded-For header with true client IP address
● Use 'httpclose' option (optional) = httpclose, disables keep-alive, ensures X-Forwarded-For is accurate
17. HAProxy – Global Settings & Testing
● Set up HAProxy global settings
– Services > HAProxy, Settings tab
– Enable HAProxy = checked
– Maximum Connections = 1000 per backend (tune to suit available resources and load!)
– Internal Stats Port = 2200
– Review other options & Save
● Stats tab shows server status and stats, can manually disable servers
● Add firewall rules to pass traffic to the Frontend listen IP address and port
● Aim a web browser at it, e.g. http://www.example.com
● When testing, use private browsing mode, shift+click reload or ctrl+F5
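The backend and frontend from slides 15 to 17 written out as a plain haproxy.cfg, as an added example rather than the configuration the pfSense package generates; the WAN address 203.0.113.10, the health-check path and the stats URI are assumptions, and the stick table is left commented out, as on slide 15. The del-header line is the caveat to keep in mind with 'forwardfor': without it a client can pre-seed X-Forwarded-For and the web server logs a client-chosen address instead of the one HAProxy observed.

```haproxy
global
    # Global connection limit; tune to the firewall's resources (slide 17)
    maxconn 1000

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Public-facing virtual server (slide 16). 203.0.113.10 is an assumed WAN address.
frontend MyWebSite
    bind 203.0.113.10:80
    # Drop any X-Forwarded-For the client sent before 'forwardfor' appends the
    # proxy-observed address, so the server only ever sees HAProxy's value.
    http-request del-header X-Forwarded-For
    option forwardfor
    # Close after each request so every request carries its own X-Forwarded-For
    option httpclose
    default_backend MyWebServers

# The actual internal web servers (slide 15); 10.2.0.8 and 10.2.0.9 are the demo hosts.
backend MyWebServers
    balance roundrobin
    # "Health Check Method = HTTP"; the request path is assumed
    option httpchk GET /
    server server1 10.2.0.8:80 check
    server server2 10.2.0.9:80 check
    # Optional stick table from slide 15, left disabled here to show balancing
    # from a single client:
    # stick-table type string len 64 size 100k expire 3h
    # stick on req.cook(PHPSESSID)

# Stats listener on the internal port from slide 17, bound to localhost only
listen stats
    bind 127.0.0.1:2200
    stats enable
    stats uri /
```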
18. SSL Offloading
● SSL Offloading means that HAProxy on the firewall will handle SSL/TLS Negotiation and encryption/decryption
– This will greatly increase the CPU burden on the firewall!
– Use hardware with AES-NI to help with crypto operations
– Decreases CPU burden on the web servers
– Communication between HAProxy and web servers can be HTTP or HTTPS
● While using HTTPS to the backend servers will consume even more resources, the best practice is to encrypt all communications if the setup will be handling financial, medical, or other sensitive data.
● Add the CA/Cert for HAProxy to use
– Import CA, any Intermediates, and Server Cert into the Cert Manager on pfSense
– Alternately, use Let’s Encrypt with the ACME package
19. SSL Offloading
● Frontend Settings:
– Select SSL Offloading for the External Address
– SSL Offloading Section (Appears once the SSL Offloading is checked)
● Pick the server Certificate to use
● Check to add ACL for the SAN
● If there are multiple certificates for different hostnames, use “Additional Certificates” to pick them
● Backend Settings
– Exact settings depend on preferences
– For HTTP to servers, disable SSL on Server List entries, set to port 80, etc
– To also do SSL/TLS to servers, check SSL and optionally setup additional parameters
20. ACME Integration
● Let’s Encrypt lets you obtain free domain-validated SSL certificates
– ACME Package on pfSense handles the request/processing needed
– See the April 2017 hangout on Let’s Encrypt for details
● Using ACME with HAProxy
– DNS methods work great and need no special handling in HAProxy
– For HTTP, the best method is to use a LUA script (next slide)
21. ACME Integration
● Add LUA Script to HAProxy
– Source posted with this hangout
– Or download from https://github.com/janeczku/haproxy-acme-validation-plugin/releases
– In HAProxy, Files tab, add entry “acme-http01”, “LUA Script”, paste contents of script
● Add a simple HTTP frontend that uses the script:
– Type: HTTP
– ACL: “url_acme_http01”, “Path Starts With”, “/.well-known/acme-challenge/”
– Action: “http-request lua service”, “METH_GET url_acme_http01”, lua-function: “acme-http01”
● In the ACME Package, create a cert entry and, in the Domain SAN List, set it to:
– Method: webroot local folder
– Root Folder: /tmp/haproxy_chroot/.well-known/acme-challenge/
22. Using HAProxy ACLs
● As shown in the ACME example, ACLs can be used to match a request and then take an action based on that match
● Common Examples:
– ACL to match a hostname, action that matches that ACL, directs to another backend
– ACL to match a specific path, action that directs to a different backend
– ACL to match a specific source address, add an HTTP header, deny access, etc.
23. Using HAProxy ACLs - Example
● One public IP address, multiple web servers with different hostnames
● DNS: www.example.com and blog.example.com both resolve to your public IP Address
● Backend:
– www.example.com is hosted on x.x.x.2 defined as backend “www”
– blog.example.com is hosted on x.x.x.3 defined as backend “blog”
● Frontend:
– ACL: host_www, Host Matches, www.example.com
● Additional condition: host_www, Host Matches, example.com
– ACL: host_blog, Host Matches, blog.example.com
– Action: Use Backend, host_www, backend: www
– Action: Use Backend, host_blog, backend: blog
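The two ACL uses from slides 21 and 23 combined into one haproxy.cfg excerpt, as an added example rather than anything the pfSense package or the Lua plugin ships: a plain-HTTP frontend that answers only ACME http-01 challenges through the Lua service, and a TLS-offloading frontend that routes by Host header. The address 203.0.113.10, the file paths, the redirect to HTTPS, the deny for unknown hostnames, and the backend addresses 10.2.0.2/10.2.0.3 standing in for the slide's x.x.x.2/x.x.x.3 are all assumptions.

```haproxy
global
    # Lua script from slide 21; the on-disk path is assumed
    lua-load /var/etc/haproxy/acme-http01-webroot.lua

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80 exists only to serve ACME challenges (slide 21); the script reads the
# challenge files the ACME package writes into its webroot folder
frontend acme_http
    bind 203.0.113.10:80
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    # Everything else goes to the HTTPS site (assumed; not on the slides)
    http-request redirect scheme https code 301 unless url_acme_http01

# SSL offloading frontend (slide 19) with hostname routing (slide 23).
# The certificate path is assumed; pfSense exports the chosen cert itself.
frontend https_sites
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/example.com.pem
    http-request del-header X-Forwarded-For
    option forwardfor
    # "Host Matches" ACLs; -i is case-insensitive and the second value on
    # host_www is the "Additional condition" for example.com from slide 23
    acl host_www  req.hdr(host) -i www.example.com example.com
    acl host_blog req.hdr(host) -i blog.example.com
    # Refuse requests for hostnames this listener does not serve (assumed choice)
    http-request deny unless host_www or host_blog
    use_backend www  if host_www
    use_backend blog if host_blog

# www.example.com on x.x.x.2 (slide 23), written here as 10.2.0.2
backend www
    server www1 10.2.0.2:80 check

# blog.example.com on x.x.x.3 (slide 23), written here as 10.2.0.3
backend blog
    server blog1 10.2.0.3:80 check
```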