...
SeamlessAccess HAproxy Upgrade
Monitor
Server
| Name | Location | Env |
|---|---|---|
| monitor.ntx.sunet.eu.seamlessaccess.org | STO1v2, Safespring | Production |
Description
This is the monitoring server. It runs Nagios 4 to monitor the health and operation of the virtual servers in Production, Beta and Staging. The web GUI is at https://monitor.seamlessaccess.org/.
...
No proper upgrade guide is available. Nagios is usually upgraded to whatever newer version is available at the time we upgrade the server's OS.
Demo Application
Server
| Name | Location | Env |
|---|---|---|
| sp-test.seamlessaccess.org | STO1v2, Safespring | Mixed |
Description
This server runs the demo SP (service provider) applications for both Production and Beta. They are exposed at https://demo.seamlessaccess.org/ and https://demo.beta.seamlessaccess.org respectively.
...
These certificates are used on the following servers.
| Servers | Purpose |
|---|---|
| HAproxy Load balancers | For authentication with Fastly |
| Aggregators & Publishers | For authentication with thiss-mdq servers |
The expiry of these certificates is monitored in https://monitor.seamlessaccess.org/.
...
Read about Fleetlock at https://wiki.sunet.se/pages/viewpage.action?pageId=147522142.
Firewall Restrictions
The rules are implemented on the servers using nftables. The same rules are mirrored in the security groups of Safespring's OpenStack platform and in AWS, so a change to one must be made in the others as well.
Some of the nftables rules are implemented through this Puppet manifest: https://github.com/TheIdentitySelector/thiss-ops/blob/master/global/overlay/etc/puppet/modules/thiss/manifests/firewall_rules.pp
| Server type | Rules |
|---|---|
| All | SSH via SUNET's designated jump hosts |
| All | NRPE to monitor.seamlessaccess.org & nagiosxi.nordu.net |
| All | Egress/outgoing packets from all ports |
| HAproxy Load Balancer for thiss-js | HTTPS to internet; TCP 8404 (HAproxy stats port) to vpn1.sunet.se & monitor.seamlessaccess.org |
| HAproxy Load Balancer for thiss-mdq | HTTPS to internet; TCP 8404 (HAproxy stats port) to vpn1.sunet.se & monitor.seamlessaccess.org |
| thiss-js | HTTP to HAproxy Load Balancer for |
| thiss-mdq for Production & Beta | HTTP to HAproxy Load Balancer for |
| thiss-mdq for staging | HTTPS and HTTP to SUNET Load Balancers |
| Aggregator & publishers for Production & Staging | HTTPS to |
| Aggregator & publishers for Beta | HTTPS to |
| Monitor | HTTPS to vpn1.sunet.se; HTTP to internet (for ACME challenges to renew the Let's Encrypt certificate) |
| Demo Application | HTTPS to internet |
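As an added illustration, not the project's own code and not the thiss-ops Puppet manifest linked above, the ruleset below expresses the table rows that apply to an HAproxy load balancer for thiss-js as an nftables file. It reads the Rules column as ingress: HTTPS open to the internet, the stats port limited to vpn1.sunet.se and the monitor, SSH limited to the jump hosts, NRPE limited to the two Nagios servers, and all egress allowed. The IP addresses are placeholders from the RFC 5737 documentation range, not the real jump hosts, monitors or vpn1.sunet.se, and NRPE is assumed to listen on its default TCP port 5666.

```nft
#!/usr/sbin/nft -f
# Added example (not from thiss-ops): nftables ruleset for the
# "HAproxy Load Balancer for thiss-js" rows of the firewall table.
# All addresses are PLACEHOLDERS (RFC 5737 192.0.2.0/24); replace them
# with the real jump hosts, monitors and vpn1.sunet.se before use.

flush ruleset

table inet filter {
    set jump_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }   # SUNET designated jump hosts (placeholder)
    }
    set monitors {
        type ipv4_addr
        elements = { 192.0.2.20, 192.0.2.21 }   # monitor.seamlessaccess.org, nagiosxi.nordu.net (placeholder)
    }
    set stats_clients {
        type ipv4_addr
        elements = { 192.0.2.20, 192.0.2.30 }   # monitor.seamlessaccess.org, vpn1.sunet.se (placeholder)
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections the host opened, plus loopback and ICMP
        # (path MTU discovery, neighbour discovery); packets in no known
        # connection state are dropped outright.
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Row "All": SSH only via SUNET's jump hosts
        ip saddr @jump_hosts tcp dport 22 accept

        # Row "All": NRPE (assumed default TCP 5666) only from the Nagios servers
        ip saddr @monitors tcp dport 5666 accept

        # Row "HAproxy Load Balancer for thiss-js": HTTPS open to the internet ...
        tcp dport 443 accept

        # ... and the HAproxy stats port only from vpn1 and the monitor.
        ip saddr @stats_clients tcp dport 8404 accept

        # Anything else (SSH from elsewhere, 8404 from the internet, ...) falls
        # through to the drop policy; log a rate-limited sample for diagnosis.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Row "All": egress/outgoing packets allowed from all ports
        type filter hook output priority filter; policy accept;
    }
}
```

Syntax-check the file with `nft -c -f haproxy.nft` before loading it with `nft -f haproxy.nft`; `flush ruleset` at the top means the file is the whole policy, so a missing row here removes that access on the host even if the cloud security group still permits it. As the section says, the same rules have to be mirrored in the Safespring and AWS security groups.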
Staging Metadata Service
SUNET hosts the thiss-mdq (MDQ) service only for staging, at https://md-staging.thiss.io. It is served by SUNET's load balancers rather than by the project's own HAproxy load balancers.
...