This is a repository of my old source code which isn't updated any more. Go to git.rot13.org for current projects!

Contents of /README.test_with_bounce



Revision 1.2
Thu Feb 6 17:26:55 2003 UTC (16 years, 3 months ago) by dpavlin
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +2 -1 lines
misc fixes before new release


Are my servers available to people on Internet?
-----------------------------------------------
2002-09-02 Dobrica Pavlinusic <dpavlin@rot13.org>


That same question bothered me for a long time. My situation is not unique:


    Internet <--> DMZ <--> internal network and server running mon


I could check servers which are on my internal network, in the DMZ or on the
Internet, but none of those checks actually helped me to know if an external
user somewhere on the Internet could reach my services.


After a while, I developed several methods for answering my question:

1. test if internal services are available

2. test outside IP addresses (which are unavailable from the internal
   network directly) using a SOCKS proxy located in the DMZ (using
   socksch.monitor for that)

3. install probes on various hosts on the Internet which try to connect to
   my services and report success or failure.


While the first approach is required and the second one is good (and it doesn't
hurt to check it), the third one is really the "Joe surfer" experience.

So, let's see how to set up such a thing...



A typical example of such a probe is:

----- webmail.cgi -----

#!/bin/sh

# CGI header, followed by the blank line that ends the headers
echo "Content-type: text/plain"
echo

# wget writes its log to stderr; 2>&1 makes that log the response body
exec wget -O /dev/null http://webmail.foo.bar 2>&1

-----------------------


What would I get if I tried to access the webmail.cgi URI? Well, I would get
the output of wget which (if successful) would say that it saved the page to
/dev/null. I will use that to check if the service is available using


    monitor lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'


I'm adding "302 Found" to the regex of valid responses so that I can accept
redirects to secure HTTP servers (https) with a wget without SSL support.


Now that I had solved that, all I had to do was to sit and wait to see if my
probes were working. However, soon one of my "probe servers" on the Internet
failed and I got numerous alerts because one server, outside my responsibility,
wasn't available. What now?

I decided to add multiple probe servers on the Internet for the same service and
to modify some mon monitors to return success if at least one of those servers
is available.

At this moment, that new option (-o) is available in:

    lwp-http.mon
    anon_ftp.mon

[It's implemented in anon_ftp.mon because anonymous FTP servers report an
error if there are too many users connected at the same time, and that
doesn't actually mean that the server is not working].

So, I have the following architecture:


    Internet                      DMZ         internal network

    host A [webmail.cgi]----+
                             >--------o------------------ mon host
    host B [webmail.cgi]----+


This way, one of the hosts can fail, and if the other one responds, I'm still safe.

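The "success if at least one probe answers" rule described above, as an added sketch that is not the -o code from lwp-http.mon or anon_ftp.mon. It goes one step further than the README by separating "probe host unreachable" from "probe answered but its wget failed", so a dead probe server is not mistaken for a dead service. PROBE_FETCH, classify_probe and any_probe_ok are hypothetical names, and the host names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of mon or of the README's monitors.
# PROBE_FETCH (hypothetical hook): command that prints a probe's response body.
: "${PROBE_FETCH:=wget -q -T 10 -t 1 -O -}"
OK_REGEX='(saved|302 Found)'    # same regex the README passes with -r

# classify_probe URL -> prints ok | service-down | probe-unreachable
classify_probe() {
    if ! body=$($PROBE_FETCH "$1" 2>/dev/null); then
        echo probe-unreachable      # the probe host itself did not answer
    elif printf '%s\n' "$body" | grep -Eq "$OK_REGEX"; then
        echo ok                     # probe ran wget and reached the service
    else
        echo service-down           # probe answered, but its wget failed
    fi
}

# any_probe_ok URL... -> returns 0 as soon as one probe reports ok;
# otherwise prints a one-line summary of every probe's state and returns 1.
any_probe_ok() {
    failed=""
    for url in "$@"; do
        state=$(classify_probe "$url")
        if [ "$state" = ok ]; then
            return 0
        fi
        failed="$failed $url($state)"
    done
    echo "no probe succeeded:$failed"
    return 1
}

# Usage (constructed host names):
#   any_probe_ok http://hostA.example/~dpavlin/test/webmail.cgi \
#                http://hostB.example/~dpavlin/test/webmail.cgi
```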
