7. ISP-Go slave server
Install the second (slave) ISP-Go server. Make sure that isp-go-api is launched on the master server only; all requests to the API must be sent to the master server.
To prevent isp-go-api from starting on the slave server and to stop nginx from proxying requests to it, execute the following commands:
service isp-go-api stop
update-rc.d isp-go-api disable
rm -f /etc/nginx/sites-enabled/isp-go-api
service nginx restart
Configure replication between the Redis instances. To do this, allow the master server to listen on network addresses other than 127.0.0.1 by setting the bind parameter in /etc/redis/redis.conf to 0.0.0.0:
bind 0.0.0.0
or, if needed, to one or more specific IP addresses of the server:
bind 127.0.0.1 192.168.5.100 10.0.0.100
To apply the new settings, restart Redis on the master server:
service redis-server restart
Restrict access to TCP port 6379 on the master server, the port on which Redis listens. Close the port with iptables so that it stays reachable only from the loopback interface (needed by isp-go-dnsproxy and isp-go-blockpage) and from the slave server. An attacker with TCP access to the Redis server could change any setting of any user or, even worse, force Redis to consume all available memory.
Consider an example where the master server has the IP address 192.168.5.100 and the slave server has the IP address 192.168.5.200. In this case, the master server is protected by this iptables rule:
iptables -A INPUT ! -s 192.168.5.200 -p tcp --dport 6379 ! -i lo -j DROP
To save this rule so that it is restored after a reboot, run the command:
service netfilter-persistent save
Add the following parameter at the end of the configuration file /etc/redis/redis.conf on the slave server, substituting the master's IP address and Redis port:
slaveof <masterip> <masterport>
Then restart Redis on the slave server to apply the settings:
service redis-server restart
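The following script is an added example, not part of the ISP-Go documentation. It checks the three things the procedure above depends on: that the master's redis.conf binds to an address the slave can reach, that the slave's redis.conf points at the master, and that the master's INPUT chain carries the DROP rule from the guide. The IP addresses, port and sample file contents are assumptions matching the guide's example; on real hosts you would point the functions at the actual /etc/redis/redis.conf files and at the output of `iptables -S INPUT`.

```shell
#!/bin/sh
# Added example (not ISP-Go's own code): sanity checks for the Redis master/slave
# setup. IPs, port and the sample inputs below are assumptions from the guide.
MASTER_IP="192.168.5.100"
SLAVE_IP="192.168.5.200"
REDIS_PORT="6379"

# Print the addresses of the last uncommented "bind" line in a redis.conf.
redis_bind_addrs() {
    grep -E '^[[:space:]]*bind[[:space:]]' "$1" | tail -n 1 |
        sed -E 's/^[[:space:]]*bind[[:space:]]+//'
}

# 0 if the master's Redis is reachable from the slave: bound to 0.0.0.0, to the
# master's own IP, or to nothing at all (Redis then listens on every interface).
master_reachable() {
    addrs=$(redis_bind_addrs "$1")
    [ -z "$addrs" ] && return 0
    for a in $addrs; do
        [ "$a" = "0.0.0.0" ] && return 0
        [ "$a" = "$MASTER_IP" ] && return 0
    done
    return 1
}

# 0 if the slave's redis.conf replicates from the master on the expected port.
slave_configured() {
    grep -Eq "^[[:space:]]*slaveof[[:space:]]+$MASTER_IP[[:space:]]+$REDIS_PORT([[:space:]]|\$)" "$1"
}

# 0 if the guide's DROP rule is present; pass the output of `iptables -S INPUT`.
# Only the slave and the loopback interface may reach the Redis port.
redis_port_filtered() {
    rule=$(printf '%s\n' "$1" | grep -E -- "--dport $REDIS_PORT .*-j DROP") || return 1
    case "$rule" in
        *"! -s $SLAVE_IP"*"! -i lo"*) return 0 ;;
    esac
    return 1
}

# Constructed stand-ins for /etc/redis/redis.conf on each host and for the
# saved iptables ruleset on the master (what `iptables -S INPUT` would print).
MASTER_CONF=$(mktemp); SLAVE_CONF=$(mktemp)
printf 'port 6379\n# bind 127.0.0.1\nbind 127.0.0.1 192.168.5.100\n' > "$MASTER_CONF"
printf 'port 6379\nslaveof 192.168.5.100 6379\n' > "$SLAVE_CONF"
IPT_RULES='-P INPUT ACCEPT
-A INPUT ! -s 192.168.5.200/32 ! -i lo -p tcp -m tcp --dport 6379 -j DROP'
master_reachable "$MASTER_CONF" && echo "master: Redis bind OK"
slave_configured "$SLAVE_CONF" && echo "slave: slaveof OK"
redis_port_filtered "$IPT_RULES" && echo "master: Redis port filtered"
```

A conf that binds only 127.0.0.1 makes master_reachable fail, which is the usual cause of a slave that never synchronises; a missing DROP rule makes redis_port_filtered fail, which leaves Redis open to every host that can reach the master.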