7. ISP-Go slave server
Install second (slave) ISP-Go server. Make sure that isp-go-api is launched on the master server only. All requests to the API should be sent to the master server.
To prevent isp-go-api launch on the slave server and block requests proxying, execute commands:
service isp-go-api stop
update-rc.d isp-go-api disable
rm -f /etc/nginx/sites-enabled/isp-go-api
service nginx restartConfigure replication between Redis instances. To do this, you need to allow the main server to listen at network addresses other than 127.0.0.1 by setting the bind parameter in /etc/redis/redis.conf to 0.0.0.0.
bind 0.0.0.0or, if needed, you can set it to an IP or IPs of the server
bind 127.0.0.1 192.168.5.100 10.0.0.100To apply new settings restart Redis on the master server:
service redis-server restartYou should restrict access to port TCP/6379 on the master server which is used by Redis to listen. The port should be closed using iptables and stay accessible only for the loopback interface (needed for isp-go-dnsproxy and isp-go-blockpage) and the slave server. An attacker, having access to the Redis server via TCP, could change any setting of any user, or even worse, force Redis to take up all available memory.
Consider an example where the master server has an IP address of 192.168.5.100 and the slave server has an IP address of 192.168.5.200. In this case, security on the main server is ensured by this iptables rule:
iptables -A INPUT ! -s 192.168.5.200 -p tcp --dport 6379 ! -i lo -j DROPTo save this rule, so that it recovers after a reboot, run the command:
service netfilter-persistent saveAdd to the configuration file /etc/redis/redis.conf on the slave server following parameters at the end of the document:
slaveof <masterip> <masterport>Then restart Redis on the slave server to apply the settings:
service redis-server restart