New GPWA database and forum servers being deployed

[MichaelCorfman]

I had announced some time ago that we had ordered several new servers to support the GPWA website. We are currently planning to perform the migration to the new hardware beginning at 8am EST tomorrow morning, Monday, 26 January 2015. The forums will be down during the migration, but the rest of the site will remain operational. If everything proceeds smoothly, the migration should take less than an hour.

The new hardware includes a replacement MySQL database server to power the GPWA forum. The current MySQL server used by the GPWA website has 4GB of memory with an Intel Xeon E5430 processor. The new server uses the more powerful E5-2650 v2 processor and has an initial configuration of 16GB of memory. You can see a comparison of the two processors here:

cpuboss.com/cpus/Intel-Xeon-E5430-vs-Intel-Xeon-E5-2650-v2

We are also migrating the forum and the rest of the GPWA website to a pair of load-balanced web servers, to improve performance, to avoid temporary disruptions for activities like the rebooting of servers, and to improve resilience to hardware failures.

Hopefully the new hardware will translate into our members experiencing a better performing GPWA website.

In addition to providing better performance, we are also migrating to the new servers to deal with a recent hacking of the GPWA web server. Since the current server has been compromised, we decided the safest approach was to promptly move the site to the new server, which is one where we have paid special attention to further reducing vulnerabilities. The specific instance of recent hacking to which I refer is documented in the following thread that was started six days ago: GPWA is hacked!!!


Michael

[Gamer]

Omg.... 16GB of memory.... wow! GPWA rocks!
Good Luck with the migration and to attract more platinum sponsors!

[Roulette Zeitung]

"Good Luck with the migration and to attract more platinum sponsors!"

The best would be to protect to good of the existing ones instead of more.

Not every year must end under any circumstances with a higher profit. I know, that is the American system, but deep in our heart we still have a social aptitude, and not every sponsor who is leaving the stage, shall be replaced by another one.

Sometimes less is more

Leopold

[MichaelCorfman]

The migration to the new servers was completed a few moments ago. Hopefully the site will be a little zippier now.

We tried to do a good job of testing, but migrations do sometime introduce issues that need to be resolved. If anyone encounters any issues using the site, please let us know so we can investigate.

Michael

[Pmig]

16Gb of ram is "reasonable" but I cant understand why is needed a load balancer here.

Maybe if you switch fromMicrosoft-IIS/8.5 to a *nix destribution and use nginx and/or varnish you dont need that headache/cost.
This is also true about your PHP version who is outdated and slow. (PHP/5.4.24), You should consider move that to 5.5 or 5.6 who have a lot of performance impovements.

At terms of CPU cost you could have opted in for a E3-1245 V2, its fairly similar and is almost a third of the price ( http://cpuboss.com/cpus/Intel-Xeon-E...Xeon-E3-1245V2 ).

But well, good job.

[TheGooner]

The migration to the new servers was completed a few moments ago.

Well done Michael - always a nervous time to be down - but it was painless ... I didn't notice a thing!

[universal4]

Using any NIX installation on a single server would still allow for a single point of failure whereas any load balanced solution would not!

Looks as if the migration went smooth, but I was fairly confident as I had been doing some testing.

Rick
Universal4

[Pmig]

You can have a linux cluster without a load balancer But well It's your decision, is not right or wrong. I'm just saying I do things on a diferent way, with same security and less costs.

[universal4]

You can cluster windows without a load balancer also, but that isn't really the point.

A load balanced solution is very robust and allows for very granular port mapping and natting, through the load balancing devices.

I am a strong advocate of web servers doing ONE thing, serving websites and nothing else. Not mail, not sql, not nat nothing else when at all possible.

What this does is basically (in general terms) only pass port 80 and ssl traffic to the web servers, while monitoring which if both (or more) web servers are up and distributing the traffic to multiple web servers, and ONLY passing web traffic to them and nothing else.

Sure you could do that with nix installs, but that would mean the natting would take place on the web servers, in the above scenario the web servers handle ONLY web traffic) or you would have to have a cluster of nix boxes in front of the webs to do the natting and splitting up of the traffic to the nodes behind it. (also the nix boxes would have to run load balancing software)

In almost all cases the single function load balancers will be running a linux kernal and will take care of all packet inspection and dostribute the traffic (Only using the ports allowed by the admins) to the nodes behind it.

Now I am personally a fan of Load Masters from Kemp Technologies, although I do not know if Michael is using those or maybe the Baracuda equipment or other.

Once load balancers are set up and configured properly, you could in essence unplug or shut down one of the servers and the load balancer would detect it was down and then send 100% of the firewalled (using that temr loosely) traffic to the remaining web server. Thus, in cases like Michael stated earlier, if either server is rebooted or suffers a hardware failure, the other server is already serving the traffic.

Before you ask if the load balancers can be a single point of failure, yes they can, but if you have a pair in high availability mode then they run in tandom in a master slave setup so if one fails the other takes over.

Normally in the situations described above, the only single point of failure for webs is the public switch. (the switch that handles and distributes public traffic between the upstream router or provider's switch and the servers, load masters and other devices that need public traffic)

In the scenario above, web servers do not have public ip's bound to them and are not exposed directly to the public as all traffic must pass through the load balancer first before reaching a web server. (at least any load balancers I have looked at all do nat)

I understand my post went pretty far into the tech side, and I did try and use more general terms a little while staying fairly accurate but I think it helps show how robust of a solution Michael and his team have put into place and in the long term I think they will see even the attacks will subside to a degree since only the front end devices will see the port scans etc and only traffic they define will be getting through which will make monitoring invalid logon attempts etc easier to track.

I do not know the exact topology of what Michael has designed, but I hope the details I posted were accurate enough and may help some understand a little more about how load balancing works, and how these kinds of solutions help the long term high availability.

Rick
Universal4

[Pmig]

No problem at all with tech side

If you like the single responsability services (as I do) (not only single responsability server but also on sevice levels) you can abstract/virtualize with docker https://www.docker.com/ .

Take a look at https://coreos.com/ or http://www.projectatomic.io/

This is how "big boys" do things on now days. The load balancer solution is a little obsolete, is expensive to scale and as you describe appear the main job there is firewall"ish" behaviour.

[universal4]

I have not looked at those you mention.

I am (here and there with limited time resources) looking for a bare metal type of virtual environment.

I have looked closely and seriously considered proxmox, but have not finalized an opinion.

In my opinion, large scalable solutions usually need something on the front end for nat and traffic distribution, and a solid LB is a great choice.

By the way, I do not put dns or mail behind these, only the webs.

Rick
Universal4

[MichaelCorfman]

I described the general functioning of our configuration using load balancers for redundancy some time ago when it was first implemented to support the GPWA seal program. You can see that description in the following thread:

New Fault-Tolerant GPWA Seal Service.

Michael

[Pmig]

I have not looked at those you mention.

I am (here and there with limited time resources) looking for a bare metal type of virtual environment.

I have looked closely and seriously considered proxmox, but have not finalized an opinion.

In my opinion, large scalable solutions usually need something on the front end for nat and traffic distribution, and a solid LB is a great choice.

By the way, I do not put dns or mail behind these, only the webs.

Rick
Universal4

I use proxmox a couple of years ago, was not bad but on now days there is better ways to deploy vm's.

Take a serious look at docker, is fair better than openvz (proxmox) aproach. Docker permits to have several OS's on same install (even several versions of same OS).

With proxmox everytime you want to deploy a new vm you have to install the full OS wasting machine resources, with docker you share the core, so you can have 100's of, lets say, centos with only one centos instalation.

[universal4]

Thanks, that is a good point, although I do not mind fresh installs too much.

I will be, predominantly at least, be running virtual windows servers as well as possibly an install or two of windows 7 and likely one install of windows xp. (specific application need)

Rick
Universal4

[Pmig]

On your case as you will virtualize windows docker is not the solution, so sticking with proxmox and KVM's I think its the better free way to go.

[universal4]

Thanks for the link to the topology you had posted previously, I had forgotten about that.

It reminded me of the fact that one of these days I wanna sit down and pick Alan's brain on a few questions I have about that setup.

Maybe I should pop in and do so in person since I would understand it better....I could possibly plan a visit one of my trips to PA.....but I have no intention of doing that while that silly white stuff is falling from the sky....last time I was involved in that I was sick in bed for two weeks....lol (looks to be about a 5 hour drive)

Rick
Universal4