nginx + a backend with a dynamic IP (e.g. AWS ELB)

Recently, I wrote about the dynamic resolution of upstream servers in nginx which was achieved by quite an intrusive patch to the core nginx module. The patch was invented a while ago and was working very well up until recent nginx versions were released.

With the release of nginx 1.10 it was noticed that the patch crashes some workers under heavy load and this was unacceptable for the production load, hence a new approach was implemented.

The beauty of the new solution is that it is non-intrusive and works with any services that communicate via sockets.

In a nutshell read time 9 min.

Dynamic resolution of upstream servers in nginx

UPDATE: This approach was superseded by the proxying through systemd-socket-proxyd approach.

Many of my clients are running application stacks consisting of nginx plus some kind of scripting engine behind it (be it PHP, Ruby, or something else).

The architecture I designed for this kind of workload involves at least two load balancers:

  • an external, frontend load balancer that serves the web requests from visitors; and
  • an internal, backend load balancer that distributes load between the backends.

Everything looks great when you implement this using “in-house” infrastructure where you control most of the networking aspects.

However, the tendency is that most read time 1 min.

Transparent SSH host-jumping (Expert)

26 July 2016

A while ago in the Transparent SSH host-jumping (Advanced) post I described a technique on how one could jump quite effortlessly through a chain of intermediate hosts. However, there was a catch: the user names and ports across the whole chain should be the same and there was no easy way to change that.

Given that I recently paid quite a lot of attention to the ProxyCommand directive I decided to look into the implementation of the helper script that will allow one to tweak parameters for the hosts in the chain.

You can read the original post for the read time 3 min.

Offloaded on ssh

SSH: Interactive ProxyCommand

25 July 2016

I was involved in the creation of the sshephalopod project, which was an attempt to build an enterprise level authentication framework for SSH authentication using the SSH CA feature.

The project is based on a wrapper script that signs a user via a SAML identity provider and gets user’s public key signed for the further usage.

In one of the discussions I pointed out that such a wrapper script is not good for the end user experience and I proposed to provide the users with an excerpt for their ssh config file, so the functionality of sshephalopod would be read time 5 min.

Offloaded on ssh

2 / 4