I am trying to understand how a solution will behave if deployed in a server farm. We have a Java web application which will talk to an FTP server for file uploads and downloads.
It is also desirable to protect the FTP server with a firewall, such that it will allow incoming traffic only from the web server.
At the moment, since we do not have a server farm, all requests to the FTP server come from the same IP (web server IP), making it possible to add a simple rule in the firewall. However, if the application is moved to a server farm, then I do not know which machine in the farm will make a request to the FTP server.
Just like the farm is hidden behind a facade for its clients, is it hidden behind a facade for the services it might invoke, so that regardless of which machine from the farm makes the request to the FTP server, it always sees the same IP?
Are all server farms implemented the same way, or would this behavior depend on the type of server farm? I am thinking of using Amazon Elastic Cloud.
2 solutions
#1
It depends very much on how your web cluster is configured. If your cluster is behind a NAT firewall, then yes, all outgoing connections will appear to come from the same address. Otherwise, the IP addresses will be different, but they'll almost certainly all be in a fairly small range of addresses, and you should be able to add that range to the firewall's exclude list, or even just list the IP address of each machine individually.
#2
Usually you can enter cnames or subnets when setting up firewall rules, which would simplify the maintenance of them. You can also send all traffic through a load balancer or proxy. That's essentially how any cloud/cluster/farm service works.
many client ips <-> load balancer <-> many servers
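Both answers come down to the same choice for the FTP server's firewall: allow one NAT egress address, allow the farm's subnet, or list each farm machine individually. The following is an added example (not part of either answer, and not code from the asker's application) that models those three allowlists with Python's standard `ipaddress` module, evaluates a constructed log of connection sources against each, and renders the subnet variant as nftables-style rule text. All addresses, the log entries and the `render_nft_rules` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample allowlists, one per option discussed in the answers (hypothetical addresses).
NAT_EGRESS = ["203.0.113.10/32"]                                 # farm behind a NAT: one source address
FARM_SUBNET = ["10.20.0.0/24"]                                   # farm not NATed: one small range
FARM_HOSTS = ["10.20.0.11/32", "10.20.0.12/32", "10.20.0.13/32"]  # each known farm machine listed by hand

# Constructed log of connection attempts as the FTP server's firewall would see them: (source IP, dst port).
CONNECTION_LOG = [
    ("203.0.113.10", 21),   # the NAT address
    ("10.20.0.12", 21),     # a farm node that is in the per-host list
    ("10.20.0.57", 21),     # a farm node added later, not in the per-host list
    ("198.51.100.7", 21),   # an unrelated Internet host
]


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(src_ip, allowlist):
    """True if the source address falls inside any allowed network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def evaluate(log, allowlist):
    """Map each logged source IP to whether the allowlist would accept it."""
    return {src: is_allowed(src, allowlist) for src, _dport in log}


def render_nft_rules(cidrs, dport=21, table="inet filter", chain="input"):
    """Render nftables-style rule lines for the allowlist (hypothetical helper: returns text, applies nothing).

    A /32 is written as a bare address, the way nft prints it; wider prefixes keep their length.
    """
    members = []
    for net in build_allowlist(cidrs):
        members.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    accept = f"add rule {table} {chain} ip saddr {{ {', '.join(members)} }} tcp dport {dport} accept"
    drop = f"add rule {table} {chain} tcp dport {dport} drop"
    return [accept, drop]


if __name__ == "__main__":
    for name, cidrs in (("NAT egress", NAT_EGRESS), ("farm subnet", FARM_SUBNET), ("farm hosts", FARM_HOSTS)):
        print(name, evaluate(CONNECTION_LOG, build_allowlist(cidrs)))
    print("\n".join(render_nft_rules(FARM_SUBNET)))
```

Running it shows the maintenance trade-off from answer #1: the subnet allowlist accepts the later-added node 10.20.0.57 without a rule change, the per-host list rejects it until someone edits the firewall, and the NAT variant accepts only the single egress address. The unrelated host 198.51.100.7 is rejected under all three.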