This is a repository of my old source code which isn't updated any more. Go to git.rot13.org for current projects!

Contents of /README.test_with_bounce



Revision 1.1
Mon Sep 2 15:08:44 2002 UTC (21 years, 7 months ago) by dpavlin
Branch: MAIN
Nice document how to check your services from Internet

Are my servers available to people on Internet?
-----------------------------------------------
2002-09-02 Dobrica Pavlinusic <dpavlin@rot13.org>


That same question bothered me for a long time. My situation is not unique:


    Internet <--> DMZ <--> internal network and server running mon


I could check servers which are on my internal network, in the DMZ or on
the Internet, but none of those checks actually helped me to know if an
external user somewhere on the Internet could reach my services.


After a while, I developed several methods for answering my question:

1. test if internal services are available

2. test outside IP addresses (which are unavailable from the internal
   network directly) using a socks proxy located in the DMZ (using
   socksch.monitor for that)

3. install probes on various hosts on the Internet which try to connect to
   my services and report success or failure.


While the first approach is required and the second one is good (and it
doesn't hurt to check it), the third one is really the "Joe surfer" experience.

So, let's see how to set up such a thing...


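A typical example of such a probe is:

----- webmail.cgi -----

#!/bin/sh

# CGI header, then an empty line to end the headers
echo "Content-type: text/plain"
echo

# fetch the page, discard the body and return wget's log
# (written to stderr) as the response
exec wget -O /dev/null http://webmail.foo.bar 2>&1

-----------------------

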
What would I get if I tried to access the webmail.cgi URI? Well, I would get
the output of wget which (if successful) would say that it saved the page to
/dev/null. I will use that to check if the service is available using


    monitor lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'


I'm adding "302 Found" to the valid regex so that I can accept redirects to
secure http servers (https) with a wget without ssl support.


Now that I had solved that, all I had to do was to sit and wait to see if my
probes were working. However, soon one of my "probe servers" on the Internet
failed and I got numerous alerts because one server, outside my
responsibility, wasn't available. What now?

I decided to add multiple probe servers on the Internet for the same service
and to modify some mon monitors to return success if at least one of those
servers is available.

At this moment, that new option (-o) is available in:

    lwp-http.mon
    anon_ftp.mon

[It's implemented in anon_ftp.mon because anonymous ftp servers report
an error if there are too many users connected at the same time, and that
doesn't actually mean that the server is not working].

So, I have the following architecture:


    Internet                    DMZ            internal network

    host A [webmail.cgi]----+
                             >--------o------------------ mon host
    host B [webmail.cgi]----+


This way, one of the hosts can fail and if the other one responds, I'm still safe.
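
The "success if at least one probe answers" rule described above, as an added example (it is not the -o code from lwp-http.mon or anon_ftp.mon). It assumes each probe's response has already been saved to a file; the function name any_probe_ok and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: aggregate several probe responses into one monitor result.
# In a real monitor each file would hold the body returned by one probe's
# webmail.cgi; here the responses are constructed so the logic runs offline.

OK_REGEX='(saved|302 Found)'   # same pattern as the -r argument above

# any_probe_ok FILE...
# Prints one status line per probe. Returns 0 if at least one response
# matches OK_REGEX and 1 if none does, so a single dead probe host does
# not raise an alert but a service that no probe can reach still does.
any_probe_ok() {
    ok=0
    for f in "$@"; do
        # A missing or unreadable response counts as a failed probe.
        if [ -r "$f" ] && grep -Eq "$OK_REGEX" "$f"; then
            echo "ok   $f"
            ok=$((ok + 1))
        else
            echo "FAIL $f"
        fi
    done
    [ "$ok" -gt 0 ]
}

# Constructed sample responses (not captured from real hosts).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' "15:00:01 (1.2 MB/s) - '/dev/null' saved [5120]" > "$demo_dir/hostA"
printf '%s\n' "Connecting to webmail.foo.bar... failed: Connection timed out." > "$demo_dir/hostB"
printf '%s\n' "HTTP request sent, awaiting response... 302 Found" > "$demo_dir/hostC"

# host B cannot reach the service, but A and C can: overall result is success.
if any_probe_ok "$demo_dir/hostA" "$demo_dir/hostB" "$demo_dir/hostC"; then
    echo "service reachable from at least one probe"
else
    echo "service unreachable from every probe"
fi
```

The per-probe lines show which probe host is failing even while the overall result stays green, so a broken probe can be repaired before the last working one also fails.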
