[OOTB-infra] Live showcase

Martin Cosgrave martin at ocretail.com
Fri Oct 17 18:24:26 BST 2014


OK, that makes a lot of sense. Of course it does preclude running other 
services like Alfresco's SMTP and FTP servers on more than one box, but 
until we need something like that I'm happy with your architecture. If 
and when we need something else we can order more IPs. Or is it better 
to order them now while the budget is there? (And the v4 IPs for that 
matter!)

On 17/10/14 19:17, Heiko Robert wrote:
> Martin,
>
> my suggestion would be to make all VMs accessible via HTTP/HTTPS from 
> one public IP.
> We can register as many subdomains as we want and create CNAME entries 
> to the one real A host record. 80/443 will be forwarded to a minimal 
> reverse-proxy VM running a hardened Apache. Every subdomain has its 
> own virtual host and mod_proxy_ajp config. Resolution is then done 
> from one Apache by hostname/subdomain. We are running > 20 test systems 
> that way at a time. If you want to access another VM we just need to 
> make a DNS entry, copy the virtual host config and change the subdomain 
> name/VM IP. If you have only one access point / one reverse proxy it's 
> much easier to make it secure, ban attacks etc.
>
> If direct SSH access is required we could forward SSH on ports like 
> 9122, 9222, 9322 etc., or better, we use VPN for that. If we use VPN we 
> are safe here also and don't need to monitor every VM.
>
> So my suggestion is:
>
> Order
> * 1 EX4 box with remark "prepared with ESX 5.1 (to run with the 
> Realtek card)"
> * 2nd IP can be ordered/activated when hardware is seen in the Admin 
> interface
>
> When everything is set up we can order a second machine and divide the VMs 
> in this manner: productive/official systems like website, blog, demos run 
> on the first server and all testing, develop/build/stressing VMs can 
> be moved to the second server.
> We can automatically create online VM snapshots from one host to the 
> other. This makes backup / disaster recovery very easy.
>
>
> On 16.10.2014 at 18:46, Martin Cosgrave wrote:
>> Not sure I'm following the logic; we probably want the VMs to be 
>> independently addressable from the internet even if they go through 
>> 1:1 NAT in pfSense 
>

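The single-IP layout Heiko describes (one public address, one hardened Apache, one name-based virtual host per subdomain proxying via AJP to a VM on the internal network) looks roughly like the configuration below. This is an added example written for this page, not configuration from the OOTB project or from anyone in the thread. Everything specific is assumed: the domain example.com, the backend VM addresses 10.0.0.21 and 10.0.0.22 on a network reachable only from the proxy VM, AJP on port 8009, the certificate paths and the log directory. Where Heiko copies the vhost file and edits the subdomain and VM IP by hand, this example uses mod_macro (shipped with Apache 2.4.5 and later) so that adding a VM is one DNS CNAME plus one `Use` line.

```apache
# Added example: Apache 2.4 reverse-proxy front end for several backend VMs.
# Assumed: domain example.com, VMs 10.0.0.21/10.0.0.22 on an internal-only
# network, AJP connector on 8009, cert paths, logs under /var/log/apache2.
# Modules: mod_ssl, mod_proxy, mod_proxy_ajp, mod_alias, mod_headers, mod_macro.

ServerTokens Prod
ServerSignature Off
TraceEnable Off
# Never act as a forward proxy; ProxyPass alone is what a reverse proxy needs.
ProxyRequests Off

# 1. Catch-all vhosts, defined FIRST. Name-based routing falls back to the
#    first vhost when no ServerName matches, so a request for an unknown
#    Host (or the bare IP) must land here and get 403, not on a backend.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default.pem
    SSLCertificateKeyFile /etc/ssl/private/default.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2. One backend = one macro expansion. @sub is the subdomain, @vmip the
#    VM's internal address (the "@" sigil avoids clashing with ${} variables).
<Macro BackendVhost @sub @vmip>
    # Port 80 only redirects to HTTPS; nothing is proxied in the clear.
    <VirtualHost *:80>
        ServerName @sub.example.com
        Redirect permanent "/" "https://@sub.example.com/"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName @sub.example.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/@sub.example.com.pem
        SSLCertificateKeyFile /etc/ssl/private/@sub.example.com.key
        SSLProtocol -all +TLSv1.2
        Header always set Strict-Transport-Security "max-age=31536000"

        # Pass the original Host header so the application builds correct URLs.
        ProxyPreserveHost On
        # AJP carries client IP and scheme to the backend. The backend's AJP
        # connector must listen on the internal interface only: the proxy is
        # the sole thing that should ever be able to open port 8009.
        ProxyPass        "/" "ajp://@vmip:8009/"
        ProxyPassReverse "/" "ajp://@vmip:8009/"

        # Allow only the methods a web application actually uses.
        <Location "/">
            Require all granted
            <LimitExcept GET POST HEAD PUT DELETE OPTIONS>
                Require all denied
            </LimitExcept>
        </Location>

        ErrorLog  /var/log/apache2/@sub-error.log
        CustomLog /var/log/apache2/@sub-access.log combined
    </VirtualHost>
</Macro>

# 3. Adding a VM: create the CNAME, add one line here, reload Apache.
Use BackendVhost demo 10.0.0.21
Use BackendVhost blog 10.0.0.22
UndefMacro BackendVhost
```

Check it with `apachectl configtest` before reloading. The part most often forgotten is the catch-all vhost: without it, a request carrying a Host header that matches nothing is silently served by whichever backend vhost happens to be first. Confirm the fallback with `curl -k -H 'Host: nothing.example.com' https://<proxy-ip>/`, which should return 403, and verify from a host other than the proxy that port 8009 on each VM is not reachable.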