ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

CSF Cluster - Master configuration sending blocks to all slaves and vice versa

https://mail.forum.configserver.com/viewtopic.php?t=9012

Page 1 of 1

CSF Cluster - Master configuration sending blocks to all slaves and vice versa

Posted: 10 Oct 2015, 16:59
by zmjwong
Hello,

I'm working on a setup that ideally would allow a single master to send blocks to all servers.

The setup i'm trying to achieve is this;

Slave(s) send all blocks to cluster master, and then the master sends it to the cluster slaves.
This way i can configure all slaves to SEND/RECEIVE from master IP and then the Master IP forwards all blocks to SLAVES.

As it stands right now, slaves send to Master but Master is not forwarding to other slaves.

All servers are amble to communicate with the master. Blocks are being sent.

Slaves have this config;

CLUSTER_SENDTO = "10.0.0.1"
CLUSTER_RECVFROM = "10.0.0.1"
CLUSTER_MASTER = "10.0.0.1"
CLUSTER_BLOCK = "1"
CLUSTER_CONFIG = "1"

Master has;

CLUSTER_SENDTO = "10.0.0.2,10.0.0.3,etc.."
CLUSTER_RECVFROM = "10.0.0.2,10.0.0.3,etc.."
CLUSTER_BLOCK = "1"

Based on this config it leads me to believe that slaves are sending to master and master should send to slaves but it seems to only block on master.

The main problem is that as my cluster grows adding the new IPs to SEND/REC on each slave becomes unbearable.

having the option to download a list would be ideal, using the mechanisms of GLOBAL_ALLOW would facilitate my tasks.

Does anyone have any suggestions? I'm using Ansible for deployments and it would be possible to add the IP's using template and the setup module to pull the ips.

Re: CSF Cluster - Master configuration sending blocks to all slaves and vice versa

Posted: 12 Oct 2015, 16:02
by zmjwong
My only solution so far was to use the GLOBAL_DENY option on the master node.

Master node copies its /etc/csf/csf.deny every minute to a public accessible directory and running nginx on that folder. Then allowing all slaves to download the GLOBAL_D/A lists from there.

Also ideally force the GeoLite dbs to be fetched from the master and any other lists.
We will also mirror the BLs we use on the master.

Re: CSF Cluster - Master configuration sending blocks to all slaves and vice versa

Posted: 12 Oct 2015, 21:36
by zmjwong
Downfall of this config is temp ban is not being honoured. It forces it as a perm ban in this config.

-- update

it was a false positive, temp bans are not being set into csf.deny

Re: CSF Cluster - Master configuration sending blocks to all slaves and vice versa

Posted: 17 Oct 2015, 06:23
by zmjwong
Just to update this post;

The only solution i came up with was every slave posts to master and master has a cron to copy the csf.deny every X minutes to /var/share/nginx/html/fw/csf.deny and have slaves update their GLOBAL_DENY rules and then have LFD fetch the files every 6 minutes.

This seems to be working, just not sure if temp bans from the slaves accumulate in the same way to convert them into a permban that would add them to csf.deny.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited