Discussion
· Oct 12, 2023

Private Web Server Architecture Suggestions??

I am trying to move us to Securing the Management Portal using Apache and the Web Gateway.

Our Development environment/namespace only has 1 server, but both Test and Production have failover/DR mirroring containing 3 servers for Test, and 3 additional servers for Production. 

  • Development - 1 server
  • Test - 2 servers set up for failover, and 1 async DR mirror
  • Production - 2 servers set up for failover, and 1 async DR mirror

In Test and Production, the mirroring is set up using an Arbiter and the VIP address is controlled at the hardware level.

  • Should I have 1 centralized location for the Apache/Web Gateway to control the SSL/TLS connections for the Management Portal for the different environments?
    • How have others handled this?
    • Does anyone have Architecture examples?
  • Could I use the Arbiter for the Apache/Web Gateway?
  • How does the Web Gateway know which system to connect to in the mirror?
  • Do I set up 1 certificate/key specifically for the VIP in the Test and Production environments?

Hi Scott,

We are using IIS as our web server; the configuration is like this:

The mirrored instances are separate VMs, and in each VM we have IIS + web gateway installed (except the arbiter).

Each web gateway is configured to talk to the local Health Connect instance, irrespective of it being primary, secondary or DR at any time.

So, when we have to access the primary, we go via the VIP URL -> the request lands on the IIS for the primary instance and that is passed on to the local Health Connect instance.

This way we can connect to the management portal of each instance, irrespective of its state and we know if we are going via the VIP URL it will always land us on the primary instance.

On the certificate side, one cert with CN as the VIP is loaded on the instances and the SANs are the instance names / IPs.

Regards,

Deepak
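A defender's check on the certificate layout Deepak describes (one cert whose CN is the VIP and whose SANs are the instance names/IPs), added here as an example and not taken from the thread: it applies SAN-only hostname matching, the way current TLS clients do, to every name an operator might use to reach the portal, so a VIP name that lives only in the CN gets flagged. All host names and addresses below are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class CertNames:
    """Names a TLS client sees in a server cert (constructed here, not parsed from a real cert)."""
    cn: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def host_covered(cert: CertNames, host: str) -> bool:
    """True if a SAN-aware client would accept `cert` for `host`. IP literals must match an IP SAN,
    DNS names a DNS SAN; the CN is ignored, as RFC 6125 clients do once a SAN extension is present."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(p, host) for p in cert.dns_sans)
    return any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)

def uncovered_hosts(cert: CertNames, access_paths) -> list:
    """Every name or IP an operator might browse to that this cert would NOT be accepted for."""
    return [h for h in access_paths if not host_covered(cert, h)]

# Constructed sample: 2 failover members + 1 async DR member behind a VIP. The VIP name
# is in the CN only and the VIP address is missing from the SAN, which the check flags.
PROD_CERT = CertNames(
    cn="hc-prod-vip.example.internal",
    dns_sans=["hc-prod-a.example.internal", "hc-prod-b.example.internal", "hc-prod-dr.example.internal"],
    ip_sans=["10.0.1.11", "10.0.1.12", "10.0.1.13"],
)
PROD_ACCESS_PATHS = [
    "hc-prod-vip.example.internal", "10.0.1.10",   # VIP name and address
    "hc-prod-a.example.internal", "10.0.1.11",     # failover member A
    "hc-prod-b.example.internal", "10.0.1.12",     # failover member B
    "hc-prod-dr.example.internal", "10.0.1.13",    # async DR member
]

if __name__ == "__main__":
    for h in uncovered_hosts(PROD_CERT, PROD_ACCESS_PATHS):
        print("NOT covered by the certificate:", h)
```

Running it on the sample reports the VIP name and the VIP address as uncovered; adding both to the SAN (the name as a DNS entry, the address as an IP entry) makes the list empty.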

How did you configure the web gateway to do this?

Each web gateway is configured to talk to the local Health Connect instance, irrespective of it being primary, secondary or DR at any time.

So, when we have to access the primary, we go via the VIP URL -> the request lands on the IIS for the primary instance and that is passed on to the local Health Connect instance.

Hi Scott,

So rather than having one centralised location for the web server and web gateway, which could become your single point of failure, you install the web server and web gateway alongside HealthConnect on the actual instances.

And when you configure the individual web gateway, for telling it which instance of HealthConnect it needs to connect to, just specify it as localhost and your superserver port on that instance.

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

When you give the server access parameters, enter IP Address as localhost (127.0.0.1) and port as your superserver port of the instance and do not check "Configuration is Mirror Aware".

Regards,

Deepak