I want to set up a Riak Cluster for a Web project.
However, I want to secure this cluster so that only My Web Server(s) can access Riak Cluster. Basically, I will have one or more Web Servers and 4 Riak servers (in a cluster).
I want to use Shorewall or other firewall app to secure communications between the Web Server and the Riak Clusters so that no other servers can access the clusters but my own. Being the Riak is completely open on the server-side, this is essential before I take my servers into production.
I assume I will have to:
- Install Shorewall on each of the Riak Servers
- Lock down all ports initially
- Open Port 4369 (epmd) and Port 8099 (handoff listener) on all Riak Servers + the range of ports defined in my app.config file
- Open port 8098 and 8097 (for client) on all Riak Servers
- Individually restrict access of one Riak server to the IP addresses of the other Riak Servers in the cluster + the IP address(es) of my Web Server(s). Repeat for other Riak servers in the cluster
I can install Shorewall, but I'm not familiar with how to configure shorewall to do the above. I would appreciate some assistance.
Thanks in advance.
I’ve dabbled in Shorewall a bit, you will need to add rules in the Shorewall rules file to forward the relevant ports to the Riak servers behind the firewall. However, because it’s a cluster this is more easily said than done; as you are aware, you will need to manually lock down ports on each server on the cluster, open ports to enable web server access, and remember to do this again when servers are restarted or are added/removed from the cluster, if you add more instances of the web server, etc. There is a lot of room for human error, beyond the complexity of the configuration. I would suggest looking into something like an Ubuntu firewall management service, which can handle all the closing/opening of ports automatically with a central UI. These services typically work with the basic IPtables firewall that comes with Ubuntu, so you don’t need an additional solution like Shorewall. HTH