load balancer recommendations

Under $3000 if possible

         

motorhaven

12:04 am on Aug 27, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



My biggest site uses a database server on the backend and a web server on the front. Load on the database server is minimal but it's starting to get way too high on the webserver due to all the complex PHP scripts it runs.

Already using PHP acceleration software and have tweaked both the software and hardware as much as possible. I want a long term solution where I can add additional servers as needed while keeping current hardware in service.

It's time to look into load balancing as a solution for both response time and redundancy but I don't know a thing about them. I'm proficient in Linux but prefer an easy to use plug and play solution.

I initially need to load balance two web servers but want to be able to scale higher in the future. Can anyone make a recommendation? I want to spend less than 3k if possible and used equipment, if it's reliable, is allowable but not preferred.

eventus

1:37 am on Aug 27, 2006 (gmt 0)

10+ Year Member



Use POUND as a reverse proxy. It will accomplish the same result. The author is APSIS, I believe.

It's free. Put it on a dedicated server.

lammert

12:17 pm on Aug 27, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Apache 2.2 is shipped with the mod_proxy_balancer module. If you are already familiar with Apache, there is not much you have to learn to get it working.

motorhaven

11:35 pm on Sep 1, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



I want a hardware or software solution I can buy. I'm already overloaded handling all the Linux apps myself and prefer something our non-Linux tech can maintain. I'm already the person who has to handle problems 24/7 and want something others can maintain as well.

carguy84

6:42 am on Sep 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I personally like the Radware load balancers. You can usually find a good deal on ebay. The last one I bought was their gigabit model, layer 7, $450. It retailed for $8500 a few years ago. :)

Pretty easy to configure as well, no software needed as it comes with a built in web accessible GUI.

Chip-

motorhaven

1:51 am on Sep 8, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



I'm now looking at the Kemp Technologies LM-1500. It looks like it will suit my small company's needs without breaking the bank at $2,950. Its firewalling is a little lacking but I have a 1U server that can handle firewalling duties.

The Kemp unit isn't as fancy as the more expensive units out there but the feature list is more than enough for me. My biggest problem isn't bandwidth though we do use a lot (about 1 terabyte/month between all our web servers). The site's forums are huge and it's CPU load that's been the problem. The database server load is fine (load averages about 0.20 on a dual CPU Opteron with 6 gigs of RAM). The Kemp unit will allow me to throw more hardware on the front end and provide fail-over protection. Database fail-over isn't a problem... I have that handled via software monitoring and a slave MySQL server.

I'll let you folks know how it works out.

carguy84

3:27 am on Sep 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Buy a dedicated firewall to put in front of that load balancer.

varora

7:28 am on Sep 15, 2006 (gmt 0)

10+ Year Member



carguy84,

Is there an inexpensive yet good hardware firewall you could recommend? Thanks.

Vali

5:34 pm on Sep 15, 2006 (gmt 0)

10+ Year Member



It might be cheaper to get a programmer to transfer some of the logic in the PHP scripts to the MySQL servers.

Just a thought.

carguy84

9:40 pm on Sep 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



varora, something like the Sonicwall TZ170 (about $375) would suit you just fine provided you aren't pushing more than 40MBits of data per second.

Also, sometimes hosts offer firewall services depending on the provider. It's typically a monthly cost if you don't want the upfront costs.

Chip-

motorhaven

12:54 am on Sep 16, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



There are some extremely good open-source Linux firewalls out there with very easy to use browser based interfaces. We've used one on the office T1 for 2 years.

A low end Sonicwall doesn't meet our needs because it doesn't have enough memory for the number of firewall rules. Our web servers have several hundred rules - blocking all of China, North Korea, and a few other countries.

Our market is almost entirely "western" (trucks and SUVs). The USA, Canada, Australia, parts of South America and western Europe make up 99.99% of our users. Of 350,000+ registered users less than 10 are from the countries we block. Blocking them has reduced bandwidth nearly 10% due to the number of blackhat crawlers, proxies, spammers and scrapers originating from them.

Our large set of firewall rules really helps keep server loads reasonable. Not only that, but the open source Linux alternatives are also more robust and feature rich. They can even auto update their versions if configured to do so.

The Kemp box is Linux based and uses iptables so it is possible to move my firewall rules to it if I need to. With 512 meg of RAM it has plenty of power to handle them... and it can be upgraded to 1 gig RAM.

The Kemp box arrived today and there is a 30 day money back guarantee so I'll be able to see if it'll do everything I need. I suspect it'll be able to handle all the firewall needs and we won't need to deploy an additional firewall.

I'll keep everyone updated. BTW, this Kemp system boots lightning fast since it uses flash memory for Linux instead of a hard drive!

carguy84

5:48 am on Sep 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Open source Linux solution versus a dedicated specifically built firewall device?

What's the difference in TCO on that matchup, lol.

Chip-

percentages

7:40 am on Sep 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Outsource the issues to professionals that deal with these problems everyday and get your life back :)

motorhaven

11:16 pm on Sep 16, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



The open source firewall is a 10 minute install and 15 minute configuration. And it updates itself automatically. That's basically 1/2 hour of a tech's time... pretty good TCO since the setup of a Sonic or Zywall is just as much time. Plus it'll handle the number of firewall rules we need. Having used both a Sonic and Zywall I know first hand they won't handle more than 3 dozen or so rules. To get a commercial equivalent that'll handle the number of rules we need would cost us a whole lot more.

The Zywall is now doing firewall duties on my home network and the Sonic is sitting on a shelf... if that gives you an idea of how useful they are for our web server needs!

For most sites they are more than enough but not for us.

Had it been as simple to get a total balancer solution from open source I'd have done that as well. But no one open source package handled everything I needed and I don't want to spend a lot of time configuring and maintaining a mixed open source solution.
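The rule-count limits discussed in the posts above (several hundred country-block rules on the Linux firewall versus a few dozen on the low-end appliances), as an added example that is not part of any post in this thread: overlapping and adjacent CIDR ranges are merged before loading, and the result is emitted as a single ipset so iptables needs one matching rule instead of one per range. The set name `geo_block`, the function names and the sample ranges (documentation prefixes, not real country allocations) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: documentation ranges standing in for a
# per-country CIDR list, with duplicates, adjacent halves and one bad line.
SAMPLE_CIDRS = """
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26     # already covered by the /24 above
192.0.2.0/26
192.0.2.64/26
192.0.2.128/25
not-a-cidr
"""

def parse_cidrs(text):
    """Return (valid IPv4/IPv6 networks, rejected entries) from a CIDR list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8)
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)             # surface bad lines, do not guess
    return nets, rejected

def collapse(nets):
    """Merge adjacent and overlapping IPv4 networks into the minimal set."""
    v4 = [n for n in nets if n.version == 4]   # collapse_addresses needs one family
    return list(ipaddress.collapse_addresses(v4))

def ipset_restore(nets, set_name="geo_block"):
    """Render networks as input for `ipset restore` (hypothetical set name)."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines)

if __name__ == "__main__":
    nets, rejected = parse_cidrs(SAMPLE_CIDRS)
    merged = collapse(nets)
    print(f"# {len(nets)} ranges in, {len(merged)} out, rejected: {rejected}")
    print(ipset_restore(merged))
    # One iptables rule then covers the whole set:
    #   iptables -I INPUT -m set --match-set geo_block src -j DROP
```
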

motorhaven

2:21 pm on Sep 17, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



Also, if you have more than 1 public IP address you'll have to pass on the low end Sonicwall. :(

carguy84

1:59 am on Sep 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The low end Sonicwall suggestion was for varora :)

The TZ170 can keep up with basic firewall duties up to 3Mbps (Intrusion prevention, Anti-Virus...); after that it throttles your bandwidth baaaad. Without TPS or Anti-Virus on, it's good for about 40Mbps regardless of what the "box" says.

The 1260 and up can all do much more, but you pay the price. Still cheaper than a Cisco, but...

I run a Radware 2G + 8FE load balancer, picked it up for ~$500ish on ebay last year. Layer 7 switching, gigabit throughput (if you need it) and it's been rock solid since I put it in. I run 3 web servers (2 web servers and 1 image server) all feeding the same domain. I mapped /images to the image server, but to the user it's transparent. Setup is done via a built in web server, which is much better than their old way (you had to have software installed on your PC).

Chip-

scintex

12:42 pm on Sep 20, 2006 (gmt 0)

10+ Year Member



F5 Big IP works well with Cisco. However, that's going to be pricey. Maybe you could migrate your equipment to a datacentre that has these enterprise solutions?

The other option is to split out the current "webserver" into web server and application (with the PHP processing happening on the apps and the web server simply dealing with the requests). This might be ok for you in the short term but I do accept that you might have to scale horizontally at some point.