https://github.com/ozturkeniss/enterprise-load-balancer
This project implements a comprehensive high-availability load balancing system with Web Application Firewall (WAF), SSL/TLS encryption, and advanced monitoring capabilities.
- Host: GitHub
- URL: https://github.com/ozturkeniss/enterprise-load-balancer
- Owner: ozturkeniss
- License: gpl-3.0
- Created: 2025-08-23T23:06:46.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2025-08-23T23:09:20.000Z (10 months ago)
- Last Synced: 2025-08-24T10:26:58.462Z (10 months ago)
- Topics: configuration, linux, load-balancer, monitoring, nginx, rate-limiting, ssl, waf
- Language: Shell
- Homepage:
- Size: 28.3 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# High Availability Load Balancer with WAF and Monitoring
This project implements a comprehensive high-availability load balancing system with Web Application Firewall (WAF), SSL/TLS encryption, and advanced monitoring capabilities.
## System Architecture
```mermaid
graph TB
    subgraph "Internet"
        Client[Client Browser]
        Attacker[Malicious Requests]
    end
    subgraph "Load Balancer Layer"
        LB[NGINX Load Balancer<br/>Port 80/443]
        SSL[SSL/TLS Termination]
        WAF[Web Application Firewall<br/>ModSecurity]
        RL[Rate Limiting<br/>DDoS Protection]
    end
    subgraph "Backend Servers"
        B1[Backend Server 1<br/>Port 8001]
        B2[Backend Server 2<br/>Port 8002]
        B3[Backend Server 3<br/>Port 8003]
    end
    subgraph "Monitoring Stack"
        Prom[Prometheus<br/>Metrics Collection]
        Graf[Grafana<br/>Dashboards]
        NE[Node Exporter<br/>System Metrics]
    end
    subgraph "Security Features"
        FW[Firewall Rules]
        SSL_Cert[SSL Certificates]
        Headers[Security Headers]
    end
    Client --> LB
    Attacker --> LB
    LB --> SSL
    SSL --> WAF
    WAF --> RL
    RL --> B1
    RL --> B2
    RL --> B3
    B1 --> Prom
    B2 --> Prom
    B3 --> Prom
    Prom --> Graf
    NE --> Prom
    WAF --> FW
    SSL --> SSL_Cert
    RL --> Headers
    style LB fill:#e1f5fe
    style WAF fill:#fff3e0
    style Prom fill:#e8f5e8
    style Graf fill:#f3e5f5
```
## Project Structure
```
nginx-loadbalancer/
├── configs/                       # Configuration files
│   ├── nginx.conf                 # Main load balancer config
│   ├── nginx_ssl.conf             # SSL-enabled load balancer
│   ├── nginx_selfsigned.conf      # Self-signed SSL config
│   ├── nginx_waf.conf             # WAF configuration
│   ├── nginx_rate_limit.conf      # Rate limiting config
│   ├── modsecurity.conf           # ModSecurity WAF rules
│   ├── backend1.conf              # Backend server 1
│   ├── backend2.conf              # Backend server 2
│   ├── backend3.conf              # Backend server 3
│   ├── prometheus.yml             # Prometheus configuration
│   ├── prometheus.service         # Prometheus systemd service
│   └── node_exporter.service      # Node Exporter systemd service
├── scripts/                       # Monitoring and test scripts
│   ├── health_check.sh            # Basic health check
│   ├── ssl_health_check.sh        # SSL health check
│   ├── waf_test.sh                # WAF testing
│   ├── rate_limit_test.sh         # Rate limiting test
│   └── monitoring_dashboard.sh    # Comprehensive monitoring
├── logs/                          # Log files
├── ssl/                           # SSL certificates
└── README.md                      # This file
```
## Installation and Setup
### 1. NGINX Installation
```bash
sudo apt update
sudo apt install nginx
```
### 2. SSL Certificate Setup
```bash
# Install Certbot (used once a real domain is available; see Next Steps)
sudo apt install certbot python3-certbot-nginx
# Create a self-signed certificate for local testing.
# -nodes leaves the private key unencrypted so nginx can load it without a
# passphrase, so the key file must stay readable by root only.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt \
    -subj "/C=US/ST=State/L=City/O=LoadBalancer/OU=IT/CN=localhost"
sudo chmod 600 /etc/ssl/private/nginx-selfsigned.key
```
### 3. WAF (ModSecurity) Installation
```bash
# Install ModSecurity WAF module
sudo apt install libnginx-mod-http-modsecurity -y
```
### 4. Monitoring System Setup
```bash
# Basic monitoring tools
sudo apt install htop iotop nethogs
# Prometheus installation: verify the release checksum before unpacking
wget https://github.com/prometheus/prometheus/releases/download/v2.48.0/prometheus-2.48.0.linux-amd64.tar.gz
wget -O prometheus-sha256sums.txt https://github.com/prometheus/prometheus/releases/download/v2.48.0/sha256sums.txt
sha256sum --ignore-missing -c prometheus-sha256sums.txt
tar -xzf prometheus-2.48.0.linux-amd64.tar.gz
sudo mv prometheus-2.48.0.linux-amd64 /opt/prometheus
# Node Exporter installation, same checksum check
wget https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz
wget -O node_exporter-sha256sums.txt https://github.com/prometheus/node_exporter/releases/download/v1.6.1/sha256sums.txt
sha256sum --ignore-missing -c node_exporter-sha256sums.txt
tar -xzf node_exporter-1.6.1.linux-amd64.tar.gz
sudo mv node_exporter-1.6.1.linux-amd64/node_exporter /usr/local/bin/
# Grafana installation: apt-key is deprecated, so store the repo key in its own
# keyring and bind the repository to it with signed-by
sudo mkdir -p /etc/apt/keyrings
wget -q -O - https://packages.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://packages.grafana.com/oss/deb stable main" | sudo tee /etc/apt/sources.list.d/grafana.list
sudo apt update
sudo apt install grafana
```
### 5. Configuration File Setup
```bash
# Copy configuration files
sudo cp configs/nginx_waf.conf /etc/nginx/nginx.conf
sudo cp configs/modsecurity.conf /etc/nginx/
sudo cp configs/backend*.conf /etc/nginx/sites-available/
sudo cp configs/prometheus.yml /opt/prometheus/
sudo cp configs/prometheus.service /etc/systemd/system/
sudo cp configs/node_exporter.service /etc/systemd/system/
```
### 6. Service Startup
```bash
# Reload systemd
sudo systemctl daemon-reload
# NGINX: validate the merged configuration first; reload only if the test passes
sudo nginx -t && sudo systemctl reload nginx
# Prometheus
sudo systemctl start prometheus
sudo systemctl enable prometheus
# Node Exporter
sudo systemctl start node_exporter
sudo systemctl enable node_exporter
# Grafana
sudo systemctl start grafana-server
sudo systemctl enable grafana-server
```
### 7. Backend Server Startup
```bash
# Bind the test backends to loopback only. If they listened on all interfaces,
# a client could reach ports 8001-8003 directly and bypass TLS, the WAF and
# rate limiting entirely.
python3 -m http.server --bind 127.0.0.1 8001 &
python3 -m http.server --bind 127.0.0.1 8002 &
python3 -m http.server --bind 127.0.0.1 8003 &
```
### 8. Testing
```bash
# Test WAF
./scripts/waf_test.sh
# Test rate limiting
./scripts/rate_limit_test.sh
# Test monitoring dashboard
./scripts/monitoring_dashboard.sh
```
## Security Features
### SSL/TLS Security
- **TLS 1.2 and 1.3** support
- **Strong encryption** algorithms
- **HSTS** (HTTP Strict Transport Security)
- **HTTP → HTTPS** automatic redirection
- **Self-signed certificate** (for testing)
### Web Application Firewall (WAF)
- **ModSecurity** integration
- **SQL Injection** protection
- **XSS (Cross-Site Scripting)** protection
- **Path Traversal** protection
- **Security headers** implementation
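The list above says what the WAF layer does but not how it attaches to the vhost. The following is an added example of the nginx side, not the project's own nginx_waf.conf or modsecurity.conf (neither is reproduced on this page). It assumes the Debian/Ubuntu module package from step 3, which drops its `load_module` line under `/etc/nginx/modules-enabled/`, the rules file copied to `/etc/nginx/modsecurity.conf` in step 5, and, for the tuning example, that the rules file loads the OWASP Core Rule Set; the `/search` and `/healthz` paths are illustrative. The check that bites most first installs: the upstream `modsecurity.conf-recommended` ships with `SecRuleEngine DetectionOnly`, so until it is set to `On` the WAF writes to the audit log but blocks nothing, and every probe reaches the backend.

```nginx
# Added example: wiring ModSecurity into the HTTPS vhost.
# Debian/Ubuntu install the module's load_module line here; do not repeat
# load_module in nginx.conf or nginx refuses to start ("module already loaded").
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
}

http {
    upstream backend {
        server 127.0.0.1:8001;
        server 127.0.0.1:8002;
        server 127.0.0.1:8003;
    }

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

        # Enabled at server level so every location inherits inspection.
        # The rules file must set SecRuleEngine On (DetectionOnly logs but
        # never blocks) and SecAuditLog /var/log/nginx/modsec_audit.log,
        # the path referenced in the Troubleshooting section.
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsecurity.conf;

        location / {
            proxy_pass http://backend;
        }

        # False-positive tuning: drop one rule for one path instead of
        # weakening the engine globally. 942100 is the OWASP CRS libinjection
        # SQLi rule (assumption: the rules file loads the CRS).
        location /search {
            modsecurity_rules 'SecRuleRemoveById 942100';
            proxy_pass http://backend;
        }

        # Loopback-only liveness endpoint (assumed path) for local health
        # polling: no WAF inspection and no backend round trip.
        location = /healthz {
            modsecurity off;
            allow 127.0.0.1;
            deny all;
            return 200 "ok\n";
        }
    }
}
```

After editing the rules file, run `sudo nginx -t` before reloading: a SecLang syntax error in `modsecurity.conf` surfaces there as a configuration test failure, not at request time.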
### Rate Limiting
- **Multiple zones** for different endpoints
- **DDoS protection** with connection limiting
- **Configurable thresholds** per endpoint
- **Custom error pages** for blocked requests
### Security Headers
```nginx
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
```
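The set above carries two weaknesses worth fixing, and one nginx pitfall worth knowing. `X-XSS-Protection "1; mode=block"` re-enables a browser filter that current browsers have removed and that older ones could turn against the page, so the safe value is `0`; and a Content-Security-Policy whose `script-src` allows `'unsafe-inline'` lets any injected inline `<script>` run, which leaves the policy with no XSS value. The hardened variant below is an added example, not the project's nginx_waf.conf; the snippet path `/etc/nginx/snippets/security-headers.conf` and the `/api/` location are assumptions. It also shows the inheritance rule that silently strips headers in most deployments: an `add_header` inside a `location` replaces every `add_header` inherited from the `server` level, so the snippet has to be included again wherever a location adds its own header.

```nginx
# --- /etc/nginx/snippets/security-headers.conf (assumed path; added example) ---
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# "0" explicitly disables the legacy XSS auditor where a browser still has one.
add_header X-XSS-Protection "0" always;
# One year including subdomains. Add "; preload" only after submitting the
# domain to the preload list; preload cannot be rolled back quickly.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# No 'unsafe-inline' for scripts: inline <script> must move to files served
# from this origin or carry a nonce/hash. frame-ancestors is the CSP successor
# to X-Frame-Options; object-src 'none' and base-uri 'self' close the plugin
# and <base>-tag injection paths.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'" always;

# --- HTTPS vhost using the snippet ---
upstream backend {
    server 127.0.0.1:8001;
    server 127.0.0.1:8002;
    server 127.0.0.1:8003;
}

server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    # Applies to every location that declares no add_header of its own.
    include snippets/security-headers.conf;

    location / {
        proxy_pass http://backend;
    }

    location /api/ {
        # The Cache-Control add_header below would discard all headers from
        # the server-level include, so the snippet is included again here.
        include snippets/security-headers.conf;
        add_header Cache-Control "no-store" always;
        proxy_pass http://backend;
    }
}
```

If the application genuinely needs inline styles, `style-src 'self' 'unsafe-inline'` is the lesser evil; keep `script-src` strict regardless, since that is the directive that stops injected scripts. Verify the result with `curl -kI https://localhost/api/` and confirm every header from the snippet is present on that path as well as on `/`.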
## Monitoring System
### Monitoring Tools
- **Prometheus**: Metric collection and storage
- **Grafana**: Visual dashboards
- **Node Exporter**: System metrics
- **htop/iotop/nethogs**: Real-time system monitoring
### Collected Metrics
- CPU usage
- RAM usage
- Disk usage
- Network traffic
- SSL certificate status
- Load balancer performance
- Backend server statuses
### Monitoring Dashboard
```bash
./scripts/monitoring_dashboard.sh
```
## Rate Limiting Configuration
### Rate Limiting Zones
- **Main page**: 10 requests/second (burst: 20)
- **Login**: 1 request/second (burst: 3) - Brute force protection
- **API**: 20 requests/second (burst: 30)
- **Admin**: 5 requests/second (burst: 5)
### Connection Limiting
- Maximum concurrent connections per IP
- Configurable thresholds per endpoint
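The zones and thresholds listed above map onto nginx's `limit_req_zone`/`limit_req` and `limit_conn_zone`/`limit_conn` directives. The configuration below is an added example that realises exactly those numbers; it is not the project's nginx_rate_limit.conf. The zone names, the `/login`, `/api/` and `/admin/` paths, the per-IP connection cap of 20 and the error page path are assumptions. Two details matter for correctness: keying on `$binary_remote_addr` only works when nginx sees the real client address (behind another proxy or CDN every request would share one key), and answering throttled requests with 429 rather than the default 503 keeps throttling distinguishable from a backend outage in the logs and dashboards.

```nginx
# Added example: rate and connection limiting for the thresholds listed above.
upstream backend {
    server 127.0.0.1:8001;
    server 127.0.0.1:8002;
    server 127.0.0.1:8003;
}

# Keyed on the client address as raw bytes (4 bytes for IPv4); a 10m zone holds
# roughly 160k client states. If this nginx sits behind another proxy, set
# set_real_ip_from / real_ip_header (realip module) first, otherwise every
# client shares the proxy's address and one key.
limit_req_zone  $binary_remote_addr zone=main:10m  rate=10r/s;
limit_req_zone  $binary_remote_addr zone=login:10m rate=1r/s;
limit_req_zone  $binary_remote_addr zone=api:10m   rate=20r/s;
limit_req_zone  $binary_remote_addr zone=admin:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=perip:10m;

# 429 Too Many Requests instead of the default 503 for rejected requests.
limit_req_status  429;
limit_conn_status 429;

server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    # At most 20 concurrent connections per client IP on this vhost (assumed cap).
    limit_conn perip 20;

    location / {
        # burst=20 nodelay: up to 20 requests above the 10r/s rate are served
        # immediately; once those slots are used, further requests get 429
        # until slots free up again at 10 per second.
        limit_req zone=main burst=20 nodelay;
        proxy_pass http://backend;
    }

    location /login {
        # Without nodelay, excess attempts are queued and released at 1r/s.
        # This slows password guessing without rejecting a fast double-click.
        limit_req zone=login burst=3;
        proxy_pass http://backend;
    }

    location /api/ {
        limit_req zone=api burst=30 nodelay;
        proxy_pass http://backend;
    }

    location /admin/ {
        limit_req zone=admin burst=5 nodelay;
        proxy_pass http://backend;
    }

    # Custom error page for throttled requests (assumed path).
    error_page 429 /rate_limited.html;
    location = /rate_limited.html {
        root /var/www/errors;
        internal;
    }
}
```

Rejections are logged at `error` level by default (`limit_req_log_level` adjusts this), which is what the "Blocked requests" metric in the Performance Metrics section has to be derived from if no exporter parses the access log.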
## How It Works
1. **Load Balancer (Port 80)**: Redirects HTTP requests to HTTPS
2. **HTTPS Load Balancer (Port 443)**: SSL-enabled load balancing
3. **WAF Layer**: ModSecurity filters malicious requests
4. **Rate Limiting**: DDoS protection and request throttling
5. **Backend Servers**: Run on ports 8001, 8002, 8003
6. **Monitoring**: Continuous monitoring with Prometheus + Grafana
7. **Health Check**: Monitors each backend server status
8. **Failover**: Continues service if one server fails
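Steps 1, 2, 7 and 8 of the flow above come down to one `upstream` block and two `server` blocks. The configuration below is an added example, not the project's nginx.conf or nginx_ssl.conf; the backend ports and certificate paths are the ones used in the setup steps, the load-balancing method, failure thresholds and cipher list are choices made here. One caveat on step 7: open-source nginx has no active `health_check` directive (that is an NGINX Plus feature), so what nginx itself provides is the passive check shown below, which only marks a backend down after real requests to it have failed; any active polling has to come from an external script such as the project's health_check.sh.

```nginx
# Added example: upstream pool, HTTP->HTTPS redirect, TLS settings and failover.
upstream backend {
    # Send each new request to the backend with the fewest in-flight requests
    # (the default is weighted round-robin).
    least_conn;
    # Passive health check: a backend that fails 3 times within 30s is taken
    # out of rotation for 30s, then retried with live traffic.
    server 127.0.0.1:8001 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:8002 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:8003 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

# Port 80 only redirects. Nothing is proxied over plain HTTP, so the TLS, WAF
# and rate-limit path cannot be bypassed by talking to port 80.
server {
    listen 80 default_server;
    server_name localhost;
    # $server_name rather than $host: $host reflects the client's Host header,
    # which would turn this catch-all into an open redirect.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2: AEAD suites with forward secrecy only (TLS 1.3 suites are fixed).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    location / {
        proxy_pass http://backend;
        # Required for the upstream keepalive pool to be used.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Failover: on a connection error, timeout or 502/503/504 from one
        # backend, retry on the next one, at most 3 attempts within 10s.
        # Requests with non-idempotent methods (POST) are not retried once
        # sent to a backend unless non_idempotent is listed, which would
        # replay writes.
        proxy_connect_timeout 2s;
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
    }
}
```

To exercise the failover, stop one of the `python3 -m http.server` processes and keep requesting `https://localhost/`: after the third failed attempt against that backend, nginx stops selecting it for 30 seconds and the client sees no error, while the nginx error log records the upstream failures.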
## Testing
### HTTP Test
```bash
curl -I http://localhost:80
# 301 Moved Permanently → HTTPS redirection
```
### HTTPS Test
```bash
curl -k https://localhost:443
# -k: Ignore self-signed certificate warning
```
### WAF Test
```bash
./scripts/waf_test.sh
```
### Rate Limiting Test
```bash
./scripts/rate_limit_test.sh
```
### Monitoring Test
```bash
# Prometheus
curl http://localhost:9090
# Node Exporter
curl http://localhost:9100/metrics
# Grafana
curl http://localhost:3000
```
## Web Interfaces
- **Prometheus**: http://localhost:9090
- **Grafana**: http://localhost:3000 (default login admin/admin; Grafana prompts for a new password at first login, set one before exposing the port)
- **WAF Status**: https://localhost:443/waf-status
- **Rate Limit Status**: https://localhost:443/rate-limit-status
## Performance Metrics
The monitoring system collects:
- **System Performance**: CPU, RAM, Disk, Network
- **Load Balancer Performance**: Response time, throughput
- **Security Metrics**: SSL handshake, failed requests, WAF blocks
- **Backend Health**: Health check, availability
- **Rate Limiting**: Blocked requests, DDoS attempts
## Next Steps
- **Real domain** with Let's Encrypt certificate
- **Alerting system** (Prometheus Alertmanager)
- **Log analysis** (ELK Stack)
- **Advanced load balancing** algorithms
- **IP whitelist/blacklist** functionality
- **Custom WAF rules** development
- **Backup and disaster recovery** plans
- **Performance optimization** and tuning
## Troubleshooting
### Common Issues
1. **502 Bad Gateway**: Backend servers not running
2. **SSL errors**: Certificate path issues
3. **WAF blocks**: Legitimate requests being blocked
4. **Rate limiting**: Too many requests from single IP
### Log Files
- NGINX: `/var/log/nginx/`
- ModSecurity: `/var/log/nginx/modsec_audit.log`
- Prometheus: `journalctl -u prometheus` (runs as a systemd service, so its log goes to the journal; the installation lives under `/opt/prometheus/`)
- System: `/var/log/syslog`
## Contributing
This project demonstrates enterprise-grade load balancing, security, and monitoring. Feel free to extend it with additional features or optimizations.