Jump to content

Self Destruct in High Availability


Azkabahn

Recommended Posts

Hi,

 

i was wondering is it possible to run Self Destruct in HA mode? The documentation only points out a possible issue with running PasswordState in HA. 

I have deployed a totally separate windows server in DMZ where I run Self Destruct.

Link to comment
Share on other sites

14 hours ago, Azkabahn said:

i was wondering is it possible to run Self Destruct in HA mode? The documentation only points out a possible issue with running PasswordState in HA. 

 

Sort of, if you have the load balancers capable of doing it.

Self Destruct uses its own SQL-Lite database where it stores the shared messages/credentials pushed to it by the main Passwordstate website.
We have our Self Destruct web sites installed on the same web nodes as Passwordstate, bound to a seperate IP address. Our load balancers then direct all traffic for the self destruct HA URL to node 1 unless that node is offline.

This way the self destruct messages are always available until the node is offline.
It's HA in an Active/Cold configuration. In a disaster we still maintain our Self Destruct capabilities - we just have to re-create self destruct messages since the load balancers will instead be redirecting self destruct traffic to node 2.
SQL-Lite supports replication, so hopefully in a future build there is Active/Active support for self destruct.

 

The same Active/Cold setup can be achieved with the browser based gateway, and in theory the reset portal - but I'm still working on the reset portal HA.

Link to comment
Share on other sites

I had a similar idea as well. Unfortunately, it doesn't work in our case since self destruct is places in DMZ zone and will be used to send out URLs outside organization. While the main PasswordState is placed in infra segment with no access to outside.

 

Another question, I haven't had time to test it, but what if we simply use round-robin dns technique? Would PasswordState understand and return the message content?

Link to comment
Share on other sites

14 hours ago, Azkabahn said:

Another question, I haven't had time to test it, but what if we simply use round-robin dns technique? Would PasswordState understand and return the message content?

 

No, the self-destruct message data is stored in a SQLLite database on the Self-Destruct web server, Passwordstate web server pushes data to it.
If you round robin to two nodes (or more), one of them will get the data (say, self-destruct server1) , while the one the user hits to access the data (self-destruct server2) won't have it.

 

All self-destruct data needs to go to a single node, hence why an Active/Cold setup works.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...