<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<h2>SCOP configuration FAQ</h2>


Anywhere you see a <img style="width: 16px; height: 16px;" src="images/help.gif" alt="">, you can
click it to be taken to the relevant section of this FAQ.<br>

You can always download the most recent set-up manuals from <a href="http://www.SCOP.org/">www.SCOP.org.</a><br>


<h3>Quick Command Reference</h3>

<span style="font-weight: bold;"> View Configuration</span><br>


<a href="#1">SCOP configuration file</a><br>
<a href="#42">SCOP configuration file (Layer 7 HAProxy)</a><br>
<a href="#43">SCOP configuration file (SSL Termination Pound)</a><br>

<a href="#2">Heartbeat resources </a><br>

<a href="#3">Current network configuration</a><br>

<a href="#3a">Current routing table</a><br>


<span style="font-weight: bold;">Logical SCOP Configuration</span><br>


<a href="#4">Modify Logical Real Servers </a><br>
<a href="#38">Modify logical Real Servers (Layer 7 HAProxy)</a><br>

<a href="#5">Modify Logical Virtual Servers </a><br>

<a href="#5-1">&nbsp;&nbsp;&nbsp;&nbsp;Edit Virtual Server</a><br>

<a href="#5-1-1">&nbsp;&nbsp;&nbsp;&nbsp;Virtual Server Label </a><br>

<a href="#5-1-2"> &nbsp;&nbsp;&nbsp;&nbsp;Virtual Server</a><br>

<a href="#5-1-3"> &nbsp;&nbsp;&nbsp;&nbsp;Do you want Sticky
Connections? </a><br>

<a href="#5-1-4"> &nbsp;&nbsp;&nbsp;&nbsp;How long do you want
connections to be sticky?</a><br>

<a href="#5-1-5"> &nbsp;&nbsp;&nbsp;&nbsp;Scheduler </a><br>

<a href="#5-1-6"> &nbsp;&nbsp;&nbsp;&nbsp;Fallback Server </a><br>

<a href="#5-1-7"> &nbsp;&nbsp;&nbsp;&nbsp;Checktype </a><br>

<a href="#5-1-8"> &nbsp;&nbsp;&nbsp;&nbsp;Service to check </a><br>

<a href="#5-1-9"> &nbsp;&nbsp;&nbsp;&nbsp;Protocol </a><br>

<a href="#5-1-10"> &nbsp;&nbsp;&nbsp;&nbsp;Granularity (for
MegaProxies) </a><br>

<a href="#5-1-11"> &nbsp;&nbsp;&nbsp;&nbsp;File to check </a><br>

<a href="#5-1-12"> &nbsp;&nbsp;&nbsp;&nbsp;Response Expected </a><br>

<a href="#5-1-13"> &nbsp;&nbsp;&nbsp;&nbsp;Default forwarding method </a><br>

<a href="#5-1-18"> &nbsp;&nbsp;&nbsp;&nbsp;Feedback method </a><br>

<a href="#37">Modify Logical Virtual Servers (Layer 7 HAProxy) </a><br>
<a href="#39">&nbsp;&nbsp;&nbsp;&nbsp;Edit Virtual Server (Layer 7 HAProxy)</a><br>

<a href="#6">Modify Global Settings </a><br>


<span style="font-weight: bold;">Physical SCOP


<a href="#7">Modify the physical Virtual IP(s)</a><br>

<a href="#8">Modify the physical Real IP(s)</a><br>

<a href="#9">Modify the maintenance (holding) page of this
SCOP </a><br>

<a href="#12">Modify the physical network configuration</a><br>

<a href="#40">(SSL Termination Pound) </a><br>


<span style="font-weight: bold;">Security &amp; Maintenance<br>


</span> <a href="#13">Initialise
statistics tracking database (rrdtool) </a><br>

<a href="#14">Re-initialise
statistics tracking database.. </a><br>

<a href="#15">Change passwords..</a><br>

<a href="#16">Modify the firewall script of this SCOP </a><br>



<span style="font-weight: bold;">Backup &amp; Recovery</span><br>


<a href="#17">Make a configuration backup</a><br>

<a href="#18">Restore configuration from backup</a><br>

<a href="#19">Disaster Recovery Options</a><br>



<span style="font-weight: bold;">Services</span><br>


<a href="#20">Restart Heartbeat</a><br>

<a href="#21">Restart Ldirectord</a><br>



<span style="font-weight: bold;">Power Control</span><br>


<a href="#22">Shutdown and restart server</a><br>

<a href="#23">Shutdown and halt server</a><br>



<span style="font-weight: bold;">Advanced</span><br>


<a href="#24">Execute a shell command</a><br>


<h3><span style="font-weight: bold;">Maintenance</span></h3>


<a href="#25">Take a real server offline or online </a><br>



<a href="#26">Status</a><br>
<a href="#41">Status (Layer 7 HAProxy)</a><br>

<a href="#27">Traffic rate per second </a><br>

<a href="#28">Traffic Qty </a><br>

<a href="#29">Current Connections </a><br>

<a href="#30">Current Connections (resolve host name)</a><br>

<a href="#31">Graphical stats over time</a><br>



<a href="#32">Ldirectord </a><br>

<a href="help.html#33">SCOP</a><br>

<a href="#34">Heartbeat </a><br>

<a href="#35">Reset all packet counters to zero </a><br>

<a href="#36">Change the local time zone&nbsp;</a><br>






<a name="1" style="font-weight: bold;"></a><span style="font-weight: bold;">SCOP configuration file</span><br>

As the name implies, this link displays the contents of <span style="font-style: italic;">/etc/ha.d/conf/ldirectord.cf</span>,
which is a core configuration file of the SCOP.<br>

It is good practice to keep a hard copy of this file.<br>
<a name="42" style="font-weight: bold;"></a><span style="font-weight: bold;">SCOP configuration file (Layer 7 HAProxy)</span><br>

As the name implies, this link displays the contents of <span style="font-style: italic;">/etc/haproxy/haproxy.cfg</span>,
which is a core configuration file of the SCOP.<br>

It is good practice to keep a hard copy of this file.<br>
<span style="font-weight: bold;"><br>
</span><a name="43" style="font-weight: bold;"></a><span style="font-weight: bold;">SCOP configuration file (SSL Termination Pound)</span><br>

As the name implies, this link displays the contents of <span style="font-style: italic;">/usr/local/etc/pound.cfg</span>,
which is a core configuration file of the SCOP.<br>

It is good practice to keep a hard copy of this file.<br>

<a name="2" style="font-weight: bold;"></a><span style="font-weight: bold;">Heartbeat resources </span><br>

The Heartbeat resources file specifies the master node of the
SCOP cluster 'master' and one or more shared virtual ip

These ip addresses are activated on the master SCOP only.<br>


<a name="3" style="font-weight: bold;"></a><span style="font-weight: bold;">Current network configuration </span><br>

This is a dump of 'ifconfig'; you can use it to check which IP
addresses the SCOP is currently using.<br>


<a name="3a" style="font-weight: bold;"></a><span style="font-weight: bold;">Current routing table</span><br>

This is a dump of 'route -v'; you can use it to ensure your default
gateway is correct.<br>



<span style="font-weight: bold;"><a name="4"></a>Modify Logical Real
Servers <br>

</span>This section allows you to specify which 'real servers' are
available from each 'virtual server', i.e. when the client PC requests
VIP:Port, which RIP:Port will it be redirected to?<br>

Real servers can be specified with a relative weight i.e. 1 for a fast
real server and 10 for a slow real server.<br>

<span style="font-style: italic;">NB. Setting the weight to 0 will take
the real server offline.<br>
</span><span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="38"></a>Modify logical Real Servers (Layer 7 HAProxy)&nbsp; <br>
</span>This section allows you to specify which 'real servers' are
available from each 'Layer 7 virtual server', i.e. when the client PC requests
VIP:Port which RIP:Port will they be re-directed to? <br>

Real servers can be specified with a relative weight i.e. 1 for a fast
real server and 10 for a slow real server.<br>

<span style="font-style: italic;">NB. Setting the weight to 0 will take
the real server offline.</span><br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="5"></a>Modify Logical Virtual Servers <br>

</span>This section allows you to specify which 'virtual servers' are
available and how they are configured. <br>

The Client PC can only access a real server if it has been configured
as an active member of a Virtual Server group AND the specified VIP is
configured as a physical shared ip address on the SCOP.<br>


<span style="font-weight: bold;"><a name="5-1"></a>Edit Virtual Server<br>

</span>This form allows you to edit a virtual server.<br>


<span style="font-weight: bold;"><a name="5-1-1"></a>Virtual
Server Label </span><br>

The label is just a human readable name for the specified VIP i.e.


<span style="font-weight: bold;"><a name="5-1-2"></a>Virtual Server<br>

</span>This is the address that clients will connect to before being
re-directed to the real servers in the group.<span style="font-weight: bold;"><br>

</span>The virtual server must either be specified as a combination of
IPAddress:Port ( or a Firewall Mark (1).<br>

The specified VIP must be in the haresources file (physical virtual ip
address) and active as an alias on the master SCOP.<br>

If using firewall marks the specified firewall mark must be present in
the rc.firewall script.<br>


Why is there no drop-down port list? It just seemed to confuse people. Here are some example port
numbers if you're rusty or don't have access to Google for them:<br>

<ul>
  <li>21 : FTP</li>

  <li>25 : SMTP</li>

  <li>80 : HTTP</li>

  <li>110 : POP</li>

  <li>143 : IMAP</li>

  <li>443 : SSL</li>

  <li>1443 : MS-SQL</li>

  <li>389 : LDAP</li>

  <li>119 : NNTP</li>

  <li>3389 : Terminal Server</li>
</ul>



<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="5-1-3"></a>Do you want Sticky Connections? <br>

</span>Sticky or persistent connections are required for FTP, are kind to
clients when using SSL, and unfortunately are sometimes required with HTTP if
your web application cannot keep state between real servers.<br>

NB. If your real servers cannot keep session state persistent
themselves then all you will get from a SCOP is performance

<br style="font-weight: bold;">

<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="5-1-4"></a>How long do you want connections to be sticky?<br>

</span>The persistence time is in seconds and is reset on every
connection, i.e. 5 minutes of persistence will last for ever if you re-click
a link within that 5 minutes.<br>

<br style="font-weight: bold;">

<span style="font-weight: bold;"><a name="5-1-5"></a>Scheduler <br>

</span>What method to use when routing to the real servers:<br>

<ul>
  <li><b>wlc</b> - Weighted Least-Connection: assign more jobs to servers
with fewer jobs and relative to the real servers' weight.</li>

  <li><b>rr</b> - Round Robin: distribute jobs equally amongst the available
real servers.</li>

  <li><b>wrr</b> - Weighted Round Robin: assign jobs to real servers proportionally
to the real servers' weight. Servers with higher
weights receive new jobs first and get more jobs than servers
with lower weights. Servers with equal weights get an equal distribution
of new jobs. <i>This is the default.</i> </li>

  <li><b>lc</b> - Least-Connection: assign more jobs to real servers with
fewer active jobs.</li>

  <li><b>lblc</b> - Locality-Based Least-Connection: assign jobs destined for
the same IP address to the same server if the server is not
overloaded and available; otherwise assign jobs to servers with
fewer jobs, and keep it for future assignment.</li>

  <li><b>lblcr</b> - Locality-Based Least-Connection with Replication: assign
jobs destined for the same IP address to the least-connection
node in the server set for the IP address. If all the nodes in
the server set are overloaded, it picks up a node with fewer
jobs in the cluster and adds it to the server set for the target.
If the server set has not been modified for the specified time,
the most loaded node is removed from the server set, in order to
avoid a high degree of replication.</li>

  <li><b>dh</b> - Destination Hashing: assign jobs to servers through looking
up a statically assigned hash table by their destination IP addresses.</li>

  <li><b>sh</b> - Source Hashing: assign jobs to servers through looking up a
statically assigned hash table by their source IP addresses.</li>
</ul>




<span style="font-weight: bold;"><a name="5-1-6"></a>Fallback
Server <br>

</span>The server to route to if all of the real servers in the group
fail the health check.<br>

The default is (localhost) the local apache
installation (configured to always show the index.html page).<br>

You can configure the fallback server to be a 'Hot Spare' if

<br style="font-weight: bold;">

<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="5-1-7"></a>Checktype</span><br>

<ul>
  <li>Negotiate - Scan the specified page for the specified response</li>

  <li>Connect - Just do a simple connect to the specified service</li>

  <li>Off - All real servers are off</li>

  <li>On - All real servers are on (no checking)</li>

  <li>5 - Do 5 connect checks and then 1 negotiate</li>

  <li>10 - Do 10 connect checks and then 1 negotiate</li>
</ul>



<p><b><span style="font-weight: bold;"><a name="5-1-14"></a></span>Check Port</b><br>

  If you want the Service to check to be say HTTPS but not on the default port 
  (443) then you can specify that here.</p>

<p> <b><span style="font-weight: bold;"><a name="5-1-15"></a></span>Virtualhost</b><br>

  If the real server will only respond to a URL or 'virtualhost' rather than an 
  IP address,
  you can specify the virtualhost to request here.</p>

<p> <b><span style="font-weight: bold;"><a name="5-1-16"></a></span>Login</b><br>

  The login name to use for IMAP, POP3 or FTP accounts (negotiate check)</p>

<p><b><span style="font-weight: bold;"><a name="5-1-17"></a></span>Password</b><br>

  The password to use.</p>


<p><span style="font-weight: bold;"><a name="5-1-8"></a>Service to check <br>

  </span>The service to check should normally match the virtual port number; if your 
  service is not present, use 'none'.<br>

  <br style="font-weight: bold;">

  <span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="5-1-9"></a>Protocol <br>

  </span> </p>


<ul>
  <li>tcp - This is the default</li>

  <li>udp - For DNS</li>

  <li>fwm - You must set this to use Firewall Marks</li>
</ul>



<span style="font-weight: bold;"><a name="5-1-10"></a>Granularity
(for MegaProxies) <br>

</span>Don't worry about the mega proxy issue unless your servers
require persistence. And don't believe the marketing hype about
cookie persistence and SSL acceleration: ALL OF THESE METHODS ARE
FUNDAMENTALLY FLAWED. The ONLY solution is to have a proper shared
session state database for all of your web servers.<br>


Some large ISPs use clustered proxies; this means that the client's
source IP address may keep changing.<br>

If you require persistence of HTTP and this is causing a problem then
you can set a larger mask on the source IP address match,
i.e. for a whole class C subnet.<br>

NB. Single IP is the default.<br>

<span style="font-weight: bold;"><br style="font-weight: bold;">

</span><span style="font-weight: bold;"><a name="5-1-11"></a>File
to check <br>

</span>Specify the file to check if you are using 'negotiate'.<br>

You can specify either a single file in the web servers root i.e.&nbsp;
"checkfile.html" or specify a path "/test/database/isbackendup.php"<br>

<br style="font-weight: bold;">

<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="5-1-12"></a>Response Expected <br>

</span>This is the response that must be received for the negotiate to
be a success. The negotiate check will be OK if the response expected,
e.g. "OK", is found anywhere in the response from the web server when
the <span style="font-style: italic;">File to check</span> is requested.<span style="font-weight: bold;"><br>
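The negotiate check described above, sketched as an added example (not ldirectord's or the SCOP project's code): it ties together File to check, Response Expected, Check Port, Virtualhost and Check Timeout, and shows why a short token such as "OK" is a poor Response Expected. Function names, the sample bodies and the token SCOP-CHECK-PASS are constructed for illustration; searching only the body is an assumption.<br>

```python
"""Added example: what an HTTP 'negotiate' health check amounts to."""
import http.client


def response_matches(body: bytes, expected: str) -> bool:
    """The check passes if the expected text occurs anywhere in the body."""
    return expected.encode() in body


def negotiate_check(real_ip, check_port, file_to_check, expected,
                    virtualhost=None, timeout=5):
    """GET the check file from one real server and look for the expected text."""
    path = "/" + file_to_check.lstrip("/")
    # Send the virtualhost as the Host header when the real server needs one.
    headers = {"Host": virtualhost} if virtualhost else {}
    conn = http.client.HTTPConnection(real_ip, check_port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        body = conn.getresponse().read(65536)  # cap how much we read
    except (OSError, http.client.HTTPException):
        return False  # refused, timed out or garbled: treat as failed
    finally:
        conn.close()
    return response_matches(body, expected)


# Constructed sample bodies: (is the backend really healthy?, response body)
SAMPLE_BODIES = {
    "healthy": (True, b"SCOP-CHECK-PASS db=OK cache=OK\n"),
    "db_down": (False, b"db=FAILED cache=OK\n"),
    "error_page": (False, b"<h1>500 Internal Server Error</h1>"
                          b"<p>Please BOOKMARK this page</p>"),
}


def misjudged(expected, bodies=SAMPLE_BODIES):
    """Names of sample bodies where the substring match gives the wrong verdict."""
    return [name for name, (healthy, body) in bodies.items()
            if response_matches(body, expected) != healthy]


if __name__ == "__main__":
    for token in ("OK", "SCOP-CHECK-PASS"):
        print(f"Response Expected {token!r}: wrong verdict for {misjudged(token)}")
```

Have the check file print a distinctive token only after it has verified the back end, and use that token as the Response Expected.<br>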

<br style="font-weight: bold;">

</span><span style="font-weight: bold;"><a name="5-1-13"></a>Default
forwarding method </span><br>

The method the SCOP uses to reach the real servers :<br>


<ul>
  <li>gate - This is the default (Direct Routing)</li>

  <li>ipip - This is for WAN links (Tunneling)</li>

  <li>masq - This is for NAT (Network Address Translation)</li>
</ul>



<span style="font-weight: bold;">Direct Routing</span> is the default
because it is easy to understand and implement with two load
balancers in failover mode (the suggested configuration for all
SCOP.org appliances). It only requires one external floating
virtual IP address on the same subnet as your web server cluster and
only 1 network card.<br>

Obviously it requires that you use your own firewall and do your own
NATing of public IPs to internal IPs, but I don't know why anyone would
risk using a SCOP as a firewall when they are not specialised
for it.<br>

Direct Routing just changes the MAC address of the packet to redirect
it to a server in the cluster, so when it arrives at that server it says
"hello I'm looking for VIP." The web server MUST PRETEND to be the VIP
but NOT TELL THE REST OF THE NETWORK! This is called the ARP
problem but is very simple to solve by putting the VIP on the loopback
adapter of each web server. Please refer to the quick setup
documents at <a href="http://www.SCOP.org/">http://www.SCOP.org/</a><br>

The other advantage of Direct Routing is that each web server can reply
through its own default gateway at gigabit + speeds without needing the
packets to return through the SCOP.<br>


<span style="font-weight: bold;">Tunneling </span>has somewhat limited
use as it requires an IP tunnel between the SCOP and the real
server. As the VIP is the target address, many routers will drop the
packet assuming that it has been spoofed. However it IS useful for
private networks with real servers on multiple subnets.<br>


<span style="font-weight: bold;">NAT</span> has the advantage that you
can load balance any device without having to deal with the ARP
problem. The real servers need their default gateway changed to be the
internal floating VIP of the SCOP. Because the SCOP
handles the return packet you will get more detailed statistics but
slower speed than DR or TUN. NAT can also be implemented with a single
NIC; just use the firewall script to set up an alias on the eth0


<span style="font-weight: bold;"><a name="5-1-18"></a>Feedback method </span><br>

The method the SCOP uses to measure the performance of the real servers:<br>

<ul>
  <li>agent - A simple telnet to port 3333 on the real server</li>

  <li>http - A simple HTTP GET to port 3333 on the real server</li>

  <li>none - No feedback (default setting)</li>
</ul>

The SCOP expects a 0-99 integer response from the agent, usually relating to the CPU idle,
i.e. a response of 92 would imply that the real server's CPU is 92% idle. The SCOP will then
use the formula (92/10*requested_weight) to find the new optimised weight.
Using this method an idle real server will get 10 times as many new connections as an overloaded server.<br>
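A feedback agent for the 'agent' method, as an added example (not the SCOP project's own agent): it computes CPU idle from /proc/stat, answers only the load balancer's address on port 3333, and shows the weight formula together with strict validation of the reply. All function names, the peer allow-list, the rounding of the formula and the placeholder address 192.0.2.10 are assumptions.<br>

```python
"""Added example: a minimal real-server feedback agent and the weight formula."""
import socket
import time

AGENT_PORT = 3333  # port named on this page


def cpu_idle_percent(before: str, after: str) -> int:
    """Idle share between two 'cpu' lines of /proc/stat, clamped to 0-99."""
    a = [int(x) for x in before.split()[1:9]]
    b = [int(x) for x in after.split()[1:9]]
    delta = [y - x for x, y in zip(a, b)]
    total = sum(delta)
    if total <= 0:
        return 0  # no ticks elapsed or counters went backwards: report busy
    return max(0, min(99, delta[3] * 100 // total))  # 4th field is idle time


def parse_agent_reply(data: bytes) -> int:
    """Load-balancer side: accept only a bare 0-99 integer from the agent."""
    text = data.decode("ascii").strip()
    if not text.isdigit() or len(text) > 2:
        raise ValueError("agent response must be an integer 0-99")
    return int(text)


def optimised_weight(idle: int, requested_weight: int) -> int:
    """Formula from this page: idle / 10 * requested_weight (rounding assumed)."""
    if not 0 <= idle <= 99:
        raise ValueError("agent response must be an integer 0-99")
    return round(idle / 10 * requested_weight)


def sample_idle(interval: float = 1.0) -> int:
    """Measure idle over a short interval on a Linux real server."""
    def cpu_line():
        with open("/proc/stat") as stat_file:
            return stat_file.readline()
    first = cpu_line()
    time.sleep(interval)
    return cpu_idle_percent(first, cpu_line())


def answer_one(listener, allowed_peers, idle_fn) -> bool:
    """Accept one connection; reply only if the peer is an allowed load balancer."""
    conn, (peer, _port) = listener.accept()
    with conn:
        if peer not in allowed_peers:
            return False  # do not disclose load figures to other hosts
        conn.sendall(f"{idle_fn()}\n".encode("ascii"))
        return True


if __name__ == "__main__":
    LOAD_BALANCERS = {"192.0.2.10"}  # placeholder: the SCOP's real IP address
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(("0.0.0.0", AGENT_PORT))
        listener.listen(5)
        while True:
            answer_one(listener, LOAD_BALANCERS, sample_idle)
```

With this rounding a reply of 0 gives a weight of 0, which, as noted elsewhere on this page, takes the real server offline.<br>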
<span style="font-weight: bold;"><a name="37"></a>Modify Logical Virtual Servers (Layer 7 HAProxy)</span><br>
HAProxy is a free, very fast and reliable solution offering
high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web
sites crawling under very high loads while needing persistence or Layer 7
processing. HAProxy features <b>poll</b>/<b>epoll</b> support for very large numbers of sessions, IPv6
on the client side, application cookies, hot-reconfiguration,
advanced dynamic load regulation, TCP keepalive,
source hash, and weighted load balancing.<br>
The functionality of HAProxy is entirely separate from the LVS-based Layer 4 functionality of the SCOP.<br>
<span style="font-weight: bold; color: rgb(255, 0, 0);">IMPORTANT: Any configuration changes to HAProxy are not activated until you manually restart HAProxy.</span><br>
<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="39"></a>Edit Virtual Server (Layer 7 HAProxy) </span><br>
The layer 7 Virtual server must be specified in the usual <span style="font-style: italic;">ipaddress:port</span> format.<br>
The <span style="font-style: italic;">Fallback</span> server can be any server and you can also change the port if required (i.e. port re-direction)<br>
If the <span style="font-style: italic;">mode</span> of the virtual server is http and <span style="font-style: italic;">persistence</span>=yes
then the proxy will automatically insert a cookie for each server in the
group and ensure that all requests with that cookie go to the correct
server. If the <span style="font-style: italic;">mode</span>=tcp then the persistence is based on source IP address.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="6"></a>Modify Global Settings </span><br>

Three global settings for virtual servers are configured here:<br>

<ul>
  <li>Check Interval - Number of seconds between health checks on real servers</li>

  <li>Check Timeout - Number of seconds before a health check times out</li>

  <li>Quiescent - 'yes' means set weight to 0 when health check fails;
'no' means completely remove real server</li>
</ul>


<span style="font-style: italic;">

NB. If you are using persistent (sticky) connections and quiescent is
set to 'yes' when a real server goes down it will still receive
connections from clients.</span><br>


<span style="font-weight: bold;"><a name="7"></a>Modify the physical
Virtual IP(s)<br>

</span>This form allows you to modify the haresources file, this file
specifies which ip address resources the master SCOP node

When you add or remove shared ip addresses you must re-start heartbeat
for the changes to take effect.<br>

If you have two SCOPs you should ensure that the haresources
file is the same on both SCOPs.<br>

<span style="font-style: italic;">NB. Provided the master knows the
slave's IP address, all settings are automatically replicated.</span><br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="8"></a>&nbsp;Modify the physical Real IP(s)<br>

</span>The real ip address of the SCOP is the address that you
use for administration.<br>

Normally you will only need a single interface <i>eth0</i> to be


If you can't modify your real servers to solve the ARP problem then you
can set up the SCOP to NAT connections
between two separate networks (like a firewall). In this case you will
want to set up <i>eth0</i> as the internal network and <i>eth1</i> as
the external network.<br>

All of the Virtual and real servers then need to be told to use the
MASQ method rather than GATE.<br>

<i>NB. You will also need two floating VIPs and all the internal
servers will need their default gateway set to the internal floating


<span style="font-weight: bold;"></span><a name="9" style="font-weight: bold;"></a>&nbsp;<span style="font-weight: bold;">Modify
the maintenance (holding) page of this SCOP <br>

</span>When all of the real servers fail a health check the load
balancer will default to its local holding page. You can edit this page
to say "Sorry web site closed for maintenance." etc.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="12"></a>&nbsp;Modify the physical network configuration <br>

</span>This form allows you to change:<br>

<ul>
  <li>Hostname - Either 'master' or 'slave'</li>

  <li>Slave load balancer - The IP address of the slave SCOP (used
for replication).</li>

  <li>Default Gateway - Access to the Internet from the SCOP.</li>

  <li>Force full slave sync - If ticked then immediately transfer all configuration files to the slave SCOP.</li>

  <li>Domain Name Server - Default DNS server</li>
</ul>

If you are setting up two SCOPs then make sure that they both
have the correct hostname and that the master knows the IP address of
the slave. Once this is set up all of your changes will be automatically
replicated from the master to the slave.<br>
<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="40"></a> (SSL Termination Pound)</span><br>

Pound is a small, fast reverse proxy and an SSL wrapper: <em>Pound</em>
will decrypt HTTPS requests from client browsers and pass them as plain
HTTP to the back-end servers. The SCOP uses Pound
to decrypt SSL traffic and pass it to HAProxy, which can then insert
cookies for layer 7 persistence.<br>
The Pound configuration consists of a Virtual IP address for incoming SSL traffic, i.e. <span style="font-style: italic;">ipaddress:443</span>, and a Backend to pass the decrypted traffic to, i.e. <span style="font-style: italic;">ipaddress:80</span>; these will usually be the same VIP with a different port.<br>
By default the SSL engine uses a self-signed certificate in PEM format.&nbsp;<br>
<span style="font-style: italic;">NB. You will need to generate your own certificate using a trusted provider.</span><br>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">IMPORTANT: Any configuration changes to Pound are not activated until you manually restart Pound.</span></p>
<p>Make sure that the certificate file includes:</p>

<ul>
  <li>(optional) a chain of certificates from a known certificate authority to
        your server certificate</li>
  <li>the server certificate</li>
  <li>the private key; the key may NOT be password-protected</li>
</ul>

<p>The file should be in PEM format. The OpenSSL command to generate a
      self-signed certificate in the correct format would be something like:</p>
<pre>        openssl req -x509 -newkey rsa:2048 -keyout test.pem -out test.pem -days 365 -nodes</pre>
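Because the private key in this file cannot be password-protected, the file's permissions are its only protection at rest. The following added example (not Pound's or the SCOP project's code) checks a PEM bundle for the parts listed above and flags a key file readable by group or other; the function names and the sample bundles, whose bodies are not real key material, are constructed for illustration.<br>

```python
"""Added example: sanity-check a PEM bundle before pointing Pound at it."""
import os
import re
import stat
import sys

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def check_pound_pem(text: str) -> list:
    """Return a list of problems found in the bundle (empty list = usable)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    keys = [(label, body) for label, body in blocks
            if label.endswith("PRIVATE KEY")]
    if certs == 0:
        problems.append("no certificate")
    if not keys:
        problems.append("no private key")
    elif len(keys) > 1:
        problems.append("more than one private key")
    for label, body in keys:
        # PKCS#8 encrypted keys have their own label; traditional encrypted
        # keys carry a 'Proc-Type: 4,ENCRYPTED' header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-protected")
    return problems


def check_key_file_mode(path: str) -> list:
    """An unencrypted key on disk should be readable by its owner only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible by group/other (mode {mode:04o})"]
    return []


# Constructed samples: block bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""

SAMPLE_ENCRYPTED = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    pem_path = sys.argv[1]
    with open(pem_path) as pem_file:
        found = check_pound_pem(pem_file.read()) + check_key_file_mode(pem_path)
    print("\n".join(found) if found else "bundle looks usable")
```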


<span style="font-weight: bold;"></span><a name="13" style="font-weight: bold;"></a><span style="font-weight: bold;">Initialise
statistics tracking database (rrdtool) <br>

</span>This link will analyse the current virtual and real servers and
create a brand new rrdtool database and relevant cron jobs to produce
graphical statistics for active and inactive connections through the

<span style="font-weight: bold;"></span><a name="14" style="font-weight: bold;"></a><span style="font-weight: bold;">Re-initialise
statistics tracking database.. <br>

</span>If you make changes to your configuration this will
re-initialise the graphs without re-creating the database from scratch.<br>

<span style="font-style: italic;">NB. If you have added a VIP you will need to do a full initialise.</span><br>


<a name="15"></a><span style="font-weight: bold;">Change passwords..<br>

</span>This form allows you to create, edit and delete SCOP.org
web based interface users.<br>

You should change the super user's (SCOP) password here.<br>

When you edit a user you can specify that they are :<br>


<ul>
  <li>maint : Able to view reports and take real servers on or offline</li>

  <li>report : Only able to view reports</li>

  <li>config : Full super user access</li>
</ul>


<a name="16"></a><span style="font-weight: bold;">&nbsp;Modify the
firewall script of this SCOP </span><br>

This form allows you to edit rc.firewall (<span style="font-style: italic;">be careful!</span>).<br>

This can be used either for belt and braces security (you should also
configure your own firewall!)<br>

Or it can be used to create custom virtual server groupings using
firewall marks.<br>

For example instead of grouping on VIP:Port you could group on Fwmark
and define the mark as :<br>

# VIP2=""<br>

# /sbin/iptables -t mangle -A PREROUTING -p tcp -d $VIP2 -j MARK
--set-mark 2<br>

i.e. ANY packet destined for<br>


<span style="font-weight: bold;"><a name="17"></a>Make a
configuration backup<br>

</span>This link makes a snapshot of the current settings. It is wise
to do this before a major change in case of mistakes.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="18"></a>Restore configuration from backup<br>

</span>This link instantly restores the last snapshot (be careful!)<br>

<span style="font-style: italic;">NB. You may need to restart heartbeat
and/or ldirectord in some cases<br>


</span><span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="19"></a>Disaster Recovery Options<br>

</span>This form allows you to make offline backups of the current
SCOP configuration.<br>

It is highly recommended that you do this once your cluster is


<a name="20"></a><span style="font-weight: bold;">Restart Heartbeat<br>

</span>If you make any changes to haresources (Physical Virtual IP
Address) you need to restart heartbeat (on both nodes) for the changes
to take effect.<br>

If the slave is correctly configured it will restart heartbeat at the same time.<br>

<span style="font-style: italic;">

WARNING this may disable your VIP for a short time.</span><br>


<a name="21"></a><span style="font-weight: bold;">&nbsp;Restart Ldirectord</span><br>

If you make an error while configuring the SCOP, ldirectord
(the health checker) may terminate. It will auto restart after a short
time but you may wish to force it to restart. <br>

<span style="font-style: italic;">NB. The SCOP still carries on
with its job if ldirectord is down unless the configuration makes no
sense whatsoever.</span><br>


<span style="font-weight: bold;"><a name="22"></a>Shutdown and
restart server<br>

</span>Restart the SCOP.org appliance.<br>


<a name="23"></a><span style="font-weight: bold;">&nbsp;Shutdown and halt server</span><br>

Shut down the SCOP.org appliance (for maintenance).<br>

<span style="font-style: italic;">NB. The hardware will not power off; it will just halt.</span><br>


<span style="font-weight: bold;"><a name="24"></a>Execute a shell command</span><br>

This allows you to execute a shell command as super user on the
SCOP.org appliance (be careful!) and view the output.<br>

<ul>
  <li>free -m : to view memory usage</li>

  <li>ps -ef : to view process utilisation</li>

  <li>/etc/rc.d/init.d/sshd restart : to restart sshd if you
killed it by mistake</li>

  <li>uptime : to see the number of months/years of uptime and
processor load.</li>
</ul>



<span style="font-weight: bold;"><a name="25"></a>Take a real server
offline or online </span><br>

This form allows you to take individual real servers offline or bring
them back online.<br>

This is useful if you need to take a server offline for maintenance.<br>

The maintenance screen shows both the requested status i.e. ONLINE or
OFFLINE as well as the actual status ACTIVE or INACTIVE (which will be
affected by the real time server checks.)<br>

When you request a server to go online or offline it will normally take
5 seconds to change the active status.<br>

<span style="font-style: italic;">

NB. If YOU request ALL the real servers to be OFFLINE then the fallback
server will NOT be activated.</span><br>


<span style="font-weight: bold;"><a name="26"></a>Status<br>

</span>This live report shows the current number of active and inactive
connections for each configured real server.<br>

It also shows the current weight of each real server.<br>

If the weight is 0 or&nbsp; the&nbsp; real server is not showing
(QUIESCENT=no) this means that the health checker has failed for that
real server, check the ldirectord log file to confirm if required. <br>
<span style="font-style: italic;">

NB. The maintenance screen clearly shows the real time status of
virtual and real servers using the raw data from this report.</span><br>
<span style="font-weight: bold;"><a name="41"></a>Status (Layer 7 HAProxy)</span><br>

 This report is provided by the stats instance of HAProxy which defaults to <span style="font-style: italic;">physicalipaddress:7777</span>.<br>
This web page contains the current live status of all of the configured layer 7 HAProxy virtual &amp; real servers.<br>

<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="27"></a>&nbsp;Traffic rate per second <br>

</span>This report shows the current connections per second and bytes
per second&nbsp; to each real server.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="28"></a>&nbsp;Traffic Qty <br>

</span>This report shows the volume of traffic to each real server
since the counters were last re-set.<br>


<span style="font-weight: bold;"><a name="29"></a>&nbsp;Current
Connections <br>

</span>This report lists all TCP connections through the SCOP
showing source ip, virtual ip and real ip.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="30"></a>&nbsp;Current Connections (resolve host name)<br>

</span>Same as above but also resolve the source ip host name.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="31"></a>&nbsp;Graphical stats over time<br>

</span>The graphical stats are updated every 5 minutes and allow you to
analyse traffic patterns over days, weeks, months or even years. This is
all done using RRDTOOL so you can change the graphs as required. Just
send an email to <a href="mailto:hide@address.com">hide@address.com</a>
if you want advice on setting up new stats reports.<br>

&nbsp; <br>

<span style="font-weight: bold;"><a name="32"></a>Ldirectord <br>

</span>The ldirectord log shows the output from the health checking
daemon. This is useful for checking how healthy your real servers are
or pinning down any configuration errors. The logging here can be quite
verbose but it clearly shows what the health checking daemon is doing.<br>


<span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="33"></a>Lbadmim<br>

</span>The SCOP log shows any changes made via the admin system.
Useful to prove that someone has changed something that they should
not have done.<span style="font-weight: bold;"><br>


</span> <span style="font-weight: bold;"></span><span style="font-weight: bold;"><a name="34"></a>Heartbeat <br>

</span>The heartbeat log shows the status of the heartbeat between the
master and slave nodes. Don't worry about the various memory usage
messages in this log; they are there to prove that everything is
working fine.<span style="font-weight: bold;"><br>


</span><span style="font-weight: bold;"><a name="35"></a>Reset all
packet counters to zero </span><br>

<span style="font-weight: bold;"></span>As it says this resets the
packet counters to zero for the SCOP reports.<br>


<span style="font-weight: bold;"><a name="36"></a>Change the local time zone</span><br>

The SCOP's local clock is updated once a day using ntp; this
requires that your default gateway and DNS are set correctly.<br>

This form allows you to change the timezone that is reported in the logs.<span style="font-weight: bold;"><br>





