Re: Unable to set avatars in user CP [message #20112 is a reply to message #20070]
Mon, 27 September 2004 01:19
jmccombs
Messages: 8 Registered: September 2004 Location: Northern Virginia
Junior Member
The forums system, since the images are 'dynamic' enough (avatar uploads, etc.), is run entirely from the 'application' server.
The static content "web" server is used just for static web and images. The reason we do this is twofold:
1. Plain old web servers aren't loading a ton of application modules (e.g. mod_perl, php, java connectors such as mod_caucho (for resin) or mod_jk for tomcat). Since the majority of the content we serve from our portal systems is static, we can fit more regular web servers on a single system since base-apache instances have a smaller memory foot-print than ones with all those modules loaded. Our base platform for a web server is a Sun V100, with 512MB and a single CPU, and that 1 box can serve a ton of pages. App servers are usually bigger boxes with more memory. Keeps our infrastructure costs manageable.
2. Masking applications behind proxy servers located on private networks (that are firewalled to heck and back) decreases the security risks associated with poor code... we do the same for the databases too actually. The *only* thing allowed to talk on the application server network is web traffic. The *only* service those application servers have is apache. Only one system from a separate 'management' tier is allowed to ssh into them, everything else is disallowed. We actually do the same for our postgres, mysql, and Oracle database servers. -- it's restrictive, true, and it makes administration a major pain, but it decreases the risk associated with problems because some dumb developer isn't escaping URIs properly, or there's an exploit in mod_perl/mod_php. -- Don't get me wrong, this isn't foolproof, but it does make life just a teensy bit harder for all the black hats out there - except for those that are determined to get in of course.
-- as for the way they are laid out.. they're actually entirely separate systems. While they do mount an NFS file system (across yet another separate network), since in reality we have 3 each of web/app servers (everything is load balanced), the document root, server instances, even logs are in separate directories. The two systems don't touch in any way.
You should be able to access the system now, sorry about that. Details in PM. I appreciate all your help on this, as I'm thoroughly stumped.
-j
Do pyromaniacs wear blazers?
[Updated on: Mon, 27 September 2004 01:26]
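
The tier policy described in the post above (only web traffic reaches the application servers, ssh only from one management system, everything else disallowed), written as a flow audit. This is an added example, not part of the original post or the poster's configuration; the subnets, the management address, the port numbers and the flow records are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing and ports; none of these values come from the post.
WEB_TIER = ip_network("10.0.1.0/24")   # static web / proxy servers
APP_TIER = ip_network("10.0.2.0/24")   # application servers (apache only)
MGMT_HOST = ip_address("10.0.9.5")     # the one system allowed to ssh in
WEB_PORTS = {80, 443}                  # assumed meaning of "web traffic"
SSH_PORT = 22


def verdict(src, dst, proto, dport):
    """Classify one flow: 'allow', 'out-of-scope', or 'deny: <reason>'."""
    s, d = ip_address(src), ip_address(dst)
    if d not in APP_TIER:
        return "out-of-scope"
    if proto != "tcp":
        return "deny: non-TCP traffic on the app network"
    if dport in WEB_PORTS:
        # Assumption: web traffic must arrive through the proxy tier.
        return "allow" if s in WEB_TIER else "deny: web traffic bypassing the proxy tier"
    if dport == SSH_PORT:
        return "allow" if s == MGMT_HOST else "deny: ssh from a host other than management"
    return "deny: service other than apache or ssh"


def audit(lines):
    """Parse 'src dst proto dport' records and return the policy violations."""
    findings = []
    for line in lines:
        src, dst, proto, dport = line.split()
        result = verdict(src, dst, proto, int(dport))
        if result.startswith("deny"):
            findings.append((line, result))
    return findings


# Constructed flow records: src dst proto dport
SAMPLE_FLOWS = [
    "10.0.1.11 10.0.2.21 tcp 80",     # proxy to app server
    "10.0.9.5 10.0.2.21 tcp 22",      # management ssh
    "10.0.1.11 10.0.2.21 tcp 22",     # ssh from a web server
    "10.0.9.5 10.0.2.22 tcp 5432",    # extra listener on an app server
    "203.0.113.7 10.0.2.21 tcp 443",  # web request that skipped the proxy
    "10.0.1.12 10.0.2.23 udp 53",     # non-web protocol
]

if __name__ == "__main__":
    for line, result in audit(SAMPLE_FLOWS):
        print(f"{line:32} {result}")
```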