LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Setup a Highly Available Wordpress Site From Scratch, 2024 Edition! Part 7: Round-Robin DNS, Let’s Encrypt, & Conclusion

In this tutorial series, we are setting up a highly available WordPress web site from scratch. 

Part 1 – Introduction, Considerations, and Architecture
Part 2 – Ordering the VPSes 
Part 3 – Ansible
Part 4 – Gluster
Part 5 – WordPress install
Part 6 – MariaDB Multi-Master
Part 7 – Round-Robin DNS, Let’s Encrypt, & Conclusion (this article)

All right, folks, we’re in the final leg of our journey!  In this concluding part, we’ll set up the HA part of our HA setup.

Let’s start by getting Let’s Encrypt going.  This will provide a free HTTPS certificate.  One problem we have is that we have three web servers, all of which need to be able to answer with the lowend.party certificate.  How can that happen?  Gluster magic again.

On each node, stop nginx.

systemctl stop nginx

On node1, move the nginx and letsencrypt directories from /etc to our /gluster filesystem, and then create symlinks.

root@node1:/etc# mv nginx letsencrypt /gluster/
root@node1:/etc# ln -s /gluster/nginx /etc/nginx
root@node1:/etc# ln -s /gluster/letsencrypt /etc/letsencrypt

On nodes 2 and 3, we just remove the directories in /etc and make the links because the directories and files are already in /gluster from the previous step.

root@node2:~# rm -rf /etc/nginx /etc/letsencrypt
root@node2:~# ln -s /gluster/nginx /etc/nginx
root@node2:~# ln -s /gluster/letsencrypt /etc/letsencrypt

Now I’ll go to my DNS provider (I’m just using Porkbun’s hosted DNS here) and create the A record for node1 (5.78.68.150).  For the moment, any browser (or certbot) going to www.lowend.party will just go to node1.

Let’s Encrypt Setup

Now let’s get our cert from Let’s Encrypt.

# certbot --authenticator webroot --installer nginx --webroot-path /web/www.lowend.party -d www.lowend.party
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.lowend.party

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.lowend.party/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.lowend.party/privkey.pem
This certificate expires on 2024-06-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for www.lowend.party to /etc/nginx/sites-enabled/www.lowend.party
Congratulations! You have successfully enabled HTTPS on https://www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And that certificate is installed in our /gluster filesystem, which means it’s on all three nodes, and all three nodes’ Let’s Encrypt is pointed at that shared filesystem.

Round Robin DNS

Round Robin DNS (RRDNS) is a DNS feature that allows us to create multiple records for the same name.  The way it works is that every time you query the name (www.lowend.party in this case), the DNS server returns all the records.  Nowadays, browsers are smart about RRDNS so they’ll try one randomly.  If it doesn’t respond, the browser will go on to a different result.

In our case, we’ll set RRDNS to return the three A records for our nodes.

# nslookup www.lowend.party
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: www.lowend.party
Address: 5.78.74.126
Name: www.lowend.party
Address: 5.78.68.150
Name: www.lowend.party
Address: 5.78.91.194

Now we are in HA mode.  If a browser queries www.lowend.party, decides to go to node1, and node1 is down, it’ll try node2 or node3, and this is transparent to the user.

Let’s try it:

[Screenshot: Wordpress Success 1]

Cool.  Next I added an article and browsed again:

[Screenshot: Wordpress Success]

At this point, we can create content on any node, and it’s served from any node.  Success!
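
The certificate files live on the shared /gluster filesystem, but each node's nginx keeps the copy it loaded until it is restarted or reloaded, so it is worth checking what each A record actually serves. The script below is an added example, not part of the original tutorial: it connects to each node IP from the nslookup output with SNI www.lowend.party and compares certificate fingerprints and expiry dates. The function names and the 14-day threshold are assumptions.

```python
"""Added example: compare the certificate each round-robin node actually serves."""
import hashlib
import socket
import ssl
import time

HOSTNAME = "www.lowend.party"
NODES = ["5.78.68.150", "5.78.74.126", "5.78.91.194"]  # A records from the nslookup output


def probe(ip, hostname=HOSTNAME, timeout=5):
    """Connect to one node by IP and return (sha256_fingerprint, expiry_epoch).

    The default context validates the chain and the hostname, so a node
    answering with the wrong or an expired certificate raises an error.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after = tls.getpeercert()["notAfter"]
    return hashlib.sha256(der).hexdigest(), ssl.cert_time_to_seconds(not_after)


def find_problems(results, now, min_days=14):
    """results maps ip -> (fingerprint, expiry_epoch), or ip -> None if the probe failed.

    Returns a sorted list of findings; an empty list means every node agrees.
    """
    problems = [f"{ip}: no valid TLS answer" for ip, r in results.items() if r is None]
    live = {ip: r for ip, r in results.items() if r is not None}
    if live:
        newest = max(live.values(), key=lambda r: r[1])  # cert with the latest expiry
        for ip, (fingerprint, expiry) in live.items():
            if fingerprint != newest[0]:
                problems.append(f"{ip}: serving a different certificate than the newest one seen")
            if expiry - now < min_days * 86400:
                problems.append(f"{ip}: certificate expires in under {min_days} days")
    return sorted(problems)


if __name__ == "__main__":
    results = {}
    for ip in NODES:
        try:
            results[ip] = probe(ip)
        except OSError as exc:  # covers timeouts, refused connections and ssl.SSLError
            print(f"{ip}: {exc}")
            results[ip] = None
    for line in find_problems(results, time.time()) or ["all nodes serve the same certificate"]:
        print(line)
```

A node flagged as serving a different certificate usually just needs `systemctl reload nginx` to pick up the renewed files from /gluster.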

I hope you enjoyed this tutorial.  I enjoyed updating it from the 2024 iteration, and now am running this as my production setup.

raindog308
