Redirecting sites via A Records

[analiesek]

I have a pretty technical question that I would love some input on. We have our own CMS, and we're currently working on transitioning out 700+ sites from our current servers to AWS. Most of these clients give us full control or access to their registrar, but we have about 50-75 who for whatever reason, refuse to give it to us and also refuse to change the DNS info to what we need to make this switch. We think we've found a workaround, but I'm worried that it may have some negative impact on the sites.

I had my IT Director send me the following to hopefully make sense of what we're trying to do.

Dr. K has a web site, drkwebsite.com, that has an A record: 1.2.3.4

Dr. K is an untrusting client who won’t let us have access to their zone file. When we move to AWS, we need the A record to 1.2.3.4 to be deleted and replaced with a CNAME that points to abc.gdw.com. Since we can’t make the change ourselves, and Dr. K is non-responsive, we need to leave a path for her clients to get to her web site.

When we move, the web server at 1.2.3.4 will be replaced with a proxy server that will redirect users to abc.gdw.com, passing all headers so when the site loads from AWS, end users won’t know they’ve been redirected. If you curl the URL you’ll see the hop from the proxy server to the new web server, but it’s otherwise not visible.

I'd love to know if anyone sees any glaring issues! I've spent time researching redirects and potential impacts, but can't find anything this specific.

 

[BrianMacKenzie]

A proxy server should hide the endpoint and not perform any redirect (via 3XX HTTP codes).

We use HAProxy in our infrastructure; it does not provide any method to explose the backend to an end user (technical or non-technical, unless we add a custom HTTP Response header to indicate the backend). We can switch the backend at any time without any downtime, and provide load balancing or high availability.

What proxy server is being suggested by your IT Director?

 

[analiesek]

Thanks for the response, Brian!

He said it's via HAProxy. I asked if he was using any of the 3XX redirect, and he sent me back that it would look like this:

 

[BrianMacKenzie]

You're welcome!

With that configuration, there is no 3XX redirect. HAProxy acts as a true proxy and the backend is unknown to the end user.

You're safe there, and there will not be any negative implications from and SEO perspective. In fact, if you implemented this for all of your clients you may see significant advantages (more on that later).

The main configuration I would change is the 4th line (unless you're explicitly using HTTP over HTTPS on the front end):

http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
http-request add-header X-Forwarded-Proto https if { ssl_fc }

HAProxy is a very powerful proxy and load balancer. It can be used to:

• eliminate DDoS attacks on backends,
• filter out junk traffic and scanners,
• rate limit, tarpit and honeypot abusers,
• shape traffic and load balance,
• automatic implementation of HTTP/2, and
• implement Let's Encrypt with automatic renewal.

You can also set up multiple servers that share a Virtual IP Address for High Availability. If you have an employee capable of administering HAProxy and HA environments, you'll see many advantages over your CNAME method. If you're already planning to do this for one client, you may consider doing it for all.

Our infrastructure uses HAProxy servers in front of Varnish Cache Servers. This combination allows us to reduce the load on our Apache/PHP and MariaDB servers by more than 95%, as a large percentage of our client's sites are brochure-style SMB Wordpress websites or WooCommerce shops. TTFB averages around 100-150ms (example attached).

That's probably more information than you asked for, but I hope it helps!

 

[analiesek]

Thanks again! This is exactly what I needed. I passed it along to my IT Director and he said to pass along his thanks as well.

 

[BrianMacKenzie]

You're welcome!