18.5 Installing a Load Balancer for Advanced Authentication Cluster

You can install a load balancer and configure it using third-party software. The following example guides you through installing and configuring nginx as a load balancer on Ubuntu 16.04.

NOTE: Advanced Authentication supports DNS round-robin and third-party VIP, but only with sticky sessions. The DNS Discovery mechanism is excluded from the workflow. Advanced Authentication clients are pointed to a load balancer that manages all traffic.

Target configuration:

                        | Hostname                | IP address    | Role                | Operating System
Domain controller       | win-dc.utopia.locl      | 192.168.1.56  | AD DS, DNS          | Windows Server 2012 R2
Advanced Authentication | aaf-clu-gm.utopia.locl  | 192.168.1.70  | Global Master       | Advanced Authentication
Advanced Authentication | aaf-clu-gs.utopia.locl  | 192.168.1.71  | DB Server           | Advanced Authentication
Advanced Authentication | aaf-clu-wb1.utopia.locl | 192.168.1.72  | Web Server 1        | Advanced Authentication
Advanced Authentication | aaf-clu-wb2.utopia.locl | 192.168.1.73  | Web Server 2        | Advanced Authentication
Load balancer           | llb.utopia.locl         | 192.168.1.138 | Nginx load balancer | Ubuntu 16.04
Client                  | windows7v5.utopia.locl  | 192.168.1.61  | AA Client           | Windows 7 x64

Before you start the configuration, ensure that the following requirements are met:

  • A repository is configured in the Advanced Authentication appliance.

  • Advanced Authentication servers are installed and configured. All servers have the same version.

  • Appropriate entries are added to DNS.

  • Ubuntu 16.04 is installed.

18.5.1 Installing nginx on Ubuntu 16.04

  1. Update the repository and install nginx:

    1. apt-get update

    2. apt-get install nginx

  2. Start nginx and ensure that the web server is working:

    1. sudo service nginx restart

  3. Open your browser and go to the web server at http://192.168.1.138.

18.5.2 Configuring nginx

nginx supports the following load balancing methods:

  • round-robin: Requests to the application servers are distributed in round-robin fashion.

  • least-connected: The next request is assigned to the server with the least number of active connections.

  • ip-hash: A hash function (based on the client's IP address) determines which server is selected for the next request.

This document describes the ip-hash configuration because the REST queries being balanced require sticky sessions, and ip-hash provides a similar mechanism: requests from the same client address are always sent to the same server.
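As an added example (not from the Advanced Authentication documentation or from nginx itself), the following Python models nginx's ip_hash selection for the two web servers in this section's target configuration, to show why it yields sticky sessions and what that stickiness depends on. The hashing constants mirror the open-source nginx module; the server names and equal weights are assumed from the upstream block used in this section.

```python
# Added example, not part of the Advanced Authentication documentation: a model of
# nginx's ip_hash upstream selection for the two web servers in this section.
# nginx hashes only the first three octets of an IPv4 address; the constants 89,
# 113 and 6271 mirror the open-source ngx_http_upstream_ip_hash_module. The
# retry/"down" handling nginx performs when a backend fails is omitted here.
from typing import Iterable, List, Tuple

UPSTREAM: List[Tuple[str, int]] = [          # (server, weight) as in nginx.conf
    ("aaf-clu-wb1.utopia.locl:443", 1),      # 192.168.1.72
    ("aaf-clu-wb2.utopia.locl:443", 1),      # 192.168.1.73
]


def ip_hash(client_ip: str) -> int:
    """Return the key nginx derives from an IPv4 client address ($remote_addr)."""
    octets = [int(o) for o in client_ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    h = 89
    for octet in octets[:3]:  # the fourth octet is deliberately ignored
        h = (h * 113 + octet) % 6271
    return h


def select_backend(client_ip: str, upstream=UPSTREAM) -> str:
    """Pick the upstream server for client_ip the way ip_hash does (weighted)."""
    w = ip_hash(client_ip) % sum(weight for _, weight in upstream)
    for name, weight in upstream:
        if w < weight:
            return name
        w -= weight
    raise AssertionError("unreachable: weights exhausted")


def same_backend(ips: Iterable[str]) -> bool:
    """True if every client address in ips is pinned to one upstream server."""
    return len({select_backend(ip) for ip in ips}) == 1


if __name__ == "__main__":
    # The Windows client from the target configuration, a neighbour in its /24,
    # and a client from another network:
    for ip in ("192.168.1.61", "192.168.1.200", "10.0.0.5"):
        print(f"{ip:>15} -> {select_backend(ip)}")
    # All of 192.168.1.0/24 shares one backend. That is the stickiness the REST
    # queries need, but it also means a NAT or proxy in front of nginx funnels
    # everyone to one web server: X-Forwarded-For is forwarded, not hashed.
    print("whole /24 pinned:", same_backend(f"192.168.1.{i}" for i in range(1, 255)))
```

When sizing the cluster, remember that clients sharing a /24 (or sitting behind one NAT) count as a single hash key, so the two web servers will not necessarily receive equal load.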

To configure nginx, perform the following steps:

  1. Create a backup of the original configuration file by running the following command:

    sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_original

    NOTE: This configuration file allows you to balance REST, Administration, and Self-Service portal requests.

  2. Copy the certificate from the aucore_1 container to the host (Advanced Authentication appliance) using the following command, which places cert.pem in the current directory:

    docker cp aaf_aucore_1:/etc/nginx/conf/cert.pem .

    Then copy cert.pem to the load balancer; the configuration in the next step expects it at /etc/nginx/cert.pem.

  3. Open the nginx.conf file and replace its content with the following sample:

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
        worker_connections 768;
        # multi_accept on;
    }

    http {

        ##
        # Basic Settings
        ##

        sendfile on;
        #tcp_nopush on;
        #tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        #include /etc/nginx/mime.types;
        #default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/nginx/cert.pem;
        ssl_certificate_key /etc/nginx/cert.pem;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
        resolver 192.168.1.56 valid=300s ipv6=off; # IP address of the DNS server
        resolver_timeout 10s;

        upstream aaf-clu {
            ip_hash; # Type of load balancing mechanism
            server aaf-clu-wb1.utopia.locl:443; # 192.168.1.72:443
            server aaf-clu-wb2.utopia.locl:443; # 192.168.1.73:443
        }

        server {
            listen 443 ssl;

            # Rule for REST
            location ~ ^/api/v1 {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/admin {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/static {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/helpdesk {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/account {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/osp {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/rest {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/smartphone {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }

            location ~ ^/oob {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://aaf-clu$uri?$args;
            }
        }
    }

Performing a Health Check of the Advanced Authentication Servers

You can use the REST API to configure third-party tools to perform a health check of the Advanced Authentication servers.

18.5.3 Configuring Advanced Authentication Client

To point the Advanced Authentication client to a load balancer, you must make the following changes after installing the client on a workstation.

  1. Install Windows Client. To install Windows Client, see Installing Windows Client in the Advanced Authentication - Windows Client guide.

  2. Open the configuration file: C:\ProgramData\NetIQ\Windows Client\config.properties.

  3. Set the parameter discovery.host = <IP_address/hostname_loadbalancer>.

    This configuration points the Advanced Authentication Client to a load balancer that manages the traffic between the Advanced Authentication server and the Advanced Authentication Client (REST API).