The following load balancing methods are supported in nginx.
round-robin: Requests to the application servers are distributed in a round-robin fashion.
least-connected: The next request is assigned to the server with the least number of active connections.
ip-hash: A hash function is used to determine which server is selected for the next request (based on the client’s IP address).
This document describes the ip-hash configuration because the REST queries being balanced require sticky sessions to be enabled, and ip-hash provides a similar mechanism.
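Added example (not from the original document and not nginx's own code): a Python model of how ip_hash pins clients, using the two upstream servers from the sample configuration on this page. nginx documents the hash key as the first three octets of an IPv4 address (the whole address for IPv6), so every client in one /24, or behind one NAT address, sticks to the same server. The mixing constants and the all-peers-up simplification are assumptions of this model, and the client addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Upstream members from the sample configuration on this page, equal weight.
PEERS = [("aaf-clu-wb1.utopia.locl:443", 1), ("aaf-clu-wb2.utopia.locl:443", 1)]


def hash_key(client_ip: str) -> bytes:
    """Documented ip_hash key: first three octets for IPv4, whole address for IPv6."""
    addr = ipaddress.ip_address(client_ip)
    return addr.packed[:3] if addr.version == 4 else addr.packed


def pick_peer(client_ip: str, peers=PEERS) -> str:
    """Model of peer selection with every peer up (no failover re-hash).

    The constants 89, 113 and 6271 are this model's assumption about the hash mix.
    """
    h = 89
    for byte in hash_key(client_ip):
        h = (h * 113 + byte) % 6271
    w = h % sum(weight for _, weight in peers)
    for name, weight in peers:
        if w < weight:
            return name
        w -= weight
    raise RuntimeError("unreachable: weights cover the whole range")


def spread(clients, peers=PEERS) -> dict:
    """Group client addresses by the backend they stick to."""
    groups = defaultdict(list)
    for ip in clients:
        groups[pick_peer(ip, peers)].append(ip)
    return dict(groups)


# Constructed sample clients: two hosts in one /24, two other subnets, one IPv6 host.
SAMPLE_CLIENTS = ["192.168.1.10", "192.168.1.200", "192.168.2.10", "10.0.0.7", "2001:db8::1"]

if __name__ == "__main__":
    for backend, ips in spread(SAMPLE_CLIENTS).items():
        print(backend, ips)
```

If the load balancer itself receives all traffic from a single upstream proxy or NAT address, the model shows every request landing on one server, which is worth checking before relying on ip-hash for load distribution.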
To configure nginx, perform the following steps:
Create a backup of the original configuration file by running the following command:
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_original
NOTE: This configuration file balances REST, Administration, and Self-Service portal requests.
Copy the certificate from the aucore-1 container to the host (Advanced Authentication appliance) using the following command:
docker cp aaf-aucore-1:/etc/nginx/conf/cert.pem
Later, copy cert.pem to the load balancer.
Open the nginx.conf file and replace its content with the following sample:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    #tcp_nopush on;
    #tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    #include /etc/nginx/mime.types;
    #default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # cert.pem is used as both certificate and key, so it holds the private key; restrict its file permissions.
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.pem;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    resolver 192.168.1.56 valid=300s ipv6=off; # ip address of DNS
    resolver_timeout 10s;

    upstream aaf-clu {
        ip_hash; # Type of load balancing mechanism
        server aaf-clu-wb1.utopia.locl:443; #192.168.1.72:443;
        server aaf-clu-wb2.utopia.locl:443; #192.168.1.73:443;
    }

    server {
        listen 443 ssl;

        # Rule for REST
        location ~ ^/api/v1 {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/admin {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/static {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/helpdesk {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/account {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/osp {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/rest {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/smartphone {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }

        location ~ ^/oob {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://aaf-clu$uri?$args;
        }
    }
}
You can use REST API to configure third-party tools to perform a health check of the Advanced Authentication servers.