Product Documentation

Enable HA using a load balancer.

HA is enabled for applications by inserting a load balancer between components of the infrastructure, such as between the web application and the two FIDO2 servers of this configuration. The load balancer determines which target server is available to receive application connections, and distributes application requests to the appropriate one.

SKFS has been tested with the open-source HAProxy load balancer, part of the standard CentOS Linux distribution. It is conceivable that SKFS will work with other load balancers; please contact us to discuss your needs.

To install and configure HAProxy for use with the FIDO2 server cluster, follow the steps below:

  1. Install the standard CentOS 7.x Linux distribution on one of the four VMs provisioned for this setup.
  2. Log in to the server as root.
  3. Install HAProxy using the Yellowdog Updater, Modified (yum) tool:
    shell> yum install haproxy
  4. Create a self-signed certificate to be used by HAProxy, replacing the value in the -subj parameter with the value relevant to the site. The most important element within this parameter is the CN component: its value must match the FQDN of the VM used for this load balancer. So, if the VM is named fidoserver.mydomain.com, the -subj parameter may simply be /CN=fidoserver.mydomain.com:
    shell> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/fidoserver.key -out /etc/pki/tls/certs/fidoserver.crt -subj "/CN=saka02.strongkey.com"
  5. Concatenate the generated key and certificate files into a single file, preserving the names of the files as shown below:
    shell> cat /etc/pki/tls/certs/fidoserver.crt /etc/pki/tls/private/fidoserver.key > /etc/pki/tls/certs/fidoserver.pem
  6. Using a text editor, edit the HAProxy configuration file to make the following changes:
    shell> vi /etc/haproxy/haproxy.cfg
  7. Replace the contents with the following, substituting the IP addresses of the two FIDO2 servers for the <ip-fidoserver1> and <ip-fidoserver2> placeholders:
    global
      log 127.0.0.1 local0
      log 127.0.0.1 local1 debug
      maxconn 45000 # Total Max Connections.
      daemon
      nbproc 1 # Number of processing cores.
    defaults
      timeout server 86400000
      timeout connect 86400000
      timeout client 86400000
      timeout queue 1000s
    listen https_web
      bind *:443 ssl crt /etc/pki/tls/certs/fidoserver.pem
      option tcplog
      mode http
      balance roundrobin
      option forwardfor
      server server1 <ip-fidoserver1>:8181 check ssl verify none
      server server2 <ip-fidoserver2>:8181 check ssl verify none
  8. Create a firewall rule to open port 443 to allow the web application to communicate with the load balancer:
    shell> firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" port port=443 protocol=tcp accept'
  9. Restart HAProxy:
    shell> service haproxy restart
  10. Verify HAProxy is functioning as expected by accessing the URL in the browser. If it is functioning correctly, it will redirect you to one of the configured FIDO2 servers.
    https://<fidoserver.mydomain.com>
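The steps above are normally carried out by hand. The following script is an added example, not part of the SKFS documentation or of StrongKey's tooling: it renders the step 7 configuration for two FIDO2 server addresses, refuses malformed addresses so a typo cannot silently produce a listener with no healthy backend, and runs HAProxy's own syntax check before the file is put in place for the restart in step 9. The function names (is_ipv4, render_haproxy_cfg, install_haproxy_cfg) are hypothetical; the file paths and settings are those the steps use.

```shell
#!/bin/sh
# Added example (not StrongKey's code): generate /etc/haproxy/haproxy.cfg
# from step 7 for a two-node FIDO2 server cluster.

# is_ipv4 <addr>: succeed only if <addr> is a dotted quad whose octets are 0-255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# render_haproxy_cfg <ip-fidoserver1> <ip-fidoserver2> [pem-path]
# Prints the configuration on stdout; returns 1 on a malformed address.
render_haproxy_cfg() {
  ip1=$1; ip2=$2; pem=${3:-/etc/pki/tls/certs/fidoserver.pem}
  for ip in "$ip1" "$ip2"; do
    is_ipv4 "$ip" || { printf 'not an IPv4 address: %s\n' "$ip" >&2; return 1; }
  done
  # "verify none" is what the page's configuration uses: HAProxy accepts any
  # certificate the FIDO2 servers present on port 8181. Once the servers carry
  # certificates HAProxy can validate, "verify required ca-file <ca-bundle>"
  # on each server line makes HAProxy check them.
  cat <<EOF
global
  log 127.0.0.1 local0
  log 127.0.0.1 local1 debug
  maxconn 45000 # Total Max Connections.
  daemon
  nbproc 1 # Number of processing cores.
defaults
  timeout server 86400000
  timeout connect 86400000
  timeout client 86400000
  timeout queue 1000s
listen https_web
  bind *:443 ssl crt $pem
  option tcplog
  mode http
  balance roundrobin
  option forwardfor
  server server1 $ip1:8181 check ssl verify none
  server server2 $ip2:8181 check ssl verify none
EOF
}

# install_haproxy_cfg <ip-fidoserver1> <ip-fidoserver2> [cfg-path]
# Writes the rendered file next to <cfg-path> (default /etc/haproxy/haproxy.cfg),
# runs "haproxy -c" on it when the binary is installed, and only then moves it
# into place, so a broken configuration never reaches the restart in step 9.
install_haproxy_cfg() {
  cfg=${3:-/etc/haproxy/haproxy.cfg}
  render_haproxy_cfg "$1" "$2" > "$cfg.new" || { rm -f "$cfg.new"; return 1; }
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "$cfg.new" || { rm -f "$cfg.new"; return 1; }
  fi
  mv "$cfg.new" "$cfg"
}

# Usage on the load balancer VM (as root), with the real FIDO2 server addresses:
#   install_haproxy_cfg 10.0.0.11 10.0.0.12 && service haproxy restart
```

Two points worth checking alongside the steps: `firewall-cmd --permanent` (step 8) only records the rule, so run `firewall-cmd --reload` for it to take effect on the running firewall, and confirm with `firewall-cmd --list-rich-rules`. And the certificate from step 4 is self-signed, so the web application's TLS client must be configured to trust that specific certificate (or a CA that issued a replacement) rather than having verification disabled.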

SELinux

If the above URL cannot be accessed in the browser, ensure that SELinux has been set to permissive mode instead of enforcing. The following command shows the current SELinux status:

shell> sestatus

If it is set to enforcing, change it to permissive by running the following command (this is a temporary fix that resets on reboot; a permanent policy will be provided in a future release):

shell> setenforce 0

See also Clustered Installation.