||
Skip to end of metadata
Go to start of metadata

Use the following steps to configure HAProxy as the load balancer for WSO2 products.

  1. Install HAProxy. You need version 1.5 since the native SSL support was implemented in version 1.5.
    $ sudo add-apt-repository ppa:vbernat/haproxy-1.5
    $ sudo apt-get update
    $ sudo apt-get install haproxy

    Set ENABLED to 1 if you want the init script to start haproxy.
    $ sudo vi /etc/default/haproxy
  2. Configure HAProxy to direct the HTTP requests to the worker nodes with load balancing as http://as.wso2.com/<service> via HTTP 80 port. Edit the /etc/haproxy/haproxy.cfg file and add the following.

    frontend ft_wrk
    	bind as.wso2.com:80
    	default_backend bk_wrk
    
    backend bk_wrk
    	balance roundrobin
    	server node1 xxx.xxx.xxx.xx3:9763
    	server node2 xxx.xxx.xxx.xx4:9763
  3. Configure HAProxy to direct the HTTPS requests to the worker nodes with load balancing as https://as.wso2.com/<service> and access the management console as https://mgt.as.wso2.com/carbon via HTTPS 443 port. Edit the /etc/haproxy/haproxy.cfg file and add the following.

    frontend https-in
    	bind *:443 ssl crt /etc/haproxy/ssl/server.pem
    	acl is_mgt hdr_beg(host) -m beg xxx.xxx.xxx.xx2
    	acl is_wrk hdr_beg(host) -m beg xxx.xxx.xxx.xx3
    
    	use_backend mgt_as_wso2_com if is_mgt
    	use_backend as_wso2_com if is_wrk
    	default_backend as_wso2_com
    
    backend as_wso2_com
        balance roundrobin
        server node1 xxx.xxx.xxx.xx3:9443 check ssl verify none
        server node2 xxx.xxx.xxx.xx4:9443 check ssl verify none
     
    backend mgt_as_wso2_com
        server server1 xxx.xxx.xxx.xx2:9443 check ssl verify none

    The load balancer can receive HTTPS requests via the 443 port either to management console (https://mgt.as.wso2.com/carbon) or worker nodes (https://as.wso2.com/) frontend https-in block handles HTTPS requests come to the load balancer via 443 port, bind *:443 ssl crt /etc/haproxy/ssl/haproxy.pem provide valid certificate to HAProxy.

    acl is_mgt hdr_beg(host) -m beg xxx.xxx.xxx.xx2
    acl is_wrk hdr_beg(host) -m beg xxx.xxx.xxx.xx3
    acl properties filter manager and worker requests

    Server verification is enabled by default in HAProxy, so need to specify the ca-file as follows.
    server node1 xxx.xxx.xxx.xx3:9443 check ssl ca-file /ca-file/path

    To disable the server verifications need to specify ssl verify none as follows or specify ssl-server-verify none in global section.
    server node1 xxx.xxx.xxx.xx3:9443 check ssl verify none

  4. Restart the HAProxy.
    $sudo /etc/init.d/haproxy restart

Create SSL certificates

Create SSL certificates for both the manager and worker nodes using the instructions that follow.

  1. Create the Server Key.
    $sudo openssl genrsa -des3 -out server.key 1024
  2. Certificate Signing Request.
    $sudo openssl req -new -key server.key -out server.csr
  3. Remove the password.
    $sudo cp server.key server.key.org
    $sudo openssl rsa -in server.key.org -out server.key
  4. Sign your SSL Certificate.
    $sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  5. Create a .pem file for HAProxy.
    cat server.crt server.key > server.pem
  • No labels