Monday, June 23, 2014

Fronting WSO2 AS worker/manager cluster with HAProxy

This blog describes how to configure HAProxy as a load balancer with WSO2 Application Server cluster

HAProxy 1.5
WSO2 Application Server 5.2.1

Setup WSO2 AS Cluster

This cluster consist of 3 WSO2 Application Server instances, as 3 worker nodes and 1 manager node, where 1 node work as both worker and manager. HAProxy performs load balancing with this cluster by distributing incoming requests to the worker nodes via HTTP/S on port 80/443.

All admin requests can be sent to the manager node directly via HTTPs on port 9444 or through the HAProxy via 443 port depending on how we configure the manager node.

Click here to see how to setup WSO2 Application Server cluster

Setup HAProxy load balancer

* Install HAProxy
$ sudo add-apt-repository ppa:vbernat/haproxy-1.5
$ sudo apt-get update
$ sudo apt-get install haproxy

Need version 1.5 since native SSL support was implemented in 1.5

* Set ENABLED to 1 if you want the init script to start haproxy

$sudo vi /etc/default/haproxy

* Edit the /etc/haproxy/haproxy.cfg file and add the following

# load balancing among the worker nodes - HTTP
frontend ft_wrk
      default_backend bk_wrk

backend bk_wrk
      balance roundrobin
    server node1
      server node2
      server node3

# load balancing among the worker nodes - HTTPS
# access the management console via HTTPS
frontend https-in
      bind *:443 ssl crt /etc/haproxy/ssl/haproxy.pem
      acl is_mgt hdr_beg(host) -m beg
      acl is_wrk hdr_beg(host) -m beg

      use_backend mgt_as_wso2_com if is_mgt
      use_backend as_wso2_com if is_wrk
      default_backend as_wso2_com

backend as_wso2_com
      balance roundrobin
      server node1 check ssl
      server node2 check ssl
      server node3 check ssl

backend mgt_as_wso2_com
      server server1 check ssl

NOTE: load balancer can receive HTTPS requests via 443 port either to management console or worker nodes
frontend https-in block handles HTTPS requests come to the load balancer via 443 port,
bind *:443 ssl crt /etc/haproxy/ssl/haproxy.pem provide valid certificate to HAProxy.

acl is_mgt hdr_beg(host) -m beg
acl is_wrk hdr_beg(host) -m beg
acl properties filter manager and worker requests

Server verification is enabled by default in HAProxy, so need to specify the ca-file as follows
server node1 check ssl ca-file /ca-file/path

To disable the server verifications need to specify ssl verify none as follows or specify ssl-server-verify none in global section
server node1 check ssl verify none

* Mapping the host names to the IP
Update the “/etc/hosts” file


* Restart the HAProxy

$sudo  /etc/init.d/haproxy restart

No comments: