You have multiple UCS portal servers, and one server with haproxy installed and you want to balance the connections to the portal servers.
The UCS Portal is a normal dynamic website, that is accessible with both http and https. To place multiple Portalservers behind a loadbalancer, we recommend to provide the SSL certificate
and the corresponding private key
to the loadbalancer and decrypt the traffic. Attach a cookie in order to route packages of concurrent sessions to the same portal server. Note that the default UCS certificate is self signed and might not be accepted unless specifically allowed.
In this article we will focus on HAProxy as the loadbalancer because we have made good experiences with it, but the principles will likely also work for other products. Every scenario is different and the steps described here might not be optimal for yours. This is only meant as an example.
The UCS portal is basically just a website that is being hosted per default on the standard http (80) and https (443) ports.
We can use haproxy to direct users to either portal server. As a loadbalancing method we use “least connected” (leastconn) because we expect long lived connections of varying size and “least connected” trys to balance the amount of concurrent connections on either side.
The site is not static and user will login to sessions. If we were to direct each request or package randomly users with running sessions would have to login again when they are directed to another portal than before. In order to make the loadbalancer aware of this we want to save a cookie and configure haproxy to always direct users to the same portal if the cookie stays the same.
backend portalbackend_http ... cookie SERVERUSED insert indirect nocache server por1 10.200.50.21:80 cookie por1 server por2 10.200.50.22:80 cookie por2 backend portalbackend_https ... cookie SERVERUSED insert indirect nocache server por1 10.200.50.21:443 cookie por1 ssl verify none server por2 10.200.50.22:443 cookie por2 ssl verify none
If https is used the packages are encrypted with the certificate of UCS. In order to save a cookie to a session haproxy needs to be aware of more than just the tcp packages. For this it needs to be able to decrypt the package stream. We need to provide haproxy with a copy of this certificate in order for it to do this.
frontend portalfrontend_https bind 10.200.50.21:10443 ssl crt /etc/univention/ssl/ucs01.ucs-test.intranet/ucs01.pem ...
haproxy expects both the private.key and the public certificate to be in one file. UCS however saves them separately. We have to create the combination with
cat /etc/univention/ssl/ucs01.ucs-test.intranet/cert.pem /etc/univention/ssl/ucs01.ucs-test.intranet/private.key > /etc/univention/ssl/ucs01.ucs-test.intranet/ucs01.pem
Lastly we can tell haproxy to encrypt the packages again for delivery to the UCS portal servers.
backend portalbackend_https ... server por1 10.200.50.21:443 cookie por1 ssl verify none server por2 10.200.50.22:443 cookie por2 ssl verify none
All together we get a configuration file like:
global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # An alternative list with additional directives can be obtained from # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend portalfrontend_http bind 10.200.50.21:10080 mode http default_backend portalbackend_http backend portalbackend_http mode http balance leastconn default-server check maxconn 200 cookie SERVERUSED insert indirect nocache server por1 10.200.50.21:80 cookie por1 server por2 10.200.50.22:80 cookie por2 frontend portalfrontend_https bind 10.200.50.21:10443 ssl crt /etc/univention/ssl/ucs01.ucs-test.intranet/ucs01.pem mode http default_backend portalbackend_https backend portalbackend_https mode http balance leastconn default-server check maxconn 200 cookie SERVERUSED insert indirect nocache server por1 10.200.50.21:443 cookie por1 ssl verify none server por2 10.200.50.22:443 cookie por2 ssl verify none
If you’re not sure whether the recommendations will fit into your scenario, please ask your Professional Services contact person, or create a new topic referencing this article.