Thursday, October 23, 2014

Reverse proxy and Active/Passive load balancing with HAProxy


Consider a requirement where you want to implement both high availability and URL mapping.



Here you want your service to be exposed as yourserver.com/yourservice, while the actual service is running in your DMZ at yourserver:8280/yourservice (i.e. with a port). You also want to implement high availability by maintaining a standby node (yourserver-standby:8280/yourservice). The following text describes how to achieve this using HAProxy.

HAProxy is a lightweight open source proxy/load balancer which you can easily configure for your needs. Described below are the minimal steps required to implement a scenario like the one above.


Install HAProxy.
sudo apt-get install haproxy

Enable HAProxy.
Open the /etc/default/haproxy file and set the ENABLED value to 1.
ENABLED=1

Configure HAProxy.
Open the /etc/haproxy/haproxy.cfg file and add the following configuration at the bottom.

frontend haproxyfrontend
    # replace XXX.XXX.XXX.XXX with the ip address of haproxy
    bind XXX.XXX.XXX.XXX:80
    option http-server-close
    # route requests whose path begins with /myapi to esb-backend
    acl url_esbapi path_beg /myapi
    use_backend esb-backend if url_esbapi

backend esb-backend
    # strip the /myapi prefix from the request line before forwarding, so the
    # backend sees /foo for a request to /myapi/foo
    # (reqrep was removed in HAProxy 2.1; newer versions use http-request replace-path or replace-uri instead)
    reqrep ^([^\ :]*)\ /myapi/(.*) \1\ /\2
    # replace xxx.xxx.xxx.xxx with your actual backend server ip addresses.
    # esb-1 is the active node; 'backup' makes esb-2 the passive node, which only
    # receives traffic while esb-1 fails its health checks
    server esb-1 xxx.xxx.xxx.xx1:8280 check
    server esb-2 xxx.xxx.xxx.xx2:8280 backup check

listen stats :1936
    stats enable
    stats scope esb-backend
    stats uri /
    stats realm Haproxy\ Statistics
    # change these default credentials before exposing the stats page
    stats auth admin:admin

Start HAProxy
sudo service haproxy start {stop, restart, status}

Definitions of the configs
The frontend named "haproxyfrontend" handles incoming traffic; it binds to and listens on port 80.

acl url_esbapi path_beg /myapi
use_backend esb-backend if url_esbapi

Any request whose path begins with "/myapi" is mapped to esb-backend; the esb-backend configs are defined under backend esb-backend.

server esb-2 xxx.xxx.xxx.xx2:8280 backup check
This says that the esb-2 server is a load-balancing member, and 'backup' says that it acts as the passive node.


The config under listen stats :1936 defines the HAProxy status page. This is optional, but by enabling it you will be able to see the status of the nodes at localhost (or the IP of haproxy):1936 as follows
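To check from a script which node is actually serving (for example after taking esb-1 down for maintenance), the same stats listener can be read as CSV by appending ;csv to the stats URI. The following Python is an added example, not part of the original post: it parses a constructed sample of that CSV for the esb-backend above and reports whether HAProxy has failed over to the backup node.

```python
import csv
import io

# Constructed sample of what the stats listener returns when ";csv" is appended
# to the stats URI (here http://<haproxy-ip>:1936/;csv). Only the first columns
# are shown; the real export has many more, which is why the parser keys on the
# header names rather than on column positions.
SAMPLE_STATS_CSV = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,
esb-backend,esb-1,0,0,0,3,,120,4096,8192,,0,,0,0,0,0,DOWN,1,1,0,
esb-backend,esb-2,0,0,1,2,,15,512,1024,,0,,0,0,0,0,UP,1,0,1,
esb-backend,BACKEND,0,0,1,3,200,135,4608,9216,0,0,,0,0,0,0,UP,1,1,1,
"""


def parse_haproxy_stats(csv_text):
    """Return one dict per row, keyed by the column names in the header line."""
    lines = csv_text.strip().splitlines()
    header = lines[0].lstrip("# ")  # HAProxy prefixes the header line with "# "
    return list(csv.DictReader(io.StringIO("\n".join([header] + lines[1:]))))


def backend_health(rows, backend):
    """Summarise an active/passive backend: per-server status, which server is
    currently taking traffic, and whether HAProxy has failed over to the backup."""
    servers = [r for r in rows
               if r["pxname"] == backend and r["svname"] not in ("FRONTEND", "BACKEND")]
    status = {r["svname"]: r["status"] for r in servers}
    # act=1 marks a regular member, bck=1 a 'backup' member. A status such as
    # "UP 1/3" means the server is still up but has started failing checks.
    active_up = [r["svname"] for r in servers
                 if r["act"] == "1" and r["status"].startswith("UP")]
    backup_up = [r["svname"] for r in servers
                 if r["bck"] == "1" and r["status"].startswith("UP")]
    serving = active_up[0] if active_up else (backup_up[0] if backup_up else None)
    return {"status": status, "serving": serving,
            "failed_over": not active_up and bool(backup_up)}


if __name__ == "__main__":
    health = backend_health(parse_haproxy_stats(SAMPLE_STATS_CSV), "esb-backend")
    print(health)
```

With the sample, esb-1 is DOWN and the backup esb-2 is serving, so the summary reports a failover; a serving value of None means the backend is fully down.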

Monday, October 13, 2014

Reverse Proxy with Apache2

Suppose that you already have a service running at 127.0.0.1:8080/docs and you want to make it available via 127.0.0.1/docs; then we have to employ some URL mappings. The following steps describe how to do this with the Apache2 server.

Install Apache2
apt-get install apache2

Get the module and dependencies.
apt-get install libapache2-mod-proxy-html libxml2-dev

Activate the modules
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_balancer
a2enmod proxy_connect
a2enmod proxy_html

Modify the default configuration file
nano /etc/apache2/sites-enabled/000-default.conf

Add the following inside the VirtualHost block, as appropriate

   ProxyPreserveHost On
   ProxyPass / http://127.0.0.1:8080/
   ProxyPassReverse / http://127.0.0.1:8080/
   ServerName localhost



Restart Apache2
sudo service apache2 restart (or sudo apache2ctl restart)

Test
Once restarted, browse to localhost/docs; if you get the same site that localhost:8080/docs gives you, then you have properly configured the reverse proxy.


For HTTPS

Activate the module
a2enmod ssl

Add the following to the default configuration file (/etc/apache2/sites-enabled/000-default.conf), inside a VirtualHost that listens on the HTTPS port (443)

SSLEngine on
SSLCertificateFile /home/path/to/ca.crt
SSLCertificateKeyFile /home/path/to/ca.key

ProxyPreserveHost On
# needed because the backend itself is reached over https
SSLProxyEngine on

# Proxy path which the user wants to map onto the actual backend.
# Apache recommends that both paths end in "/" or that neither does, because the
# rest of the request path is appended to the backend URL as-is.
ProxyPass /myapp https://localhost:9443/app/
ProxyPassReverse /myapp https://localhost:9443/app/
# rewrite the Path attribute of backend cookies from /app to /myapp
ProxyPassReverseCookiePath /app /myapp


Restart Apache2 and test similarly to the setup above.
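As an added example (not part of the post and not Apache's code), the following Python models what the three directives above do to a request path, to a backend Location header and to a Set-Cookie path. It handles literal prefixes only and assumes a ProxyPass mapping with a trailing slash on both sides, as Apache's documentation recommends.

```python
import re

# Simplified model of the three mod_proxy directives used above (added example,
# not Apache's code). Both sides of the ProxyPass mapping end in "/", as Apache's
# documentation recommends, because the remainder of the request path is appended
# to the backend URL unchanged.
PROXY_PASS = ("/myapp/", "https://localhost:9443/app/")  # ProxyPass and ProxyPassReverse
COOKIE_PATH = ("/app", "/myapp")                          # ProxyPassReverseCookiePath


def backend_url(request_path, rule=PROXY_PASS):
    """ProxyPass: swap the public prefix for the backend URL. None means the
    request is not proxied and Apache serves it itself."""
    public, backend = rule
    if not request_path.startswith(public):
        return None
    return backend + request_path[len(public):]


def rewrite_location(location, rule=PROXY_PASS):
    """ProxyPassReverse: map a backend Location (or Content-Location/URI) header
    back onto the public prefix so the browser is not redirected to :9443."""
    public, backend = rule
    if location.startswith(backend):
        return public + location[len(backend):]
    return location


def rewrite_cookie_path(set_cookie, rule=COOKIE_PATH):
    """ProxyPassReverseCookiePath: rewrite the Path attribute of a Set-Cookie
    header so the browser sends the cookie on the public path, not the backend's.
    Like Apache, this is a plain prefix match on the path value."""
    internal, public = rule
    pattern = r"(;\s*path=)" + re.escape(internal)
    return re.sub(pattern, lambda m: m.group(1) + public, set_cookie, flags=re.IGNORECASE)
```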





Wednesday, October 01, 2014

WSO2-IS - How to add an AD LDAP as a secondary user store

It's very simple, only 5 steps

1. Create a file (let's say MyLdapUserStore.xml) in IS_HOME/repository/conf/deployment/server/userstores

2. Copy and paste the following lines [1] into the file, making the relevant changes for your LDAP server, e.g. server IP, port, UserSearchBase, GroupSearchBase etc.

3. Save the file, making sure the file name is the same as the DomainName property (i.e. Property name="DomainName" MyLdapUserStore) in the UserStoreManager config [1]

4. Import the LDAP server's certificate into the client truststore at IS_HOME/repository/resources/security/client-truststore.jks

5. Start the server and check 'User Store Management' in the management console; you will see the user store you created. Also, if you look at the 'Users' section you will see your user store's domain listed in the 'Select Domain' combo box.


[1]

    org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager
    WSO2.TEST
    MyLdapUserStore
    false
    false
    ldaps://:
    CN=Administrator,CN=Users,DC=wso2,DC=test
    xxxxxx
    PLAIN_TEXT
    CN=Users,DC=wso2,DC=test
    user
    cn
    false
    512
    (objectClass=user)
    (&(objectClass=user)(cn=?))
    [a-zA-Z0-9._-|//]{3,30}$
    ^[\S]{3,30}$
    ^[\S]{5,30}$
    ^[\S]{3,30}$
    [a-zA-Z0-9._-|//]{3,30}$
    true
    true
    true
    CN=Users,DC=wso2,DC=test
    group
    cn
    cn
    CN=Users,DC=wso2,DC=test
    groups
    (object=organizationalUnit)
    ou
    organizationalUnit
    member
    (objectcategory=group)
    (&(objectClass=group)(cn=?))
    true
    follow
    true
    100
    100
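The (&(objectClass=user)(cn=?)) and (&(objectClass=group)(cn=?)) values above are search-filter templates in which WSO2 substitutes the name being looked up for the ? placeholder. As an added example (not WSO2's code), the following Python validates a name against the [a-zA-Z0-9._-|//]{3,30}$ pattern listed above (WSO2's default UserNameJavaRegEx, assumed here to be applied with Java's whole-string matches()) and then fills the template with the name escaped as RFC 4515 requires, so that filter metacharacters in a name stay literal characters.

```python
import re

# Added example, not WSO2 code. Values below are the ones listed in the user
# store config above.
USER_NAME_SEARCH_FILTER = "(&(objectClass=user)(cn=?))"    # UserNameSearchFilter
GROUP_NAME_SEARCH_FILTER = "(&(objectClass=group)(cn=?))"  # GroupNameSearchFilter
USER_NAME_JAVA_REGEX = r"[a-zA-Z0-9._-|//]{3,30}$"        # UserNameJavaRegEx

# RFC 4515 escaping for assertion values inside an LDAP search filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def name_is_valid(name, pattern=USER_NAME_JAVA_REGEX):
    """Apply the store's regex the way Java's String.matches() does: the whole
    string must match, which re.fullmatch mirrors."""
    return re.fullmatch(pattern, name) is not None


def build_filter(template, value):
    """Replace the single "?" placeholder in a WSO2 filter template with the
    escaped value. A template without exactly one "?" is a configuration error."""
    if template.count("?") != 1:
        raise ValueError("filter template must contain exactly one '?': %r" % template)
    return template.replace("?", escape_filter_value(value))


def user_search_filter(name):
    """Validate first, then build: a name the store's regex rejects never
    reaches the directory at all."""
    if not name_is_valid(name):
        raise ValueError("user name rejected by UserNameJavaRegEx: %r" % name)
    return build_filter(USER_NAME_SEARCH_FILTER, name)


if __name__ == "__main__":
    print(user_search_filter("alice"))
    print(build_filter(GROUP_NAME_SEARCH_FILTER, "ops*"))
```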