HOW TO INSTALL & CONFIGURE OPEN SOURCE LOAD BALANCER FOR UPSSO ON-PREMISES SOLUTION

Apart from commercial or OS-based load balancer products, UPSSO also supports open-source load balancers such as Apache and PEN. This document describes how to install and configure the Apache and PEN load balancers for the UPSSO On-Premises application.

PREREQUISITES

  • Ubuntu 18.04 operating system (4 GB RAM, 8 GB HDD, dual-core CPU).
  • Root user access to the Ubuntu OS.
  • Full Internet access from the Ubuntu OS at the time of installation.

INSTALLING APACHE SERVER

  1. Log in to the Ubuntu server as the root user (sudo su -).
  2. Execute the following commands:

apt-get update
apt-get install apache2

3. Open the /etc/apache2/apache2.conf file for editing and add the following line at the end of the file (replace <IP_ADDRESS> with the IP address of the load balancer server):

ServerName <IP_ADDRESS>

4. Save & exit the file.

5. Execute the following command,

systemctl restart apache2

6. Enter “http://<LOAD_BALANCER_IP_ADDRESS>” in a browser and make sure the Apache Server default page is displayed.

GENERATING CERTIFICATES

  1. Execute the following command to generate the key and certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.pem -out /etc/ssl/certs/server.crt

2. Enter the appropriate values when prompted, as displayed in the screenshot below (enter the server hostname or IP address for Common Name).
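
A quick way to confirm the result of the two steps above, as an added example that is not part of the original document: it checks that the certificate and key belong together, that the certificate (issued for 365 days) is not about to expire, and that the unencrypted key is readable only by its owner. The helper make_pair and the CN lb.example.test are constructed for trying the check on throwaway files.

```shell
#!/bin/sh
# Added example, not part of the original document.
# check_pair CERT KEY -> prints each problem found; returns 1 if there is any.
check_pair() {
    cert=$1 key=$2 rc=0
    # The public key inside the certificate must equal the one derived from the key.
    cpub=$(openssl x509 -noout -pubkey -in "$cert") || return 2
    kpub=$(openssl pkey -pubout -in "$key") || return 2
    [ "$cpub" = "$kpub" ] || { echo "certificate and key do not match"; rc=1; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null ||
        { echo "certificate expires within 30 days"; rc=1; }
    # The key is stored unencrypted (-nodes), so only its owner should read it.
    if [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "private key is readable by group/others"; rc=1
    fi
    return $rc
}

# make_pair PREFIX DAYS -> throwaway PREFIX.pem and PREFIX.crt for trying the check.
# Same options as the command above; the CN is a constructed value passed via -subj.
make_pair() {
    openssl req -x509 -nodes -days "$2" -newkey rsa:2048 -subj "/CN=lb.example.test" \
        -keyout "$1.pem" -out "$1.crt" 2>/dev/null && chmod 600 "$1.pem"
}

# Usage: sh check_pair.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.pem
if [ $# -ge 2 ]; then
    check_pair "$1" "$2" || echo "fix the problems listed above"
fi
```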

CONFIGURING VIRTUAL HOSTS

  1. Open the “/etc/apache2/sites-available/default-ssl.conf” file for editing. Delete all the text and paste the following text.

# Reverse proxy only: forward proxying stays off so the server cannot be used as an open proxy.
ProxyRequests Off
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://myloadbalancer>
	BalancerMember https://<SERVER_1_IP_ADDRESS> route=node1 retry=1 acquire=3000 timeout=600 Keepalive=On
	BalancerMember https://<SERVER_2_IP_ADDRESS> route=node2 retry=1 acquire=3000 timeout=600 Keepalive=On
	ProxySet lbmethod=byrequests
	ProxySet stickysession=ROUTEID
</Proxy>

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName  <LOAD_BALANCER_IP>
		ServerAlias  <LOAD_BALANCER_IP>

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined
		SSLProxyEngine on
		# The next four directives turn off verification of the back-end (UPSSO node) certificates.
		SSLProxyVerify none
		SSLProxyCheckPeerCN off
		SSLProxyCheckPeerName off
		SSLProxyCheckPeerExpire off
		# SSLv2 and RC4 cipher suites are broken; offer only strong ciphers.
		SSLCipherSuite HIGH:!aNULL:!MD5
		SSLCertificateFile /etc/ssl/certs/server.crt
		SSLCertificateKeyFile /etc/ssl/private/server.pem
		SSLVerifyClient optional
		RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
		RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

		# Serve the balancer manager only under its own path and only to the local host.
		<Location /balancer-manager>
			SetHandler balancer-manager
			Require local
		</Location>

		ProxyPass /balancer-manager !
		ProxyPass / balancer://myloadbalancer/ stickysession=ROUTEID nofailover=On
		ProxyPassReverse / balancer://myloadbalancer/
		ProxyPreserveHost on

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Note :

Replace <SERVER_1_IP_ADDRESS> with the IP address of node 1 of the UPSSO application server.

Replace <SERVER_2_IP_ADDRESS> with the IP address of node 2 of the UPSSO application server.

Replace <LOAD_BALANCER_IP> with the IP address of the load balancer server.

2. Open the “/etc/apache2/sites-available/000-default.conf” file for editing. Delete all the text and paste the following text.

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	Redirect / https://<LOAD_BALANCER_IP>/
	ProxyPreserveHost on

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Note: Replace <LOAD_BALANCER_IP> with the IP address of the load balancer.
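
A static check for a virtual host file such as default-ssl.conf, as an added example that is not part of the original document: it reports forward proxying left on, weak selectors in SSLCipherSuite, back-end certificate verification turned off, and a balancer-manager handler without a Require restriction. The two sample files written by write_samples are constructed, and the CA path in the second one is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original document: static audit of an Apache
# reverse-proxy vhost file. Prints one finding per line; returns 1 if any.
audit_vhost() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ { next }                                # ignore comment lines
    { line = tolower($0) }
    line ~ /^[ \t]*proxyrequests[ \t]+on/ {
        print "ProxyRequests On: host also works as a forward proxy"; bad = 1 }
    line ~ /^[ \t]*sslciphersuite[ \t]/ {
        n = split($NF, tok, ":")                       # last field is the cipher spec
        for (i = 1; i <= n; i++)                       # !x, -x and +x add no ciphers
            if (tok[i] !~ /^[!+-]/ && tok[i] ~ /SSLv2|SSLv3|RC4|EXPORT|NULL|MD5|DES/) {
                print "SSLCipherSuite selects weak ciphers: " tok[i]; bad = 1 }
    }
    line ~ /^[ \t]*sslproxyverify[ \t]+none/ {
        print "SSLProxyVerify none: back-end certificate is not verified"; bad = 1 }
    line ~ /^[ \t]*<location[ \t]/ { in_loc = 1; mgr = 0; restricted = 0 }
    in_loc && line ~ /sethandler[ \t]+balancer-manager/ { mgr = 1 }
    in_loc && line ~ /^[ \t]*require[ \t]/ && line !~ /all[ \t]+granted/ { restricted = 1 }
    line ~ /^[ \t]*<\/location>/ {
        if (in_loc && mgr && !restricted) {
            print "balancer-manager handler has no Require restriction"; bad = 1 }
        in_loc = 0
    }
    END { exit bad }
    ' "$1"
}

# write_samples DIR -> constructed sample files (placeholders, not a real deployment).
write_samples() {
    printf '%s\n' 'ProxyRequests On' '<VirtualHost _default_:443>' \
        '  SSLProxyVerify none' '  SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA' \
        '  <Location />' '    SetHandler balancer-manager' '    Allow from all' \
        '  </Location>' '</VirtualHost>' > "$1/weak.conf"
    printf '%s\n' 'ProxyRequests Off' '<VirtualHost _default_:443>' \
        '  SSLProxyVerify require' \
        '  SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.crt' \
        '  SSLCipherSuite HIGH:!aNULL:!MD5' '  <Location /balancer-manager>' \
        '    SetHandler balancer-manager' '    Require local' \
        '  </Location>' '</VirtualHost>' > "$1/hardened.conf"
}

# Usage: sh audit_vhost.sh /etc/apache2/sites-available/default-ssl.conf
if [ -n "${1:-}" ]; then audit_vhost "$1" || echo "review the findings above"; fi
```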

ENABLING PROXY

  1. Execute the following commands:

a2enmod proxy
a2enmod proxy_balancer
a2enmod proxy_http
a2enmod ssl
a2ensite default-ssl
a2enmod headers
a2enmod lbmethod_byrequests

2. Restart the Apache server,

systemctl restart apache2

INSTALLING PEN - UDP LOAD BALANCER

  1. Execute the following commands to install the pen load balancer:

apt-get update
apt-get -y install pen

2. Create a directory for the script that will start the pen load balancer:

mkdir /usr/local/pen

3. Create the file "/usr/local/pen/penlb.sh" and copy the following content.

#!/bin/bash
pen -l pen.log -p pen.pid -r -U 1812 <UPSSO_NODE_1>:1812 <UPSSO_NODE_2>:1812

Note:

Replace <UPSSO_NODE_1> with the IP address of UPSSO RADIUS node 1.

Replace <UPSSO_NODE_2> with the IP address of UPSSO RADIUS node 2.

4. Save and exit the file.

5. Make the script executable. systemd runs it as root, so only root should be able to modify it:

chmod 755 /usr/local/pen/penlb.sh

6. Create a file "/etc/systemd/system/penlb.service" and copy the following content,

[Unit]
Description=PEN UDP LOAD BALANCER

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/pen/penlb.sh

[Install]
WantedBy=multi-user.target

7. Save and exit the file.

8. Enable the service,

systemctl enable penlb.service

9. Restart the Ubuntu server.

10. Execute the following command to make sure UDP load balancing is running,

netstat -tnulp | grep pen
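
The unit from step 6 runs penlb.sh as root at every boot, so anyone who can write to that script or its directory can run commands as root. The following check, an added example that is not part of the original document, reads the ExecStart lines of a unit file and reports programs or directories that group or others can modify; make_sample builds constructed test files.

```shell
#!/bin/sh
# Added example, not part of the original document.
# writable_by_others PATH -> prints PATH if group or others may write to it.
writable_by_others() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# check_unit UNIT_FILE -> prints every ExecStart program (or its directory)
# that a non-owner could modify; returns 1 if there is at least one.
check_unit() {
    rc=0
    # Strip the optional systemd prefixes (-, @, :, +, !) and the arguments.
    for prog in $(sed -n 's/^ExecStart=[-@:+!]*\([^ ]*\).*/\1/p' "$1"); do
        for p in "$prog" "$(dirname "$prog")"; do
            if [ ! -e "$p" ]; then
                echo "missing: $p"; rc=1
            elif [ -n "$(writable_by_others "$p")" ]; then
                echo "writable by group/others: $p"; rc=1
            fi
        done
    done
    return $rc
}

# make_sample DIR MODE -> constructed unit file and script for trying the check.
make_sample() {
    printf '#!/bin/bash\n' > "$1/penlb.sh"
    chmod "$2" "$1/penlb.sh"
    printf '[Service]\nType=oneshot\nExecStart=%s/penlb.sh\n' "$1" > "$1/penlb.service"
}

# Usage: sh check_unit.sh /etc/systemd/system/penlb.service
if [ -n "${1:-}" ]; then check_unit "$1" || echo "tighten the permissions listed above"; fi
```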