You are viewing documentation for Immuta version 2.8.

Web Service Load Balancer Node Installation

Audience: System Administrators

Content Summary: A load balancer should be installed and configured to act as a reverse proxy for the Web Service nodes. The load balancer should be installed on a dedicated node, but can be collocated with one of the Web Service nodes.

If collocating, the Web Service node that hosts the load balancer is referred to as the load balancer node for the remainder of this section.

Environment Setup

The following variables will be used throughout the installation of the Load Balancer:

  • PATH_TO_PRIVATE_KEY: path to the private key nginx will use for TLS.
  • PATH_TO_CERT: path to the certificate nginx will use for TLS.

Export these as environment variables before beginning the setup:

export PATH_TO_PRIVATE_KEY=<path to private key>
export PATH_TO_CERT=<path to cert>

Load Balancer Node Package Installation

Install nginx on the load balancer node.

The following command must be run as root:

yum install nginx

Load Balancer Node Setup and Configuration

Configure nginx by creating or replacing /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent $http_referer '
                    '"$http_user_agent" "$http_x_forwarded_for" $request_time';
  access_log  /var/log/nginx/access.log  main;
  sendfile        on;
  keepalive_timeout  65;
  client_max_body_size 1g;
  proxy_send_timeout 600;
  proxy_read_timeout 600;

  # Pass WebSocket upgrade requests through to the Web Service; otherwise close.
  map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
  }

  # Be sure to set this for your upstream Web Service nodes.
  upstream service {
    server localhost:8080;  # <- this assumes the web service is on the same node
    # server <hostname>:8080;  # <- create one of these entries for every Web Service node.
  }

  server {
    listen *:443 ssl;
    ssl_certificate /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_session_cache shared:SSL:10m;

    location / {
      proxy_pass http://service;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
    }
  }
}

As noted in the config file, add a server line in the upstream service block for each Web Service node.
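The access log written by this configuration uses the custom main log_format above, which differs from the nginx default (the referer is unquoted and $request_time is appended). The following parser, added here as an example and not part of the Immuta documentation or product, reads lines in that exact format and summarizes them; the sample lines and the 5-second slow-request threshold are constructed.

```python
"""Parse nginx access-log lines in the `main` log_format used by the load balancer
configuration above (added example, not Immuta code)."""
import re
from collections import Counter

# Field order mirrors the page's log_format; note $http_referer is NOT quoted there.
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'(?P<http_referer>\S+) "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" (?P<request_time>\d+(?:\.\d+)?)$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    rec["request_time"] = float(rec["request_time"])
    return rec

def summarize(lines, slow_seconds=5.0):
    """Aggregate parsed lines: status counts, slow requests, per-client counts.
    Clients are keyed on $remote_addr: on the load balancer this is the TCP peer,
    whereas $http_x_forwarded_for is a client-supplied header (logged, not trusted)."""
    status, clients, slow, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        status[rec["status"]] += 1
        clients[rec["remote_addr"]] += 1
        if rec["request_time"] >= slow_seconds:
            slow.append((rec["remote_addr"], rec["request"], rec["request_time"]))
    return {"status": status, "clients": clients, "slow": slow, "unparsed": unparsed}

# Constructed sample lines in the page's `main` format (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Mar/2020:10:15:32 +0000] "GET /api/v1/users HTTP/1.1" 200 512 - "curl/7.64.0" "-" 0.012',
    '10.1.2.3 - alice [12/Mar/2020:10:15:40 +0000] "POST /api/v1/queries HTTP/1.1" 200 2048 https://lb.example.com/ui "Mozilla/5.0" "198.51.100.7" 7.500',
    '10.9.9.9 - - [12/Mar/2020:10:16:01 +0000] "GET /admin HTTP/1.1" 403 0 - "python-requests/2.22" "-" 0.003',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```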

Copy the TLS certificates into the /etc/nginx/tls directory. Ensure that they are readable by the nginx user. The private keys should not be readable by group or other.

The following commands must be run as root:

mkdir -p /etc/nginx/tls
chown nginx: /etc/nginx/tls
cp "${PATH_TO_CERT}" /etc/nginx/tls/server.crt
cp "${PATH_TO_PRIVATE_KEY}" /etc/nginx/tls/server.key
chmod 600 /etc/nginx/tls/server.key
chown nginx: /etc/nginx/tls/*

If SELinux is enabled, ensure that nginx can communicate over the network.

The following command must be run as root:

setsebool -P  httpd_can_network_connect 1

Finally, enable and start the nginx service.

The following commands must be run as root:

systemctl enable nginx
systemctl start nginx