Web Service Load Balancer Node Installation
Audience: System Administrators
Content Summary: A load balancer should be installed and configured to act as a reverse proxy for the Web Service nodes. The load balancer should be installed on a dedicated node, but can be collocated with one of the Web Service nodes.
If collocating, the Web Service node hosting the load balancer will be referred to for the remainder of this section as the load balancer node.
Environment Setup
The following variables will be used throughout the installation of the Load Balancer:
PATH_TO_PRIVATE_KEY: path to the private key nginx will use for TLS.
PATH_TO_CERT: path to the certificate nginx will use for TLS.
Export these as environment variables before beginning the setup:
export PATH_TO_PRIVATE_KEY=<path to private key>
export PATH_TO_CERT=<path to cert>
Load Balancer Node Package Installation
Install nginx on the load balancer node.
The following command must be run as root:
yum install nginx
Load Balancer Node Setup and Configuration
Configure nginx by creating or replacing /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent $http_referer '
                    '"$http_user_agent" "$http_x_forwarded_for" $request_time';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;
    client_max_body_size 1g;
    proxy_send_timeout 600;
    proxy_read_timeout 600;

    # Map the client's Upgrade header to the Connection header sent upstream
    # so that WebSocket connections are passed through.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream service {
        server localhost:8080; # <- this assumes the web service is on the same node
        # server <hostname>:8080; # <- create one of these entries for every Web Service node.
    }

    server {
        listen *:443 ssl;
        ssl_certificate /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_session_cache shared:SSL:10m;

        location / {
            proxy_pass http://service;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}
Be sure to set this for your upstream web nodes: as noted in the config file, add a server line in the upstream service block for each Web Service node.
Copy the TLS certificates into the /etc/nginx/tls
directory. Ensure that they are readable by the nginx user. The
private keys should not be readable by group or other.
The following commands must be run as root:
mkdir -p /etc/nginx/tls
chown nginx: /etc/nginx/tls
cp "${PATH_TO_CERT}" /etc/nginx/tls/server.crt
cp "${PATH_TO_PRIVATE_KEY}" /etc/nginx/tls/server.key
chmod 600 /etc/nginx/tls/server.key
chown nginx: /etc/nginx/tls/*
If SELinux is enabled, ensure that nginx can communicate over the network.
The following command must be run as root:
setsebool -P httpd_can_network_connect 1
Finally, enable and start the nginx service.
The following commands must be run as root:
systemctl enable nginx
systemctl start nginx