06 Sep 2014
Load Balancing Proxy for WSO2 Servers
I have previously written a post about setting up Apache proxy configurations for Carbon servers on Mac OS X. This time I will focus on the SSL and load-balancing aspects. For this use case I am going to use the WSO2 Identity Server. The final scenario is a deployment architecture in which traffic coming to the proxy is load balanced across 2 WSO2 Identity Servers.
The location of the httpd.conf file depends heavily on the OS. On Mac OS X it is usually located at /etc/apache2/httpd.conf. Red Hat Linux puts this file in
The Apache server is split into a core and modules. Some modules are not enabled by default in certain distributions. Modules are defined in the httpd.conf file, which Apache reads at startup to configure itself. Below are the necessary modules for Apache 2. Check whether the modules below are available in httpd.conf. If not, you'll have to install them using your package manager -
Certificates for SSL
Generating a certificate is necessary to set up an SSL proxy. We generate a private key using OpenSSL. When generating the private key, use wso2carbon as the pass phrase.
openssl genrsa -des3 -out server.key 1024
Afterwards, we generate the certificate signing request (.csr).
openssl req -new -key server.key -out server.csr
Using both the CSR and the private key, we can generate a certificate that is valid for a particular number of days.
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Copy your certificate file (server.crt) and private key (server.key) to a directory inside apache. Let's put them in a folder called certs under apache.
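The key, CSR and certificate steps above can be run without prompts and the resulting pair checked before Apache loads it. This is an added example, not part of the original post; the KEY_PASS variable, the CN=localhost subject, the function names, the 30-day expiry window and the 2048-bit minimum are assumptions of the example (the post's own command uses 1024 bits).

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, then sanity checks.
# KEY_PASS, CN=localhost and the thresholds below are assumptions of this example.
export KEY_PASS="${KEY_PASS:-wso2carbon}"   # pass phrase named in the post

# make_selfsigned DIR BITS: the post's three openssl steps, non-interactive.
# The pass phrase is read from the environment so it never appears in argv.
make_selfsigned() {
    openssl genrsa -des3 -passout env:KEY_PASS -out "$1/server.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -passin env:KEY_PASS \
        -subj "/CN=localhost" -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -passin env:KEY_PASS -days 365 -out "$1/server.crt" 2>/dev/null
}

# key_bits KEY: print the RSA modulus size of the encrypted private key.
key_bits() {
    openssl rsa -in "$1" -passin env:KEY_PASS -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# pair_matches KEY CRT: succeed only if the certificate carries the key's modulus.
pair_matches() {
    k=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_pair KEY CRT: 0 = usable, 1 = key/certificate mismatch,
# 2 = key smaller than 2048 bits, 3 = certificate expires within 30 days.
check_pair() {
    pair_matches "$1" "$2" || return 1
    [ "$(key_bits "$1")" -ge 2048 ] || return 2
    openssl x509 -in "$2" -noout -checkend $((30 * 86400)) >/dev/null || return 3
}

# Demo in a throwaway directory, so nothing in the Apache tree is touched.
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" 2048 &&
   check_pair "$demo_dir/server.key" "$demo_dir/server.crt"; then
    echo "key and certificate are a usable pair"
else
    echo "check failed with status $?"
fi
rm -rf "$demo_dir"
```

Running check_pair against the files copied into the certs folder catches a mismatched key and certificate before Apache fails to start on them.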
EDIT: In the new Apache version (Apache/2.4.16), the additional configs below are needed to enable SSL inside the VirtualHost.
Configure Apache for certificates
Let’s get down and dirty with the httpd.conf file now. Forget about all the default configurations in the file and scroll to the bottom. First we are going to add the balancer, with the two server hostnames as balancer members.
Next we are going to configure a VirtualHost that uses the above balancer. First, Apache will have to listen to
443 is the default SSL port. The private key and the certificate are configured inside the virtual host. Also note that the ‘/’ after the cluster name (mycluster) is necessary.
Configure the certificate password
Create a file named pass in the certs folder. Include the content below in that file -
In the httpd.conf file, outside the VirtualHost, put the configuration below to set up the password. This will read the password from that file. Otherwise we have to provide the pass phrase of the private key every time we start the server.
Now if you access https://localhost, you’ll be proxied to either of the Identity Servers running in
Real world use case
There are several use cases for using a proxy. First, a proxy can be used to securely proxy traffic to the identity server sitting in the internal network. This way the proxy is in the DMZ. Another use case is to provide high availability (HA). The proxy can be used to direct traffic to a couple of servers, so that if one server goes down, the other servers will continue to process requests.
Till next time mate,
Dulitha at 20:24