Example Nginx Load-Balancer Configuration

You can use a NginX web server as a load balancer in PrivX-HA deployments. This chapter provides an example configuration for an Nginx load balancer, along with any prerequisites required for the example configuration.


Note

In the following examples, the IP addresses 192.0.2.100 and 192.0.2.101 need to be substituted with your PrivX-server addresses.

The Nginx used for the load balancer must be built with additional modules for TLS-passthrough (the stream module) and sticky-session support. If you are building Nginx yourself, configure it similarly to the following (replace path/to/nginx-sticky-module-ng with the path to the nginx-sticky-module-ng module, available from https://github.com/Refinitiv/nginx-sticky-module-ng):

# ./configure \
--with-stream \
--add-module=path/to/nginx-sticky-module-ng

The sample configuration requires that the SELinux policy allows the Nginx process to listen on ports 2222 and 3389. Run the following commands to add these ports to the list of listen ports allowed for Nginx:

semanage port -a -t http_port_t -p tcp 2222
semanage port -a -t http_port_t -p tcp 3389

The sample configuration also requires you to install a TLS key and certificate to the following paths respectively:

/etc/nginx/server.key
/etc/nginx/server.crt

After setting up Nginx with the required modules, you can use the following Nginx configuration to satisfy all the load-balancer requirements described in PrivX high availability deployment.

# NGINX Load-balancer example configuration.
# Requests are distributed between servers using sticky sessions.
# The upstream module contains the IP addresses of the PrivX servers.
# In this example two instances of PrivX are running
# with private IP addresses 192.0.2.100 and 192.0.2.101
# HTTP requests except for CRLs are redirected to HTTPS.

load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";

events {
   worker_connections 1024;
}

http {
   upstream privx_http {
      sticky;
      server 192.0.2.100:80;
      server 192.0.2.101:80;
   }

   upstream privx_https {
       sticky;
       server 192.0.2.100:443;
       server 192.0.2.101:443;
   }

   client_max_body_size 50M;

   server {
       listen 80 default_server;
       listen [::]:80 default_server;
       location / {
          proxy_set_header X-Forwarded-Host $http_host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://privx_http;
       }
   }

   server {
       listen 443 ssl http2 default_server;
       listen [::]:443 ssl http2 default_server;
       ssl_certificate "/etc/nginx/server.crt";
       ssl_certificate_key "/etc/nginx/server.key";

       location / {
           proxy_set_header X-Forwarded-Host $http_host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass https://privx_https;
       }

       location ~ ^/(ssh-proxy|ssh-mitm|rdp-proxy|rdp-mitm)/ {
           proxy_pass https://privx_https;
           proxy_set_header Host $http_host;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
       }
   }
}

stream {
    upstream privx_ssh-mitm {
        hash $remote_addr consistent;
        server 192.0.2.100:2222;
        server 192.0.2.101:2222;
    }
    
    upstream privx_rdp-mitm {
        hash $remote_addr consistent;
        server 192.0.2.100:3389;
        server 192.0.2.101:3389;
    }

    upstream privx_cert {
        hash $remote_addr consistent;
        server 192.0.2.100:8443;
        server 192.0.2.101:8443;
    }
    
    server {
        listen        2222;
        proxy_pass    privx_ssh-mitm;
        proxy_connect_timeout 1s;
    }
    
    server {
        listen        3389;
        proxy_pass    privx_rdp-mitm;
        proxy_connect_timeout 1s;
    }

    server {
        listen        8443;
        proxy_pass    privx_cert;
        proxy_connect_timeout 1s;
    }
}

To disconnect a PrivX server, append down to the server address. For example:

upstream privx_https {
    sticky;
    server 192.0.2.100:443;
    server 192.0.2.101:443 down;
}

Then reload the Nginx configuration with:

# systemctl reload nginx

To reconnect a PrivX server, remove the down keyword and reload the configuration.
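The two hand edits described on this page (substituting the example IP addresses for your own PrivX servers, and adding or removing the down keyword before reloading Nginx) are easy to get wrong in a file of this size. The following script is an added example, not part of the PrivX documentation or of Nginx: it parses the upstream blocks of a configuration file, reports every backend and its down state, flags any server address that is not one of the expected PrivX servers, and rewrites a single backend as drained or reconnected. The configuration text embedded below is a constructed excerpt of the example above; the function and variable names are this example's own.

```python
"""Inspect and edit the `upstream` blocks of an Nginx load-balancer config.

Added example (not part of the PrivX documentation or of Nginx itself).
The parser is deliberately small: it understands `upstream NAME { ... }`
blocks with one `server` directive per line, which is all the page's
configuration uses.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the page's http/stream upstreams.
SAMPLE_CONF = """\
http {
   upstream privx_https {
       sticky;
       server 192.0.2.100:443;
       server 192.0.2.101:443;
   }
}
stream {
    upstream privx_ssh-mitm {
        hash $remote_addr consistent;
        server 192.0.2.100:2222;
        server 192.0.2.101:2222 down;
    }
}
"""

# The PrivX servers every upstream `server` line is expected to point at
# (assumption for this example; replace with your own addresses).
PRIVX_SERVERS = {"192.0.2.100", "192.0.2.101"}

# upstream blocks do not nest, so a non-greedy match up to the first `}` is enough.
UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{(.*?)\}", re.S)
# indentation, host:port, then any parameters (weight=, backup, down, ...).
SERVER_RE = re.compile(r"^([ \t]*)server\s+([^\s;]+)([^;]*);", re.M)


@dataclass(frozen=True)
class Backend:
    upstream: str
    address: str  # host:port exactly as written in the config
    down: bool


def parse_upstreams(conf: str) -> list[Backend]:
    """Return every `server` entry of every `upstream` block, in file order."""
    backends = []
    for m in UPSTREAM_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        for s in SERVER_RE.finditer(body):
            params = s.group(3).split()
            backends.append(Backend(name, s.group(2), "down" in params))
    return backends


def unknown_hosts(conf: str, allowed: set[str] = PRIVX_SERVERS) -> list[str]:
    """Backend addresses whose host is not an expected PrivX server, e.g. a
    documentation IP that was not substituted or a typo made while doing so.
    (IPv4 host:port only; IPv6 literals are out of scope for this example.)"""
    return sorted({b.address for b in parse_upstreams(conf)
                   if b.address.rsplit(":", 1)[0] not in allowed})


def set_down(conf: str, upstream: str, address: str, down: bool) -> str:
    """Return the config with `address` in `upstream` marked `down` (or not).
    Raises ValueError if the upstream or server line is not found, so a typo
    produces an error instead of a silent no-op before `systemctl reload`."""
    for m in UPSTREAM_RE.finditer(conf):
        if m.group(1) != upstream:
            continue
        body = m.group(2)
        for s in SERVER_RE.finditer(body):
            if s.group(2) != address:
                continue
            params = [p for p in s.group(3).split() if p != "down"]
            if down:
                params.append("down")
            line = f"{s.group(1)}server {address}" + "".join(f" {p}" for p in params) + ";"
            new_body = body[:s.start()] + line + body[s.end():]
            return conf[:m.start(2)] + new_body + conf[m.end(2):]
        raise ValueError(f"server {address} not found in upstream {upstream}")
    raise ValueError(f"upstream {upstream} not found")


if __name__ == "__main__":
    for b in parse_upstreams(SAMPLE_CONF):
        print(f"{b.upstream:20} {b.address:22} {'down' if b.down else 'up'}")
    print("unexpected hosts:", unknown_hosts(SAMPLE_CONF) or "none")
    drained = set_down(SAMPLE_CONF, "privx_https", "192.0.2.101:443", True)
    print(drained)
```

In practice the script would read /etc/nginx/nginx.conf, write the result back, and only then run `nginx -t` and `systemctl reload nginx`; the rewrite touches just the one server line, so a diff of the file before reloading shows exactly the backend being drained or reconnected.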
