Example Nginx Load-Balancer Configuration
You can use a NginX web server as a load balancer in PrivX-HA deployments. This chapter provides an example configuration for an Nginx load balancer, along with any prerequisites required for the example configuration.
Note
In the following examples the IP addresses ​
192.0.2.100​ and​192.0.2.101​​ need to be substituted with your PrivX-server addresses.
The Nginx used for the load balancer must be built with additional packages, for TLS-passthrough and sticky-session support. If you are building Nginx yourself, configure Nginx with the similarly to the following (replace ​path/to/nginx-sticky-module-ng​ with the path to the ​nginx-sticky-module-ng​ module, available from ​https://github.com/Refinitiv/nginx-sticky-module-ng​​):
# ./configure \
--with-stream \
--add-module=​​path/to/nginx-sticky-module-ng​​
The sample configuration requires that the SELinux policy allows Nginx process to listen at ports 2222 and 3389. Run the following commands to add these ports to the list of allowed listen ports for Nginx:
semanage port -a -t http_port_t -p tcp 2222
semanage port -a -t http_port_t -p tcp 3389
The sample configuration also requires you to install a TLS key and certificate to the following paths respectively:
​​/etc/nginx/server.key
​​/etc/nginx/server.crt
After setting up Nginx with the required modules, you can use the following Nginx configuration to satisfy all the load-balancer requirements described in PrivX high availability deployment.
# NGINX Load-balancer example configuration.
# Requests are distributed between servers using sticky sessions.
# The upstream module contains the IP addresses of the PrivX servers.
# In this example two instances of PrivX are running
# with private IP addresses 192.0.2.100 and 192.0.2.101
# HTTP requests except for CRLs are redirected to HTTPS.
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";
events {
worker_connections 1024;
}
http {
upstream privx_http {
sticky;
server 192.0.2.100:80;
server 192.0.2.101:80;
}
upstream privx_https {
sticky;
server 192.0.2.100:443;
server 192.0.2.101:443;
}
client_max_body_size 50M;
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://privx_http;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate "/etc/nginx/server.crt";
ssl_certificate_key "/etc/nginx/server.key";
location / {
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://privx_https;
}
location ~ ^/(ssh-proxy|ssh-mitm|rdp-proxy|rdp-mitm)/ {
proxy_pass https://privx_https;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
}
stream {
upstream privx_ssh-mitm {
hash $remote_addr consistent;
server 192.0.2.100:2222;
server 192.0.2.101:2222;
}
upstream privx_rdp-mitm {
hash $remote_addr consistent;
server 192.0.2.100:3389;
server 192.0.2.101:3389;
}
upstream privx_cert {
hash $remote_addr consistent;
server 192.0.2.100:8443;
server 192.0.2.101:8443;
}
server {
listen 2222;
proxy_pass privx_ssh-mitm;
proxy_connect_timeout 1s;
}
server {
listen 3389;
proxy_pass privx_rdp-mitm;
proxy_connect_timeout 1s;
}
server {
listen 8443;
proxy_pass privx_cert;
proxy_connect_timeout 1s;
}
}
To disconnect a PrivX server, append ​down​​ to the server address. For example:
upstream privx_http {
hash $remote_addr consistent;
server 192.0.2.100:443;
server 192.0.2.101:443 ​down​​;
}
Then reload the Nginx configuration with:
# systemctl reload nginx
To reconnect a PrivX server, remove the ​down​​ keyword and reload the configuration.
Updated over 3 years ago