To balance PAM Core, an Active-Passive scheme is recommended.

Additional servers with Indeed PAM Core installed are added to Component arrangement #2.

Let their names be pam2, pam3, and so on. Each PAM Core is configured exactly like the first; the configuration files c:\inetpub\wwwroot\api\Web.config should be the same on all of them.

The balancer itself will act as the api endpoint, and all PAM Core servers will be tied to it. The balancer address must be entered in the corresponding sections of the User Console, Management Console and Gateway configuration files:

Edit the following lines in the files C:\inetpub\wwwroot\uc\assets\config\config.prod.json and C:\inetpub\wwwroot\mc\assets\config\config.prod.json:

"apiServer": {
    "url": "https://haproxy.indeed-id.local/api"
},

Edit lines in file C:\Program Files\Indeed PAM\Gateway\ProxyApp\Pam.Proxy.App.exe

<pamProxy ApiUrl="https://haproxy.indeed-id.local/api" IdpUrl="https://pam1.indeed-id.local/idp" ... FileCopyMinBytesToSave="1048576" />


HAProxy settings in the case of two servers (the first is active, the second is standby) are presented below:

global
    log		/dev/haproxy/log local0			# see https://en.wikipedia.org/wiki/Syslog#Facility
    log		/dev/haproxy/log local1 notice	# notice - Error level. The whole list: emerg, alert, crit, err, warning, notice, info, debug
    chroot	/var/lib/haproxy	# Run the process chrooted into an empty directory without permissions to limit what a compromised process can reach
    maxconn	256					# Maximum number of simultaneous connections. 
    stats socket /run/haproxy/admin.sock mode 660 level admin 
    stats timeout 30s
    
# HAPROXY Immutable settings 
    user haproxy
    group haproxy 

    daemon 					# Run the process in the background

defaults
    log		global
    mode	http
    option	httplog
    option	dontlognull
    
# Timeouts
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    retries 3 				# retries before lowering server status

# Statistics
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy		#here's a link to the statistics page
    stats auth stat:stat
    option httpchk HEAD / HTTP/1.0

# Access settings 
    option redispatch		# Allows users to go to another server if the server their cookies refer to doesn't work
    balance roundrobin		# Server selection algorithm (servers are used in turn, according to their weights)

frontend frontend_http
    bind *:443 ssl crt /etc/ssl/certs/haproxy.indeed-id.local.pem # Setting up the frontend interface with the path to the certificate of this server
    option forwardfor				# Pass the original client ip address to the server
    default_backend backend_http	# Indicate which backend processes requests

backend backend_http    
    option prefer-last-server         			 # Attempt to reuse the same connection to the server
    option httpchk GET /api/isHealthy			 # PAM Core application availability check
    stick-table type string len 35 size 1m expire 1d  	 # The setting required for communication between gateway and core, otherwise viewing the video stream will not work
    stick on path,word(2,/) if { path_beg /screencast/ }	# Pin requests under /screencast/ to one server, keyed on the second path segment
    server pam2 192.168.10.122:443 ssl verify none check inter 5000ms	# Server names for HAProxy monitoring, availability check enabled, certificate not verified
    server pam1 192.168.10.121:443 backup ssl verify none check inter 5000ms	# Backup server is inactive while the main server is available for connections
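
The configuration above has `stats enable` with `stats auth stat:stat` in `defaults`, so the statistics page is served on every proxy including the public port 443 frontend, and `ssl verify none` on both PAM Core servers, so the balancer accepts any certificate from the backends. A variant of those sections with a restricted statistics listener and backend certificate verification, as an added example that is not part of the vendor's configuration; the CA bundle path, the pam2 host name, the listener address and port, the management subnet and the password placeholder are assumptions:

```haproxy
# Added example. Only the sections that differ from the configuration above are shown.
# Assumed values: /etc/haproxy/pam-ca.pem, pam2.indeed-id.local, 192.168.10.120:8404,
# 192.168.10.0/24 and the password placeholder.

defaults
    log		global
    mode	http
    option	httplog
    option	dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    retries 3
    option redispatch
    balance roundrobin
    # No "stats" lines here: statistics declared in defaults are inherited by
    # every frontend and backend, which exposes /haproxy on port 443.

# Statistics on a dedicated listener, reachable from the management subnet only
listen stats
    bind 192.168.10.120:8404 ssl crt /etc/ssl/certs/haproxy.indeed-id.local.pem
    http-request deny unless { src 192.168.10.0/24 }
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy
    stats auth stat:REPLACE_WITH_LONG_RANDOM_PASSWORD	# placeholder, not a real credential

backend backend_http
    option prefer-last-server
    option httpchk GET /api/isHealthy
    stick-table type string len 35 size 1m expire 1d
    stick on path,word(2,/) if { path_beg /screencast/ }
    # "verify required" validates the backend certificate chain against ca-file;
    # "verifyhost" additionally requires the certificate to carry the given name.
    # Health checks use the same TLS settings, so a server presenting an
    # untrusted certificate is marked down instead of receiving traffic.
    server pam2 192.168.10.122:443 ssl verify required ca-file /etc/haproxy/pam-ca.pem verifyhost pam2.indeed-id.local check inter 5000ms
    server pam1 192.168.10.121:443 backup ssl verify required ca-file /etc/haproxy/pam-ca.pem verifyhost pam1.indeed-id.local check inter 5000ms
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the syntax before a reload.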

