Created by Pavel Golubnichiy on Jan 27, 2020
With simultaneous balancing, the same HAProxy server accepts both HTTPS requests to the API addresses (acting as the web front end) and RDP connections (acting as the RDS front end).
You need to specify the HAProxy address in the following files:

C:\inetpub\wwwroot\mc\assets\config\config.prod.json
    "apiServer": { "url": "https://haproxy.indeed-id.local/api" },

C:\inetpub\wwwroot\uc\assets\config\config.prod.json
    "apiServer": { "url": "https://haproxy.indeed-id.local/api" },
    "gatewayServer": { "address": "haproxy.indeed-id.local" },

C:\Program Files\Indeed PAM\Gateway\ProxyApp\Pam.Proxy.App.exe
    <pamProxy ApiUrl="https://haproxy.indeed-id.local/api" IdpUrl="https://pam1.indeed-id.local/idp" ... FileCopyMinBytesToSave="1048576" />
Therefore, the HAProxy configuration must contain a separate frontend and backend for each service: one TCP pair for RDP traffic to the PAM Gateways and one HTTP pair for API traffic to the PAM Cores.
The HAProxy configuration for two PAM Cores and two PAM Gateways is presented below:
    global
        log /dev/haproxy/log local0
        log /dev/haproxy/log local1 notice
        chroot /var/lib/haproxy
        maxconn 256
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 3s
        user haproxy
        group haproxy
        daemon
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

    defaults
        log global
        mode tcp
        option dontlognull
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
        retries 3
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    # Stats
    frontend stats
        bind *:8404
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /haproxy
        stats auth stat:stat
        stats refresh 3s

    frontend ft_rdp
        mode tcp                                  # frontend mode
        bind 192.168.48.140:3389                  # Address and port on HAProxy for client connections
        timeout client 1h
        log global
        option tcplog
        tcp-request inspect-delay 2s              # Maximum time to analyze the incoming connection
        tcp-request content accept if RDP_COOKIE
        default_backend bk_rdp

    backend bk_rdp
        mode tcp                                  # backend mode
        balance leastconn                         # Select the server with the fewest active connections
        timeout server 1h
        timeout connect 4s
        log global
        option tcp-check
        tcp-check connect port 3389 ssl
        # Stick table keyed on client ip: 1 million records, record lifetime 12 hours
        stick-table type ip size 1m expire 12h
        stick on src                              # Use the client's ip address to stick
        # Check interval 3 seconds; a server is considered active after 2 successful checks
        # and unavailable after 3 failed checks
        default-server inter 3s rise 2 fall 3
        # PAM Gateway servers: equal weights, availability check enabled, certificate not checked
        server gw1 192.168.10.145:3389 weight 10 check verify none
        server gw2 192.168.10.146:3389 weight 10 check verify none

    frontend frontend_http
        mode http                                 # frontend mode
        bind *:443 ssl crt /etc/ssl/certs/ubuntu.test.com.pem   # Interface settings for incoming requests
        option forwardfor                         # Pass the original client ip address to the server
        default_backend backend_http              # Name of the backend processing the requests

    backend backend_http
        mode http                                 # backend mode
        option prefer-last-server                 # Try to reuse the same connection to the server
        option redispatch
        balance roundrobin
        option httpchk GET /api/isHealthy         # PAM Core application availability check
        # Required for communication between gateway and core; without it the video stream will not play
        stick-table type string len 35 size 1m expire 1d
        stick on path,word(2,/) if { path_beg /screencast/ }
        # PAM Core servers: certificate verification disabled, availability check every 15 seconds
        server pam2 192.168.10.122:443 ssl verify none check inter 15s
        server pam1 192.168.10.121:443 ssl verify none check inter 15s
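As an added defender's check (not part of the original page or the Indeed PAM product), the Python script below parses HAProxy sections in the layout used above and flags the settings worth reviewing before production: the `stat:stat` credentials on the stats frontend, `verify none` on backend servers (the backend certificate is not validated), and any backend without an active health check. The excerpt is a constructed subset of this page's configuration.

```python
"""Lint security-relevant settings in an HAProxy configuration."""
import re

# Constructed excerpt of the page's configuration (same directives, shortened).
SAMPLE_CFG = """
frontend stats
    bind *:8404
    stats enable
    stats auth stat:stat
backend bk_rdp
    mode tcp
    option tcp-check
    tcp-check connect port 3389 ssl
    server gw1 192.168.10.145:3389 weight 10 check verify none   # gateway
backend backend_http
    mode http
    option httpchk GET /api/isHealthy
    server pam1 192.168.10.121:443 ssl verify none check inter 15s
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def parse_sections(text):
    """Return [(kind, name, [directive lines])]; comments are stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            sections.append((words[0], words[1] if len(words) > 1 else "", []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def lint(text):
    """Return (section name, message) findings a reviewer should look at."""
    findings = []
    for kind, name, lines in parse_sections(text):
        for line in lines:
            if line.startswith("stats auth "):
                user, _, pw = line.split()[2].partition(":")
                if pw == user or len(pw) < 12:  # trivial or short password
                    findings.append((name, "stats auth uses a weak password"))
            m = re.match(r"server\s+(\S+)\s.*\bverify none\b", line)
            if m:
                findings.append((name, f"server {m.group(1)}: TLS cert not verified"))
        if kind == "backend" and not any(
                l.startswith(("option httpchk", "option tcp-check")) for l in lines):
            findings.append((name, "no active health check configured"))
    return findings
```

Run it against the full configuration file (`lint(open("/etc/haproxy/haproxy.cfg").read())`) to get the same findings for the real deployment.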