How to configure same context applications to use different machines with ModCluster and Wildfly10 - apache

I'm trying to use ModCluster to load balance some servers. We have one single EAR that needs to be load balanced by different DNSs.
We have this scenario. We need to maintain the same context 'system1' because of backward compatibility
4 servers for urla.com.br/system1/
2 servers for urlb.com.br/system1/
Using Wildfly 10.1.0 in domain mode, they are separated by two server groups: URLA and URLB. They share the same profile (URL-HA) and socket bindings (URL-HA-SOCKET).
I have an Apache with mod_cluster with a minimal configuration.
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so
Listen 10.90.0.13:7777
<VirtualHost 10.90.0.13:7777>
<Directory />
Require all granted
</Directory>
<Location />
Order deny,allow
Allow from all
</Location>
ManagerBalancerName mybalancer
ServerAdvertise on
EnableMCPMReceive On
<Location /mod_cluster-manager>
SetHandler mod_cluster-manager
Order deny,allow
Allow from all
</Location>
</VirtualHost>
When I access http://10.90.0.13:7777/mod_cluster-manager, I see the 6 servers registered with the context system1/. They use the same EAR file, by the way.
But this is not the ideal scenario for us. The users accessing urla.com.br/system1/ cannot use the machines of urlb.com.br/system1/ and vice versa.
The only way that I have found to do this (I have not tested it yet...) is to create one profile for each server group, so I can configure a different load balance group in:
Profile > URLA-HA / URLB-HA > Subsystems > ModCluster.
But in this case, we duplicated all configurations that exist in the profile (DataSources, Queues, MailSession, etc). This is painful to maintain.
So, what options do we have in my case? Thanks!

I've found the solution for my problem using only one Wildfly's profile.
For this, I have used two balancers and used ProxyPass to use the specific balancer.
Wildfly: At the Domain Controller's Console admin url, go to:
Configuration: Profiles Profile: URL-HA Subsystem: ModCluster
On the Advertising tab, change the Balancer value:
${projectcluster.modcluster.balancer:mybalancer}
Add System Properties to both the server-groups
Runtime -> Server Groups -> URLA -> View
On the System Properties tab, add:
Key 'projectcluster.modcluster.balancer' value 'first'
Key 'jboss.modcluster.multicast.address' value '224.0.2.108'
Runtime -> Server Groups -> URLB -> View
On the System Properties tab, add:
Key 'projectcluster.modcluster.balancer' value 'second'
Key 'jboss.modcluster.multicast.address' value '224.0.2.108'
After this, restart your server-groups URLA and URLB
Apache
Using the example Apache conf on the question:
...
...
ManagerBalancerName mybalancer
ServerAdvertise on
EnableMCPMReceive On
# Defined on Wildfly
AdvertiseGroup 224.0.2.108:23364
<Location /mod_cluster-manager>
SetHandler mod_cluster-manager
Order deny,allow
Allow from all
</Location>
</VirtualHost>
Listen 10.90.0.13:8001
<VirtualHost 10.90.0.13:8001>
ProxyPass / balancer://first stickysession=JSESSIONID|jsessionid nofailover=On
ProxyPassReverse / balancer://first
</VirtualHost>
Listen 10.90.0.13:8002
<VirtualHost 10.90.0.13:8002>
ProxyPass / balancer://second stickysession=JSESSIONID|jsessionid nofailover=On
ProxyPassReverse / balancer://second
</VirtualHost>
All the requests on 10.90.0.13:8001/system1 will be sent to the first balancer, and those on 10.90.0.13:8002/system1 will be sent to the second balancer.
And that is it.
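The manager virtual host above accepts MCMP registration messages and serves /mod_cluster-manager under `Allow from all`. The same two-balancer layout with both limited by source address, as an added example that is not part of the original answer; it assumes Apache 2.4 `Require` syntax, and the worker subnet 10.90.0.0/24 and admin host 10.90.0.50 are placeholder values:

```apache
# Added example, not from the original post.
# Assumed placeholders: 10.90.0.0/24 = WildFly worker nodes,
#                       10.90.0.50   = administrator workstation.
Listen 10.90.0.13:7777
<VirtualHost 10.90.0.13:7777>
    # MCMP messages (node registration, context enable/disable, load status)
    # are accepted only from the worker subnet.
    <Location />
        Require ip 10.90.0.0/24
    </Location>

    ManagerBalancerName mybalancer
    ServerAdvertise on
    EnableMCPMReceive On
    # Same multicast group as jboss.modcluster.multicast.address on WildFly
    AdvertiseGroup 224.0.2.108:23364

    # Status page: this later section replaces the rule from <Location />,
    # so only the admin host can open it.
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Require ip 10.90.0.50
    </Location>
</VirtualHost>

# Client-facing virtual hosts, one per balancer, as in the answer.
Listen 10.90.0.13:8001
<VirtualHost 10.90.0.13:8001>
    ProxyPass / balancer://first stickysession=JSESSIONID|jsessionid nofailover=On
    ProxyPassReverse / balancer://first
</VirtualHost>

Listen 10.90.0.13:8002
<VirtualHost 10.90.0.13:8002>
    ProxyPass / balancer://second stickysession=JSESSIONID|jsessionid nofailover=On
    ProxyPassReverse / balancer://second
</VirtualHost>
```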

Related

Apache Proxy balancer overruling file access limits

I have 1 load balancer server and 2 app servers which do load distribution. Now I have a strange problem that the
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
rule does not get triggered when the request gets forwarded to the app servers.
Setup is:
<Proxy balancer://catdefault>
BalancerMember http://xx.xxx.xxx:8081
BalancerMember http://xx.xxx.yyy:8081
</Proxy>
And in the virtual host I get it included like this:
ProxyPass / balancer://catdefault/
ProxyPassReverse / balancer://catdefault/
The strange thing is that when I apply the Files rule in the app server which is a balance member, e.g. http://xx.xxx.xxx:8081, then the rule gets respected.
Now we agreed not to make rew rules on the app server because they will be later or many of them and administration will be heavy.
Any idea how I can make the files work from the load balancer server and not the http://xx.xxx.xxx:8081 servers???
<Directory> or <Files> directives will only apply to objects that reside in the filesystem.
Perhaps something like this can help (untested):
ProxyPassMatch "(?i)\.ht([^/]*)$" !
ProxyPass / balancer://catdefault/
ProxyPassReverse / balancer://catdefault/
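`<Location>` and `<LocationMatch>` sections match the request URL rather than a file on disk, so they also apply to requests handed to the balancer. An added example (not part of the original answer) that denies `.ht*` names on the load balancer itself, assuming Apache 2.4 authorization syntax:

```apache
# Added example; balancer://catdefault is the balancer from the question.
# Matches a final path segment that starts with ".ht", case-insensitively.
<LocationMatch "(?i)/\.ht[^/]*$">
    Require all denied
    # Apache 2.2 equivalent:
    #   Order allow,deny
    #   Deny from all
</LocationMatch>

ProxyPass        / balancer://catdefault/
ProxyPassReverse / balancer://catdefault/
```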

Running Jenkins behind Apache 2.2 issue

I need to configure Jenkins behind Apache. For this purpose I installed Apache 2.2 using httpd-2.2.25-win32-x86-openssl-0.9.8y.msi.
Now I have configured jenkins with -
--httpPort=8084 --prefix=/jenkins (inside jenkins.xml)
The securityRealm for Jenkins is (I am using LDAP authentication):
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.11">
<server>ldap://ldap.myserver.com:1234</server>
<rootDN>DC=blah-blah,DC=blah</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase></userSearchBase>
<userSearch>SAMAccountName={0}</userSearch>
<groupSearchFilter></groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
<filter></filter>
</groupMembershipStrategy>
<managerDN>email@mycompany.com</managerDN>
<managerPasswordSecret>XXXX</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
The name of the server where Apache and Jenkins are hosted is : http://abchost/.
Jenkins is hosted at : http://abchost:8084/jenkins.
Now I need to configure the Apache server in such a way that, when I enter http://abchost/jenkins in the browser, a proxy should work in between and forward the request to http://abchost:8084/jenkins and again, get the result from Jenkins and display the result at: http://abchost/jenkins.
For this I have configured Apache like this:
NameVirtualHost abchost:80
Listen 80
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes On
<VirtualHost *:80>
ServerName abchost.com
ServerAdmin admin@abchost.com
ProxyPass /downloads !
Alias /downloads "d:\myPath1"
<Directory "d:\myPath2">
# Don't allow editing the main repository site.
Options -Indexes
</Directory>
<Directory "d:\myPath3">
# Remove 'Parent Directory' link from the site.
# IndexIgnore ..
#
Options +Indexes
# List file names which will be opened automatically when the folder is opened.
DirectoryIndex index.html toc.html
IndexOptions FancyIndexing HTMLTable FoldersFirst SuppressDescription
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Jenkins via HTTP.
ProxyPass /jenkins/ http://abchost:8084/jenkins/ nocanon
ProxyPassReverse /jenkins http://abchost:8084/jenkins/
</VirtualHost>
After this configuration, I am able to log in to Jenkins using http://abchost:8084/jenkins/, but not using http://abchost/jenkins/.
Point to note is:
When I am logging in at http://abchost/jenkins/ using the proper user id and pswd, it looks like the page refreshes and a blank login page appears again.
When I am logging in at http://abchost/jenkins/ using a wrong user id and pswd combination, it shows a message that LDAP authentication failed.
Can anyone please enlighten me?
Thanks in advance!

Sticky session not working with multiple apache vhosts and multiple JBoss 7.2 server-groups

Having a specific cluster architecture with the following details:
Load balancer (10.10.0.1) using Apache's mod_cluster 1.2.0 without advertising using multicast
2 JBoss AS 7.2 servers (jboss-instance-1, jboss-instance-1) in domain mode (host and slave), I'm using proxy-list instead of multicast
In domain.xml I have the following settings (only important snippets):
...
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
<mod-cluster-config advertise-socket="modcluster" connector="ajp" balancer="${mycluster.modcluster.balancer:DefaultBalancer}" proxy-list="10.10.0.1:6677">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
...
...
<server-group name="SG1" profile="ha">
<system-properties>
<property name="mycluster.modcluster.balancer" value="SG1Balancer"/>
</system-properties>
<jvm name="default"/>
<socket-binding-group ref="ha-sockets"/>
</server-group>
<server-group name="SG2" profile="ha">
<system-properties>
<property name="mycluster.modcluster.balancer" value="SG2Balancer"/>
</system-properties>
<jvm name="default"/>
<socket-binding-group ref="ha-sockets"/>
</server-group>
....
And in host.xml (same as in slave and host):
....
<servers>
<server name="server-1" group="SG1" auto-start="true">
<socket-bindings port-offset="1"/>
</server>
<server name="server-2" group="SG2" auto-start="true">
<socket-bindings port-offset="2"/>
</server>
....
I need to point each virtual hosts to a specific server-group, so this is my solution for it:
www.vhost1.com -> SG1Balancer, which is attached to group=SG1, so it will load balance between:
jboss-instance-1's server-1
jboss-instance-2's server-1
www.vhost2.com -> SG2Balancer, which is attached to group=SG2, so it will load balance between:
jboss-instance-1's server-2
jboss-instance-2's server-2
Here's my httpd configuration sets:
loadbalancer.conf:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so
<IfModule manager_module>
Listen 0.0.0.0:6677
ManagerBalancerName ddrct-cluster
<VirtualHost *:6677>
ServerName RecetteDtvLb1
<Location />
Order deny,allow
Allow from 0.0.0.0
</Location>
# No server advertising
# we're using proxy-list
ServerAdvertise Off
KeepAliveTimeout 300
MaxKeepAliveRequests 0
EnableMCPMReceive
<Location /mcm>
SetHandler mod_cluster-manager
Order deny,allow
Allow from 0.0.0.0
</Location>
</VirtualHost>
</IfModule>
vhosts.conf:
ProxyRequests Off
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.vhost1.com
ProxyPass / balancer://SG1Balancer stickysession=JSESSIONID
ProxyPassReverse / balancer://SG1Balancer
ProxyPreserveHost On
ErrorLog "logs/vhost1_error.log"
CustomLog "logs/vhost1_access.log" common
</VirtualHost>
<VirtualHost *:80>
ServerName www.vhost2.com
ProxyPass / balancer://SG2Balancer stickysession=JSESSIONID
ProxyPassReverse / balancer://SG2Balancer
ProxyPreserveHost On
ErrorLog "logs/vhost2_error.log"
CustomLog "logs/vhost2_access.log" common
</VirtualHost>
Everything is running fine, deployed apps in G1 can be used through www.vhost1.com and vice versa for G2. The problem is all about session stickiness; here are the symptoms:
My browser is accepting the JSESSIONID cookie, but having a content like this: KhH7gInyAFPsILN6mYDQ84Kf.jboss-instance-1:server-1 will not get my next request stuck to jboss-instance-1's server-1. The load balancer will switch my requests between jboss-instance-1's server-1 and jboss-instance-2's server-1, and each time it changes the JSESSIONID cookie content.
When I manually edit the content of the JSESSIONID cookie (using the firecookie plugin) to remove the server name like this: KhH7gInyAFPsILN6mYDQ84Kf.jboss-instance-1, my requests will be sticking to jboss-instance-1, leading to a correct behaviour.
I did not find much documentation about multi-vhost and multi-server-group clustering and load balancing configurations; it was my own guess to implement such a configuration, I may have got it wrong ... any help?
Issue resolved, from KB182813:
Do not put the "-" character in your balancer name as it has been known to create sticky session issues
Do not use uppercase characters in your balancer name
Regarding node names
The relevant issue MODCLUSTER-435 was resolved in Nov 2014. It is safe to use upper case characters and dashes in any decent mod_cluster version, i.e. 1.3.x.
Regarding ProxyPass
One doesn't need to set anything ProxyPass related unless one wants to do something special. The aforementioned setting is redundant and weird. Mod_cluster uses mod_proxy as its backend, so it actually dynamically configures proxy pass balancer members for you. It makes sense to have your own ProxyPass additional setting if you wish to alter the balancer's behaviour in a custom way, e.g.
One needs to have static content served from the Apache HTTP Server while the dynamic one being proxied to Wildfly workers:
ProxyPassMatch ^/app/static/ !
ProxyPass /app balancer://qacluster stickysession=JSESSIONID|jsessionid nofailover=on
ProxyPass / !
ProxyPassReverse /app balancer://qacluster
ProxyPassReverseCookieDomain / /app/
ProxyPassReverseCookiePath / /app/
ProxyPreserveHost on

apache http server load balancer monitoring

I configured apache http server to act as load balancer using mod-proxy module
<Proxy balancer://clusterABCD>
BalancerMember http://192.168.0.222:8080/geoserver/wms loadfactor=8
BalancerMember http://192.168.0.14:8081/geoserver/wms loadfactor=8
BalancerMember http://192.168.0.222:8082/geoserver/wms status=+H
ProxySet lbmethod=bytraffic
Order allow,deny
Allow from all
</Proxy>
ProxyPass /LGroup balancer://clusterABCD/
Is there any way to monitor the load balancer functionality
My question is
is there any way to find from which BalanceMember the request is processing
is there any settings available to increase functionality
Thanks IN Advance
In response to both your questions, yes it is possible, but you will need to enhance your configuration for Apache Load Balancing via Mod Proxy to have this functionality available.
I suggest you use the sample setup below:
<VirtualHost *:80>
ProxyRequests off
ServerName servername.local
<Proxy balancer://mycluster>
# TomcatA
BalancerMember http://172.20.20.101:8080 route=tomcatA
# TomcatB
BalancerMember http://172.20.20.102:8080 route=tomcatB
# TomcatC
BalancerMember http://172.20.20.103:8080 route=tomcatC
# Security – to determine who is allowed to access
# Currently all are allowed to access
Order Deny,Allow
Deny from none
Allow from all
# Load Balancer Settings
# We will be configuring a simple Round
# Robin style load balancer. This means
# that all nodes take an equal share of
# of the load.
ProxySet lbmethod=byrequests
</Proxy>
# balancer-manager
# This tool is built into the mod_proxy_balancer
# module and will allow you to do some simple
# modifications to the balanced group via a gui
# web interface.
<Location /balancer-manager>
SetHandler balancer-manager
# I recommend locking this one down to your
# administering location
Order deny,allow
Allow from all
</Location>
# Point of Balance
# This setting will allow to explicitly name the
# location in the site that we want to be
# balanced, in this example we will balance "/"
# or everything in the site.
ProxyPass /balancer-manager !
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID|jsessionid nofailover=Off scolonpathdelim=On
</VirtualHost>
To view the Balance Request you need to have the module
mod_proxy_balancer
installed and then use the configuration from above.
In regards to availability, it depends on the Load Balancer Settings. The Round Robin approach shares the traffic equally between the nodes, and is seen as possibly the best option for availability:
ProxySet lbmethod=byrequests
Also, if you are considering sharing sessions with your request from Apache to app servers, then configuration to the AJP instead of the HTTP port is needed along with changes needed on the Application Servers (such as Tomcat). More details are available at:
Load Balancing: Apache versus Physical Appliance
May be too simple, but what about monitoring the (access-) logs of your balancer members? This should show you, which member is processing the request.
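mod_proxy_balancer exports environment variables describing which member it picked, and these can be written to the access log on the balancer itself. An added example, not part of the original answers; the log file name and the `balancer_log` format nickname are assumed names:

```apache
# Added example: record the balancer decision for every proxied request.
# BALANCER_WORKER_NAME    = URL of the BalancerMember that served the request
# BALANCER_WORKER_ROUTE   = route= value of that member (e.g. tomcatA)
# BALANCER_SESSION_ROUTE  = route parsed from the client's sticky session
# BALANCER_ROUTE_CHANGED  = 1 when the session route and worker route differ
LogFormat "%h %l %u %t \"%r\" %>s %b balancer=%{BALANCER_NAME}e worker=%{BALANCER_WORKER_NAME}e route=%{BALANCER_WORKER_ROUTE}e session_route=%{BALANCER_SESSION_ROUTE}e changed=%{BALANCER_ROUTE_CHANGED}e" balancer_log
CustomLog "logs/balancer_access.log" balancer_log
```

Place both directives inside the `<VirtualHost>` that carries the `ProxyPass` to the balancer; fields that are not set for a request are logged as `-`.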

Apache: Restrict access to specific source IP inside virtual host

I have several named virtual hosts on the same Apache server; for one of the virtual hosts I need to ensure only a specific set of IP addresses are allowed to access.
Please suggest the best way to do this. I have looked at the mod_authz_host module but it does not look like I can do it inside a virtual host.
The mod_authz_host directives need to be inside a <Location> or <Directory> block but I've used the former within <VirtualHost> like so for Apache 2.2:
<VirtualHost *:8080>
<Location />
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
...
</VirtualHost>
Reference: https://askubuntu.com/questions/262981/how-to-install-mod-authz-host-in-apache
For Apache 2.4, you would use the Require IP directive. So to only allow machines from the 192.168.0.0/24 network (range 192.168.0.0 - 192.168.0.255)
<VirtualHost *:80>
<Location />
Require ip 192.168.0.0/24
</Location>
...
</VirtualHost>
And if you just want the localhost machine to have access, then there's a special Require local directive.
The local provider allows access to the server if any of the following conditions is true:
the client address matches 127.0.0.0/8
the client address is ::1
both the client and the server address of the connection are the same
This allows a convenient way to match connections that originate from the local host:
<VirtualHost *:80>
<Location />
Require local
</Location>
...
</VirtualHost>
If you are using apache 2.2 inside your virtual host you should add following directive (mod_authz_host):
Order deny,allow
Deny from all
Allow from 10.0.0.1
You can even specify a subnet
Allow from 10.0.0
Apache 2.4 configuration looks a little different.
It may be better to specify which version of Apache you are using.
In Apache 2.4, the authorization configuration syntax has changed, and the Order, Deny or Allow directives should no longer be used.
The new way to do this would be:
<VirtualHost *:8080>
<Location />
Require ip 192.168.1.0
</Location>
...
</VirtualHost>
Further examples using the new syntax can be found in the Apache documentation: Upgrading to 2.4 from 2.2