In my previous blog post, we saw how to cluster multiple Identity Server nodes. In this blog post I am going to use the Apache HTTP server to load balance the WSO2 Identity Server cluster nodes. The Apache HTTP server can easily be configured to support sticky sessions with the Identity Server nodes.
Prerequisites
1. You need to install the Apache HTTP server.
If you are on Ubuntu, you can easily install it using apt-get as follows:
apt-get install apache2
2. You need to enable the necessary modules:
proxy_http
ssl
proxy_balancer
You can easily do this using the a2enmod command on Ubuntu.
3. You need a private key file and a certificate file to configure SSL communication with the Apache HTTP server. The default configuration comes with self-signed keys:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
How to Configure
Let's go through it step by step.
Step 1. Configure a virtual host containing the following sample content. (On Ubuntu you can create it inside the /etc/apache2/sites-available directory.)
<IfModule mod_proxy.c>
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName localhost
    ServerAlias localhost
    ProxyRequests Off
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /home/asela/security/server.crt
    SSLCertificateKeyFile /home/asela/security/server.key
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /balancer-manager !
    ProxyPass / balancer://wso2.identity.domain/ lbmethod=byrequests stickysession=JSESSIONID
    ProxyPassReverse / https://localhost:9443/
    ProxyPassReverse / https://localhost:9444/
    <Proxy balancer://wso2.identity.domain>
        BalancerMember https://localhost:9443 route=isNode1 loadfactor=1
        BalancerMember https://localhost:9444 route=isNode2 loadfactor=1
    </Proxy>
</VirtualHost>
</IfModule>
Important notes on this configuration:
- I have assumed that the Apache HTTP server and the WSO2 Identity Server cluster (2 nodes, with HTTPS ports 9443 and 9444) are running on the same machine (localhost).
- All requests that come to port 443 are load balanced to 9443 and 9444.
- The ServerName and ServerAlias parameters are set to "localhost".
- SSL has been enabled both on the client side (for clients that call the Apache HTTP server) and for the back-end servers (the WSO2 Identity Server nodes). Please note that certificate validation is not enabled for the Identity Server connections, so you do not need to configure the Identity Server certificate in the Apache HTTP server. This also means Apache accepts whatever certificate a back-end node presents; mod_ssl provides the SSLProxyVerify and SSLProxyCACertificateFile directives if you want the nodes to be verified.
- A proxy is created to send all requests to the wso2.identity.domain load balancer.
- In the wso2.identity.domain load balancer configuration, the members (WSO2 Identity Server nodes) have been defined with the following two parameters:
route – this defines the jvmRoute parameter that is configured in the corresponding WSO2 Identity Server node. This parameter is needed to achieve sticky sessions.
loadfactor – this defines how load is shared between the two nodes. Here it is configured as an equal load for both nodes.
You can find more details in the Apache HTTP server docs and define your own configuration. The virtual host configuration defined above is just a sample.
Step 2. Enable the virtual host configuration
You can easily do this on Ubuntu using the a2ensite command.
Step 3. Restart the Apache HTTP server
On Ubuntu, use
/etc/init.d/apache2 restart
Step 4. Restart the WSO2 Identity Server nodes with the proper jvmRoute IDs (matching the route values configured in the virtual host configuration)
Pass the corresponding jvmRoute ID as a system property value.
As an example, on UNIX you can set it as follows before the WSO2 IS server is started:
export JAVA_OPTS='-DjvmRoute=isNode1'
Or you can set it in wso2server.sh or wso2server.bat. In the wso2server.sh script file, you can set it as:
-DjvmRoute=isNode1
Step 5. Log in to the Identity Server using the new URL, i.e. https://localhost/carbon. You can log in to different nodes with sticky sessions.
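One way to check that the jvmRoute from Step 4 actually reached the session cookie, since stickysession=JSESSIONID can only pin a client when the cookie value ends in a "." followed by one of the configured route values. This is an added example, not part of the original post; the function names are hypothetical, KNOWN_ROUTES repeats the route= values from the virtual host above, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# route= values of the BalancerMember lines in the virtual host above.
KNOWN_ROUTES="isNode1 isNode2"

# Print the route suffix of the JSESSIONID found in a Cookie/Set-Cookie
# header line; return 1 if there is no JSESSIONID or no ".route" part.
jsession_route() {
    case $1 in
        *JSESSIONID=*) jr_value=${1#*JSESSIONID=} ;;
        *) return 1 ;;
    esac
    jr_value=${jr_value%%;*}                            # drop attributes / later cookies
    jr_value=$(printf '%s' "$jr_value" | tr -d ' \r')   # drop spaces and a trailing CR
    case $jr_value in
        *.?*) printf '%s\n' "${jr_value#*.}" ;;         # text after the first '.'
        *) return 1 ;;
    esac
}

# Report how the balancer would treat a request carrying this cookie.
sticky_status() {
    if ! ss_route=$(jsession_route "$1"); then
        echo "no-route"                # jvmRoute not set on the node: not pinned
        return 0
    fi
    for ss_known in $KNOWN_ROUTES; do
        if [ "$ss_known" = "$ss_route" ]; then
            echo "sticky:$ss_route"    # pinned to the member with this route
            return 0
        fi
    done
    echo "unknown-route:$ss_route"     # jvmRoute matches no route= in the balancer
}

# Constructed sample headers (the session ids are made up).
SAMPLE_OK='Set-Cookie: JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9.isNode1; Path=/; Secure; HttpOnly'
SAMPLE_NO_ROUTE='Set-Cookie: JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9; Path=/; Secure; HttpOnly'
SAMPLE_TYPO='Cookie: JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9.isNode3'

for sample in "$SAMPLE_OK" "$SAMPLE_NO_ROUTE" "$SAMPLE_TYPO"; do
    sticky_status "$sample"
done
```

To check a running setup, pass sticky_status the JSESSIONID Set-Cookie line your HTTP client receives through the load balancer; anything other than a sticky: result means requests for that session can land on either node.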