Load balancing for WSO2 Identity Server nodes using Apache HTTP Server

In my previous blog post, we saw how to cluster multiple Identity Server nodes. In this blog post I am going to use Apache HTTP Server to load balance the WSO2 Identity Server cluster nodes. Apache HTTP Server can easily be configured to support sticky sessions with Identity Server nodes.


1. You need to install Apache HTTP server.

If you are on Ubuntu, you can install it using apt-get as follows:

apt-get install apache2

2. You need to enable the necessary modules.

On Ubuntu you can do this using the a2enmod command.

3. You need a private key file and a certificate file to configure SSL communication with Apache HTTP Server. You can find the default configuration with self-signed keys:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

How to Configure

Let's go through it step by step.

Step 1. Configure a virtual host containing the following sample content (on Ubuntu you can create it inside the /etc/apache2/sites-available directory).

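<IfModule mod_proxy.c>
<VirtualHost *:443>
 ServerAdmin [email protected]
 ServerName localhost
 ServerAlias localhost
 # Reverse proxy only; never act as a forward proxy
 ProxyRequests Off
 # TLS towards clients (SSLEngine) and towards the back-end nodes (SSLProxyEngine)
 SSLEngine On
 SSLProxyEngine On
 SSLCertificateFile /home/asela/security/server.crt
 SSLCertificateKeyFile /home/asela/security/server.key
 <Proxy *>
  Order deny,allow
  Allow from all
 </Proxy>
 # Do not forward /balancer-manager to the back end
 ProxyPass /balancer-manager !
 # Everything else goes to the balancer; sessions stick on the JSESSIONID cookie
 ProxyPass / balancer://wso2.identity.domain/ lbmethod=byrequests stickysession=JSESSIONID
 ProxyPassReverse / https://localhost:9443/
 ProxyPassReverse / https://localhost:9444/
 # Cluster members; each route must match the jvmRoute of that node
 <Proxy balancer://wso2.identity.domain>
  BalancerMember https://localhost:9443 route=isNode1 loadfactor=1
  BalancerMember https://localhost:9444 route=isNode2 loadfactor=1
 </Proxy>
</VirtualHost>
</IfModule>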

Important notes on this configuration:

  • I have assumed that Apache HTTP Server and the WSO2 Identity Server cluster (2 nodes, with HTTPS ports 9443 and 9444) are running on the same machine (localhost).
  • All requests that come to port 443 are load balanced to 9443 and 9444.
  • The ServerName and ServerAlias parameters are set to "localhost".
  • SSL has been enabled on both the client side (for clients that call Apache HTTP Server) and the back-end side (for the WSO2 Identity Server nodes). Please note that certificate validation is not enabled for Identity Server, so Apache accepts whatever certificate a node presents. Therefore you do not need to configure the Identity Server certificate in Apache HTTP Server.
  • A proxy is created to send all requests to the wso2.identity.domain load balancer.
  • In the wso2.identity.domain load balancer configuration, the members (WSO2 Identity Server nodes) have been defined with the following two parameters:

route – this defines the jvmRoute parameter that is configured in the corresponding WSO2 Identity Server node. This parameter is needed to achieve sticky sessions.
loadfactor – this defines how the load must be shared between the two nodes. Here it is configured as an equal load for both nodes.

You can find more details in the Apache HTTP Server docs and define your own configuration. The virtual host configuration defined above is just a sample.

Step 2. Enable the virtual host configuration

On Ubuntu you can do this using the a2ensite command.

Step 3. Restart Apache HTTP Server

On Ubuntu, use

/etc/init.d/apache2 restart

Step 4. Restart the WSO2 Identity Server nodes with the proper jvmRoute IDs (as configured in the virtual host configuration)

Pass the corresponding jvmRoute ID as a system property value.

For example, on UNIX you can set this before the WSO2 IS server is started as follows:

export JAVA_OPTS='-DjvmRoute=isNode1'

Or you can set this in the wso2server.sh or wso2server.bat. In wso2server.sh script file, you can set as;


Step 5. Log in to Identity Server using the new URL, i.e. https://localhost/carbon. You can log in to different nodes with sticky sessions.
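
The route/jvmRoute pairing and the unverified back-end TLS noted above can be checked before restarting Apache. The following is an added example, not part of the original post: a POSIX shell and awk audit of a virtual host file, plus a helper that extracts the route suffix a node appends to JSESSIONID. The function names, finding labels and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: node 2 has no route= and back-end certificates are not verified.
sample_conf() {
cat <<'EOF'
<VirtualHost *:443>
 SSLProxyEngine On
 ProxyPass / balancer://wso2.identity.domain/ lbmethod=byrequests stickysession=JSESSIONID
 <Proxy balancer://wso2.identity.domain>
  BalancerMember https://localhost:9443 route=isNode1 loadfactor=1
  BalancerMember https://localhost:9444 loadfactor=1
 </Proxy>
</VirtualHost>
EOF
}

# audit_vhost: read a vhost on stdin, print one finding per line (nothing if clean).
audit_vhost() {
  awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    { d = tolower($1) }                          # directive names are case-insensitive
    d == "sslproxyengine" && tolower($2) == "on"      { tls = 1 }
    d == "sslproxyverify" && tolower($2) == "require" { verify = 1 }
    d == "proxypass" && /balancer:\/\// && /stickysession=/ { sticky = 1 }
    d == "balancermember" {
      members++; route = ""
      for (i = 3; i <= NF; i++) if ($i ~ /^route=/) route = substr($i, 7)
      if (route == "") print "NO_ROUTE " $2      # this node cannot be stuck to
      else if (seen[route]++) print "DUP_ROUTE " route
      if ($2 ~ /^https:/) https = 1
    }
    END {
      if (members && !sticky) print "NO_STICKYSESSION"
      if (tls && https && !verify) print "BACKEND_CERT_NOT_VERIFIED"
    }'
}

# cookie_route: print the jvmRoute suffix of a JSESSIONID value (empty if none was set).
cookie_route() {
  case "$1" in
    *.*) printf '%s\n' "${1#*.}" ;;
    *)   printf '\n' ;;
  esac
}

sample_conf | audit_vhost
```

An empty result from cookie_route for a cookie issued by a node means that node was started without -DjvmRoute, so the balancer has nothing to match against route=.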