Debian and Ubuntu Linux Load Balancer

Objective

The objective of this guide is to configure an HTTPS-enabled load balancer for a single-server PAM system on a Linux host computer.

Note that multiple architectures and products can be used for load balancing web applications, each involving different configuration files and mechanisms for obtaining and deploying an SSL certificate.

This guide describes one of these methods to illustrate the components and files required in the process.

Pre-requisites

  • OS Debian / Ubuntu with Apache HTTP Server installed.
  • URI for the PAM setup that might be used as a managed path for the PAM SSO Server (such as https://pam.company.com), so that an external computer can access the PAM server using this URL.
  • SSL certificate from a trusted Certificate Authority. Note that the certificate should be trusted by all client-side and server-side system components (browsers and web containers) in order for the SSO server to work. The certificate consists of the following files:
      • The certificate (the guide assumes the name cert.crt)
      • Server private key (the guide assumes the name private.key)
      • Optional: CA bundle certificate (the guide assumes the name ca-bundle.crt)
      • Optional: Certificate chain file (the guide assumes the name server-ca.crt)

Configuration

  1. Verify that Apache HTTP Server is installed with the httpd and mod_ssl packages. These packages might not be installed on a default Ubuntu distribution.
  2. To install the packages, use the following commands:

    apt-get install apache2
    a2enmod ssl proxy proxy_http proxy_wstunnel
    a2ensite default-ssl
    service apache2 restart
  3. Copy the certificate files into the /etc/apache2/ssl/ directory. Change the permissions of the private key so that only root can access it, using these commands:

    chown root /etc/apache2/ssl/private.key
    chmod 600 /etc/apache2/ssl/private.key
  4. Add the SSL and load balancer configuration to the Apache HTTP Server.
  5. Edit the file /etc/apache2/sites-enabled/default-ssl.conf and locate the line:

    <VirtualHost _default_:443>
    1. Add the load balancer configuration after this line:

      ProxyPass /xtam/websocket-tunnel ws://127.0.0.1:8080/xtam/websocket-tunnel
      ProxyPassReverse /xtam/websocket-tunnel ws://127.0.0.1:8080/xtam/websocket-tunnel

      ProxyPass /xtam/ http://127.0.0.1:8080/xtam/
      ProxyPassReverse /xtam/ http://127.0.0.1:8080/xtam/

      ProxyPass /cas/ http://127.0.0.1:8080/cas/
      ProxyPassReverse /cas/ http://127.0.0.1:8080/cas/
    2. Add the SSL certificates to the same file:
    3. Locate the line starting with SSLCertificateFile, uncomment it and add the path to the certificate:

      SSLCertificateFile /etc/apache2/ssl/cert.crt

      Locate the line starting with SSLCertificateKeyFile, uncomment it and add the path to the private key:

      SSLCertificateKeyFile /etc/apache2/ssl/private.key

      Optionally, locate the line starting with SSLCACertificateFile, uncomment it and add the path to the CA bundle certificate:

      SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt

      Optionally, locate the line starting with SSLCertificateChainFile, uncomment it and add the path to the chain file:

      SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt
    4. Save and close the file.
  6. Restart the Apache HTTP Server:

    service apache2 restart
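
The script below is an added example, not part of the original guide or the product. It checks the private key permissions set in the Configuration steps and two properties of the ProxyPass rules: the websocket rule comes before the broader /xtam/ rule (Apache applies the first matching ProxyPass), and every backend stays on 127.0.0.1, because the proxied leg is unencrypted. The function names and the audit.sh file name are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the guide): checks for the key permissions and
# ProxyPass rules configured above. Function names are hypothetical.

# key_perms_ok FILE [UID]: true if FILE is mode 600 and owned by UID
# (default 0, root). Assumes GNU stat, as shipped on Debian/Ubuntu.
key_perms_ok() {
    [ "$(stat -c '%a:%u' "$1" 2>/dev/null)" = "600:${2:-0}" ]
}

# proxy_order_ok CONF: Apache checks ProxyPass rules in file order and the
# first match wins, so the websocket rule must precede the broader /xtam/ rule.
proxy_order_ok() {
    awk '$1 == "ProxyPass" && $2 == "/xtam/websocket-tunnel" { ws = NR }
         $1 == "ProxyPass" && $2 == "/xtam/"                 { app = NR }
         END { exit !(ws && app && ws < app) }' "$1"
}

# backends_loopback_ok CONF: the proxied leg is plain http/ws, so every
# ProxyPass target should stay on 127.0.0.1. Offending targets are printed.
backends_loopback_ok() {
    ! awk '$1 == "ProxyPass" { print $3 }' "$1" |
        grep -Ev '^(http|ws)://127\.0\.0\.1[:/]'
}

# audit CONF KEY [UID]: run all three checks and report each failure.
audit() {
    rc=0
    key_perms_ok "$2" "${3:-0}" || { echo "FAIL: $2 must be mode 600, uid ${3:-0}"; rc=1; }
    proxy_order_ok "$1" || { echo "FAIL: websocket ProxyPass must precede /xtam/"; rc=1; }
    backends_loopback_ok "$1" || { echo "FAIL: non-loopback backend in $1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# With arguments, audit the given files, e.g. as root (audit.sh is a hypothetical name):
#   sh audit.sh /etc/apache2/sites-enabled/default-ssl.conf /etc/apache2/ssl/private.key
if [ "$#" -ge 2 ]; then audit "$@"; fi
```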