Managing a Load Balancer
Server Statuses
Status | Comment |
---|---|
ONLINE | The service is functioning. Service availability checks are successful |
CREATING | The server is being added to the rule |
UPDATING | Server settings are being updated |
OFFLINE | The server does not accept requests, while the server itself may be active |
BACKUP | The server has been moved to backup status and will be enabled if the other servers of the rule are not working. To return the server to normal operation mode, select the Return to work server menu option |
NO_MONITOR | Service health is not checked while performing availability checks. If all the load balancer services have this status, the load balancer status will be ONLINE |
DRAINING | The server does not accept new connections, but it continues to process the current ones |
ERROR | The service on the specified port either does not respond or does not pass the response type check |
DELETING | The server is being removed from the load balancer, but the server health is not affected |
Load Balancer Statuses
The load balancer status depends on the status of the server to which it distributes requests and also on its own state.
Status | Comment |
---|---|
ONLINE | All availability checks are successful |
CREATING | Load balancer is being created |
UPDATING | Balancer configurations are being updated |
OFFLINE | The balancer is not processing requests and is disabled |
DEGRADED | One of the balancer’s components has ERROR status |
ERROR | The reasons for this status could be: all servers have ERROR status, or an error in the work of the balancer has occurred. If you see that even with this balancer status all servers are working correctly and have ONLINE status, please contact technical support |
DELETING | The balancer is being deleted |
Redirecting HTTP Requests to HTTPS
Follow these steps to redirect any regular HTTP requests (port 80) to HTTPS (port 443):
-
Create listener on port 80:
openstack loadbalancer listener create --name <listener name> --protocol HTTP --protocol-port 80 <loadbalancer name>
- Configure the L7 Policy1 on http_listener with the REDIRECT_TO_URL action pointing to the URL:
openstack loadbalancer l7policy create --action REDIRECT_TO_URL --redirect-url https://example.com/ --name <policy name> <listener name>
- Add the L7 rule to policy1 that matches all requests:
openstack loadbalancer l7rule create --compare-type STARTS_WITH --type PATH --value / policy1
TCP → PROXY
The TCP → PROXY rule can be used when the servers behind the balancer need to know the real IP addresses of the users who access it.
When balancing and terminating HTTP(S) traffic, this task is solved by adding the X-Forwarded-For
header and processing it, for example, on nginx servers behind the balancer using the ngx_http_realip_module
module.
When balancing TCP traffic from HTTPS clients and transmitting it directly to the web servers (without modification or termination), this header cannot be added. Therefore, you can use the solutions provided by the Proxy Protocol to transfer the header.
Since the Cloud platform load balancer is based on HAproxy, the solutions provided below are also relevant for those based on the HAProxy – nginx bundle.
Follow these steps to configure all the necessary rules on the load balancer:
- Create a rule for balancing TCP traffic on port 80 (HTTP). Specify TCP as the load balancer protocol and PROXY as the server protocol.
- Create a rule for balancing TCP traffic on port 443 (HTTPS). Specify TCP as the load balancer protocol and PROXY as the server protocol.
- Configure the servers that traffic will be distributed to. Specify the balancing algorithm and the necessary settings for availability checks and connection timeouts according to the basic rule configurations.
If you don’t need HTTP or HTTPS balancing, you don’t need to configure any of these rules depending on the tasks to be solved.
To configure nginx on the servers themselves (to work with the PROXY protocol), enable support for the nginx proxy_protocol
directive. Learn more in the official nginx documentation.
An example of nginx.conf configured to accept real IP addresses from the Cloud platform load balancer:
server {
server_name localhost;
# ATTENTION! Working with the proxy_protocol directive is only
possible if bundled with haproxy
# For direct access, this directive must be disabled.
listen 443 ssl default_server proxy_protocol;
ssl_certificate /etc/nginx/ssl/public.example.com.pem;
ssl_certificate_key /etc/nginx/ssl/public.example.com.key;
# HAProxy address
set_real_ip_from 192.168.1.0/24;
# We recommend specifying CIDR, because balancer IP can change in some
cases
real_ip_header proxy_protocol;
root /usr/share/nginx/html;
index index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ /\.ht {
deny all;
}
}
Please note that using LVS and Direct Server Return method is not supported according to the Cloud platform security policy.