Is there a recommended HTTPD (Apache) load balancer configuration for WCC?
Release : 12.0
Component : WORKLOAD CONTROL CENTER
This configuration is suggested only as an example; it is highly recommended that this be done by a load balancer administrator.
First, make sure basic httpd proxying works, via httpd.conf (or via another .conf file included from httpd.conf):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
Note: Without the above modules loaded, httpd may not start properly.
Now add the WCC-specific load balancer entries:
<Location /balancer-manager>
SetHandler balancer-manager
</Location>
ProxyPass /balancer-manager !
# failonstatus is available with Apache HTTP Server 2.2.17 and later. Remove the parameter if necessary.
ProxyPass /wcc balancer://wccbalancer stickysession=WCC-ASID failonstatus=503
ProxyPassReverse /wcc balancer://wccbalancer
# All WCC HA nodes in a WCC HA cluster must use the same protocol, either http or https.
# To change the protocol of a node, use the batch interface wcc_config.[bat|sh]
# in the <CA_WCC_INSTALL_LOCATION>/bin folder.
<Proxy balancer://wccbalancer>
BalancerMember http://server1.company.com:8080/wcc route=server1.company.com timeout=30s
BalancerMember http://server2.company.com:8080/wcc route=server2.company.com timeout=30s
</Proxy>
If the previous configuration does not work (the login attempt gives this error in the browser: "E150004: An error occurred during authentication. Authentication between CA WCC and EEM failed."), use the ROUTEID cookie instead of WCC-ASID:
<Location /balancer-manager>
SetHandler balancer-manager
</Location>
ProxyPass /balancer-manager !
# failonstatus is available with Apache HTTP Server 2.2.17 and later. Remove the parameter if necessary.
ProxyPass /wcc balancer://wccbalancer stickysession=ROUTEID failonstatus=503
ProxyPassReverse /wcc balancer://wccbalancer
# All WCC HA nodes in a WCC HA cluster must use the same protocol, either http or https.
# To change the protocol of a node, use the batch interface wcc_config.[bat|sh]
# in the <CA_WCC_INSTALL_LOCATION>/bin folder.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://wccbalancer>
BalancerMember http://server1.company.com:8080/wcc route=server1.company.com timeout=300s
BalancerMember http://server2.company.com:8080/wcc route=server2.company.com timeout=300s
</Proxy>
SSL example:
httpd.conf:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
<Location /balancer-manager>
SetHandler balancer-manager
</Location>
ProxyPass /balancer-manager !
# failonstatus is available with Apache HTTP Server 2.2.17 and later. Remove the parameter if necessary.
ProxyPass /wcc balancer://wccbalancer stickysession=ROUTEID failonstatus=503
ProxyPassReverse /wcc balancer://wccbalancer
# All WCC HA nodes in a WCC HA cluster must use the same protocol, either http or https.
# To change the protocol of a node, use the batch interface wcc_config.[bat|sh]
# in the <CA_WCC_INSTALL_LOCATION>/bin folder.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://wccbalancer>
BalancerMember https://server1.company.com:8443/wcc route=server1.company.com timeout=300s
BalancerMember https://server2.company.com:8443/wcc route=server2.company.com timeout=300s
</Proxy>
conf/extra/httpd-ssl.conf:
SSLProxyEngine On
SSLCertificateFile /httpd-2.4.18/Apache24/server-cert.pem
SSLCertificateKeyFile /httpd-2.4.18/Apache24/server-cert-key.key
SSLCertificateChainFile /httpd-2.4.18/Apache24/tomcat.pem
# server-cert.pem is the server certificate.
# server-cert-key.key is the private key for the server-cert.pem certificate.
# tomcat.pem is the whole certificate chain of WCC SSL certificates that Apache HTTPD needs to be able to use.
# The settings below might also be needed if self-signed certificates are used on the WCC nodes.
# Add them right after the SSLProxyEngine On option described above, or before the <Location /balancer-manager> section.
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
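A hardened variant of the SSL example above, for deployments where the WCC node certificates can be validated: it restricts /balancer-manager, flags the ROUTEID cookie, and keeps back-end certificate verification on instead of using SSLProxyVerify none. This is an added example, not part of the original article; the administrator subnet and the trust-bundle path are placeholders, and it assumes Apache 2.4 with mod_headers loaded and clients reaching httpd over https.

```apache
# Added example (not from the original article). Placeholder values are marked.

# 1. Limit who can reach the balancer-manager UI, which can change or
#    disable balancer members at runtime.
<Location /balancer-manager>
    SetHandler balancer-manager
    # Placeholder: replace with the load balancer administrators' subnet.
    Require ip 192.0.2.0/24
</Location>
ProxyPass /balancer-manager !

ProxyPass /wcc balancer://wccbalancer stickysession=ROUTEID failonstatus=503
ProxyPassReverse /wcc balancer://wccbalancer

# 2. Same sticky-session cookie as above, with Secure and HttpOnly added.
#    Secure assumes clients connect to httpd over https.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

<Proxy balancer://wccbalancer>
    BalancerMember https://server1.company.com:8443/wcc route=server1.company.com timeout=300s
    BalancerMember https://server2.company.com:8443/wcc route=server2.company.com timeout=300s
</Proxy>

# 3. Verify the WCC nodes' certificates on the proxied connection.
SSLProxyEngine On
SSLProxyVerify require
# Placeholder path: PEM bundle holding the CA certificate(s) that issued the
# WCC node certificates. For self-signed nodes, put the node certificates
# themselves in this bundle.
SSLProxyCACertificateFile /path/to/wcc-trust.pem
# The name in each node certificate must match the BalancerMember host name
# (server1.company.com, server2.company.com).
SSLProxyCheckPeerName on
```

With SSLProxyVerify none and SSLProxyCheckPeerName off, httpd accepts any certificate presented on the back-end connection, so the trust bundle above is what lets self-signed WCC nodes be used without disabling verification.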