From 4da5c637932fc8f223be8afdbbd95352db127274 Mon Sep 17 00:00:00 2001
From: Vincent Untz
Date: Wed, 8 Feb 2017 11:57:53 +0100
Subject: [PATCH 1/2] horizon: Configure stickiness with haproxy

We use cookie-based stickiness for non-SSL, and we also expire the stickiness based on the session timeout. This should make the haproxy/horizon combo to work well, with each session sticking to one backend, thus avoiding potential issues where requests are spread between multiple backends. Note that we use two cookies: - sessionid, which identifies a session - csrftoken, which identifies a "login session", before a real session really exists, with the proper sessionid token
---
chef/cookbooks/horizon/recipes/ha.rb | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/chef/cookbooks/horizon/recipes/ha.rb b/chef/cookbooks/horizon/recipes/ha.rb
index 2de52b7754..165e89d33f 100644
--- a/chef/cookbooks/horizon/recipes/ha.rb
+++ b/chef/cookbooks/horizon/recipes/ha.rb
@@ -15,20 +15,31 @@ include_recipe "crowbar-pacemaker::haproxy" +stick_options = { + # we want stickiness for the session (sessionid), but also for the login form + # (csrftoken) + cookies: ["sessionid", "csrftoken"], + expire: "#{node[:horizon][:session_timeout]}m" +} + haproxy_loadbalancer "horizon" do address "0.0.0.0" port 80 use_ssl false servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "horizon", "horizon-server", "plain") + stick stick_options action :nothing end.run_action(:create) if node[:horizon][:apache][:ssl] + stick_options = { expire: "#{node[:horizon][:session_timeout]}m" } + haproxy_loadbalancer "horizon-ssl" do address "0.0.0.0" port 443 use_ssl true servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "horizon", "horizon-server", "ssl") + stick stick_options action :nothing end.run_action(:create) end
From 2471a0e46493769e84a040ccd570d4bbbec7b8cd Mon Sep 17 00:00:00 2001
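Review bot: Both `stick_options` hashes build `expire` by interpolating `node[:horizon][:session_timeout]` unchecked, so an unset attribute produces the literal `"m"`, and the mistake would presumably only surface when haproxy parses the generated config. Computing it once before the first hash, `stick_expire = "#{Integer(node[:horizon][:session_timeout])}m"`, and using `expire: stick_expire` in both places fails the chef run early and removes the duplicated expression. The assignment inside the `if` also reuses the name of the outer local; a name such as `ssl_stick_options` would make it obvious that the SSL listener deliberately has no `cookies:` key. Since `csrftoken` is, per the comment, present before login, entries keyed on it are presumably created by unauthenticated requests and kept for the whole session timeout, so it is worth confirming that the table behind `stick` has a bounded size.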
From: Vincent Untz
Date: Wed, 8 Feb 2017 17:09:07 +0100
Subject: [PATCH 2/2] horizon: Use "source" balance strategy for ssl haproxy

Since horizon is really used by browsers, the affinity based on SSL session ID is not enough because the browsers open multiple connections. To make sure a user always ends up on the same backend, we enforce the balance strategy to be "source" (that is based, on the the client IP address).
---
chef/cookbooks/horizon/recipes/ha.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/chef/cookbooks/horizon/recipes/ha.rb b/chef/cookbooks/horizon/recipes/ha.rb
index 165e89d33f..bd16278b6f 100644
--- a/chef/cookbooks/horizon/recipes/ha.rb
+++ b/chef/cookbooks/horizon/recipes/ha.rb
@@ -40,6 +40,7 @@
 use_ssl true
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "horizon", "horizon-server", "ssl")
 stick stick_options
+ balance "source"
 action :nothing
 end.run_action(:create)
 end
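Review bot: The added `balance "source"` line carries no comment, although source-IP hashing has trade-offs an operator will want to know when reading the recipe: every user behind the same NAT or forward proxy lands on one backend, and clients can be remapped to another backend when the set of running servers changes. The commit message explains why the strategy was chosen, but that reasoning is not visible in the file. I would add above the line `# "source" hashes the client IP: users behind one NAT/proxy share a backend, and a change in running servers can remap clients`. The enclosing `haproxy_loadbalancer "horizon-ssl"` block starts outside this hunk.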