From dbd92be1b08e92ef08411683be7d04f2b94e62e2 Mon Sep 17 00:00:00 2001
From: Vincent Untz
Date: Wed, 8 Feb 2017 11:57:53 +0100
Subject: [PATCH 1/2] horizon: Configure stickiness with haproxy We use cookie-based stickiness for non-SSL, and we also expire the stickiness based on the session timeout. This should make the haproxy/horizon combo to work well, with each session sticking to one backend, thus avoiding potential issues where requests are spread between multiple backends. Note that we use two cookies: - sessionid, which identifies a session - csrftoken, which identifies a "login session", before a real session really exists, with the proper sessionid token (cherry picked from commit 4da5c637932fc8f223be8afdbbd95352db127274)
---
 chef/cookbooks/horizon/recipes/ha.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/chef/cookbooks/horizon/recipes/ha.rb b/chef/cookbooks/horizon/recipes/ha.rb
index 0c3ccab605..49df892651 100644
--- a/chef/cookbooks/horizon/recipes/ha.rb
+++ b/chef/cookbooks/horizon/recipes/ha.rb
@@ -13,20 +13,31 @@
 # limitations under the License.
 #

+stick_options = {
+ # we want stickiness for the session (sessionid), but also for the login form
+ # (csrftoken)
+ cookies: ["sessionid", "csrftoken"],
+ expire: "#{node[:horizon][:session_timeout]}m"
+}
+
 haproxy_loadbalancer "horizon" do
 address "0.0.0.0"
 port 80
 use_ssl false
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "horizon", "horizon-server", "plain")
+ stick stick_options
 action :nothing
 end.run_action(:create)

 if node[:horizon][:apache][:ssl]
+ stick_options = { expire: "#{node[:horizon][:session_timeout]}m" }
+
 haproxy_loadbalancer "horizon-ssl" do
 address "0.0.0.0"
 port 443
 use_ssl true
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "horizon", "horizon-server", "ssl")
+ stick stick_options
 action :nothing
 end.run_action(:create)
 end
From 68fcc4a400258591a69b45b55dafdf24dd133a00 Mon Sep 17 00:00:00 2001
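Review bot: The `stick_options` reassignment inside `if node[:horizon][:apache][:ssl]` reuses the name of the hash defined at the top of the recipe and silently drops `cookies`, with no comment explaining why the SSL listener gets only an expiry. A distinct name plus a short comment would make the difference deliberate, e.g. `ssl_stick_options = { expire: "#{node[:horizon][:session_timeout]}m" }` preceded by `# no cookies here: haproxy cannot read them on the SSL listener` (presumably the reason, since the follow-up patch speaks of SSL session ID affinity; confirm against the haproxy_loadbalancer provider). Both hashes also interpolate `node[:horizon][:session_timeout]` unchecked, so an unset attribute would yield the bare string `"m"`; it is worth confirming the attribute always has a default and is expressed in minutes.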
From: Vincent Untz
Date: Wed, 8 Feb 2017 17:09:07 +0100
Subject: [PATCH 2/2] horizon: Use "source" balance strategy for ssl haproxy Since horizon is really used by browsers, the affinity based on SSL session ID is not enough because the browsers open multiple connections. To make sure a user always ends up on the same backend, we enforce the balance strategy to be "source" (that is based, on the the client IP address). (cherry picked from commit 2471a0e46493769e84a040ccd570d4bbbec7b8cd)
---
 chef/cookbooks/horizon/recipes/ha.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/chef/cookbooks/horizon/recipes/ha.rb b/chef/cookbooks/horizon/recipes/ha.rb
index 49df892651..367ce2e79b 100644
--- a/chef/cookbooks/horizon/recipes/ha.rb
+++ b/chef/cookbooks/horizon/recipes/ha.rb
@@ -38,6 +38,7 @@
 use_ssl true
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "horizon", "horizon-server", "ssl")
 stick stick_options
+ balance "source"
 action :nothing
 end.run_action(:create)
 end
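Review bot: `balance "source"` is added to the `horizon-ssl` listener without a comment, and hashing on the client address has side effects the recipe should record: every user behind one NAT gateway or forward proxy lands on the same backend, and a user whose address changes mid-session loses affinity. A comment above the line, such as `# browsers open several TLS connections, so SSL session ID affinity alone is not enough; pin by client IP`, would carry the commit message's reasoning into the code. If another proxy or load balancer can sit in front of haproxy, all traffic would presumably hash to a single backend, which is worth confirming for the supported deployments. The `haproxy_loadbalancer "horizon-ssl"` block starts outside this hunk.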