Red Hat and CentOS Linux Load Balancer
Configuring a load balancer in Red Hat or CentOS Linux for PAM deployments.
Objective
The objective of this guide is to configure an HTTPS-enabled load balancer for a single-server PAM system on a Linux host computer.
Note that there are multiple architectures and products that can be used for load balancing of web applications, all involving different configuration files and mechanisms for obtaining and deploying an SSL certificate.
This guide describes one of these methods in order to illustrate the components and files required in the process.
Pre-requisites
- OS Red Hat / CentOS with Apache HTTP Server installed.
- A URI for the PAM setup that can be used as the managed path for the PAM SSO Server (such as https://pam.company.com) so that an external computer can access the PAM server using this URL.
- An SSL certificate from a trusted Certificate Authority. Note that the certificate must be trusted by all client-side and server-side system components (browsers and web containers) in order for the SSO server to work. The certificate consists of the following files:
  - The certificate (the guide assumes the name cert.crt)
  - The server private key (the guide assumes the name private.key)
  - Optional: CA bundle certificate (the guide assumes the name ca-bundle.crt)
  - Optional: Certificate chain file (the guide assumes the name server-ca.crt)
Configuration
- Check that the httpd and mod_ssl packages are installed and that the proxy modules are enabled in the Apache HTTP Server. They are enabled in the default CentOS setup but this should be confirmed.
  To do that, check the file /etc/httpd/conf.modules.d/00-proxy.conf and uncomment the following lines:
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
  If these lines are not present then install httpd and mod_ssl with the following command:
  yum install httpd mod_ssl
- Copy the certificate files into the /etc/pki/tls/certs/ directory and the private key into the /etc/pki/tls/private/ directory (the paths used in the commands below), then change the ownership and permissions of the private key so that only root can read it, using these commands:
  chown root /etc/pki/tls/private/private.key
  chmod 600 /etc/pki/tls/private/private.key
- Add the SSL and Load Balancer configuration to the Apache HTTP Server. Edit the file /etc/httpd/conf.d/ssl.conf and locate the line:
  <VirtualHost _default_:443>
- Add the load balancer configuration after this line:
  ProxyPass /xtam/websocket-tunnel ws://127.0.0.1:8080/xtam/websocket-tunnel
  ProxyPassReverse /xtam/websocket-tunnel ws://127.0.0.1:8080/xtam/websocket-tunnel
  ProxyPass /xtam/ http://127.0.0.1:8080/xtam/
  ProxyPassReverse /xtam/ http://127.0.0.1:8080/xtam/
  ProxyPass /cas/ http://127.0.0.1:8080/cas/
  ProxyPassReverse /cas/ http://127.0.0.1:8080/cas/
- Add the SSL certificates to the same file:
  Locate the line starting with SSLCertificateFile, uncomment it and add the path to the certificate:
  SSLCertificateFile /etc/pki/tls/certs/cert.crt
  Locate the line starting with SSLCertificateKeyFile, uncomment it and add the path to the private key:
  SSLCertificateKeyFile /etc/pki/tls/private/private.key
  Optionally, locate the line starting with SSLCACertificateFile, uncomment it and add the path to the CA bundle file:
  SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  Optionally, locate the line starting with SSLCertificateChainFile, uncomment it and add the path to the chain file:
  SSLCertificateChainFile /etc/pki/tls/certs/server-ca.crt
- Save and close the file.
- Allow the Apache HTTP Server to open network connections to the backend under SELinux (otherwise the ProxyPass connections to 127.0.0.1:8080 are denied) by issuing this command:
  /usr/sbin/setsebool -P httpd_can_network_connect 1
- Restart the Apache HTTP Server:
  service httpd restart
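A post-configuration check script, added here as an example and not part of the original guide or of the PAM product. It verifies the points the steps above depend on: the private key is readable by root only, the certificate and key actually belong together, every ProxyPass has its ProxyPassReverse, the SELinux boolean is set, and httpd accepts the configuration. The default paths are the file names the guide assumes; the script name check-proxy.sh is an assumption.

```shell
#!/bin/sh
# Post-configuration checks for the Apache HTTPS reverse proxy set up above.
# Added example; not part of the original guide or the PAM product.
# Assumes the file names the guide uses (cert.crt, private.key, ssl.conf);
# every path is a parameter so the checks can be run against other locations.

# 0 when the key file exists, is mode 0600 and is owned by $2 (default root).
# A group- or world-readable key lets any local account impersonate the site.
check_key_perms() {
    key="$1"; owner="${2:-root}"
    [ -f "$key" ] || return 1
    set -- $(stat -c '%a %U' "$key")    # GNU stat (Red Hat / CentOS)
    [ "$1" = "600" ] && [ "$2" = "$owner" ]
}

# 0 when every ProxyPass path in the config file has a ProxyPassReverse entry.
# Without the reverse mapping, redirects issued by the backend carry the
# http://127.0.0.1:8080 address to the browser and the SSO flow breaks.
check_proxy_pairs() {
    awk '
        /^[[:space:]]*ProxyPass[[:space:]]/        { pass[$2] = 1 }
        /^[[:space:]]*ProxyPassReverse[[:space:]]/ { rev[$2]  = 1 }
        END {
            missing = 0
            for (p in pass) if (!(p in rev)) {
                print "no ProxyPassReverse for " p; missing++
            }
            exit missing
        }' "$1"
}

# 0 when the certificate and the private key carry the same public key,
# i.e. SSLCertificateFile and SSLCertificateKeyFile belong together.
check_cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when SELinux permits httpd to open outbound connections (or the SELinux
# tooling is absent); otherwise ProxyPass to 127.0.0.1:8080 is denied.
check_sebool() {
    command -v getsebool >/dev/null 2>&1 || return 0
    getsebool httpd_can_network_connect 2>/dev/null | grep -q -- '--> on'
}

# 0 when httpd accepts the configuration (or httpd is not installed here).
check_httpd_syntax() {
    command -v httpd >/dev/null 2>&1 || return 0
    httpd -t >/dev/null 2>&1
}

# Run every check against the paths from the guide and report each result;
# returns non-zero when any check fails.
run_all() {
    rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report check_key_perms      /etc/pki/tls/private/private.key
    report check_cert_key_match /etc/pki/tls/certs/cert.crt /etc/pki/tls/private/private.key
    report check_proxy_pairs    /etc/httpd/conf.d/ssl.conf
    report check_sebool
    report check_httpd_syntax
    return $rc
}

# Only run when invoked as "sh check-proxy.sh run", so the functions can also
# be sourced from another script without side effects.
if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Run it as root after the restart step (`sh check-proxy.sh run`); a FAIL on check_key_perms or check_cert_key_match means the certificate step was not completed as described, and a FAIL on check_sebool means the setsebool command was skipped or not made persistent with -P.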