Setting Up HAProxy Balancer for Working via HTTPS Protocol Using Web Forms

Before setting up the BI servers, the web application, and the balancer to work via the HTTPS protocol, prepare a root certificate and a security certificate for each server. Each server certificate must be signed with the root certificate. All certificates can be prepared with standard cryptographic tools, for example OpenSSL.

Combine the key and the root certificate into one file; this file will be used when setting up HAProxy.
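As an added worked example that is not part of the original article, the script below prepares the certificates described above with OpenSSL: a self-signed root CA, a server certificate per host signed by it, and a combined certificate-plus-key PEM in the form that HAProxy's crt directive reads (certificate followed by the private key). The output directory, subject names and host names are placeholders, and OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example (not from the original article): prepare a root CA, per-server
# certificates signed by it, and the combined certificate+key PEM that HAProxy's
# "crt" directive reads. Paths and names are placeholders; OpenSSL 1.1.1+ assumed.
set -eu

# Create a self-signed root CA: $1/CACert.pem (certificate) and $1/CAKey.pem (private key).
make_root_ca() {
  dir=$1
  mkdir -p "$dir"
  # Explicit CA constraints, so the root cannot be mistaken for a server certificate.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
    '[dn]' 'CN = Foresight Root CA' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/CAKey.pem" -out "$dir/CACert.pem" 2>/dev/null
  chmod 600 "$dir/CAKey.pem"
}

# Issue a server certificate for host $2 signed by the root CA in $1. Produces
# $1/$2-key.pem, $1/$2-cert.pem and $1/$2-haproxy.pem (certificate followed by key).
issue_server_cert() {
  dir=$1; host=$2
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' "CN = $host" > "$dir/$host.cnf"
  openssl req -new -config "$dir/$host.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/$host-key.pem" -out "$dir/$host.csr" 2>/dev/null
  # Leaf constraints: the SAN is what clients match the host name against, and
  # CA:FALSE stops a leaked server key from being used to issue further certificates.
  printf '%s\n' "subjectAltName = DNS:$host" 'basicConstraints = CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' 'extendedKeyUsage = serverAuth' > "$dir/$host.ext"
  openssl x509 -req -days 825 -in "$dir/$host.csr" -CA "$dir/CACert.pem" -CAkey "$dir/CAKey.pem" \
    -CAcreateserial -extfile "$dir/$host.ext" -out "$dir/$host-cert.pem" 2>/dev/null
  cat "$dir/$host-cert.pem" "$dir/$host-key.pem" > "$dir/$host-haproxy.pem"
  chmod 600 "$dir/$host-key.pem" "$dir/$host-haproxy.pem"
}

# Confirm that $1/$2-cert.pem chains to the root CA (exit status 0 only on success).
verify_against_root() {
  openssl verify -CAfile "$1/CACert.pem" "$1/$2-cert.pem" >/dev/null
}

# Constructed usage: balancer host "server" and two BI servers, as in the /etc/hosts table below.
# make_root_ca ./pki; for h in server biserver1 biserver2; do issue_server_cert ./pki "$h"; done
```

The per-host `*-cert.pem` and `*-key.pem` files are the ones referenced by the SSLCertificateFile and SSLCertificateKeyFile directives below, and `CACert.pem` is the file referenced by SSLCACertificateFile.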

Setting Up BI Servers

It is assumed that the BI servers of Foresight Analytics Platform are already installed. Execute the operations given below on each BI server, specifying that server's certificates:

  1. Install the proxy_http and proxy_wstunnel modules:

sudo a2enmod proxy_http proxy_wstunnel

  2. Add the strings in the settings file /etc/httpd2-fp10.x/conf/sites-enabled/default_https.conf:

Listen 443

<VirtualHost _default_:443>
    ServerName biserver1
    SSLEngine on
    SSLCertificateFile /etc/httpd2-fp10.x/conf/ssl.crt/<BI-server N cert>.pem
    SSLCertificateKeyFile /etc/httpd2-fp10.x/conf/ssl.key/<BI-server N key>.pem
    SSLCACertificateFile /etc/httpd2-fp10.x/conf/ssl.crt/CACert.pem
</VirtualHost>

Setting Up Web Application

It is assumed that the web application is already installed. Add the strings in the settings file /etc/httpd2-fp10.x-web/conf/sites-enabled/default_https.conf:

<VirtualHost _default_:443>
    ServerName server
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/balancer/server/server-cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/balancer/server/server-key.pem
    SSLCACertificateFile /etc/ssl/certs/balancer/CACert.pem

    # Web application settings
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /fp10.x/app/ ${PATH_TO_WEB}/app/
    Alias /fp10.x/build/ ${PATH_TO_WEB}/build/
    Alias /fp10.x/dashboard/ ${PATH_TO_WEB}/dashboard/
    Alias /fp10.x/resources/ ${PATH_TO_WEB}/resources/
    Alias /fp10.x/index.html ${PATH_TO_WEB}/index.html
    Alias /fp10.x/libs/ ${PATH_TO_WEB}/libs/
    Alias /fp10.x/ ${PATH_TO_WEB}/

    ProxyPass /fp10.x/app/PPService.axd ${PP_SOM} retry=1 acquire=3000 timeout=6000 Keepalive=On
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (.*(?:^|&))cache(=1)?((?:&|$).*)
    RewriteRule .* - [env=CACHEABLE]
    KeepAlive Off

    <Directory "${PATH_TO_WEB}/">
        Options Indexes
        AllowOverride All
        Require all granted
        FileETag None
        SetEnv no-gzip 1
        SetEnv dont-vary 1
        <FilesMatch "\.([^.]+)$">
            Header set Cache-Control "public, max-age=31536000" env=CACHEABLE
            Header unset Pragma
            Header unset ETag
            UnsetEnv CACHEABLE
        </FilesMatch>
        <FilesMatch "\.cache\.(js|html)$">
            Header set Cache-Control "public, max-age=31536000"
        </FilesMatch>
    </Directory>
</VirtualHost>

Setting Up WSS

  1. In the settings.xml settings file, set the Web form port used for the WebSocket protocol on each BI server:

<Configuration>
  <Root>
    <Key Name="PP">
      <BIS>
        <Key Name="System">
          <WebForms Port="9099"/>
        </Key>
      </BIS>
    </Key>
  </Root>
</Configuration>

  2. Add the VirtualHost subsection to the settings file /etc/apache2-fp10.x/sites-enabled/000-default.conf. Specify an individual port number and the path to the certificates for each BI server:

<VirtualHost *:9091>
    ProxyPass /service ws://localhost:${WS_PORT}/service
    ProxyPassReverse /service ws://localhost:${WS_PORT}/service
    SSLEngine on
    SSLCertificateFile /etc/httpd2-fp10.x/conf/ssl.crt/<BI-server N cert>.pem
    SSLCertificateKeyFile /etc/httpd2-fp10.x/conf/ssl.key/<BI-server N key>.pem
    SSLCACertificateFile /etc/httpd2-fp10.x/conf/ssl.crt/CACert.pem
    SSLProxyEngine On
    RewriteEngine On
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^(.*) ws://localhost:${WS_PORT}/$1 [P,L]
</VirtualHost>

  3. Add the corresponding listening port to the /etc/apache2-fp10.x/ports.conf file of each BI server:

<IfModule ssl_module>
    Listen 443
    Listen 9091
</IfModule>

  4. Add the following string to the end of the environment variables file /etc/apache2-fp10.x/envvars on each BI server:

export WS_PORT=9099

where 9099 is the port specified in step 1.

  5. Specify the port via which Web forms will work in the config.json web application settings file:

{
  ...
  "webSocketPort": "8080",
  ...
}

  6. On the server with the balancer, write the mapping of domain names to server IP addresses in /etc/hosts:

10.0.0.10 server
10.0.0.20 biserver1
10.0.0.30 biserver2

Setting Up HAProxy

Specify the following strings in the /etc/haproxy/haproxy.cfg balancer configuration file:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Enables or disables mandatory access control support (default: on).
    # The following Layer 4 fetch methods were added:
    # * maclev - returns an integer corresponding to the mandatory access control privacy level
    # * maccat - returns an integer corresponding to the mandatory access control category
    # astra-mode on
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client  500s
    timeout server  500s
    timeout tunnel  3600s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend ft_web_bi
    bind *:555 ssl crt /etc/ssl/certs/balancer/CA.pem
    http-request redirect scheme https unless { ssl_fc }
    bind-process all
    acl bisom path -i -m sub /FPBI_App_v10.x/axis2/services
    acl biproxy path -i -m sub /PPService.axd
    use_backend bk_bi if bisom || biproxy
    default_backend bk_web

backend bk_web
    mode http
    option forwardfor
    server web server:443 check ssl verify none

backend bk_bi
    mode http
    option forwardfor
    balance roundrobin
    cookie IDBI insert indirect nocache
    server bi1 biserver1:443 check cookie sb1 ssl verify required ca-file /etc/ssl/certs/balancer/CA.pem
    server bi2 biserver2:443 check cookie sb2 ssl verify required ca-file /etc/ssl/certs/balancer/CA.pem

frontend ft_ws_bi
    bind *:8080 ssl crt /etc/ssl/certs/balancer/CA.pem
    bind-process all
    default_backend bk_ws_bi

backend bk_ws_bi
    option forwardfor
    balance roundrobin
    cookie IDBI insert indirect nocache
    server bi1 biserver1:9091 cookie sb1 ssl verify required ca-file /etc/ssl/certs/balancer/CA.pem
    server bi2 biserver2:9092 cookie sb2 ssl verify required ca-file /etc/ssl/certs/balancer/CA.pem

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s

Note that the bk_web backend is declared with verify none, so the balancer does not check the web application's certificate, whereas the bk_bi and bk_ws_bi backends use verify required against the CA file. The stats frontend on port 8404 is bound without TLS and without access restrictions in this configuration.

To check that the resulting configuration file is valid, use the following command:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

If all settings are specified correctly, the web application is available at https://server:555/fp10.x/r. When Web forms are started, the connection opens at wss://server:8080/service?id={web_form_moniker}.

See also:

Setting Up HAProxy Balancer Using Web Forms