Recommendations for a free/cheap load balancer to use with JSS

kraigschroth
New Contributor III

I'm looking to build a clustered instance jss behind a load balancer to improve uptime and scale a new Casper 9 deployment. The last time I did this, I had a networking team and a budget to get F5s in to handle the load balancing, and I could focus on getting the services running; however, this new project has a budget of my time and maybe some leftover coffee in the employee breakroom.

Do any of you fine folk have recommendations for free/cheap load balancers and configuring them? Inquiring minds want to know.

2 ACCEPTED SOLUTIONS

jhbush
Valued Contributor II

You can use Pound http://www.apsis.ch/pound or Citrix VPX, free for one year: http://www.citrix.com/products/netscaler-application-delivery-controller/try.html. I'm sure there are others, but those are the two I have used.

Lotusshaney
Contributor II

I second Pound; it's fantastic. Also, nginx will work too.

I have configs for both if you need them

Dan

20 REPLIES

kraigschroth
New Contributor III

I'll give pound and nginx a shot -- I'd love the configs if you're willing to share.

Andrina
Contributor

I use HAProxy if you're looking for another alternative also...

kraigschroth
New Contributor III

@Lotusshaney - you still up for sharing those pound configs?

kalik4
New Contributor III

seconded!

Lotusshaney
Contributor II

Hi all, here is my Pound config:

User        "www-data"
Group       "www-data"
#RootJail   "/chroot/pound"

## Logging: (goes to syslog by default)
##  0   no logging
##  1   normal
##  2   extended
##  3   Apache-style (common log format)
LogLevel    1

## check backend every X secs:
Alive       30

# poundctl control socket
Control "/var/run/pound/poundctl.socket"


ListenHTTP
    Address 172.16.169.131
    Port    80
    HeadRemove "X-Forwarded-For"
    Service
        Redirect    "https://172.16.169.131:8443"
    End
End

ListenHTTPS
    Address 172.16.169.131
    Port    8443
    HeadRemove "X-Forwarded-For"
    Cert "/etc/pound/pound.pem"
    Service
        BackEnd
            Address 172.16.169.128
            Port    9006
        End
        BackEnd
            Address 172.16.169.129
            Port    9006
        End
        BackEnd
            Address 172.16.169.130
            Port    9006
        End
        Session
            Type    Cookie
            ID  "JSESSIONID"
            TTL 300
        End
    End
End

The way I have Pound set up is that it's doing the SSL termination and load balancing to 3 servers. Each BackEnd entry is a server; you can add or remove servers from here.

The SSL cert is loaded onto the Pound server, and Pound forwards the data to the servers in clear HTTP, but data going to the clients is SSL'ed.

The ListenHTTP is just redirecting HTTP to HTTPS, just in case.

Don't forget that the normal JSS load balancer config of clicking a box won't work 100%: you will get the IP address of the load balancer as the IP address of the client Mac, so you need to add some more to Tomcat's config. Have a look here:

https://jamfnation.jamfsoftware.com/article.html?id=305
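The Tomcat-side piece the post above refers to is Tomcat's RemoteIpValve. This is an added example (it is not from the thread or from the linked Jamf article): it goes inside the `<Engine>` or `<Host>` element of tomcat/conf/server.xml on each backend. The proxy address is the Pound listener from the config above (172.16.169.131); the port and the header names are assumed values.

```xml
<!-- Added example, not from the thread. Restores the real client address
     (and the https scheme) for requests that arrive via the Pound listener
     at 172.16.169.131. Place inside <Engine> or <Host> in server.xml. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       internalProxies="172\.16\.169\.131"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="8443" />
```

Two security notes. internalProxies is a regex of the only addresses whose X-Forwarded-For Tomcat will believe; keep it to the load balancer rather than the default private-range regex, so a host on the LAN cannot spoof a client IP by sending its own header. That pairs with the HeadRemove "X-Forwarded-For" lines in the Pound config, which discard anything the client sent before Pound adds its own header. protocolHeader only helps if the proxy actually sends X-Forwarded-Proto: https; Pound does not do that by default, so add it on the ListenHTTPS listener (the AddHeader directive, if your Pound version has it) or leave protocolHeader out and rely on the connector's scheme/proxyPort attributes instead.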

Lutz
New Contributor

@Lotusshaney

How did you setup SSL termination using the load balancer?

I've added the cert to the pound server.

I also modified the server.xml file on my tomcat instance with the following:

<Connector port="8080" proxyPort="443" scheme="https" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443" />

Do I need to add the cert somewhere on the tomcat server also? Traffic appears to be being redirected properly when accessing the JSS web portal, but I'm unable to enroll machines.

Thanks!

kraigschroth
New Contributor III

@Lutz -- the Pound config posted by @Lotusshaney has that item covered in line 32. I had a little trouble with the .pem file, but fixed that when I rebuilt it in the correct order. Once that's fixed, it should be handing off the sessions automatically.

kraigschroth
New Contributor III

@Lutz - also, I totally added the signed cert via the web app as well, and configured tomcat to work behind a load balancer [also via the web app]. Works like a charm.

Lutz
New Contributor

@kraigschroth - thanks, that helps. I'm running into a small snag though. Because I have multiple JSS instances running on the same Tomcat server, the web app doesn't have the ability to add the cert directly.

Any idea on how/where to add the certs manually through command line? They're running on ubuntu servers.

kraigschroth
New Contributor III

@Lutz If you're using multi-context sessions, you'll need to import all of those items into the Tomcat keystore, and then declare the /path/to/keystore.jks and password in your /path/to/tomcat/conf/server.xml file for the appropriate connector. You can use keytool to import the correct items into the Tomcat keystore using the -import verb. Just make sure to import the root CA cert into the keystore with the alias root and the signed certificate with the alias tomcat.

Kumarasinghe
Valued Contributor

@Lutz @kraigschroth
Do you really have to upload the .pem file to all web apps?
I don't think so.

If it's self-signed:
1) You create a key and CSR on the load balancer.
2) Get the CSR signed by the JSS's CA.
3) Upload it to the load balancer, combine the key and the JSS-signed cert into a single .pem file, and use it with Pound.

If you have a properly signed certificate from a third-party vendor like Comodo:
Just combine the key and signed cert into a single .pem file and use it directly with Pound. No need to get the JSS's CA, as it has been signed properly.

Kumarasinghe
Valued Contributor

@Lotusshaney
Can you please post the nginx config as well.

kraigschroth
New Contributor III

@Kumarasinghe - I edited my response to reflect that. I have done that extra step historically for testing purposes.

kraigschroth
New Contributor III

@Lutz, @Kumarasinghe is correct -- you don't technically *have* to upload it to the instances, but you certainly *can*. I do it as a part of my testing process (validating against instances in my dev/prod environments), and without knowing more about how your multi-context deployment is configured you may or may not want to do either. I'll leave that up to your choice.

Lutz
New Contributor

@Kumarasinghe @kraigschroth thanks for all of your help, I was able to get everything working last week.

For the sake of completeness and anyone using this for reference, I do have a properly signed cert from a third party.
Using that directly with Pound works great, no technical need to install them on your Tomcat instances.

Initially, after setting up the SSL termination with Pound, I started getting certificate errors when attempting to enroll machines via a QuickAdd package. Like an amateur, I of course started troubleshooting the most complicated pieces first, which led me to configuring the certs on the LB and JSSs and re-editing the Tomcat .xml files.

With all of the changes I'd been making with config files, cert requests, etc., I forgot to check the basics. In my JSS Global Management Settings, I never changed my JSS URL to match that of the load balancer address and port. I changed that and everything started working 100%.

Thanks again for all the help, it did keep me sane and clarified a few things.

Kumarasinghe
Valued Contributor

@Lotusshaney
I really like to see your nginx config. Can you please post it here.
Thanks.
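Lotusshaney's nginx config never made it into the thread. What follows is an added example of my own, not that config: nginx doing the same job as the Pound config posted earlier (HTTP redirected to HTTPS, TLS terminated on the balancer, three Tomcat backends on 9006, sessions pinned by JSESSIONID). Addresses and ports are the ones from the Pound config; the certificate paths, the timeouts and the use of the `hash ... consistent` form of stickiness (available in nginx 1.7.2 and later) are assumptions.

```nginx
# Added example, not from the thread: nginx equivalent of the Pound config above.
upstream jss {
    # Pin a session to one Tomcat by its JSESSIONID cookie, as Pound's Session
    # block does. A request with no cookie yet (first hit) simply lands on the
    # member the empty key hashes to, and Tomcat sets the cookie from there.
    hash $cookie_JSESSIONID consistent;
    server 172.16.169.128:9006 max_fails=3 fail_timeout=30s;
    server 172.16.169.129:9006 max_fails=3 fail_timeout=30s;
    server 172.16.169.130:9006 max_fails=3 fail_timeout=30s;
}

server {
    # Plain HTTP only redirects to HTTPS, like Pound's ListenHTTP block.
    listen 172.16.169.131:80;
    return 301 https://172.16.169.131:8443$request_uri;
}

server {
    listen 172.16.169.131:8443 ssl;
    ssl_certificate     /etc/nginx/ssl/jss.crt;   # assumed path: server cert + chain
    ssl_certificate_key /etc/nginx/ssl/jss.key;   # assumed path: private key, mode 600

    location / {
        proxy_pass http://jss;
        proxy_http_version 1.1;
        # $http_host keeps the :8443 so Tomcat-generated redirects stay correct.
        proxy_set_header Host              $http_host;
        # $remote_addr rather than $proxy_add_x_forwarded_for: a client-supplied
        # X-Forwarded-For is discarded, which is what Pound's HeadRemove does.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;            # assumed; raise for large uploads
    }
}
```

The same Tomcat-side step applies as with Pound: the backends only see the real client address if server.xml is told to trust X-Forwarded-For from 172.16.169.131, and nothing else, otherwise JSS records every Mac as coming from the balancer.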

Derrick_meyer
New Contributor

Has anyone had any success setting up a JDS behind an nginx load balancer? I'm seeing a lot of errors in /usr/local/jds/logs/jamf.log:

661 ERROR Communication error with the JSS
661 ERROR (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

When we look at the JDS in the JSS we get:
Display Name - no name
Root - Yes
Parent JDS Instance - NONE
Hostname
JDS URL: https://FQDN
Reported IP Address
jamfds binary Version:
Operating System:
Operating System Version:
Total Memory:
Available Memory:
Hard Drive Size: -1024 B
Hard Drive Used Space: -1 %