Load Balancing
Load balancing web console
All hosts in a Pritunl cluster can be used to access the web console. For high demand clusters that handle a lot of single sign-on users it is best to setup a Pritunl host dedicated for web console access that does not host any vpn servers. A single dedicated web console Pritunl server should handle almost all high demand configurations but if additional capacity or high availability is required a load balancer can be used. To do this enable the reverse proxy option, this will configure the server to read the X-Forwarded-For and X-Forwarded-Proto headers. If X-Forwarded-Proto is equal to http the client will always be redirected to HTTPS even if the Pritunl server is running with SSL off and on port 80. Load balancers can be configured to proxy both HTTP and HTTPS traffic to the Pritunl server and as long as the load balancer sets the X-Forwarded-Proto header the Pritunl server will handle HTTPS redirection. The /check handler will return 200 if the Pritunl server is online and connected to the database.
sudo pritunl set app.reverse_proxy true
sudo pritunl set app.redirect_server false
sudo pritunl set app.server_ssl false
sudo pritunl set app.server_port 80
Configuration Sync
When configuring load balancing the clients will not be able to access the hosts directly to sync the configuration. This is fixed by setting the Sync Address in the host settings to the domain name of the load balancer.
HAProxy Configuration
Below is an example HAProxy configuration for Pritunl. This requires a certificate at /etc/ssl/haproxy.pem.
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 4000
frontend http
bind :::80 v4v6
reqadd X-Forwarded-Proto:\ http
default_backend backend
frontend https
bind :::443 v4v6 ssl crt /etc/ssl/haproxy.pem
reqadd X-Forwarded-Proto:\ https
default_backend backend
backend backend
balance roundrobin
server pritunl0 <PRITUNL0_IP>:80 check
server pritunl1 <PRITUNL1_IP>:80 check
Nginx Configuration
The Nginx configuration below uses SSL for the upstream connection. In this configuration the Pritunl server should be configured with SSL.
sudo pritunl set app.reverse_proxy true
sudo pritunl set app.redirect_server false
sudo pritunl set app.server_ssl true
sudo pritunl set app.server_port 8443
Configure the Nginx configuration and self-signed certificate for unmatched domains. Replace 123.123.123.123 with the IP address of the Pritunl server and demo.pritunl.com with the domain name of the server.
sudo openssl req -x509 -nodes -days 18250 -newkey rsa:2048 -keyout /etc/nginx/ssl/notfound.key -out /etc/nginx/ssl/notfound.crt
sudo tee /etc/nginx/nginx.conf << EOF
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 400000;
pcre_jit on;
events {
worker_connections 20000;
multi_accept on;
use epoll;
}
http {
server_tokens off;
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
access_log off;
client_header_timeout 45;
client_body_timeout 45;
keepalive_timeout 65;
connection_pool_size 1024;
request_pool_size 8k;
client_header_buffer_size 2k;
client_body_buffer_size 32k;
server_names_hash_bucket_size 512;
server_names_hash_max_size 1024;
types_hash_max_size 2048;
server {
listen 80;
listen [::]:80;
server_name _;
return 404;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/notfound.crt;
ssl_certificate_key /etc/nginx/ssl/notfound.key;
server_name _;
return 404;
}
include /etc/nginx/conf.d/*.conf;
}
EOF
sudo tee /etc/nginx/conf.d/pritunl-vpn.conf << EOF
upstream pritunl-vpn {
server 123.123.123.123:8443;
}
server {
listen 80;
listen [::]:80;
root /usr/share/nginx/html;
server_name demo.pritunl.com;
location / {
return 301 https://demo.pritunl.com\$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/demo.pritunl.com.crt;
ssl_certificate_key /etc/nginx/ssl/demo.pritunl.com.key;
server_name demo.pritunl.com;
location / {
proxy_pass https://pritunl-vpn;
proxy_ssl_verify off;
proxy_set_header Host \$http_host;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header X-Real-IP \$remote_addr;
}
}
EOF
Below is a certbot script to generate a LetsEncrypt certificate for the server.
sudo dnf -y install certbot
sudo tee /etc/systemd/system/certbot.target << EOF
[Unit]
Description=Cerbot target
StopWhenUnneeded=yes
EOF
sudo tee /etc/systemd/system/certbot.timer << EOF
[Unit]
Description=Cerbot timer
[Timer]
OnCalendar=*-*-* 8:00:00
Unit=certbot.target
[Install]
WantedBy=basic.target
EOF
sudo tee /etc/systemd/system/certbot.service << EOF
[Unit]
Description=Cerbot
Wants=certbot.timer
[Service]
ExecStart=/usr/bin/certbot-nginx
[Install]
WantedBy=certbot.target
EOF
sudo tee /usr/bin/certbot-nginx << EOF
#!/bin/bash
getcert () {
echo "Getting certificate email=\$1 domain=\$2"
/usr/bin/certbot --webroot --agree-tos --non-interactive --webroot-path /usr/share/nginx/html --preferred-challenges http --email \$1 -d \$2 certonly
/usr/bin/cp -f /etc/letsencrypt/live/\$2/fullchain.pem /etc/nginx/ssl/\$2.crt
/usr/bin/chown nginx:nginx /etc/nginx/ssl/\$2.crt
/usr/bin/cp -f /etc/letsencrypt/live/\$2/privkey.pem /etc/nginx/ssl/\$2.key
/usr/bin/chown nginx:nginx /etc/nginx/ssl/\$2.key
}
getcert "[email protected]" "demo.pritunl.net"
/usr/bin/chown -R nginx:nginx /etc/nginx/ssl
/usr/bin/chmod 600 /etc/nginx/ssl/*
/usr/sbin/restorecon -R -v /etc/nginx
/usr/bin/systemctl reload nginx
EOF
sudo chmod +x /usr/bin/certbot-nginx
Generate the initial certificate and start the server.
sudo /usr/bin/certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable certbot.service
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
sudo systemctl restart nginx
sudo systemctl enable nginx
Updated over 1 year ago