Load Balancing

Load balancing web console

All hosts in a Pritunl cluster can be used to access the web console. For high-demand clusters that handle a lot of single sign-on users, it is best to set up a Pritunl host dedicated to web console access that does not host any VPN servers. A single dedicated web console Pritunl server should handle almost all high-demand configurations, but if additional capacity or high availability is required, a load balancer can be used.

To do this, enable the reverse proxy option, which configures the server to read the X-Forwarded-For and X-Forwarded-Proto headers. If X-Forwarded-Proto is equal to http, the client will always be redirected to HTTPS, even if the Pritunl server is running with SSL off and on port 80. Load balancers can be configured to proxy both HTTP and HTTPS traffic to the Pritunl server; as long as the load balancer sets the X-Forwarded-Proto header, the Pritunl server will handle HTTPS redirection. The /check handler will return 200 if the Pritunl server is online and connected to the database.

sudo pritunl set app.reverse_proxy true
sudo pritunl set app.redirect_server false
sudo pritunl set app.server_ssl false
sudo pritunl set app.server_port 80
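
An added example (not from the Pritunl documentation): a Python check to run from the load balancer host against each backend after applying the settings above. It probes the /check handler and confirms that a request carrying X-Forwarded-Proto: http is answered with an HTTPS redirect. The function names and the script name are illustrative, and the backends are assumed to listen on plain HTTP as configured above.

```python
# Added example: post-deployment check for Pritunl web console backends.
# Function names are illustrative, not part of Pritunl.
import http.client
import sys
from urllib.parse import urlsplit

def fetch(base_url, path, headers=None, timeout=5):
    """Send one GET without following redirects; return (status, Location)."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()

def backend_healthy(base_url):
    """/check returns 200 when the host is online and connected to the database."""
    try:
        return fetch(base_url, "/check")[0] == 200
    except (OSError, http.client.HTTPException):
        return False

def redirects_plain_http(base_url):
    """With the reverse proxy option on, X-Forwarded-Proto: http must redirect to HTTPS."""
    try:
        status, location = fetch(base_url, "/", {"X-Forwarded-Proto": "http"})
    except (OSError, http.client.HTTPException):
        return False
    return status in (301, 302, 303, 307, 308) and location.lower().startswith("https://")

def audit(backends):
    """Return {backend_url: [problems]} for every backend that fails a check."""
    report = {}
    for url in backends:
        if not backend_healthy(url):
            report[url] = ["/check did not return 200"]
        elif not redirects_plain_http(url):
            report[url] = ["no HTTPS redirect for X-Forwarded-Proto: http"]
    return report

if __name__ == "__main__":
    # Usage: python3 check_backends.py http://<PRITUNL0_IP>:80 http://<PRITUNL1_IP>:80
    for url, problems in audit(sys.argv[1:]).items():
        print(url, "FAIL:", "; ".join(problems))
```

A backend that answers these requests from hosts other than the load balancer will also accept X-Forwarded-For and X-Forwarded-Proto values set by any client, so restrict port 80 on the Pritunl hosts to the load balancer's address.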

Configuration Sync

When load balancing is configured, the clients will not be able to access the hosts directly to sync the configuration. This is fixed by setting the Sync Address in the host settings to the domain name of the load balancer.

HAProxy Configuration

Below is an example HAProxy configuration for Pritunl. This requires a certificate at /etc/ssl/haproxy.pem.

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    # Adds an X-Forwarded-For header with the client address
    option forwardfor
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 4000

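frontend http
    bind :::80 v4v6
    # set-header replaces any client-supplied value (reqadd was removed in HAProxy 2.1)
    http-request set-header X-Forwarded-Proto http
    default_backend backend

frontend https
    bind :::443 v4v6 ssl crt /etc/ssl/haproxy.pem
    http-request set-header X-Forwarded-Proto https
    default_backend backend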

backend backend
    balance roundrobin
    server pritunl0 <PRITUNL0_IP>:80 check
    server pritunl1 <PRITUNL1_IP>:80 check