Load Balancing
Load balancing web console
All hosts in a Pritunl cluster can be used to access the web console. For high demand clusters that handle a lot of single sign-on users it is best to setup a Pritunl host dedicated for web console access that does not host any vpn servers. A single dedicated web console Pritunl server should handle almost all high demand configurations but if additional capacity or high availability is required a load balancer can be used. To do this enable the reverse proxy option, this will configure the server to read the X-Forwarded-For
and X-Forwarded-Proto
headers. If X-Forwarded-Proto
is equal to http
the client will always be redirected to HTTPS even if the Pritunl server is running with SSL off and on port 80. Load balancers can be configured to proxy both HTTP and HTTPS traffic to the Pritunl server and as long as the load balancer sets the X-Forwarded-Proto
header the Pritunl server will handle HTTPS redirection. The /check
handler will return 200 if the Pritunl server is online and connected to the database.
sudo pritunl set app.reverse_proxy true
sudo pritunl set app.redirect_server false
sudo pritunl set app.server_ssl false
sudo pritunl set app.server_port 80
Configuration Sync
When configuring load balancing the clients will not be able to access the hosts directly to sync the configuration. This is fixed by setting the Sync Address in the host settings to the domain name of the load balancer.
HAProxy Configuration
Below is an example HAProxy configuration for Pritunl. This requires a certificate at /etc/ssl/haproxy.pem
.
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 4000
frontend http
bind :::80 v4v6
reqadd X-Forwarded-Proto:\ http
default_backend backend
frontend https
bind :::443 v4v6 ssl crt /etc/ssl/haproxy.pem
reqadd X-Forwarded-Proto:\ https
default_backend backend
backend backend
balance roundrobin
server pritunl0 <PRITUNL0_IP>:80 check
server pritunl1 <PRITUNL1_IP>:80 check
Updated over 4 years ago