Linux reverse proxy - SSO

Ubisecure suggests using HAProxy as the reverse proxy, but you can use any product you want. Just keep the following principles in mind:

  • For a high availability setup, SSO node 2 should be passive: it receives no queries unless SSO node 1 fails
  • For a high availability, high performance setup, all SSO nodes are active

High availability setup (HAProxy example)

#---------------------------------------------------------------------
# backend servers
#---------------------------------------------------------------------
#
backend sso-backend
    mode http
    option forwardfor except 127.0.0.0/8
    cookie SERVERID insert indirect nocache
    option httpchk GET /uas/ping HTTP/1.1\r\nHost:\ login.custom.com
    http-check expect status 200
    balance roundrobin
    #
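    # sso02 is marked "backup": HAProxy sends it traffic only while sso01 fails its health check.
    # (Server weights are limited to 0-256, and any non-zero weight still receives a share of requests.)
    server sso01.example.com sso01.example.com:8080 check  cookie 270c5ec20f147b7fbb856c363a80f4b37073d342
    server sso02.example.com sso02.example.com:8080 check  cookie 4bd383a4b37f314fcfc6791ecffa5e1b5474c6a4 backup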
    #




High availability, high performance setup (HAProxy example)

#---------------------------------------------------------------------
# backend servers
#---------------------------------------------------------------------
#
backend sso-backend
    mode http
    option forwardfor except 127.0.0.0/8
    cookie SERVERID insert indirect nocache
    option httpchk GET /uas/ping HTTP/1.1\r\nHost:\ login.custom.com
    http-check expect status 200
    balance roundrobin
    #
    server sso01.example.com sso01.example.com:8080 check  cookie 270c5ec20f147b7fbb856c363a80f4b37073d342 weight 10
    server sso02.example.com sso02.example.com:8080 check  cookie 4bd383a4b37f314fcfc6791ecffa5e1b5474c6a4 weight 10
    #
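
A way to check that a backend's server lines match the intended layout (passive node 2, or all nodes active) before the configuration is deployed. This is an added example, not Ubisecure or HAProxy code; the function names and the shortened cookie values in the sample input are assumptions made for illustration.

```python
# Added example: lint the "server" lines of an HAProxy backend section.
WEIGHT_RANGE = range(0, 257)  # HAProxy accepts server weights 0-256

def parse_servers(backend_text):
    """Return name, weight and backup flag for each 'server' line."""
    servers = []
    for raw in backend_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 3 or tokens[0] != "server":
            continue
        entry = {"name": tokens[1], "weight": 1, "backup": False}  # 1 = default weight
        opts = iter(tokens[3:])
        for opt in opts:
            if opt == "weight":
                entry["weight"] = int(next(opts, 1))
            elif opt == "cookie":
                next(opts, None)  # skip the cookie value
            elif opt == "backup":
                entry["backup"] = True
        servers.append(entry)
    return servers

def check_layout(backend_text, expect):
    """expect: 'active-passive' or 'active-active'. Returns a list of findings."""
    servers = parse_servers(backend_text)
    findings = [f"{s['name']}: weight {s['weight']} not in 0-256"
                for s in servers if s["weight"] not in WEIGHT_RANGE]
    # Nodes that receive new sessions while every node is healthy.
    serving = [s["name"] for s in servers if not s["backup"] and s["weight"] > 0]
    want = 1 if expect == "active-passive" else len(servers)
    if len(serving) != want:
        findings.append(f"{expect}: expected {want} serving node(s), found {len(serving)}")
    return findings

# Constructed sample input (cookie values shortened for readability).
PASSIVE = """
backend sso-backend
    server sso01.example.com sso01.example.com:8080 check cookie a1
    server sso02.example.com sso02.example.com:8080 check cookie b2 backup
"""
WEIGHT_ONLY = """
backend sso-backend
    server sso01.example.com sso01.example.com:8080 check cookie a1 weight 10000000
    server sso02.example.com sso02.example.com:8080 check cookie b2 weight 1
"""

if __name__ == "__main__":
    for label, text in (("backup keyword", PASSIVE), ("weight only", WEIGHT_ONLY)):
        print(label, "->", check_layout(text, "active-passive") or "ok")
```

HAProxy's own syntax check, `haproxy -c -f <config file>`, remains the authoritative test; this script only adds the layout check on top of it.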