Thanks. Oddly enough, they built a parallel instance with nginx as the web load balancer and DB load balancer, and it worked for them. The SNAT configuration uses a pool of 4 IPs in the VLAN. We're on 12.1.1. But when they put the F5 in front of nginx it didn't work for them, so there's some setting I'm missing somewhere. Below is the nginx config they built in parallel to the F5, which was working. The IPs have been changed to protect the innocent. The F5 side was essentially a LAN/WAN TCP protocol profile, an HTTP profile with X-Forwarded-For insertion, and cookie persistence — nothing special really. Not sure if you can see anything unique I might be missing. No iRules, nothing.
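upstream ewb_web {
    zone upstream_ewb_web 64k;
    # List the E-WorkBook servers for handling web requests (including web services requests).
    server 1.1.1.1:8443;
    server 1.1.1.1:8443;
    # Cookie-based stickiness. The virtual host is TLS-only, so mark the cookie secure and
    # httponly: it is then never sent in clear and cannot be read by page scripts.
    sticky cookie srv_id path=/ secure httponly;
    # Idle connection pool to the upstreams. Requires proxy_http_version 1.1 and an emptied
    # Connection header on non-upgrade requests (the $connection_upgrade map does that).
    keepalive 32;
}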
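upstream ewb_desktop {
    zone upstream_ewb_desktop 64k;
    # List the E-WorkBook servers for handling desktop client requests.
    # No stickiness here (plain round-robin): the desktop client uses a long-lived upgraded
    # connection via "location = /", so each connection stays on the server it was opened to.
    server 1.1.1.1:8443;
    server 1.1.1.1:8443;
}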
# Pub/sub (streaming) backends, used only by location /EWorkbookWebApp/pubsub.
# Round-robin with no stickiness; the shared zone lets all workers see the same peer state.
upstream ewb_web_pubsub {
    server 1.1.1.1:8443;
    server 1.1.1.1:8443;

    zone ewb_web_pubsub 64k;
}
# Instrument backends, used by the "/instruments" location.
# Stickiness is by client address (ip_hash). NOTE(review): $remote_addr is what is hashed, so
# with a SNAT'ing F5 in front (pool of 4 addresses) this degrades to at most 4 hash buckets
# unless the real client IP is restored with the real_ip module.
upstream ewb_web_ir {
    ip_hash;

    server 1.1.1.1:8443;
    server 1.1.1.1:8443;

    zone ewb_web_ir 64k;
}
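# Only set the "Connection" header to "upgrade" when the client sent an "Upgrade:" header
# (as WebSocket and EWB Desktop Client connections do). For ordinary requests the header is
# emptied, which is what the upstream keepalive pools need to reuse connections.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      '';
}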
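# $status_is_failure is 1 for any upstream status other than 200/301/302; proxy_no_cache
# reads it so failures are not written to the cache. Note that 301/302 redirects ARE cached.
map $status $status_is_failure {
    200     0;
    301     0;
    302     0;
    default 1;
}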
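# Response cache. NOTE(review): /tmp is world-writable and is often cleared on reboot; a
# dedicated directory owned by the nginx worker user (e.g. under /var/cache/nginx) is safer.
proxy_cache_path /tmp/nginx-ewb-cache keys_zone=ewb-cache:1m inactive=1d;
proxy_no_cache $status_is_failure;
# HTTP/1.1 to the upstreams is required both for protocol upgrades and for the keepalive pools.
proxy_http_version 1.1;
# Forward WildFly's own Server header to clients (nginx would otherwise replace it). This
# reveals the backend product/version; drop the directive unless something depends on it.
proxy_pass_header Server;
# NOTE(review): every proxy_pass below is https://, but nginx does not verify upstream
# certificates unless "proxy_ssl_verify on" and "proxy_ssl_trusted_certificate" are set, so the
# backend hop is encrypted but the backend is not authenticated.
# Pass on HTTP Upgrade headers (WebSockets/EWB Desktop Client) so that protocol upgrades work.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Set up X-Forwarded headers so that WildFly interprets the client's IP correctly.
# X-Forwarded-For is set to $remote_addr rather than appended ($proxy_add_x_forwarded_for):
# any X-Forwarded-For supplied by the client is discarded, so a bogus value cannot override
# the real client IP. The flip side: with a SNAT'ing F5 in front, WildFly sees the SNAT address
# unless the real_ip module is configured for the F5's addresses (see the server block).
proxy_set_header X-Forwarded-For $remote_addr;
# Only TLS listeners exist in this host, so the scheme can be fixed.
proxy_set_header X-Forwarded-Proto https;
# Pass on the Host header so that upstream servers see the load balancer's name.
proxy_set_header Host $http_host;
# Default timeouts of 20 minutes.
proxy_read_timeout 20m;
proxy_send_timeout 20m;
send_timeout 20m;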
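server {
    # TLS-only front end; both ports are served by the same virtual host.
    listen 443 ssl default_server;
    listen 8443 ssl default_server;
    server_name x.x.x.x.abc.com;
    status_zone eworkbook;

    ssl_certificate     /etc/nginx/ssl/x.x.x.x.crt;
    ssl_certificate_key /etc/nginx/ssl/x.x.x.x.key;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;
    # Pin the protocol versions instead of relying on the build default, which on older
    # nginx/OpenSSL still includes TLSv1 and TLSv1.1. Add TLSv1.3 if the OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # NOTE(review): when the F5 (SNAT pool) sits in front of this instance, $remote_addr is a
    # SNAT address, not the client. That collapses ip_hash (upstream ewb_web_ir) to one bucket
    # per SNAT IP and sends the SNAT address upstream as X-Forwarded-For. If the F5 is trusted,
    # recover the client IP with set_real_ip_from (one entry per SNAT IP) and
    # real_ip_header X-Forwarded-For; never trust that header from addresses that are not the F5.

    # Desktop client entry point: long-lived upgraded connections, hence the longer timeouts.
    location = / {
        proxy_pass https://ewb_desktop;
        proxy_read_timeout 1h;
        proxy_send_timeout 1h;
    }

    location / {
        proxy_pass https://ewb_web;
        proxy_redirect https://ewb_web $scheme://$host:$server_port;
        # Caching an authenticated application: the default cache key is scheme+host+URI, so any
        # per-user response the upstream does not mark Cache-Control: private/no-store (and that
        # carries no Set-Cookie) could be served to a different user. Confirm WildFly's cache
        # headers before enabling this outside a test environment.
        proxy_cache ewb-cache;
        # Unlimited request body: needed for large uploads, but it removes the request-size
        # ceiling at the edge, so the application must enforce its own limits.
        client_max_body_size 0;
    }

    # Pub/sub stream: buffering off so messages are forwarded as they arrive.
    location /EWorkbookWebApp/pubsub {
        proxy_pass https://ewb_web_pubsub/EWorkbookWebApp/pubsub;
        proxy_buffering off;
        proxy_ignore_client_abort off;
    }

    # NOTE(review): this is an unanchored regex, so it matches "/instruments" anywhere in the URI
    # and, being a regex location, takes precedence over the prefix locations above. If only the
    # /instruments path is meant, use "location ~ ^/instruments" (or a "^~" prefix location).
    location ~/instruments {
        proxy_pass https://ewb_web_ir;
        proxy_buffering off;
        proxy_ignore_client_abort off;
    }

    # Live status API. As written it is reachable on both listeners by any client and reveals
    # upstream addresses and traffic counters: restrict it with allow/deny or auth_basic before
    # this host is exposed beyond a trusted network.
    location /status {
        status;
    }

    location = /status.html {
        alias /usr/share/nginx/html/status.html;
    }
}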