Chapter 7. Installing and configuring the load balancer
Red Hat provides general guidance for configuring an HAProxy load balancer using Red Hat Enterprise Linux 9. However, you can install any suitable load balancing software solution that supports TCP forwarding.
7.1. Installing the load balancer
The following example provides general guidance for configuring an HAProxy load balancer using Red Hat Enterprise Linux 9. However, you can install any suitable load balancing software solution that supports TCP forwarding.
Procedure
- Install HAProxy:
  # dnf install haproxy
- Install the following package that includes the semanage tool:
  # dnf install policycoreutils-python-utils
- Configure SELinux to allow HAProxy to bind any port:
  # semanage boolean --modify --on haproxy_connect_any
- Configure the load balancer to balance the network load for the ports as described in Section 7.2, “Ports configuration for the load balancer”.
- Configure the load balancer to disable SSL offloading and allow client-side SSL certificates to pass through to back end servers. This is required because communication from clients to Capsule Servers depends on client-side SSL certificates.
- Start and enable the HAProxy service:
  # systemctl enable --now haproxy
7.2. Ports configuration for the load balancer
You must ensure proper network configuration of the load balancer to enable it to balance the network load for the ports.
For example, to configure ports for HAProxy, edit the /etc/haproxy/haproxy.cfg file to correspond with the table.
| Service | Port | Mode | Balance Mode | Destination |
|---|---|---|---|---|
| HTTP | 80 | TCP | roundrobin | port 80 on all Capsule Servers |
| HTTPS and RHSM | 443 | TCP | source | port 443 on all Capsule Servers |
| Anaconda for template retrieval | 8000 | TCP | roundrobin | port 8000 on all Capsule Servers |
| Puppet (Optional) | 8140 | TCP | roundrobin | port 8140 on all Capsule Servers |
| PuppetCA (Optional) | 8141 | TCP | roundrobin | port 8140 only on the system where you configure Capsule Server to sign Puppet certificates |
| Capsule HTTPS for Host Registration and optionally OpenSCAP | 9090 | TCP | roundrobin | port 9090 on all Capsule Servers |
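
One way to check an haproxy.cfg against the table and against the requirement to disable SSL offloading, as an added example that is not part of the Red Hat documentation. It assumes the configuration uses listen sections (a frontend/backend split is not audited); the sample configuration, section names, host names and certificate path are constructed placeholders.

```python
import re

# Balance algorithm per load balancer port, from the table in Section 7.2.
EXPECTED = {80: "roundrobin", 443: "source", 8000: "roundrobin",
            8140: "roundrobin", 8141: "roundrobin", 9090: "roundrobin"}
SECTIONS = ("global", "defaults", "frontend", "backend", "listen", "peers", "resolvers")

# Constructed sample: section names, hostnames and the .pem path are placeholders.
SAMPLE_CFG = """\
defaults
    mode http  # inherited by every proxy that does not override it
listen https
    bind *:443
    mode tcp
    balance source
    server capsule01 capsule01.example.com:443 check
listen capsule-api
    bind *:9090 ssl crt /etc/haproxy/lb.pem
    server capsule01 capsule01.example.com:9090 check
"""

def audit(cfg_text):
    """Return (section, port, problem) findings for listen sections on table ports."""
    inherited = {"mode": "tcp", "balance": "roundrobin"}  # HAProxy built-in defaults
    listens, target = [], None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] in SECTIONS:
            target = None  # sections other than defaults/listen are not audited
            if words[0] == "defaults":
                target = inherited = {"mode": "tcp", "balance": "roundrobin"}
            elif words[0] == "listen":
                target = dict(inherited, name=(words + ["?"])[1], binds=[])
                listens.append(target)
        elif target is not None and len(words) > 1:
            if words[0] in ("mode", "balance"):
                target[words[0]] = words[1]
            elif words[0] == "bind" and "binds" in target:
                target["binds"].append(words[1:])
    findings = []
    for s in listens:
        for addr, *opts in s["binds"]:
            for port in map(int, re.findall(r":(\d+)(?=,|$)", addr)):
                checks = ((s["mode"] != "tcp", "mode is %s, not tcp" % s["mode"]),
                          ("ssl" in opts, "bind terminates TLS (SSL offloading)"),
                          (s["balance"] != EXPECTED.get(port), "balance is " + s["balance"]))
                findings += [(s["name"], port, msg) for bad, msg in checks
                             if bad and port in EXPECTED]
    return findings
```

In the sample, the section on port 9090 is flagged twice: it inherits mode http from the defaults section, and its bind line terminates TLS, so client-side certificates would never reach the Capsule Servers.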