Internally hosted applications under load balancer issue


Daniel Rakaric

Jan 10, 2017, 11:30:40 AM
to CAS Community
Hi,

Recently our institution has been trying to implement a new load balancer. We have tried this out in our pre-prod environment and tested to see how our applications behave with this new implementation.

So far, not a single application that is behind the load balancer and requires CAS authentication works, as the connection just times out during a login request. Any externally hosted applications, such as our vendor applications that use our CAS to authenticate, work with no issues. Also, any application that is internally hosted but not behind a load balancer works as well.

We were wondering if anyone has had a similar time-out issue while using a load balancer, and how you configured the load balancer to behave properly?

Just to reiterate, CAS is also behind a load balancer.

Uxío Prego

Jan 13, 2017, 12:35:04 PM
to cas-...@apereo.org
You can try to find a way of applying sticky sessions (https://en.wikipedia.org/wiki/Load_balancing_(computing)#Persistence) to your casified applications' load balancer, and see if that solves it, but I am afraid you could be alone on that.

CAS itself supports being behind a load balancer since a particular version.

Tom Poage

Jan 13, 2017, 1:12:10 PM
to cas-...@apereo.org
Several factors may be at play. We deployed recently using an F5 but, as part of an initiative to deprecate old SSL/TLS protocols and ciphers, we set it up in routed mode (where the F5 behaves like a gateway vs. SNAT and the like) so the CAS servers themselves can directly observe the protocols/ciphers in use, trap deprecated ones and display a warning page.

Anyhow, we discovered any CAS client host (configured with the CAS virtual address) on the same subnet as the CAS servers didn't work because of a layer-2 short circuit. The solution was to put the CAS servers on their own subnet (here a /28) with no other potential CAS clients on that same net.

Other than that, CAS from 4.2(?) on no longer requires session stickiness. We disabled it in the F5 and see traffic pretty evenly sprayed across all the servers w/ no ill effect. E.g. host1 serves the login page, and host2 accepts the POST.

Tom.

Christopher Myers

Jan 18, 2017, 12:57:30 PM
to cas-...@apereo.org
A few questions --

Are the applications behind the same load balancer, or different ones?

Does the load balancer do SSL offloading?

How is the DNS set up for the applications behind the load balancer? E.g., can application X see the proper DNS name and IP address for CAS server Y?

Do the logs say anything special? (CAS logs, application logs, load balancer logs, etc.)


It's been working fine for us both ways for quite a while.
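A small diagnostic for the two checks raised in this thread, added here as an example and not code from any of the posters: Tom Poage's layer-2 short-circuit case (a CAS client host sharing a subnet with the CAS real servers behind a routed-mode balancer) and Christopher Myers' question of whether the application host can actually reach the CAS login URL or just hangs. The hostnames, IPs and prefix lengths below are constructed placeholders.

```python
"""Check CAS-behind-load-balancer login timeouts from an application host."""
import ipaddress
import socket
import urllib.error
import urllib.request


def shares_subnet(client_ip: str, server_ips, prefix_len: int) -> list:
    """Return the CAS real servers that sit in the same subnet as the client.

    Assumes every host uses the same prefix length. A non-empty result is the
    topology described above: with a routed-mode balancer, traffic between
    the client and a CAS server on the same L2 segment can bypass the
    balancer's gateway path, and the login request never completes.
    """
    client_net = ipaddress.ip_interface(f"{client_ip}/{prefix_len}").network
    return [ip for ip in server_ips if ipaddress.ip_address(ip) in client_net]


def probe_login(cas_login_url: str, timeout: float = 5.0) -> str:
    """Classify one GET of the CAS login page.

    Returns 'ok', 'http <code>', 'timeout' or 'error <reason>'. A 'timeout'
    while the name resolves fine points at the network path (balancer,
    subnet, SNAT) rather than at CAS or the application itself.
    """
    try:
        with urllib.request.urlopen(cas_login_url, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"http {resp.status}"
    except urllib.error.HTTPError as exc:        # subclass of URLError: catch first
        return f"http {exc.code}"
    except urllib.error.URLError as exc:         # connect-phase failures
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return "timeout"
        return f"error {exc.reason}"
    except (socket.timeout, TimeoutError):       # read-phase timeout
        return "timeout"


if __name__ == "__main__":
    # Constructed sample topology: the app host and two of three CAS real
    # servers sit on one /24, the layout the thread recommends avoiding.
    overlap = shares_subnet("10.20.30.15",
                            ["10.20.30.41", "10.20.30.42", "10.20.31.9"], 24)
    print("CAS servers on the client's subnet:", overlap or "none")
    # Placeholder URL; point it at your CAS virtual address when running.
    print("login probe:", probe_login("https://cas.example.edu/cas/login"))
```

Run it from the application host that times out, not from a CAS server, since the point is to observe the path the client actually takes.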