ze nlo adbalance r.

o rg

http://www.zenlo adbalancer.o rg/web/index.php?page=zen-lo ad-balancer-administratio n-guide

Zen Load Balancer Administration Guide

Created on December 2011 - Documentation Version v01 Table of contents: 1. OVERVIEW 2. BASIC CONCEPT S 3. Z EN INSTALLAT ION 3.1 DOWNLOAD T HE INSTALL ISO IMAGE 3.2 UPDAT ES 3.3 INSTALLAT ION PROCESS 4. ACCESS T O T HE Z EN WEB ADMINIST RAT ION PANEL 5. Z EN WEB ADMINIST RAT ION PANEL SECT IONS 5.1 MANAGE::GLOBAL VIEW SECT ION 5.2 MANAGE::FARMS SECT ION 5.2.1 EDIT FARM GLOBAL PARAMET ERS 5.2.1.1 T CP/UDP PROFILE OPT IONS 5.2.1.2 HT T P/HT T PS PROFILE OPT IONS 5.2.2 EDIT FARM REAL SERVERS 5.2.2.1 T CP/UDP PROFILE 5.2.2.2 HT T P/HT T PS PROFILE 5.2.3 VIEW STAT US FARM ACT ION 5.3 MANAGE::CERT IFICAT ES SECT ION 5.3.1 ADDING A NEW CERT IFICAT E 5.4 MONIT ORING::GRAPHS SECT ION 5.5 MONIT ORING::LOGS SECT ION 5.6 SET T INGS::SERVER SECT ION 5.7 SET T INGS::INT ERFACES SECT ION 5.8 SET T INGS::CLUST ER SECT ION 5.9 SET T INGS::CHANGE PASSWORD SECT ION 5.10 SET T INGS::BACKUP SECT ION 6. FARM GUARDIAN USAGE 6.1 PHILOSOFY 6.2 CONFIGURAT ION 7. LICENSE 1. OVERVIEW Z en Load Balancer is an Open Source Load Balancer Appliance Project that provides a f ull set of tools to run and manage a complete load balancer solution which includes: f arm and server def inition, networking, clustering, monitoring, secure certif icates management, logs, conf ig backups, etc. 2. BASIC CONCEPT S Farm is a set of servers that of f er the same service over a single one entry point def ined with an IP address and a port, which is commonly called virtual service. T he main f arm work is to deliver the client virtual service connection to the real backend service and back. Meanwhile, the f arm def inition establishes the delivery policies to every real server. Backend is a server that of f ers the real service over a f arm def inition and it process all the real data requested by the client.

Client is called to the IP address that connects to the virtual service of the initial connection that usually a user requests. T he client IP address that opens a new connection on the virtual service side is used to communicate with the user. T he same client could generate several (layer 4) connections to the virtual service, and an IP client address could be generated by several users. Application Session is a layer 7 concept which tries to identif y the requests of a single user although several clients shares the same IP client address. Real IP is a physical IP address over a layer 4 network conf iguration which is assigned to a server or NIC. Virtual IP is a f loating IP address over a layer 4 network conf iguration which is used to be the entry point of a virtual service def ined by a f arm that is ready to deliver connections between redundant load balancing nodes. 3. Z EN INSTALLAT ION 3.1 DOWNLOAD T HE INSTALL ISO IMAGE T he load balance appliance installer is able to be downloaded f rom the of f icial website that could be used to: Burn an installer CD-ROM to install under a physical machine Record on an USB device to install on a physical machine with usb boot support Install on a virtual machine through a virtualization sof tware Usually you'll be able to download the latest stable version or the latest release candidate testing version, depending of your f eature needs. T hey'll be available f rom the download section of http://www.zenloadbalancer.com. 3.2 UPDAT ES Z en Load Balancer is under continuous development with new f eatures, improves and bug f ixes, so there is a very easy way to upgrade your Z enLB to a newer version through a simple procedure. To maintain updated your Z enLB installation, be sure you've the f ollowing line into the /etc/apt/sources.list conf ig f ile: For v1 version : deb http://zenloadbalancer.sourceforge.net/apt/x86 v1/ For v2 version : deb http://zenloadbalancer.sourceforge.net/apt/x86 v2/

T hen update the apt database with the root user:

Check the last version on our of f icial repository:

And compare it with your Z enLB installed version:

If the last of f icial version is greater than your installation, you'll be able to upgrade your Z enLB through the command below:

If would be necessary you can f orce the reinstallation through the f ollowing command:

T he process will ask you "install the package without verification", select [y]. T hen the process will ask if you want to rewrite the global.conf f ile, you've to select the def ault value [N]. Finally it's recommended to restart Z en Load Balancer service at your convenience. To upgrade f rom v1 to v2 you've to f ollow all these explained steps and additionally you've to delete the RRD databases of monitoring to be automatically regenerated with the new structure. rm -rf /usr/local/zenloadbalancer/app/zenrrd/rrd/* 3.3 INSTALLAT ION PROCESS Conf igure your physical or virtual x86 machine to boot f rom your iso/cd/usb Z en Load Balancer installer. T hen a splash is going to be loaded to start the install process.

Select "Install" option and continue. Z en Load Balancer is distributed under a standard ISO f ormat built on top of the common GNU/Debian Linux stable distribution. If you're f amiliar with this distribution then you should have no problems installing Z enLB. Select your language, location and keyboard map.

Later the installer is going to detect the hardware components and load additional sof tware components. Just wait a f ew seconds. Now the installation process will conf igure the network interf ace, you must set up a static IP address that it's going to be used in the startup to access to the Z en web administration panel. Other conf ig data like netmask, gateway and dns will be requested.

Set up a hostname f or the load balancer.

Set up the domain name f or your organization.

Introduce the root system password and repeat to validate. T his password will be used when you access over a console or ssh to the Z en Load Balancer system.

Set your timezone, once Z en LB is installed the local time will be syncronized every hour with ntp.pool.org servers.

Conf igure your partition disk, if you haven't experience with Linux environment you can select Guide use entire disk and automatically the system will be installed with a conf iguration by def ault. Experimented users could select their custom installation. It would be interesting to know that a special disk space is not needed to work with Z en Load Balancer, although minimal recommended is 1 GB of f ree space f or the whole operating system. On this example we select the option by def ault.

If you've got more than one disk on your machine, you can select one of them here to be installed.

T he partition table can be modif ied through the f ollowing menu.

Finish and continue.

Select Yes to apply the changes and continue.

Now you've to wait some seconds while the system is installed on your disk with your custom conf iguration.

Now you've your brand new Z enLB installation and f inally it's necessary to restart the system.

On the boot process is shown your management IP address conf igured and the system started.

Remember that the conf igured root password on the installation process would be needed to enter to the system on the server via ssh or console. 4. ACCESS T O T HE Z EN WEB ADMINIST RAT ION PANEL Once the Z en Load Balancer distro is installed into your server, you've to access through the secure URL shown below: https://<zenlb_ip_address>:444 T he f irst time you enter to the administration panel, you've to accept the secure certif icate of Z enLB and then a login window will appear.

T he def ault credentials to get into the Z en web administration panel are the f ollowing: User name: admin Password: admin T hese credentials could be changed through the Settings::Change Password section. 5. Z EN WEB ADMINIST RAT ION PANEL SECT IONS T he menu bar is distributed by the sections of Manage, Monitoring, Settings and About. 5.1 MANAGE::GLOBAL VIEW SECT ION

T he Global View section is used to know the actual instant state of the system, like a photo system status. Under this section you'll be able to analyse the f arms state, memory, cpu consumption, established connections and the % of established connections f rom the total system connections consumed by every f arm. T he Global Farms Inf ormation table summarizes the f arm status you'll be able to control the f arms status with a simple view, which of them are on UP status, how many resources are using and which is on DOWN status.

With this table you can analyse: o T he % of cpu usage by the f arms o T he % of memory usage by the f arms o T he number of "Total connections on system" shows the concurrent connections that is used by the f arm compared with the total connections established on the system. T he Memory table shows the global memory status measured in Megabytes.

MemTotal: It's the total ram memory on the system. MemFree: It's the total f ree memory not cached by the system. MemUsed: It's the memory used by the system. Buffers: It's the memory used by the buf f ers. Cached: It's the total memory cached by the system. SwapTotal: It's the total swap memory reserved. SwapFree: It's the total f ree memory not used by swap, on optimal systems it should be the same that SwapTotal. SwapUsed: It's the swap used memory by the system, on optimal systems should be 0.

T he Load table shows the system load:

T he Network Traf f ic Interf aces table shows the traf f ic used by the system since last time that it was switched on:

5.2 MANAGE::FARMS SECT ION Under the Farms section you'll be able to access to the main conf iguration panel of virtual services. T hrough the Add New Farm icon, you can def ine a new f arm with the next properties:

Farm Description Name: It's an identif ication f or the f arm and could be used to def ine a description of the virtual service to be provided. Profile: Def ine the level of the sNAT load balancing method. You could choose one of the next types: TCP: It's a simple load balancing that deliver traf f ic in raw T CP data. T he basic mechanism is about open 2 sockets f or every connection, one to the client and other to the real server, and then deliver the raw data between them. T he selection of this method could be adecuated f or protocols like SMT P, RDP, IMAP, LDAP,

SSH, etc. UDP: It's a simple load balancing that deliver traf f ic in raw UDP data. T he basic mechanism is about open 2 sockets f or every connection, one to the client and other to the real server, and then deliver the raw data between them. T he selection of this method could be adecuated f or protocols like DNS, NT P, T FT P, BOOT P, SNMP, etc. HTTP: It's an advanced only HT T P layer 7 load balancing (or Application Delivery Controller) with proxy special properties. T his method is adecuated f or web services (web application servers included) and all application protocols based on HT T P protocol like WebDav, RDP over HT T P, ICA over HT T P, etc. HTTPS: It's an advanced only HT T PS layer 7 load balancing (or Application Delivery Controller) combinated with SSL wrapper acceleration. In this case, the communication between the client and the load balancer is secure through HT T PS, meanwhile the communication between the load balancer and the real server is clear through HT T P. Virtual IP: T he list shows all the IP addresses available in the system network conf iguration to be used to conf igure a virtual service f or a f arm. T his IP would be the bind address where the virtual service will be listen on f or client requests. If the cluster service is enabled then the physical IP address of the cluster nodes and the management web GUI IP address aren't listed. Virtual Port: T his f ield has to be a port number available on the system, where the virtual service will be listen in. It's not possible to def ine two f arms through the same virtual IP and port. To f inalize the process adding a new f arm press the Save button.

Once the new f arm is created, it will be shown under the Farms Table with the basic data about the virtual service: the virtual IP, the virtual Port, the f arm connections, PID, status, prof ile and actions. T he connections data is collected f rom the system netstat. T he Pending Conns are calculated with the SYN requests that are pending to be processed in the system f or this f arm. T he Established Conns are calculated with the ESTABLISHED requests that are processing currently.

T he Closed Conns are calculated with the CLOSE WAIT connections that have been processed in the system. T he status f ield shows the state of the f arm system process with a green dot if the f arm is up and a red dot if the f arm is down. T he actions available f or a running f arm are: Stop Farm: T he selected f arm will be stopped, and the virtual service will be disabled. Once the f arm is stopped, it will not be started at the boot up process of the load balancer. T he status f ield will be shown with a red dot and the PID will be disappeared. A conf irmation window will be shown. Edit Farm: You've to select this action to edit the f arm properties and the def inition of the real servers f or the current f arm. T he properties to be conf igured depends on the load balancing prof ile selected f or the current virtual service. Delete Farm: T his action disables the current f arm and removes the virtual service. A conf irmation window will be shown. View Farm Status: T his action shows a complete backend status, pending connections, established connections and closed connections of every real server, the clients and the properties f or every backend. 5.2.1 EDIT FARM GLOBAL PARAMET ERS In this panel you'll be able to set the parameters f or improving your f arms perf ormance and the basic f unctionalities of your virtual service. T he properties of the Edit Farm Action depends on the prof ile type that we've selected while the f arm was created. T he common parameters f or all f arm prof iles are the f ollowing: Farm's name. It's the identif ication f ield and a description f or the virtual service. To change this item you've to modif y the name f ield and press the Modif y button. T he load balancing service will be restarted automatically af ter applying this operation. Be sure the new f arm name is available, if not, an error message will appear.

Backend response timeout. It's the max seconds that the real server has to respond f or a request. If the

backend response is too late, then the server will be marked as blacklisted. T he change of this parameter is applied online f or T CP and UDP prof iles. To be applied f or HT T P and HT T PS, the f arm needs to be restarted manually through the restart icon . Frecuency to check resurrected backends. T his value in seconds is the period to get out a blacklisted real server and checks if is alive. Note that the backend will not be in up status until the f irst successf ul connection is done. T he change of this parameter is applied online f or T CP and UDP prof iles. To be applied f or HT T P and HT T PS, the f arm needs to be restarted manually through the restart icon . Farm Virtual IP and Virtual Port. T hese are the virtual IP address and virtual port in which the virtual service f or the f arm will be bind and listening in the load balancer system. To make changes in these f ields, be sure the new virtual ip and virtual port are not in use. To apply the changes the f arm service will be restarted automatically f or T CP and UDP prof iles. To be applied f or HT T P and HT T PS, the f arm needs to be restarted manually through the restart icon . 5.2.1.1 T CP/UDP PROFILE OPT IONS

T he specif ic parameters f or a simple T CP or UDP f arm are the f ollowing: Load Balance Algorithm. T his f ield shows the dif f erent load balancing algorithms that are possible to be conf igured f or the current f arm. Four algorithms are available. Selecting an unappropiate algorithm f or your service inf rastructure could cause a lot of processor consumption over the load balancer. To apply the changes check the Modif y Button and the new algorithm will be applied on line without restarting the f arm.

Here you've a brief explanation about the available algorithms f or T CP and UDP prof iles.

Round Robin equal sharing. An equal balance of traf f ic to all active real servers. For every incoming connection the balancer assigns the next round robin real server to deliver the request. Hash sticky client. T he Farm will create a hash string f or each IP client and send each connection f rom that hash to the same real server. A hash table is created with the real servers and the requests are assigned through the f ollowing algorithm: index = cli % nServers Where index is the index of the real server hash table, cli is the integer representation of the IP address and the nServers is the number of real servers available. T his algorithm is a way to create persistence through the IP address, but its more powerf ul if youve a variety of subnets clients accessing to your service (f or example, an international service). Weight connection linear dispatching by weight. Balance connections depending on the weight value, you have to edit this value f or each real server. T he requests are delivered through an algorithm to calculate the load of every server using the actual connections to them, and then to apply a linear weight assignation. Priority connections to the highest priority available. Balance all connections to the same highest priority server. If this server is down, the connections switch to the next highest server. With this algorithm you can build an Active-Pasive cluster service with several real servers. Enable client ip address persistence through memory. For every algorithm a persistence by ip address client could be conf igured. With this option enabled all the clients with the same ip address will be connected to the same server. A new incoming connection is delivered to the selected server by the algorithm and stored in the memory table. T he next times the client will be connected is delivered to this same server. T his behaviour provides a basic persistency by ip address. To apply the changes you've to press the Modif y Button and will be modif ied on line on the load balancer service. T his option is not available f or UDP f arms. Max number of clients memorized in the farm. T his values have only sense if you enable the client ip persistence. T he client f ield is about the max number of clients that will be possible to memorize and the time value is the max time of lif e f or this clients to be memorized (the max client age). To change these values you've to press the Modif y Button and then the f arm service will be restarted automatically. T his option is not available f or UDP f arms.

Max number of simultaneous connections for the virtual IP. It's the max value of established connections and active clients that the virtual service will be able to manage. For UDP f arms this value indicates the max pending packets to be processed by the virtual service. To change this f ield the f arm will be restarted automatically.

Max number of real ip servers. It's the max number of real servers that the f arm will be able to have conf igured. To change this value the f arm service will be restarted automatically. Add X-Forwarded-For header to http requests.

T his option enables the HT T P header X-ForwardedFor to provide to the real server the ip client address. To change this f eature will be applied online. By def ault is disabled. T his option is not available f or UDP f arms. Use farmguardian to check backend servers. Checking this box will enable a more advanced monitoring state f or backends and totally personalized f or your our scripts. When a problem is detected by f armguardian automatically disables the real server and will be marked as blacklisted. T his is an independent service so you've not to restart the f arm service. To get more details about this service, please read the FarmGuardian section. T his option is not available f or UDP f arms.

5.2.1.2 HT T P/HT T PS PROFILE OPT IONS

T he vast majority of parameters you'll be able to conf igure in a HT T P/HT T PS f arm, needs a manual restart of the f arm service, so a T IP message will be appear to alert at the administrator that there are global parameters or backend changes that needs to restart the service through the icon bef ore be applied. T he system administrator is able to modif y whatever parameters are needed and then restart the f arm service to apply all them at the same time.

Note that in the HT T P/HT T PS f arms prof ile, the HT T P header X-Forwarded-For is included by def ault with

the IP client address data. By contrast with the T CP or UDP f arms prof ile, the HT T P/HT T PS prof ile use a weight algorithm implicitly. T he specif ic parameters f or advanced HT T P or HT T PS f arm are the f ollowing: Persistence session. T his parameter def ines how the f arm service is going to manage the client session and what HT T P connection f ield has to be controlled to maintain saf e client sessions. When a type of persistence session is selected a persistence session T T L will appear. No persistence. T he f arm service won't control the client sessions and the HT T P or HT T PS requests will be f ree delivered to real servers. IP client address . T he IP client address will be used to maintain the client sessions through the real servers. BASIC basic authentication. T he HT T P basic authentication header will be used to control the client sessions. For example, when a web page request a basic authentication to the client a HT T P header will contain a string like the f ollowing:

HTTP/1.1 401 Authorization Required Server: HTTPd/1.0 Date: Sat, 27 Nov 2011 10:18:15 GMT WWW-Authenticate: Basic realm="Secure Area" Content-Type: text/html Content-Length: 31

T hen the client answer with the header:

GET /private/index.html HTTP/1.1 Host: localhost Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

T his basic authentication string is used like an ID f or the session to identif y the client session. URL a request parameter. When the session ID is sent through a GET parameter with the URL will be possible to use this option indicating the parameter name associated with the client session ID. For example, a client request like " http://www.example.com/index.php?sid=3a5ebc944f41daa6f849f730f1 " has be conf igured as shown below:

To conf igure the URL session persistence, you've to select this option in the Persistence Session f ield and then press the Modif y Button. Later, two new f ields will be shown: Persistence session time to limit (TTL). T his value indicates the max time of lif e f or an inactive client session (max session age). Persistence session identifier. T his f ield is the URL parameter name that will be analyzed by the f arm service and will manage the client session. Af ter conf iguring this items and pressed the Modif y Button, it's needed to restart the f arm service to apply the changes. PARM a URI parameter. Another way to identif y a client session is done through a URI parameter. T his is a f ield separated by a semicolon like the f ollowing " http://www.example.com/private.php;EFD4Y7 " To conf igure this kind of persistence is suf f icient to select the PARM option and press the Modif y Button. Finally, to apply the changes will be necessary to restart the f arm service. COOKIE a certain cookie. Also, you'll be able to select a http cookie variable to maintain the client session through the COOKIE option. A cookie has to be created by the programmer into the webpage to identif y the client session, f or example: GET /spec.html HTTP/1.1 Host: www.example.org Cookie: sessionidexample=75HRSd4356SDBfrte With this specif ication, the f ollowing conf iguration will be needed:

Af ter conf iguring this items and pressed the Modif y Button on all of them, it's needed to restart the f arm service to apply the changes. HEADER a certain request header. A custom f ield of the HT T P header could be used to identif y the client session. For example:

GET /index.html HTTP/1.1 Host: www.example.org X-sess: 75HRSd4356SDBfrte With this specif ication, the f ollowing conf iguration will be needed:

Af ter conf iguring this items and pressed the Modif y Button on all of them, it's needed to restart the f arm service to apply the changes. HT T P verbs accepted. T his f ield indicates the operations that will be permitted to the HT T P client requests. If a not permitted verb is requested an error will be shown to the client. Standard HTTP request . Accept only standard HT T P requests (GET, POST, HEAD). + extended HTTP request . Additionally allow extended HT T P requests (PUT, DELET E). + standard WebDAV verbs. Additionally allow standard WebDAV verbs (LOCK, UNLOCK, PROPFIND, PROPPAT CH, SEARCH, MKCOL, MOVE, COPY, OPT IONS, T RACE, MKACT IVIT Y, CHECKOUT, MERGE, REPORT ). + MS extensions WebDAV verbs. Additionally allow MS extensions WebDAV verbs (SUBSCRIBE, UNSUBSCRIBE, NOT IFY, BPROPFIND, BPROPPAT CH, POLL, BMOVE, BCOPY, BDELET E, CONNECT ). + MS RPC extensions verbs. Additionally allow MS RPC extensions verbs (RPC_IN_DATA, RPC_OUT _DATA). To apply any of these options, press the Modif y Button and restart the f arm service. HT T PS Certificate. T he SSL certif icate is only available f or HT T PS f arms, where a list of certif icates will be shown to be selected f or the current f arm. T his list could be modif ied under the Manage::Certificates section. To apply this conf iguration press the Modif y Button and restart the f arm service. Personalized error messages. T hrough the personalized error messages, the f arm service is able to answer a custom message of your site when a web code error is detected f rom the real servers. A personalized HT ML page will be shown.

To apply the changes press the Modif y Button and restart the f arm service. 5.2.2 EDIT FARM REAL SERVERS Once a new f arm is created, you've to include the servers with the real services to deliver the input connections. Under the Edit real IP servers table conf iguration you'll be able to include the conf iguration backends f or every backend and their specif ic parameters.

T he common properties to be entered f or a real backend are the f ollowing: Server. It's an automatic ID established to be an index f or the real server. T he system administrator can't change this value. Address. It's the IP address of the real service. Port. It's the port of the real server in which the real service is listening on. 5.2.2.1 T CP/UDP PROFILE With a T CP or UDP f arm, you'll be able to conf igure the f ollowing properties: Max connections. It's the max number of concurrent connections that the current real server will be able to receive. T his value must be less than the Max clients of the Global Parameters.

Weight . It's the weight value f or the current real server which is only usef ul if the Weight Algorithm is enabled. More weight value indicates more connections delivered to the current backend. Priority. It's the priority value f or the current real server which is only usef ul if the Priority Algorithm is enabled. T he priority value accepted is between 1 and 9, less value indicates more priority to the current real server.

With the Save Real Server button you'll apply the new conf iguration, or you'll be able to cancel the process through the button. A message with the result will be displayed.

Once the real server conf iguration is entered, you'll be able to edit the conf ig throught the Edit button or delete the conf iguration with the Delete Real Server button.

T he server index is usef ul to identif y the real server conf iguration f or the current f arm. T he changes of the real servers conf iguration f or the T CP and UDP prof iles are applied online, and a restart action isn't needed. 5.2.2.2 HT T P/HT T PS PROFILE With a HT T P or HT T PS f arm, you'll be able to conf igure the f ollowing properties: T imeout . It's the specif ic value of timeout f or a backend to response. T his value override the global timeout f arm parameter f or the current backend. Weight . It's the weight value f or the current real server. By def ault a value of 5 is established.

With the Save Real Server button you'll apply the new conf iguration, or you'll be able to cancel the process. For the HT T P/HT T PS f arm prof ile a message with the result will be displayed and a restart action will be requested to the administrator to the changes take ef f ect. To apply the new conf iguration you have to restart the f arm through the restart button .

T he T IP message will not disappear until the f arm is restarted. Once the real server conf iguration is entered, you'll be able to edit the conf ig throught the Edit button or delete the conf iguration with the Delete Real Server button.

T he server index is usef ul to identif y the real server conf iguration f or the current f arm. T he changes of the real servers conf iguration f or the HT T P and HT T PS prof iles needs a manual f arm restart. 5.2.3 VIEW STAT US FARM ACT ION T his action shows the actual state of backends, clients and connections that are being delivered f rom the virtual service to the real servers.

T he Real Server Status table shows the state of every backend: Server . It's the backend identif ication number. Address. It's the real server IP address. Port . It's the port number where the real service of the current real server is listening on. Status. A red dot means that the current real server is down or blacklisted, meanwhile a green dot means that the backend is online and delivering connections. Pending Conns. T his is the number of pending connections in the system that are on SYN state f or the current backend, indepently of f arm service. Established Conns. T his is the number of established connections in the system that are on ESTABLISHED state f or the current backend, indepently of f arm service. Closed Conns. T his is the number of closed connections in the system that are on T IME_WAIT state f or the current backend, indepently of f arm service. Clients. It's the number of clients (unique IP addresses) that are associated with the current backend server. T his is only available f or T CP f arms. Sessions. It's the number of HT T P client sessions that are associated with the current backend server. T his is only available f or HT T P and HT T PS f arms. Weight . It's the weight value established f or every backend. Priority. It's the priority value established f or every backend server. T his option is only available f or T CP and UDP f arms. To analyze with details the clients, sessions and connections to the backends, you've to expand the Client sessions status or Active connections tables to show all this inf ormation pressing the Maximize button.

Note that f or very high load f arms showing this table could slowdown the machine and could be shown a

very large table. 5.3 MANAGE::CERT IFICAT ES SECT ION T he Certif icates inventory table is used to manage the SSL certif icates to be used f or the HT T PS prof ile f arms.

All the certif icates has to be generated a PEM f ile extension to be valid f or HT T PS f arms. By def ault a zencert.pem certif icate is possible to be used and is not able to be deleted. T he uploaded certif icate f ile must contain a PEM-encoded certif icate, optionally a certif icate chain f rom a known Certif icate Authority to your server certif icate and a PEM-encoded private key (not password protected).

5.3.1 ADDING A NEW CERT IFICAT E To upload a custom certif icate it's necessary to press the button Upload Certif icate to be used f or SSL wrapper. A new window is shown to upload a custom certif icate through the Browse... button on your local computer.

To upload the new certif icate f ile it's needed to press the Upload button. Automatically, the new f ile will be

accessible f or the balancer.

T hen we're able to select the certif ied uploaded to be used f or the HT T PS f arms. 5.4 MONIT ORING::GRAPHS SECT ION T his section is usef ul to monitorize the internal load balancer system to detect problems through the parameters of CPU usage, swap memory, ram memory, all conf igured nework interf aces, load and hard disk storage. All the graphs that are shown in the f irst page are the daily progress value of every parameter. Also, you'll be able to access to the weekly, mothly and yearly history through the button. 5.5 MONIT ORING::LOGS SECT ION T his section is used to access to the system logs. To display the logs you've to select one of the log f iles and then establish the number of tailed lines to be shown pressing the See logs button.

T he f iles are associated to the f ollowing services: ucarp.log. Log f ile f or cluster service. zenlatency.log. Log f ile f or latency service launcher of ucarp service. zeninotify.log. Log f ile f or conf ig replication service.

mini_https.log. Log f ile f or the web gui http service. zenloadbalancer.log. Log f ile f or the global zen load balancer actions service through the web GUI. farmguardian.log. Log f ile f or f armguardian advanced monitoring service. 5.6 SET T INGS::SERVER SECT ION T his section provides some global parameters f or the load balancer server system.

T he meaning of these parameters are the f ollowing: T ime out execution Z en GUI CGIs. T he Z en GUI web administration panel has been implemented in perl CGI, so this is the time limit to execute the cgi. If the page execution exceed this timeout, the process will be killed. NT P server . Time server to syncronize the date-time of the system. Rsync replication parameters. T hese are the parameters to syncronize the conf ig data of the cluster replication. Do not change this settings if you dont know what are you doing. Physical interface where is running the GUI service . T his is the interf ace where the web panel service

will be bind to. It's saf e to keep the All interfaces enabled. To apply the changes it's needed to restart the GUI service. DNS servers. T his is the /etc/resolv.conf f ile content to apply the DNS servers f or the system. APT repository. T his is the /etc/apt/sources.list f ile content to apply the APT repositories f or the system. T hese apt servers have to be appropiately updated when a system upgrading is needed. 5.7 SET T INGS::INT ERFACES SECT ION T his section is the main network conf iguration panel f or Z en Load Balancer, where will be shown the network interf aces table f or physical, virtual and vlan interf aces, and the def ault gateway conf iguration f ield.

At the Interf aces Table will appear all the physical network interf aces installed in the system af ter the Z enLB installation. T he meaning of every table f ields are the f ollowing: Name . It's the name of the current interf ace and will be unique. T he virtual interf aces will be identif icated by a colon ":" character within the interf ace name, meanwhile the vlan is identif icated by a dot "." character within the interf ace name which will be the vlan tag. Addr . It's the IP address in ipv4 f ormat f or the current network interf ace. HWAddr . It's the MAC physical address f or the current network interf ace. Note that the virtual and vlan network interf aces have the same MAC address of its parent physical interf ace. Netmask. It's the netmask of the network interf ace, which def ines the subnet of the network f or the current interf ace. Gateway. It's the gateway f or the current network interf ace. Z enLB could work with independent route tables f or every physical or vlan network interf aces. Virtual interf aces always inherit the gateway f rom the parent physical or vlan interf ace. Status. A green dot means the interf ace is UP and running, meanwhile a red dot means an interf ace is DOWN. Sometimes a disconnect icon will be shown when the interf ace is UP but it hasn't link.

Actions. T he action icons are used to apply changes to the current network interf ace. Applying a certain action could af f ect to one or more network interf aces. Down interface. Disables the current interf ace.

Up interface. Enable the current interf ace. Edit interface. Change the current network interf ace conf iguration. To apply the changes press the Save & Up! Button.

Add virtual interface. Adds a new virtual interf ace inherited f rom the current network interf ace. Creating a new virtual interf ace will appear a f ield with a colon ":" character that will be used to establish an identif ication f or the virtual interf ace. T he IP address has to be under the same subnet that the parent interf ace.

To apply the changes you have to press the Save button. Press the Cancel button to reject the changes. Add vlan interface. Adds a new vlan interf ace inherited f rom the current network interf ace. Creating a new vlan interf ace will appears a f ield with a dot "." character that will be used to establish an identif ication f or the vlan interf ace. T he IP address could be dif f erent of the parent interf ace.

To apply the changes you have to press the Save button. Press the Cancel button to reject the changes. Delete interface. T his action disables and delete the current interf ace if it's possible.

Some actions are locked. T his icon means that some actions are locked and disabled temporarily. Some reasons to this behaviour are the f ollowing: GUI service is bind to a certain interface. In this case, a home icon is shown and some actions are disabled to be saf e f rom bad conf igurations that could produce an unaccessible zen web GUI.

To restablish the actions, you've to go to the Settings::Server section and bind the GUI service over all interf aces, and f inally restart the GUI service. Cluster configuration. In this case, the cluster has been conf igured and the interf aces conf iguration is only enabled when the cluster is disabled.

Finally a def ault gateway f or the system could be established through the Def atul gateway table.

To change this f ield, you've to press the edit button and enter the gateway address and interf ace.

To apply the new conf iguration press the Save button or Cancel to reject the changes. To remove the def ault gateway press the Delete Button. 5.8 SET T INGS::CLUST ER SECT ION On this section you can conf igure the cluster service and check the cluster service status. During the cluster process conf iguration you don't have to access to the second node, as the conf iguration will be replicated automatically.

Cluster status. It's a global view of cluster elements, you can reload the check here Virtual IP for Cluster, or create new virtual here . Select a virtual ip that will be used f or the cluster service, if you didn't conf igure one, please go to Settings::Interface and conf igure one, this virtual interf ace is only needed to be conf igured on the f irst node that you are conf iguring the cluster service.

Local hostname and Remote Hostname . Once a virtual interf ace is selected the hostnames and IP address inf ormation about the cluster nodes are needed.

Press the Save button to save the changes. At this point, it's needed that the physical IP f or both nodes are conf igured over the same physical interf ace that the "virtual IP Cluster" on the last step (f or example, eth0). Remote Hostname root password . Enter the second node root password, this inf ormation won't be memorized, it's only needed to conf igure the RSA comunication over the both nodes.

Once the Configure RSA Connection between nodes is pressed the communication process is executed and if everything is right you'll see messages as shown below.

Pressing the Test RSA connection button will check that the RSA communication f rom the current node to the remote node is working f ine. A message like the f ollowing will appear if everything is right.

Select the cluster type . T hrough this combo you can choose the behaviour of the cluster service.

--Disable cluster on all hosts--:T he cluster service will be stopped and disabled on both nodes. Only use this option if you need to stop the cluster service to make changes or disable the cluster service. node1 master and node2 backup automatic failback: If node1 is detected as down the node2 will take over the load balancing service. When node1 is restored the service will automatically switch back to node1. You should choose this option when node1 is a more powerf ul server than node2. node1 or node2 can be masters: anyone can be master, there is no automatic f ailback when one node is recovered. If you have two very similar servers f or node1 and node2 that can both handle the f ull load of your traf f ic then you can use this option. To connect two Z en Load Balancer servers over cross over cable f or cluster communication you have to check this option: Now press to save the changes. T he cluster service is going to start on both nodes and at the end of the process these messages will appear.

Processes are going to be launched on background to conf igure the cluster, at this point you can press the ref resh icon to update the cluster status view. If the cluster is conf igured and working f ine you can see a similar view like this:

On this view will be shown the cluster services and the status that we describe on the next lines: Z en latency. Is a launcher of UCARP service, this service has to be running on both cluster nodes, and check that the communication between nodes is OK. Cluster IP . T his IP is UP only on the master node and conf igured but DOWN on the backup node.

Z en inotify. T his service has to be running only on the master node and will send to the backup node all the conf iguration and changes of networking and f arms. Over the cluster conf igured view you can: Reload the check for testing that the cluster service are working like a charm. Force cluster sync from master to backup . T his manual f orce is usef ul af ter a cluster service recovery. Test the RSA connection . Verif y that the RSA connection between nodes is working f ine that it's needed f or syncronization over zen inotif y service. Force failover . Switch the cluster service node. It's usef ul if you need to do some maintenance tasks on the master server or to test the cluster service. For node1 master and node2 backup automatic failback cluster type will be switched f or only 30 seconds, af ter that, the cluster service will be switched back to node1. Once the cluster service is conf igured you'll be able to change the cluster type but the service could produce some outages. Over the web GUI is easy to identif y which is the cluster role f or both nodes. On the upper side of the webpage will show this message f or the master node: And f or the backup node: Once the cluster service is running on both nodes you only have to connect to master node to apply changes f or f arms and interf aces, which will be automatically conf igured and replicated to the backup node. 5.9 SET T INGS::CHANGE PASSWORD SECT ION In this section you'll be able to change the web admin user password.

It's necessary to insert the current password and a repeated new password. Pressing the Change button will change the admin web password. Optionally you'll be able to sync the admin password with the root system password through the Change & Sync with root password button. 5.10 SET T INGS::BACKUP SECT ION With the Backup option you can save the conf igurations on the Z enLB server and download to your local

computer.

On this panel you can create, restore, upload and download backup f iles. T he Description name f ield will be the identif ication f or the backup f ile to be generated pressing the Create Backup button. Please, do not include blank spaces. T he new backup f ile generated will be listed on the Backup f iles table:

T he actions to be applied are the f ollowing: : T hrough this icon you can download the selected f ile. : T hrough this icon you can delete the selected backup f ile. : T hrough this icon you can apply this backup. T he conf ig f iles will be rewritten if exists. : T hrough this icon you can upload a backup f ile. It's usef ul if you've created a backup and downloaded it f or security reasons. If you press this icon a window will be shown:

Pressing the Browse... button you'll be able to navigate through your local f iles to select your backup f ile to be uploaded. It is important to know that the f ile need to f ollow the next pattern: backup-description.tar.gz If you modif y the pattern, then the f ile isn't going to be listed on the Settings::Backup section. 6. FARM GUARDIAN USAGE 6.1 PHILOSOPHY By def ault Z en Load balancer checks the tcp backends port status, but sometimes this check its not enough to conclude that the backend status is working f ine. To solve this problem Z en Load Balancer implement a way to execute an advanced and personalized backends checks called Farm Guardian. With this advanced monitoring application you can develope your own personalized scripts or use some available scripts under the /usr/local/zenloadbalancer/app/libexec/ directory. Farm Guardian checks the execution error output f rom the selected script ($? = 0 when there isn't error f or the backend and $? <> 0 when there is an error f or the backend). All scripts used by Farm Gardian have to accept two minimal input arguments, HOST and PORT (HOST =backend ip, PORT = port backend). Farm Guardian connects to your f arm and will list the backends and ports. T hen the selected script will be runned f or each server replacing the HOST and PORT token string by each backend and port conf igured on your f arm. 6.2 CONFIGURAT ION At the moment, Farm Guardian is only implemented f or T CP prof ile:

To enable the Farm Guardian monitoring check the box Use FarmGuardian to check Backend Servers and establish the time period of checks: Now select a def ault script under the path /usr/local/zenloadbalancer/app/libexec or include your own script on that directory:

Farm Guardian connects to the f arm to obtain the backend list and execute this script f or each of them. Reading the output of the execution through the $? variable we could determine that if the web content on a real server doesn't contain the string It works, the current backend will be marked as blacklisted.

It's recomended to read the help page of check_http script to understand this example.

You can activate the execution logs f or Farm Guardian checking the Active logs checkbox. 7. LICENSE T his documentation has been created by the Z en Load Balancer Developers Team f or the Z en Load Balancer GNU/GPL Project. T his documentation is licensed under the terms of the GNU Free Documentation License. T his programm is licensed under the terms of the GNU General Public License.