Setting High Availability Configuration for the Proxy

Learn how to set up a High Availability configuration for the proxy.

You can set up a high availability configuration for the proxy. High availability architecture ensures that at least one proxy continues to function through different demand loads and failure types.

The Oracle NoSQL Database Proxy can run in one or multiple dedicated hosts. It can also be hosted inside the nodes of the data store. You can use a Load Balancer as the front end, which has a back end set of multiple NoSQL proxies on different hosts.

HAProxy is open-source software that offers a high availability Load Balancer and proxy for HTTP and TCP applications. You can use the HAProxy software as a Load Balancer in front of multiple NoSQL proxies.

Note:

There are other Load Balancers available. This topic demonstrates the concepts using HAProxy as the Load Balancer.

For example, consider a data store with three dedicated proxy hosts: proxy1-nosql, proxy2-nosql, proxy3-nosql. To set up a high availability configuration for the proxy, you can configure the hosts proxy1-nosql, proxy2-nosql, proxy3-nosql as Oracle NoSQL Database proxies in the back end. Install and configure the HAProxy software on the node where you have installed the Load Balancer (external node). The Load Balancer routes requests to the proxies.

Configuring NoSQL Database Proxy in the hosts

Ensure that you have deployed the data store.

  • Start the HTTP proxy on each of the hosts, proxy1-nosql, proxy2-nosql, proxy3-nosql as follows:

    Non-secure data store:
    java -jar $KVHOME/lib/httpproxy.jar -helperHosts <kvstore_helper_host:5000> -storeName <kvstore_name> -httpPort 8080 -verbose true

    For details, see Using the Proxy in a non-secure data store.

    Secure data store:
    java -jar $KVHOME/lib/httpproxy.jar -helperHosts <kvstore_helper_host:5000> -storeName <kvstore_name> -httpsPort 8443 -storeSecurityFile $KVROOT/security/proxy.login -sslCertificate certificate.pem -sslPrivateKey key-pkcs8.pem -sslPrivateKeyPass <privatekey_password> -verbose true

    For details, see Using the Proxy in a secure data store.

    Note:

    Instead of creating a certificate for each NoSQL proxy, you can create only one certificate with Subject Alternative Names (SAN). This simplifies the configuration in the following scenarios:
    • When you need to rotate the certificate. You only have one certificate to manage and share.
    • When a server has multiple names.
    • When using the IPs.

    For more details on using SAN, see Generating Certificate and Private Key for Proxy.

  • Verify that the proxy is functioning.

    Non-secure data store:
    http://<proxy1-nosql>:8080/V2/health

    Secure data store:
    https://<proxy1-nosql>:8443/V2/health

Configuring the Load Balancer

  • Install the HAProxy software on the external node, for example, <LB-hostname> to run the Load Balancer.

    Note:

    Oracle NoSQL Database documentation does not provide instructions to set up a Load Balancer. You must implement it as a prerequisite before configuring the high availability proxy setup.
  • Configure the HAProxy software:

    The examples serve as a guideline to configure an open-source Load Balancer in the Oracle NoSQL HTTP proxy context.

    Add the following lines at the end of the file /etc/haproxy/haproxy.cfg.

    This configures the HAProxy to route requests to the proxies: proxy1-nosql, proxy2-nosql, proxy3-nosql.

    Example: Non-secure data store
    # Configure HAProxy to listen on port 8080
    frontend http_front
       bind *:8080
       stats uri /haproxy?stats
       default_backend http_back
    
    # Configure HAProxy to route requests to Oracle NoSQL Database proxy hosts on port 8080
    backend http_back
       balance roundrobin
       server proxy1-nosql <IP_node1>:8080 check
       server proxy2-nosql <IP_node2>:8080 check
       server proxy3-nosql <IP_node3>:8080 check

    Example: Secure data store

    Depending on your Load Balancer, you can use one of the following sample configurations:
    • SSL passthrough configuration:

      The Load Balancer passes encrypted HTTPS traffic directly to the back end servers without decrypting the traffic on the Load Balancer. Here, the Load Balancer and proxies use the same SSL certificate.
      # Configure HAProxy to listen on port 8443
      frontend http_front
         bind *:8443 ssl crt /etc/haproxy/certs/full.pem
         timeout http-keep-alive 20s
         stats uri /haproxy?stats
         default_backend http_back
      
      # Configure HAProxy to route requests to Oracle NoSQL Database Proxy hosts on port 8443
      backend http_back
         balance roundrobin
         timeout http-keep-alive 20s
         server proxy1-nosql <IP_node1>:8443 check maxconn 20 ssl verify none
         server proxy2-nosql <IP_node2>:8443 check maxconn 20 ssl verify none
         server proxy3-nosql <IP_node3>:8443 check maxconn 20 ssl verify none
    • SSL Bridging configuration:

      The Load Balancer decrypts all HTTPS traffic when it arrives at the Load Balancer, and encrypts the traffic to the destination server. This configuration allows the Load Balancer and the proxies to use different SSL certificates.
      # Configure HAProxy to listen on port 8443
      frontend http_front
        bind *:8443 ssl crt /etc/haproxy/certs/full.pem
        timeout http-keep-alive 20s
        stats uri /haproxy?stats
        default_backend http_back
      
      
      # Configure HAProxy to route requests to Oracle NoSQL Database Proxy hosts on port 8443
      backend http_back
        balance roundrobin
        timeout http-keep-alive 20s
        server proxy1-nosql <IP_node1>:8443 check maxconn 20 ssl ca-file /root/proxy1-nosql.pem
        server proxy2-nosql <IP_node2>:8443 check maxconn 20 ssl ca-file /root/proxy2-nosql.pem
        server proxy3-nosql <IP_node3>:8443 check maxconn 20 ssl ca-file /root/proxy3-nosql.pem
  • Restart HAProxy and validate its status:
    sudo systemctl stop haproxy.service
    sudo systemctl start haproxy.service
    sudo systemctl status haproxy.service
  • Verify that the Load Balancer is working.

    Non-secure data store:
    http://<LB-hostname>:8080/V2/health

    Secure data store:

    https://<LB-hostname>:8443/V2/health
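
As an added example (not part of the Oracle documentation), the following shell functions audit the `server` lines of an HAProxy configuration like the secure data store samples above and report whether each back-end connection is plaintext, TLS with `verify none` (the proxy certificate is not checked), or TLS verified against a `ca-file`. The sample configuration, its 192.0.2.x addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how HAProxy connects to each back-end server.
# Limitation (assumption of this sketch): only "server" lines and the global
# "ssl-server-verify" default are inspected; "default-server" is not.

# Constructed sample; 192.0.2.x are documentation-range placeholder addresses.
SAMPLE_CFG='
backend http_back
   balance roundrobin
   server proxy1-nosql 192.0.2.11:8443 check maxconn 20 ssl verify none
   server proxy2-nosql 192.0.2.12:8443 check maxconn 20 ssl ca-file /root/proxy2-nosql.pem
   server proxy3-nosql 192.0.2.13:8080 check
'

# Reads an haproxy.cfg on stdin and prints "<server-name> <status>" per server:
#   PLAINTEXT  - no "ssl" keyword, traffic to the proxy is unencrypted
#   UNVERIFIED - TLS, but the proxy certificate is not checked (verify none)
#   NO-CA      - verification requested but no ca-file on the server line
#   VERIFIED   - TLS with the certificate checked against a ca-file
audit_backends() {
  awk '
    BEGIN { dflt = "required" }                  # HAProxy default for servers
    $1 == "ssl-server-verify" { dflt = $2 }      # global override
    $1 == "server" {
      tls = 0; verify = dflt; ca = ""
      for (i = 4; i <= NF; i++) {                # options follow name and address
        if ($i == "ssl") tls = 1
        else if ($i == "verify") verify = $(i + 1)
        else if ($i == "ca-file") ca = $(i + 1)
      }
      if (!tls) status = "PLAINTEXT"
      else if (verify == "none") status = "UNVERIFIED"
      else if (ca == "") status = "NO-CA"
      else status = "VERIFIED"
      print $2, status
    }'
}

# Counts servers that are not VERIFIED; usable as a gate before a restart.
count_unverified() {
  audit_backends | awk '$2 != "VERIFIED" { n++ } END { print n + 0 }'
}

# Run the audit on the constructed sample.
printf '%s\n' "$SAMPLE_CFG" | audit_backends
```

To audit a real file, run `audit_backends < /etc/haproxy/haproxy.cfg`; `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the syntax before the restart.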