The following guide shows an example of a configuration used to balance load from MFDs between multiple Dispatcher Paragon servers that form a Spooler Controller Group.
Disclaimer
The steps and configuration used in this guide are intended as a proof of concept. The actual configuration for specific environment has to be designed with respect to the specific needs and available options of the customer.
Prerequisites
- HAproxy is installed and generally configured (this guide only shows steps specific to Dispatcher Paragon settings)
- Dispatcher Paragon servers are configured and have successfully formed a Spooler Controller Group. See Near Roaming in chapter Configuring Print Roaming.
- Dispatcher Paragon servers are configured and ready to be used with a 3rd party load balancer. See chapter Configuring a Third-party Load Balancer for Terminal Failover.
- For load balancing on OSI layer 7, a certificate and private key are needed. This certificate is issued for the IP address or hostname of the HAproxy frontends and is presented by the load balancer to the MFDs.
- Save the file so that both the private key (without a passphrase) and the public certificate are in one file. In the example below, it is /etc/haproxy/haproxy.pem.
- The structure of the file looks like the following (the order of key and certificate does not matter):
-----BEGIN CERTIFICATE-----
MIIF4z...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIF4z...
-----END PRIVATE KEY-----
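The bundle above is the only form HAproxy's crt option loads unattended: one certificate block plus one private key that is not passphrase-protected. The following check is an added example, not part of this guide; it takes the file text (the /etc/haproxy/haproxy.pem path from the guide is only assumed in the comment) and reports anything that would make the bundle unusable, including an encrypted key, which shows up as a PKCS#8 "ENCRYPTED PRIVATE KEY" label or a legacy "Proc-Type: 4,ENCRYPTED" header.

```python
import base64
import re

# Matches one PEM block; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def check_haproxy_bundle(text):
    """Return a list of problems in a HAproxy crt bundle (empty list = usable).

    Expected content (as in this guide): one CERTIFICATE block (optionally
    followed by chain certificates) and exactly one unencrypted private key,
    e.g. the text of /etc/haproxy/haproxy.pem. Order of blocks does not matter.
    """
    problems = []
    labels = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        labels.append(label)
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label} block is passphrase-protected")
            continue
        try:  # the body must be base64 once line breaks are removed
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    return problems


# Constructed sample bundles: the base64 bodies are placeholders, not real DER.
FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real cert or key").decode()
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + FAKE_BODY + "\n-----END PRIVATE KEY-----\n"
)
ENCRYPTED_BUNDLE = GOOD_BUNDLE.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    print("good bundle:", check_haproxy_bundle(GOOD_BUNDLE) or "OK")
    print("encrypted key:", check_haproxy_bundle(ENCRYPTED_BUNDLE))
```

To check a real file, pass `open("/etc/haproxy/haproxy.pem").read()` to check_haproxy_bundle; the base64 check does not validate the DER inside, so a bundle that passes here can still fail `haproxy -c` if the key does not match the certificate.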
Terminology
- frontend - specification of IP addresses/hostnames, ports and protocols on which HAproxy accepts communication to be balanced.
- backend - specification of servers that are used for balancing purposes.
Configuration
There are two ways HAproxy can be configured:
- TCP mode - balancing on OSI layer 4 (recommended)
  - This mode passes the session from the MFD through to a chosen Dispatcher Paragon server.
- HTTP mode - balancing on OSI layer 7
  - This mode terminates the communication from the MFD at HAproxy and initiates a new connection to the Dispatcher Paragon servers.
It is recommended to use OSI layer 4 balancing (the TCP mode).
Both of the proposed configurations are made for the following example environment:
- Dispatcher Paragon running Konica Minolta embedded terminals
- Three Site Servers in a Spooler Controller Group running on IP addresses 10.0.125.1, 10.0.125.2 and 10.0.125.3.
- The first server also acts as the Management Server.
- Affinity is based on a hash of the source (MFD) IP address over the currently alive backend servers.
  - While a server is active, an MFD keeps being routed to it. When any server goes down or comes up, affinity is reset for all servers and balancing starts again.
  - See the example of round-robin balancing that is included as a comment in the backend section.
- Statistics are available on
http://<HAproxy IP>:1936/stats
When changing the configuration, you can use the following steps to validate it and reload it.
- Validate that the configuration parses with no issues:
  sudo haproxy -f /etc/haproxy/haproxy.cfg -c
- Restart the service to apply the configuration:
  sudo systemctl restart haproxy.service
Note that in the examples below, the sections global, defaults and stats can be configured differently. They are included to show the complete file. The important parts are under the backend and frontend sections.
Example configuration for Layer 4 balancing (pass through) - recommended
The following is the content of /etc/haproxy/haproxy.cfg:
In the setup below, only one backend is used because HAproxy does not perform any decryption/encryption.
As this uses Layer 4 (mode tcp in the setting below), HAproxy does not modify the communication and passes it through to the selected server. There is no need for a certificate on HAproxy, as the device sees and uses the certificate of the Dispatcher Paragon Terminal Server directly.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 15000
    timeout client 150000
    timeout server 150000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    bind :1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /stats

frontend paragon
    mode tcp
    option tcplog
    bind *:80
    bind *:443
    bind *:5011-5025
    use_backend paragon

backend paragon
    mode tcp
    option http-server-close
    option tcp-check
    ## AFFINITY BASED ON SOURCE IP, CONSISTENT ROUTING TO SAME BACKEND SERVER UNTIL AVAILABILITY CHANGES
    hash-type consistent
    balance source
    ## BALANCING WITH ROUND ROBIN AND AFFINITY SET TO 30 MINUTES (replaces affinity above):
    #balance roundrobin
    #stick-table type ip size 5k expire 30m
    #stick on src
    server site-server-2 10.0.125.3 check port 5022
    server site-server-1 10.0.125.2 check port 5022
    server mgmt-server-1 10.0.125.1 check port 5022

Example configuration for Layer 7 balancing
The following is the content of /etc/haproxy/haproxy.cfg:
In the setup below, a separate backend and frontend is used for SSL and for non-SSL communication. This is needed so that non-SSL traffic is not incorrectly handled as SSL.
As this uses Layer 7 (mode http in the setting below), HAproxy terminates the SSL communication and opens a new connection to the Dispatcher Paragon server. So there are two connections: MFD → HAproxy and then HAproxy → Terminal Server.
The backend servers have the parameter "ssl verify none", which means the certificate of the Dispatcher Paragon server is not checked and is implicitly trusted. For a production environment, this should be removed and trusted certificates should be used on the Dispatcher Paragon Terminal Server.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 15000
    timeout client 150000
    timeout server 150000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    bind :1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /stats

frontend paragon_ssl
    mode http
    option httplog
    option forwardfor
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    bind *:5012-5020 ssl crt /etc/haproxy/haproxy.pem
    bind *:5022-5025 ssl crt /etc/haproxy/haproxy.pem
    use_backend paragon_ssl

backend paragon_ssl
    mode http
    option forwardfor
    option http-server-close
    option tcp-check
    ## AFFINITY BASED ON SOURCE IP, CONSISTENT ROUTING TO SAME BACKEND SERVER UNTIL AVAILABILITY CHANGES
    hash-type consistent
    balance source
    ## BALANCING WITH ROUND ROBIN AND AFFINITY SET TO 30 MINUTES (replaces affinity above):
    #balance roundrobin
    #stick-table type ip size 5k expire 30m
    #stick on src
    server site-server-2 10.0.125.3 check port 5022 on-marked-down shutdown-sessions ssl verify none
    server site-server-1 10.0.125.2 check port 5022 on-marked-down shutdown-sessions ssl verify none
    server mgmt-server-1 10.0.125.1 check port 5022 on-marked-down shutdown-sessions ssl verify none

frontend paragon_no_ssl
    mode http
    option httplog
    option forwardfor
    bind *:80
    bind *:5011
    bind *:5021
    use_backend paragon_no_ssl

backend paragon_no_ssl
    mode http
    option forwardfor
    option http-server-close
    option tcp-check
    ## AFFINITY BASED ON SOURCE IP, CONSISTENT ROUTING TO SAME BACKEND SERVER UNTIL AVAILABILITY CHANGES
    hash-type consistent
    balance source
    ## BALANCING WITH ROUND ROBIN AND AFFINITY SET TO 30 MINUTES (replaces affinity above):
    #balance roundrobin
    #stick-table type ip size 5k expire 30m
    #stick on src
    server site-server-2 10.0.125.3 check port 5011 on-marked-down shutdown-sessions verify none
    server site-server-1 10.0.125.2 check port 5011 on-marked-down shutdown-sessions verify none
    server mgmt-server-1 10.0.125.1 check port 5011 on-marked-down shutdown-sessions verify none
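`haproxy -c` only proves the file parses; it does not tell you that a proof-of-concept setting like "verify none" survived into production, that an ssl bind is missing its crt, or that a server line has no health check (which the source-hash affinity reset in both examples relies on). The following linter is an added example, not part of this guide or of HAproxy: it splits a haproxy.cfg into sections and reports those three conditions plus use_backend references to backends that do not exist. The sample config inside it is a constructed, deliberately flawed excerpt modelled on the layer 7 example above.

```python
SECTION_KEYWORDS = {"global", "defaults", "listen", "frontend", "backend"}


def parse_haproxy_cfg(text):
    """Split haproxy.cfg text into (kind, name, [tokenised directives]) tuples."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (incl. ## notes) and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:  # directives before the first section are not valid anyway
            sections[-1][2].append(tokens)
    return sections


def lint_haproxy_cfg(text):
    """Return (severity, section, message) findings for a haproxy.cfg text."""
    sections = parse_haproxy_cfg(text)
    backends = {name for kind, name, _ in sections if kind in ("backend", "listen")}
    findings = []
    for kind, name, directives in sections:
        for tok in directives:
            joined = " ".join(tok)
            if tok[0] in ("use_backend", "default_backend") and tok[1] not in backends:
                findings.append(("error", name, f"{tok[0]} {tok[1]} refers to no backend"))
            elif tok[0] == "bind" and "ssl" in tok and "crt" not in tok:
                findings.append(("error", name, f"bind {tok[1]} enables ssl without crt"))
            elif tok[0] == "server":
                if "check" not in tok:
                    findings.append(("warn", name, f"server {tok[1]} has no health check; failover and affinity reset depend on it"))
                if "verify none" in joined:
                    findings.append(("warn", name, f"server {tok[1]} uses verify none: backend certificate is not validated"))
    return findings


# Constructed excerpt with intentional mistakes (not the guide's working config).
SAMPLE_CFG = """\
frontend paragon_ssl
    mode http
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    bind *:5022-5025 ssl
    use_backend paragon_ssl
backend paragon_ssl
    mode http
    balance source
    ## proof-of-concept setting that must not reach production
    server site-server-1 10.0.125.2 check port 5022 ssl verify none
    server mgmt-server-1 10.0.125.1 ssl verify none
frontend paragon_no_ssl
    mode http
    bind *:80
    use_backend paragon_nossl
"""

if __name__ == "__main__":
    for severity, section, message in lint_haproxy_cfg(SAMPLE_CFG):
        print(f"{severity:5} [{section}] {message}")
```

Run it on the real file with `lint_haproxy_cfg(open("/etc/haproxy/haproxy.cfg").read())`; a clean production file should return no "error" findings and no "verify none" warnings.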