RSS LinkedIn Twitter

Apache mod_proxy_balancer Self Registration : Part 1

Load balancers are great, but they become even more powerful when servers have the ability to self-register when they come online, and deregister when they go offline. This is especially true with services such as EC2, when the size of the server group might grow or shrink in response to need. This is a tutorial describing my particular (partially insecure at the moment) solution for allowing self-registration with Apache’s mod_proxy_balancer. Specifically this covers the load balancer side of the equation. Tomorrow I hope to get a post out describing the server side.

Here is my flowchart for how self registration will work:
1. Server comes online.
2. A startup script will register itself with the MySQL database (including hostname, ip, loadfactor, and a hash that it will generate in some way).
3. The server will then call a PHP script on the load balancer: “register/register.php”.
4. The PHP script will verify that a server sent the request.
5. The PHP script will query the database to get the current list of balancer members, and regenerate the balancer_members.conf file.
6. The PHP script will then issue a command to reload Apache’s configuration files.

Deregistration, which my PHP script as presented doesn’t display, will work as follows:
1. Server sends its hash to the PHP script, and shuts down.
2. The PHP script will check the hash against the database.
3. The PHP script will remove the server from the database.
4. The PHP script will repeat steps 5 and 6 above.

First, set up the database and created a user with sufficient privileges.

CREATE DATABASE lb_register;
GRANT ALL ON lb_register.* TO 'lbuser'@'%' IDENTIFIED BY 'password';
 
 
CREATE TABLE lb2_members(
ip VARCHAR(20) NOT NULL PRIMARY KEY,
hostname VARCHAR(100) NOT NULL,
loadfactor INT NOT NULL DEFAULT 0,
hash VARCHAR(40) );

Second, create the PHP script.

$dbhost = "mysql.host.com";
$dbuser = "lbuser";
$dbpass = "password";
$dbname = "lb_register";
$dbtable = "lb2_members";
 
 
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die (mysql_error());
mysql_select_db($dbname);
 
 
$query = "SELECT count(*) as count FROM " . $dbtable . " WHERE hash='" . $_GET['hash'] . "';";
$result = mysql_query($query);
 
 
$row = mysql_fetch_assoc(mysql_query($query));
if ($row['count'] >= 1) {
 
 
  $file = "" . "\n";
  $member_query = "SELECT hostname, loadfactor FROM " . $dbtable . ";";
  $member_result = mysql_query($member_query);
 
 
  while ($row = mysql_fetch_array($member_result, MYSQL_BOTH)) {
    $file .= "   BalancerMember http://" . $row['hostname'] . " ";
    $file .= ($row['loadfactor'] > 1) ? ("loadfactor=" . $row['loadfactor'] . "\n") : "\n";
  }
  $file .= "";
 
 
  exec('echo "' . $file . '" > /etc/httpd/conf.d/balancer_members.conf');
  exec("sudo /usr/local/bin/reload_httpd");
}
 
 
mysql_close($conn);

You can tell a few things about the server configuration by looking at the script:
1. User apache will need to be able to write to the “/etc/httpd/conf.d/balancer_members.conf” file.
2. User apache will need to be able to execute the script “/usr/local/bin/reload_httpd”.
3. User apache will need sudoer rights.
4. This script was used for debugging, and not by a server that is actually registering… tyou can see that deregistration is not handled yet.

To grant write privileges to apache, I changed the owner of the balancer_members.conf to apache.

chown apache /etc/httpd/conf.d/balancer_members.conf

This is probably the least secure aspect of my solution, as if the apache user were compromised, then any directives could be written to this file. I’m not sure how big a threat this is, but it’s something that concerns me at least enough to think about this some more (and invite suggestions).

Next is to grant apache privileges to execute “/usr/local/bin/reload_httpd”. We could accomplish this the same as we did above, but then it wouldn’t allow apache to execute what’s inside of the script, which is this:

#!/bin/bash
service httpd reload

unless we give execution rights to apache on service, which we don’t want. What we also don’t want is for apache to be able to write to the file reload_httpd. So what I ended up doing was, as you see in the script, to make root the owner of reload_httpd and remove write privileges for all (so apache couldn’t change it) and then add apache to the sudoers file, granting rights to execute this script without a password.

visudo

is the generally accepted way to edit the sudoers file. And I added this line:

apache ALL=(ALL) NOPASSWD: /usr/local/bin/reload_httpd

I’m open to more secure ways of implementing this aspect as well, as I don’t consider myself a sudo configuration expert. I think this gives apache rights to execute everything from anywhere if he knows the password; but he can also execute the /usr/local/bin/reload_httpd script without a password.

I also had to comment out the line:

#Defaults   requiretty

to allow sudo to function properly from a script not executed in a terminal.

Finally I had to disable proxying for the register script in my balancer.conf file:

ProxyPass /register/ !

And then your server is configured to dynamically update its list of balance members, you can check by going to the balancer-manager if you’ve got that enabled. Next I will discuss how to handle the web server side of things.

Tags: , , , , , , ,

One Response to “Apache mod_proxy_balancer Self Registration : Part 1”

  1. Christoph M.
    January 11th, 2013 at 08:55
    1

    Hi there,

    nice work so far, i am working on an equal projekt, but one big problem i got is, that a soft-reload (e.g. service apache2 reload or forece-reload) ist not enough to enalbe the new balancer-member-set, you have to do a real “restart” to get the new balancer-config accepted.

    does your programm work with this dynamic register and soft-reload?

    Bye!

Leave a Comment

*