Install
Embedded
Fortunately, you don't have to install JLupin Edge Balance in embedded mode, because Edge Balancer is already installed, integrated and provided with JLupin Platform package, ready to download, install and use. It operates and is managed as a technical microservice located in $JLUPIN_HOME/platform/technical
.
JLupin CLI Console provides commands that helps manage embedded Edge Balancer. For example:
- Display status:
> microservice tech nginx status
- Stop (graceful):
> microservice tech nginx status
- Terminate:
> microservice tech nginx terminate
- Online reload (Edge Balancer configuration reload):
> microservice tech nginx reload
Enjoy :)
Standalone
If you would like to use Edge Balancer outside JLupin management, we recommend to download the latest version of JLupin Edge Balnacer from download section (Community) and follow the instructions (on the example of Linux OS):
- Prepare a directory for JLupin software (ex.
/opt/jlupin
) - Add a dedicated user (group) for JLupin software (ex.
groupadd jlapp && useradd -g jlapp jlapp
) and login using it and login using it. - Unzip the package into the prepared directory
- if you want to run Edge Balancer, please add the following parameters on the top of
$JLUPIN_HOME/nginx/linux/conf/edge.conf
configuration file (change values accordingly to your environment):
user jlapp;
group jlapp;
-
Start your journey with JLupn Edge Balancer working in standalone by using management scipts located in
$JLUPIN_HOME/nginx/<os_type>/bin/
: -
start.sh
/start.cmd
- start Edge Balancer stop.sh
/stop.cmd
- graceful stop (SIGTERM)terminate.sh
/terminate.cmd
- immediate stop (SIGKILL)reload.sh
/reload.cmd
- online reload of configuration (new workers are created while older are finishing their job)
SSL certificates
SSL certificates are used for securing admin virtual servers (by default) as well data ones (optionally). JLupin Platform package (and JLupin Edge Balancer package as well) includes the default set of certificates that probably you would like to update to yours.
Generate certificates
- Choose FQDN (DNS name + domain) of the virtual server (for example:
admin.node1.ebank.jlupin.corp
) - Register FQDN in your DNS
- Generate CSR and private key
$ openssl req -out edge_admin.csr -new -newkey rsa:2048 -nodes -keyout edge_admin.key
Generating a 2048 bit RSA private key
....................................................+++
....................................+++
writing new private key to 'edge_admin.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PL
State or Province Name (full name) []:MALOPOLSKIE
Locality Name (eg, city) [Default City]:KRAKOW
Organization Name (eg, company) [Default Company Ltd]:JLUPIN
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:admin.node1.ebank.jlupin.corp
Email Address []:admin@jlupin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
If you have internal domains supported by PKI or JLupin Platform works with public IP addresses - give the CSR to be signed. In other case probably you need self-signed certificate, do it like this:
$ openssl req -x509 -sha256 -days 365 -in edge_admin.csr -key edge_admin.key -out edge_admin.crt
Update certificates for default admin
Embedded
- Copy newly generated certificate (
edge_admin.crt
) and private key (edge_admin.key
) into$JLUPIN_HOME/platform/start/configuration/edge_ssl
(or%JLUPIN_HOME%\platform\start\configuration\edge_ssl
) - Reload Edge Balancer:
microservice tech nginx reload
(using JLupin CLI Console)
Standalone
- Copy newly generated certificate (
edge_admin.crt
) and private key (edge_admin.key
) into$JLUPIN_HOME/nginx/linux/conf/edge_ssl
(or%JLUPIN_HOME%\nginx\windows\conf\edge_ssl
) - Reload Edge Balancer:
$JLUPIN_HOME/nginx/linux/bin/reload.sh
(or%JLUPIN_HOME%\nginx\windows\bin\reload.cmd
)
Secure data virtual server
You can also install SSL certificates for data virtual servers (for example to provide frontends) following the below procedure:
- Choose FQDN for your service (for example:
ebank.jlupin.corp
) - Register FQDN in your DNS
- Assume that your service is provided on
edge8000
virtual server - Generate certificate and private key using procedure for admin virtual server, but enter chosen FQDN for the service as 'Common Name', and change name of the certificate and private key file to
edge8000.crt
andedge8000.key
respectively. - Copy newly generated certificate (in this example:
edge8000.crt
) and private key (in this example:edge8000.key
) for data virtual server intoedge_ssl
directory, next to other SSL resources including those for default admin virtual server. - Add the featured lines (
# SSL config
)to data virtual server definition (in this example:edge8000.conf
) located in$JLUPIN_HOME/platform/start/configuration/edge_servers
(or%JLUPIN_HOME%\platform\start\configuration\edge_servers
) in embedded more or$JLUPIN_HOME/nginx/linux/conf/edge_servers
(or%JLUPIN_HOME%\nginx\windows\conf\edge_servers
) in standalone mode:
server {
listen 8000;
server_name edge8000;
set $server_type 'data';
include servers/data.conf;
include services/ssl.conf; # SSL config
ssl_certificate ../../../../start/configuration/edge_ssl/edge8000.crt; # SSL config
ssl_certificate_key ../../../../start/configuration/edge_ssl/edge8000.key; # SSL config
}
- Reload Edge Balancer:
microservice tech nginx reload
(using JLupin CLI Console in embedded mode) or$JLUPIN_HOME/nginx/linux/bin/reload.sh
(or%JLUPIN_HOME%\nginx\windows\bin\reload.cmd
) in standalone mode.
SSL two-way authentication
If you would like additionally protect your services you can configure SSL two-way authentication on selected virtual servers, extending above configuration by:
ssl_client_certificate
directive that points to client's certificate.ssl_verify_client
directive that controls client's certificate verification process.
The example configuration is presented below:
server {
listen 8000;
server_name edge8000;
set $server_type 'data';
include servers/data.conf;
include services/ssl.conf; # SSL config
ssl_certificate ../../../../start/configuration/edge_ssl/edge8000.crt; # SSL config
ssl_certificate_key ../../../../start/configuration/edge_ssl/edge8000.key; # SSL config
ssl_client_certificate ../../../../start/configuration/edge_ssl/edge8000_client.crt; # SSL two-way authentication config
ssl_verify_client on; # SSL two-way authentication config
}