[X2Go-User] x2go loadbalancing with HAProxy

Thierry Kauffmann thierry.kauffmann at univ-montp2.fr
Fri Mar 7 10:00:38 CET 2014


Hi,

As promised, I am telling you about my experience with load balancing x2go.

I had first tried to use the default load balancing setup of the x2go broker. 
It was working fine except that the Windows client was not connecting to 
the https broker (due to a bug in the client). It was fixed quickly 
and I thank the development team for their reactivity.

In the meantime, I had looked up alternative solutions and here is what 
I set up:

The broker is a simple HAProxy <http://haproxy.1wt.eu/> load balancer 
configured to balance ssh connections. For us it listens on port 
10000 and dispatches ssh/tcp connections over 2 x2go servers on port 22 
(the default ssh port!). The balancing algorithm is based upon source 
IP hashing: it gives returning users a chance to be sent to the same 
x2go server next time and have the possibility to resume a suspended 
session (better than round-robin).

Advantages of that solution:
- x2go servers are not exposed to the outside world and there is no need 
to open ports on the firewall for each x2go server: you only need to 
open ports for the load balancer, which you can put in your DMZ.
- HAProxy takes care to dispatch connections only to x2go servers that are up 
(timeout configuration).
- Authentication is only made once on x2go servers (they are configured 
with ldap_pam).
- No need to install a session broker agent on x2go servers.

Drawbacks :
- When a user connects with a different public IP, he probably won't be 
sent to the same x2go server where he could have a suspended session.
- Authentication is not made by the load balancer so there is no ACL 
management as with the regular x2go broker.
- All connections transit through the load balancer so there might be a 
little overhead. HAProxy is pretty optimized though and it is not 
noticeable.

I am attaching the HAProxy configuration file I am using.

It really works fine for us. I hope it will be useful to others.

Best regards,

Thierry

-- 
Thierry KAUFFMANN

Head of IT Services (SIF)

Tel: +33 4 67 14 31 58

Mail: Thierry.Kauffmann at univ-montp2.fr

CC 437 - Place Eugène Bataillon. 34095 Montpellier Cedex 5 - FRANCE.

www.fdsweb.univ-montp2.fr

FACULTÉ DES SCIENCES/ UNIVERSITÉ MONTPELLIER 2

-------------- next part --------------
# this config needs haproxy-1.1.28 or haproxy-1.2.1

global
	log 127.0.0.1	local0
	log 127.0.0.1	local1 notice
	#log loghost	local0 info
	maxconn 4096
	#chroot /usr/share/haproxy
	user haproxy
	group haproxy
	daemon
	#debug
	#quiet

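defaults
	# retry a failed server connection, then allow another server to be tried
	retries	3
	option redispatch
	maxconn	2000
	# timeouts are in milliseconds
	# contimeout: max time to wait for the connection to a server
	contimeout	5000
	# clitimeout / srvtimeout: max inactivity on the client / server side
	clitimeout	50000
	srvtimeout	50000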

frontend x2go-ssh-in
	bind :10000
	mode	tcp
	log global
	option	tcplog
	option logasap
	option	dontlognull
	default_backend x2go-servers

backend x2go-servers
	balance	source
	server	x2go1 10.127.0.1:22
	server	x2go2 10.127.0.2:22
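
The same setup in current HAProxy syntax, as an added example that is not part of the original post or attachment. It assumes HAProxy 1.5 or later, keeps the poster's addresses, port and timeout values, and adds an active SSH banner check plus a per-source connection limit on the balancer; the limit of 20 connections per minute is a constructed value.

```haproxy
# Added example, not the poster's file. Assumes HAProxy 1.5 or later.
global
	log 127.0.0.1 local0
	maxconn 4096
	user haproxy
	group haproxy
	daemon

defaults
	mode tcp
	log global
	option tcplog
	option dontlognull
	retries 3
	option redispatch
	timeout connect 5s     # was: contimeout 5000
	timeout client  50s    # was: clitimeout 50000
	timeout server  50s    # was: srvtimeout 50000

frontend x2go-ssh-in
	bind :10000
	# With plain TCP proxying, sshd on the backends sees the balancer's
	# address as the peer, so per-client limiting has to be done here.
	stick-table type ip size 100k expire 10m store conn_rate(60s)
	tcp-request connection track-sc0 src
	# 20 new connections per minute per source IP (constructed threshold)
	tcp-request connection reject if { sc0_conn_rate gt 20 }
	default_backend x2go-servers

backend x2go-servers
	# Hash of the client source IP, as in the original configuration
	balance source
	# Active health check: connect to port 22 and require the SSH banner
	# before a server is considered up.
	option tcp-check
	tcp-check expect string SSH-2.0
	server x2go1 10.127.0.1:22 check inter 5s fall 3 rise 2
	server x2go2 10.127.0.2:22 check inter 5s fall 3 rise 2
```

The syntax can be validated before a reload with `haproxy -c -f <file>`.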

