VMware Horizon Community
gabeoverse

NGINX Loadbalancer to Horizon Connection Server does not work

Hello Everyone
I am trying to set up a loadbalancer to connect to my connection servers. I followed this guide for it: https://blah.cloud/infrastructure/using-nginx-load-balancer-vmware-horizon-view-security-servers/#ar...
Here are my configurations:
 
 

 

 

Default site file:
# Redirect all plain-HTTP requests to HTTPS.
server {
listen 80 default;
# NOTE(review): the next line ends with ':' instead of ';'. nginx only ends a
# directive at ';', so the rewrite line below is read as further server_name
# arguments and no redirect is actually configured - likely a typo.
server_name view.horz.local:
rewrite ^ https://view.horz.local permanent;
}
 
# TLS front end: terminates HTTPS for view.horz.local and proxies every request
# to the hrz-view-cluster upstream group.
server{
listen 443 ssl;
server_name view.horz.local;
# NOTE(review): "ssl on" is redundant next to "listen 443 ssl"; the directive is
# obsolete and nginx 1.25.1 and later reject it.
ssl on;
# No ssl_protocols / ssl_ciphers are set in this block, so whatever is inherited
# (or nginx's built-in defaults) applies. Keep the private key readable by root only.
ssl_certificate /ssl/view.horz.local.crt;
ssl_certificate_key /ssl/view.horz.local.key;
 
location / {
# "https://" re-encrypts traffic to the backends, but nginx does not verify the
# upstream certificate unless proxy_ssl_verify and proxy_ssl_trusted_certificate
# are configured. The name refers to an upstream{} block, which must be loaded in
# the same http{} context as this server for the configuration to work.
proxy_pass https://hrz-view-cluster;
}

And my conf-file:

# Shared reverse-proxy settings and the backend pool for the Horizon front end.
# enable reverse proxy
proxy_redirect off;
# NOTE(review): $http_host forwards the Host header exactly as the client sent it;
# $host or a fixed name avoids handing an arbitrary client-chosen value to the backend.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# NOTE(review): the header name is misspelled ("X-Forwared-For"). The backend never
# receives nginx's X-Forwarded-For chain, and any X-Forwarded-For the client sent is
# passed through unmodified, so it must not be trusted for logging or access decisions.
proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
# Request size and buffer limits for client requests.
client_max_body_size 10m;
client_body_buffer_size 128k;
client_header_buffer_size 64k;
# Upstream connect/send/read timeouts, in seconds.
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
# Buffers used for responses read from the backends.
proxy_buffer_size 16k;
proxy_buffers 32 16k;
proxy_busy_buffers_size 64k;
 
# Backend pool referenced by proxy_pass. The first server is taken out of rotation
# after a single failed attempt (max_fails=1) for 1 second (fail_timeout=1s); the
# second is marked "backup" and only receives traffic while the first is unavailable.
upstream hrz-view-cluster {
server 192.168.1.21:443 fail_timeout=1s max_fails=1;
server 192.168.1.31:443 backup;
}

 

 

}
The service starts without any issues, but I cannot reach anything via the IP address or "view.horz.local", and not with the Horizon View client either.
All ends can ping each other, and all firewalls are turned off. 
 
Can you see what I'm doing wrong?
 
Thank you for your help.
Cheers,
 
Gabe
 

Accepted Solutions
gabeoverse

Okay, I was able to figure it out: I hadn't included the default-site file in the conf-file.


4 Replies
Mickeybyte

@gabeoverse 

The site you followed refers to load-balancing security servers for external access to Horizon. I don't know what version of Horizon you are running but I do hope you don't have any security servers running anymore because they've been EOL for several years. 

I've made a blog to use HAProxy as Load Balancer in front of Horizon connection servers, you might want to check that out and maybe use it as base for your NGINX config. You can find the blog post here: https://itpro.peene.be/vmware-horizon-appvolumes-lb-with-haproxy-and-keepalived-on-photonos/

 


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
ertgrhyuetd

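# Installs nginx on a Debian/Ubuntu host and configures it as an HTTPS load
# balancer in front of two backends (the "uags" upstream). Run as root.
#
# Prerequisites NOT created here: the certificate, private key, DH parameters
# and OCSP staple file under /etc/nginx/ssl/. nginx will refuse to start until
# they exist; keep the private key readable by root only.
#
# Changes from the originally posted commands:
#   - nginx.conf now includes sites-enabled/*, otherwise the "lb" site is never
#     loaded and nothing listens on 80/443 (clients just time out).
#   - "ssl on;" dropped (obsolete; TLS is enabled by "listen 443 ssl").
#   - two cipher names that OpenSSL does not define were removed.
#   - two headers that had no effect were removed (see notes in place).
#   - config is syntax-checked with "nginx -t" before the restart.

# apt-get rather than apt: apt's command-line interface is not meant for scripts.
apt-get -y install nginx-full

systemctl enable nginx

rm -f /etc/nginx/sites-enabled/default

# Quoted heredoc delimiters keep nginx variables such as $server_name literal.
cat > /etc/nginx/nginx.conf <<'EOF'
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1000;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # NOTE(review): compressing HTTPS responses that mix secrets with
    # attacker-influenced content is the precondition for BREACH-style attacks;
    # confirm compression is wanted for the proxied application.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Load the enabled virtual hosts. Without this line the "lb" site is never
    # read. conf.d/ssl.conf and conf.d/hsts.conf are deliberately not included
    # here: they are per-server fragments that the site includes explicitly.
    include /etc/nginx/sites-enabled/*;
}
EOF

cat > /etc/nginx/conf.d/ssl.conf <<'EOF'
# Per-server TLS settings; included from inside the "listen 443 ssl" server.
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# TLS 1.2 only. Add TLSv1.3 if the installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
# All three suites require an RSA certificate. The last one is a CBC-mode suite.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

# With ssl_stapling_file set, nginx serves this static response instead of
# querying the OCSP responder. The file must be a DER-encoded OCSP response and
# has to be regenerated before it expires, or clients receive a stale staple.
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_file /etc/nginx/ssl/nginx-staple.crt;
# Site-specific DNS resolver; replace with a resolver reachable from this host.
resolver 10.10.10.8 valid=300s;
resolver_timeout 5s;
EOF

cat > /etc/nginx/conf.d/hsts.conf <<'EOF'
# Response headers added to everything this server returns.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# NOTE(review): "*" lets any web origin read non-credentialed responses, and
# Authorization is exposed to cross-origin scripts. Restrict the origin to the
# sites that really need cross-origin access, or drop these three headers.
# (The original also sent 'add_header Accept "*"'; Accept is a request header
# and has no meaning in a response, so it was removed.)
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT" always;
add_header Access-Control-Expose-Headers "Authorization" always;

# "always" so the headers are also present on error responses.
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;
# Legacy header; current browsers ignore it.
add_header X-XSS-Protection "1; mode=block" always;

# Appends HttpOnly and Secure to the path of every upstream cookie.
proxy_cookie_path / "/; HTTPOnly; Secure";
EOF

cat > /etc/nginx/sites-available/lb <<'EOF'
# Backend pool; ip_hash pins each client address to one backend.
upstream uags {
    ip_hash;
    server 10.10.10.101:443;
    server 10.10.10.102:443;
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name horizon.local;
    return 301 https://$server_name$request_uri;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=uag_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
    listen 443 ssl;
    server_name horizon.local;

    access_log /var/log/nginx/cloud-access.log;
    error_log /var/log/nginx/cloud-errors.log;

    location ~ / {
        client_max_body_size 50M;
        # NOTE(review): an empty Connection header also strips "Upgrade"
        # requests; confirm no WebSocket traffic has to pass through here.
        proxy_set_header Connection "";
        # NOTE(review): $http_host is the Host header exactly as the client sent
        # it; $host or a fixed name avoids forwarding an arbitrary value.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # (The original sent X-Frame-Options to the backend as a request header,
        # where it has no effect; the response header is set in hsts.conf.)
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        # NOTE(review): the cache key is not per-user. Whether authenticated
        # responses stay out of the shared cache depends on the Cache-Control /
        # Set-Cookie headers the backend sends - verify this, or disable caching
        # for an authentication gateway.
        proxy_cache uag_cache;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 2;
        proxy_cache_use_stale timeout;
        proxy_cache_lock on;
        proxy_http_version 1.1;

        # nginx does not verify the backend certificate by default. To
        # authenticate the backends, enable for example:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <PATH-TO-BACKEND-CA-BUNDLE>;
        proxy_pass https://uags;
    }

    include /etc/nginx/conf.d/ssl.conf;
    include /etc/nginx/conf.d/hsts.conf;
}
EOF

# -f/-n make the link creation repeatable if the script is run a second time.
ln -sfn /etc/nginx/sites-available/lb /etc/nginx/sites-enabled/lb

# Report missing TLS prerequisites up front; nginx -t below fails without them.
for f in nginx.crt nginx.key dhparams.pem nginx-staple.crt; do
  [ -r "/etc/nginx/ssl/$f" ] || printf 'missing: /etc/nginx/ssl/%s\n' "$f" >&2
done

# Only restart when the configuration parses; a failed restart would take the
# load balancer down.
nginx -t && systemctl restart nginx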

 

gabeoverse

Hi


Thank you for your help. I am trying to access the address, but I get a timeout. Do you have an idea what the issue could be?

 

Kind regards,


Gabe

gabeoverse

Okay, I was able to figure it out: I hadn't included the default-site file in the conf-file.