(r1) ELMRateLimiting < Deployment

Engineering Lifecycle Management Wiki - Deployment
Community information and contribution guidelines
~~EditAttach~~Printable
TWiki > Deployment Web > DeploymentMigratingAndEvolving > ELMRateLimiting
Revision 1 - 2024-04-18 - 11:26:54 - ShubjitNaik
<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configuring Rate Limiting for ELM Applications <img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/uc.png" alt="uc.png" width="50" height="50" align="right"> 
%DKGRAY% Authors: Main.ArtaChaudhury, Main.BharathRao , Main.RalphSchoon <br>
Build basis: Engineering Lifecycle Management 7.0.3 and higher
%ENDCOLOR%</div></sticky>

<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>

<sticky><div style="margin:15px;"></sticky>

Rate limiting is a technique used to control the rate of incoming or outgoing traffic to or from a system by imposing restrictions on the number of requests within a specified time frame. Its primary purpose is to prevent resource exhaustion, protect against abuse, and ensure fair usage among users or clients. 

ELM Applications, underlying Liberty Application Server and the supported Reverse Proxy (IBM HTTP Server) does not include / support Rate limiting. There are third party and open-source software like HAProxy 

We have performed a simple configuration of HAProxy with ELM applications and documented instructions of the setup in this article


---++ Introduction and Scope of Support

For open-source software, including HAProxy, the following IBM Policy applies:  
[[https://www.ibm.com/support/pages/node/737271][IBM Open Source and Third-party software policy]]

We have performed a simple rate limiting configuration using HAProxy with ELM applications and documented the instructions of the setup and use cases in this article. For detailed instructions please visit http://www.haproxy.org/ 

[[http://www.haproxy.org/][HAProxy]] is a free and open source software that provides a high availability load balancer and reverse proxy. It supports a rich set of [[http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4.2-balance][Load Balancing algorithms]] and the default is Leastconn. We have tested the use of HAProxy with EWM/ETM Clustering and hence are documenting the setup of HAProxy for LQE load balancing. 
HAProxy is not supported on Microsoft Windows Operating System. You can continue to the next step if your environment is Linux based.

---++ Install and Setup HAProxy

The steps provided this section is a simple setup of HAProxy. For detailed instructions please visit http://www.haproxy.org/.
The Idea if this setup is to introduce a HAProxy later inbetween IBM HTTP Server and the IBM Liberty Server hosting ELM Application.

---+++ Install HAProxy

You need a Linux based server in your environment to install and configure HAProxy. Run the following commands
   <verbatim>
   # yum update
   # yum install haproxy    </verbatim>

---+++ Create Open SSL Certificates for HAProxy

Generate SSL Certificates to be used with HAProxy via !OpenSSL
   <verbatim>
   # mkdir /etc/haproxy/ssl
   # cd /etc/haproxy/ssl
   # openssl req -newkey rsa:3072 -sha256 -new -x509 -days 3652 -nodes -out haproxy.crt -keyout haproxy.key
   # cat haproxy.crt haproxy.key > haproxy.pem
   # chmod +rx haproxy.*   </verbatim>

Import this certificate and key file into IBM HTTP Server certificate kdb file and the Plugin kdb file.

---+++ Edit/Create HAProxy config file

Here is a sample =haproxy.cfg= file for load balancing 2 LQE nodes. You could change the ports (8080, 8443, 1936) to the ports of your choice and the user/group as well.
In addition, change the path to the SSL certificate to the one created in the previous step.

   * # vi /etc/haproxy/haproxy.cfg

   <verbatim>global
    log 127.0.0.1:514 local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  http-keep-alive
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          2h
    timeout server          2h
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 4000

# Connect to LQE cluster
  frontend lqe-proxy
    bind  *:8080
    bind  *:8443 ssl crt /etc/haproxy/ssl/haproxy.pem no-sslv3
    log   global
    option httplog
    mode  http
    capture  cookie SERVERID len 32
    redirect scheme https if !{ ssl_fc }
    maxconn 1000 # The expected number of the users of the system.

    default_backend elm

  backend lqe
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    fullconn 1000         # if not specified, HAProxy will set this to 10% of 'maxconn' specified on the frontend
    balance leastconn
    cookie SERVERID insert indirect nocache

# Edit the following to include the Liberty server hosting the ELM Application. Here is an example for EWM.  Change the Hostname, Port and Minimum and Maximum connections as per you need. For another node, add 
    server ccm <EWM_Hostname>:<PORT> minconn 100 maxconn 500 ssl check cookie ewmnode verify none


# The following configuration opens the Load Balancing Statistics Page,, change user password per your requirement
        listen statistics
        bind *:1936
        stats uri /
        stats admin if TRUE
        stats enable
        stats hide-version
        stats auth admin:password
        stats refresh 5s </verbatim>

---+++ Enable and start HAProxy server

Run the following commands to start the HAProxy Server, enable it to auto start during machine startup and to check status of the HAProxy server
   <verbatim>
   # systemctl start haproxy
   # systemctl enable haproxy
   # systemctl status haproxy </verbatim>

---+++ Update IBM HTTP Server

Edit the merged plugin file for IBM HTTP Server and update the host for EWM host to the HAProxy setup.

---++ Enable Rate Limiting for ELM Applications
We have documented several use cases ...

---+++ Use Case 1: 

---++ Heading 1

---+++++!! External links:          

   * [[https://www.ibm.com][IBM]]

---+++++!! Additional contributors: Main.TWikiUser, Main.TWikiUser

<sticky></div></sticky>
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.