Written by dennislorist

Making NGINX Reverse Proxy and TURN Highly Available

Here we advertise a virtual IP to web users (more likely a DNS record resolving to it). Installing keepalived on the RPs allows for one RP to be configured as a master while a second RP is waiting to step up in the event that the master fails. When the master comes back to life again, it will resume it’s role as the master.

Start by installing our Pexip RP OVA. In this example I have installed it twice, once as the master and then as the backup. Topology above.
Install the RPs as you normally would. Configure them identically ( accept for the IP address obviously). The following steps must be carried out on both RPs.
 rp_ha
Update the package versions:
sudo apt-get update

 

Add rules in iptables to allow the virtual router redundancy protocol (https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol)

 

sudo iptables -I INPUT -d 224.0.0.0/8 -j ACCEPT
sudo iptables -I INPUT -p vrrp -j ACCEPT

 

Now save and activate the new rules:
sudo service iptables-persistent save

 

Tell the OS that it can bind the virtual IP:
sudo nano /etc/sysctl.conf

 

Add the following line to the bottom of the file then save:
net.ipv4.ip_nonlocal_bind = 1

 

Activate the change:
sudo sysctl -p

 

Install the keepalived daemon:
sudo apt-get install keepalived

 

Create a new file called /etc/keepalived/keepalived.conf:
sudo nano /etc/keepalived/keepalived.conf
Add the following and save the file:
vrrp_script chk_nginx {
        script "killall -0 nginx"
        interval 2
        weight 2
}

vrrp_instance VI_1 {
        interface eth0
        state MASTER
        virtual_router_id 1
        priority 100                    # 101 on master, 100 on backup
        virtual_ipaddress {
            192.168.10.22           # this is the shared virtual IP address
        }
        track_script 
            chk_nginx
        }
}

 

Start keepalived:
sudo service keepalived start

 

For TURN, configure the /etc/turnserver.conf file the same way for both the master and the slave. Example for a TURN server has an internal ip and a NATed public IP:

NAT IP: 203.10.10.10

Internal IP: 192.168.10.22

# Config generated by Pexip RP
listening-ip=192.168.10.22
external-ip=203.10.10.10
realm=pexip.com.au
lt-cred-mech
no-tls
no-dtls
no-loopback-peers
no-multicast-peers
stale-nonce
#proc-user=turnserver
#proc-group=turnserver
#no-cli
no-stdout-log
syslog
userdb=/etc/turnuserdb.conf
You’re done. Note that is the active TURN server goes down while it is relaying media, the users will get a frozen image and audio will stop. When they dial back in, their media will be handled by the active TURN server.
Testing:

 

Check to see that on the master RP you have the virtual IP hosted. Type: ip addr sh eth0 | grep ‘inet ‘
The output should show the local IP and the virtual one.

 

inet 192.168.10.21/24 brd 192.168.10.255 scope global eth0
inet 192.168.10.22/32 scope global eth0

 

Do the same on the backup:

ip addr sh eth0 | grep 'inet'

The output should only show the local IP.
inet 192.168.10.20/24 brd 192.168.10.255 scope global eth0

 

Manual failover:
Stop nginx on the master. Type:

sudo service nginx stop

Now verify that the virtual IP is active on the backup. Type:

ip addr sh eth0 | grep 'inet'

Now you should see that the virtual IP has moved from the master RP to the backup:

inet 192.168.10.20/24 brd 192.168.10.255 scope global eth0
inet 192.168.10.22/32 scope global eth0

If you start the nginx service back up on the master, then virtual IP will be moved back to the master. Type:

sudo service nginx start

One thought on “Making NGINX Reverse Proxy and TURN Highly Available

  1. Pingback: Pexip Geo Policy Server – Dennis Lorist

Leave a comment