Web interface and Load Balancer

Hello,

I have an HA (2 master) node icinga2 setup with icingaweb2 installed on both masters.
I have put the web interface behind a load balancer (haproxy), but when logging in, it causes a redirect loop and errors out with “too many redirects”.

Is the web interface incompatible with load balancing? Is there a configuration needed in the load balancer (some HTTP header?)

Icingaweb2 is running in Apache on each of the hosts

Haproxy

backend nms_web_back
    description nms/icinga2 web interface
    mode http

    option httpchk OPTIONS * HTTP/1.1
    http-check send hdr Host nms.internal
    http-check expect ! rstatus ^5 # only 5xx is bad
    balance roundrobin
    server nms01 host1.internal:443 check ssl verify required ca-file ca-certificates.crt fall 2 rise 2 inter 2000
    server nms02 host2.internal:443 check ssl verify required ca-file ca-certificates.crt fall 2 rise 2 inter 2000

Give as much information as you can, e.g.

  • Icinga Web 2 version
    2.8.2
  • Used modules and their versions (System - About)
    setup       2.8.2
    grafana     1.4.2
    monitoring  2.8.2
  • Web browser used
    Chrome 91
  • Icinga 2 version used (icinga2 --version)
    r2.12.4-1
  • PHP version used (php --version)
    php 7.4
  • Server operating system and version
    Platform: Ubuntu
    Platform version: 20.04.2 LTS (Focal Fossa)

Still trying to debug this.

Adding an image of the browser network tab, which shows the repeated redirect between the dashboard and login.

Also, I looked through the Apache access logs on the 2 hosts themselves.

host1

nms.internal:443 xx.xx.xx.xx - - [09/Jul/2021:10:11:41 -0400] "GET /authentication/login?redirect=/dashboard?renderLayout&renderLayout HTTP/1.1" 200 448 "https://nms.internal/dashboard" "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

host2

nms.internal:443 xx.xx.xx.xx - - [09/Jul/2021:10:11:41 -0400] "GET /dashboard?renderLayout HTTP/1.1" 403 413 "https://nms.internal/authentication/login?redirect=/dashboard?renderLayout" "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

So the first request to login goes to host1, and then the subsequent request to load the dashboard goes to host2, which I guess fails the authentication and redirects to login again (back on host1), repeat ad infinitum.

It appears, based on all my debugging and googling, that icingaweb2 uses cookie-based session storage to maintain authentication state (logged in). Based on that, it seems that it is incompatible with load balancing without having some kind of LB persistence enabled.

Can someone confirm that this is the case? That you need to enable load balancer stickiness/persistence so that icingaweb2 can be load balanced?

Implemented cookie stickiness in Haproxy and it worked.

backend somename
    mode http
    cookie Icingaweb2 prefix nocache
    balance roundrobin
    server name1 hostname check cookie name1 fall 2 rise 2 inter 2000
    server name2 hostname check cookie name2 fall 2 rise 2 inter 2000
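
Added example, not part of the original posts and not Icinga Web 2 or HAProxy code: a toy Python model of the loop in the access logs above and of why the `cookie ... prefix` line stops it. It assumes each web node keeps login sessions in its own local store; the `Backend`, `browse` and `demo` names, the paths' handling and the session IDs are constructed for illustration.

```python
# Added illustration: toy model, not Icinga Web 2 or HAProxy code.
import itertools

class Backend:
    """Web node that keeps login sessions in its own local store (assumption)."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()
        self._ids = itertools.count(1)

    def handle(self, path, sid):
        """Return (status, location, set_cookie) for one request."""
        if path == "/authentication/login":
            new_sid = f"{self.name}-sess{next(self._ids)}"  # constructed ID
            self.sessions.add(new_sid)
            return 302, "/dashboard", new_sid
        if sid in self.sessions:
            return 200, None, None
        return 302, "/authentication/login", None  # unknown session: log in again

def browse(backends, sticky, max_redirects=10):
    """Follow redirects from login through a round-robin balancer.
    sticky=True mimics 'cookie ... prefix': prepend 'server~' to the session
    cookie on responses; route by it and strip it on requests."""
    by_name = {b.name: b for b in backends}
    rr = itertools.cycle(backends)
    cookie, path, hit = None, "/authentication/login", []
    for hops in range(max_redirects + 1):
        server, sid = next(rr), cookie
        if sticky and cookie and "~" in cookie:
            prefix, sid = cookie.split("~", 1)   # backend sees its own value
            server = by_name.get(prefix, server)  # pin to the issuing node
        status, location, set_cookie = server.handle(path, sid)
        hit.append(server.name)
        if set_cookie:
            cookie = f"{server.name}~{set_cookie}" if sticky else set_cookie
        if status != 302:
            return status, hops, hit
        path = location
    return "too many redirects", max_redirects, hit

def demo():
    plain = browse([Backend("name1"), Backend("name2")], sticky=False)
    pinned = browse([Backend("name1"), Backend("name2")], sticky=True)
    return plain, pinned

if __name__ == "__main__":
    for label, result in zip(("round robin only", "cookie prefix"), demo()):
        print(label, result)
```

Without stickiness the login always lands on one node and the dashboard request on the other, which is the pattern in the two access logs; with the prefix, every request carrying the session cookie returns to the node that issued it.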