27 Apr 2024 06:23 AM - last edited on 06 May 2024 02:07 PM by MaciejNeumann
Hi All
We have a 3-node managed cluster, and recently we configured Dynatrace Managed cluster nodes behind our F5 Load Balancer (LB). However, when attempting to access it using the hostname (DNS), we encounter an HTTP 403 Page error with the message “SSI: not_set” and the host as dyna.customer.com.
Interestingly, accessing the same resources using the LB VIP IP address works perfectly fine.
Could you please suggest any additional configurations that might be required to resolve the “SSI: not_set” issue?
PS: I am aware of internal load balancing using the Nginx webserver (DNS Round Robin), but the customer still wants to use an LB for various org reasons.
Regards,
Mohit
27 Apr 2024 09:47 AM
Hi Team,
By adding the following IF statement to the nginx.conf file on each cluster node for below locations, I was able to address the problem.
I added the below IF statement just before the last IF statement, where it evaluates the $is_host_ok validity:
if ( $host ~* \.customer\.com$ ) {
    set $is_host_ok "$1:1";
}
This adjustment allowed me to seamlessly access the Dynatrace Web UI using the FQDN of the load balancer. However, I’d appreciate your insights on whether this approach aligns with best practices or if there’s a more optimal solution.
Additionally, I have a question about configuration retention during upgrades. Will this additional configuration persist after an upgrade, or do we need to take any specific steps to ensure its continuity?
Regards,
Mohit
29 Apr 2024 07:47 AM - edited 29 Apr 2024 07:50 AM
Hi @mohit_gupta
Did you follow these recommendations?
https://docs.dynatrace.com/managed/shortlink/managed-load-balancer#general-guidelines
29 Apr 2024 07:50 AM
Yes @PacoPorro
They are very well aware. However, due to some org level standards and compliance points they have to use LB now.
Regards,
Mohit
29 Apr 2024 07:51 AM
Sorry, I mixed answers.
27 Apr 2024 11:14 AM
Hi @mohit_gupta
AFAIK:
Can you please elaborate on your setting? What is shown in each one of the above sections in your customer site? And what is your goal exactly?
Setting the nginx.conf is not recommended, as it will probably be erased upon cluster upgrade.
Yos
27 Apr 2024 12:26 PM - edited 27 Apr 2024 12:29 PM
Hi @Yosi_Neuman,
Yes, we have the same setup as you mentioned: each cluster node's own IP address is configured in that node's Web UI IP section, and a custom SSL certificate is installed on each node.
Currently, we are using DNS-based load balancing, where my existing FQDN (configured in the Public endpoint section) resolves to all 3 cluster node IP addresses. However, the customer is now asking to have an F5 load balancer instead of DNS load balancing. We have configured the F5 LB with the cluster nodes as backends on port 443, but when we access Dynatrace using the LB FQDN it redirects to the Dynatrace error page SSI: not_set (refer to the attached image in the main post), while the same works fine when accessed with the LB VIP IP.
When I checked the Nginx configuration file of the cluster node, I found that there is a condition where it checks if the SSL_Server_Name is equal to the Hostname (if not, it redirects to the HTTP 403 page).
(Condition highlighted in below snapshot)
Hence I made the mentioned changes (3rd IF statement in above snapshot) in the config file to bypass this condition, since "ssl_server_name" is coming null from F5 in my case. I have also raised this with the F5 team to check on SNI settings at their end.
After adding the mentioned IF statement I am now able to access Dynatrace using the LB FQDN, but I agree that making changes in the config file is not correct, hence I am waiting for the F5 team to check at their end and update.
Regards,
Mohit
27 Apr 2024 01:58 PM - edited 27 Apr 2024 02:12 PM
Hi @mohit_gupta
Let's assume the following:
AFAIK, once you set the F5 VIP FQDN as cluster endpoint, Cluster VIP FQDN will not work.
However, if you set the Web UI IP for each node to the Cluster VIP, and you have DNS resolving for the Cluster VIP FQDN pointing to this IP, this should work.
HTH
Yos
29 Apr 2024 04:47 AM - edited 29 Apr 2024 07:53 AM
Hi @Yosi_Neuman
As I suspected and mentioned earlier, Dynatrace support has confirmed that the functionality/conditions written in the Nginx configuration to check the host name are causing this issue.
Resolution
1) Work with the LB team and check why the FQDN and Host HTTP header value are not the same when the requests are coming from the F5 load balancer to the cluster node (SNI needs to be enabled at the LB end)
2) Disable the Host header check (below is the support response)
We have disabled the Host header check and the issue got resolved.
Regards,
Mohit
29 Apr 2024 09:27 AM
Thanks for the update @mohit_gupta
Learned a bit more about Managed cluster
Yos
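Added example, not part of the thread and not Dynatrace or F5 tooling: a small Python probe for confirming the root cause described above by sending the same Host header to one cluster node twice, once with a matching SNI and once with no SNI. The function names and the command-line arguments (node IP, FQDN) are assumptions; a 403 only in the `no_sni` case would be consistent with the SNI/Host check reported in the thread.

```python
import socket
import ssl
import sys


def build_request(host_header, path="/"):
    """Minimal HTTP/1.1 GET carrying the Host header under test."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_status(raw):
    """Return the status code from a raw HTTP response, or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(node_ip, port, sni, host_header, timeout=5.0):
    """Send one request with the given SNI (None = no SNI sent) and Host header."""
    ctx = ssl.create_default_context()
    # Diagnostic only: we connect by IP and may omit SNI, so the certificate
    # cannot be matched to a name here. Do not reuse this context elsewhere.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((node_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            tls.sendall(build_request(host_header))
            raw = b""
            while b"\r\n" not in raw:  # the status line is all we need
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return parse_status(raw)


def compare(node_ip, fqdn, port=443):
    """Status with SNI == Host (browser-like) vs. no SNI (LB-like, per the thread)."""
    return {
        "sni_matches_host": probe(node_ip, port, fqdn, fqdn),
        "no_sni": probe(node_ip, port, None, fqdn),
    }


if __name__ == "__main__":
    # Usage: python probe_sni.py <node-ip> <fqdn>
    print(compare(sys.argv[1], sys.argv[2]))
```

Run it against a single node's own IP rather than the LB VIP, so the result reflects the node's check and not the load balancer's TLS profile.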