Managed Cluster Nodes with LB (F5)

mohit_gupta
Inactive

 

Hi All

 

We have a 3-node managed cluster, and recently we configured Dynatrace Managed cluster nodes behind our F5 Load Balancer (LB). However, when attempting to access it using the hostname (DNS), we encounter an HTTP 403 Page error with the message “SSI: not_set” and the host as dyna.customer.com.

Interestingly, accessing the same resources using the LB VIP IP address works perfectly fine.

Could you please suggest any additional configurations that might be required to resolve the “SSI: not_set” issue?

 

PS: I am aware of internal load balancing using Nginx webserver (DNS Round Robin) but customer still wants to use LB for various org reasons.

 

Regards,

Mohit 

Dynatrace Certified Professional | Tracing performance hiccups with Dynatrace as my magnifying glass.
9 REPLIES

mohit_gupta
Inactive

Hi Team,

 

By adding the following IF statement to the nginx.conf file on each cluster node for the locations below, I was able to address the problem:

  • location /api/
  • location ~* /e/[^/]+/api/
  • location /

Added the IF statement below just before the last IF statement, where it evaluates the $is_host_ok validity:

 

# Workaround from this post: treat any Host ending in .customer.com as valid
if ( $host ~* \.customer\.com$ ) {
    set $is_host_ok "$1:1";
}

 

 

This adjustment allowed me to seamlessly access the Dynatrace Web UI using the FQDN of the load balancer. However, I’d appreciate your insights on whether this approach aligns with best practices or if there’s a more optimal solution.

 

Additionally, I have a question about configuration retention during upgrades. Will this additional configuration persist after an upgrade, or do we need to take any specific steps to ensure its continuity?

 

Regards,

Mohit

Dynatrace Certified Professional | Tracing performance hiccups with Dynatrace as my magnifying glass.

Yes @PacoPorro 

 

They are very well aware. However, due to some org level standards and compliance points they have to use LB now.

 

Regards,

Mohit

Dynatrace Certified Professional | Tracing performance hiccups with Dynatrace as my magnifying glass.

Sorry, I mixed answers.

Yosi_Neuman
DynaMight Guru

Hi @mohit_gupta 

AFAIK:

  1. Managed can have only one WEB UI URL (set from CMC --> settings --> public endpoints).
  2. For each node you can add the Web UI IP.
  3. Certificate for HTTPS is added to each of the nodes.

Can you please elaborate on your setting? What is shown in each of the above sections at your customer site? And what is your goal exactly?

Setting the nginx.conf is not recommended as probably it will be erased upon cluster upgrade. 

Yos 

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel

Hi @Yosi_Neuman,

 

Yes, we have the same setup as you mentioned: each cluster node's own IP address is configured in that node's Web UI IP section, and a custom SSL certificate is installed on each node.

 

Currently, we are using DNS based load balancing where my existing FQDN (Configured in Public endpoint section) resolves to all 3 cluster node IP address. However, customer is now asking to have a F5 load balancer instead of DNS load balancing. We have configured the F5 LB with cluster nodes as backend on 443 port but when we are accessing the Dynatrace using LB FQDN it is redirecting to Dynatrace Error page SSI: not_set (refer to attached image in main post) but same working fine when accessed with LB VIP IP.

 

While I checked the Nginx configuration file of cluster node I found that there is a condition where it checks if the SSL_Server_Name is equal to the Hostname (if not redirects to HTTP 403 page)

(Condition highlighted in below snapshot)

mohit_gupta_0-1714216733506.png

 

Hence I made the mentioned changes (3rd IF statement in the above snapshot) in the config file to bypass this condition, since "ssl_server_name" is coming null from F5 in my case. I have also raised this with the F5 team to check the SNI settings at their end.

 

After adding the mentioned IF statement I am now able to access Dynatrace using LB FQDN but I agree that making changes in the config file is not correct hence waiting for F5 team to check at their end and update.

 

Regards,

Mohit  

Dynatrace Certified Professional | Tracing performance hiccups with Dynatrace as my magnifying glass.

Hi @mohit_gupta 

Let's assume the following:

  • Cluster node1 ip = 10.10.10.1 
  • Cluster node2 ip = 10.10.10.2
  • Cluster node3 ip = 10.10.10.3
  • Cluster VIP = 10.10.10.10
  • Cluster VIP FQDN = dynacluster.customer.com
  • F5 VIP = 10.10.20.1 (point to Cluster VIP)
  • F5 VIP FQDN = f5dynatracecluster.customer.com

AFAIK, once you set the F5 VIP FQDN as the cluster endpoint, the Cluster VIP FQDN will not work.

However, if you set the Web UI IP for each node to the Cluster VIP, and you have DNS resolving the Cluster VIP FQDN to this IP, this should work.

HTH

Yos 

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel

Hi @Yosi_Neuman 

 

As I suspected and mentioned earlier, Dynatrace support has confirmed that the functionality/conditions written in Nginx configuration to check the host name is causing this issue.

 

Resolution

 

1) Work with the LB team and check why the FQDN and the Host HTTP header value are not the same when requests come from the F5 load balancer to the cluster node (SNI needs to be enabled at the LB end)

2) Disable the Host header check (below is the support response)

mohit_gupta_0-1714362317211.png

 

We have disabled the Host header check and the issue got resolved.

 

Regards,

Mohit

Dynatrace Certified Professional | Tracing performance hiccups with Dynatrace as my magnifying glass.

Thanks for the update @mohit_gupta 

Learned a bit more about Managed cluster 

Yos

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel
