Cluster Configuration Sync

Note

Please note, cluster sync is still considered experimental. If you have any issues or comments regarding this module, please send an e-mail to support@diladele.com.

Web Safety can automatically sync configuration settings between a designated master node and any number of cluster nodes.

To enable configuration sync:

  • Upload the same Root CA certificate to all nodes of the cluster. Slave nodes connect to the master node over HTTPS, and the master and slave nodes authenticate each other using the Root CA’s private key and certificate. The sync therefore succeeds only if the Root CA is the same on all nodes.
  • Choose one node as the master node. From then on, make all changes to the web filter configuration on this node. Slave nodes automatically get their configuration from the master node.
  • Configure the master node's web filtering policies and Squid proxy settings as desired using the Web UI.
  • Configure the master node as the configuration server. This can be done in Web UI / Dashboard / Config Sync as indicated on the following screenshot. Click Save and Restart.
    [Screenshot: sync_server6.png]
  • Configure any number of slave nodes as configuration clients. This can be done in Web UI / Dashboard / Config Sync as indicated on the following screenshot. Click Save and Restart. Do not forget to enter the IP address of the master server.
    [Screenshot: sync_client6.png]

From now on, slave nodes will automatically download the configuration from the master node. The list of connected nodes and the sync log are shown in the Web UI.

Note

Please note, all nodes in the cluster MUST have the same version of Web Safety installed. All nodes in the cluster MUST run on the same operating system.

Note

Cluster sync uses ports 18999 and 18889. If you are using a firewall on the Squid nodes, you may need to add the following iptables rules on all cluster nodes (here, ens160 is the NIC name used in the virtual appliance; yours might be different).

-A INPUT -i ens160 -p tcp --dport 18999 -j ACCEPT
-A INPUT -i ens160 -p tcp --dport 18889 -j ACCEPT
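
The rules above accept the sync ports from any source. The script below is an added example, not part of the Web Safety documentation: it generates the same two rules restricted to the other cluster nodes and drops everything else on those ports. It goes beyond the page in assuming that only cluster nodes need to reach ports 18999 and 18889; the peer addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: emit iptables-save style rules for the cluster sync ports,
# accepting connections only from the listed peer nodes.
# Assumption: peers are IPv4 hosts; NIC name and addresses are sample values.

SYNC_PORTS="18999 18889"   # sync ports named on this page

# is_ipv4 ADDR: succeeds only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1              # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# sync_rules NIC PEER...: prints one ACCEPT rule per peer and port, followed
# by a DROP rule per port. All input is validated before anything is printed,
# so a bad address never yields a partial rule set.
sync_rules() {
    nic=$1
    [ "$#" -ge 2 ] || { echo "usage: sync_rules NIC PEER..." >&2; return 2; }
    shift
    case "$nic" in
        ""|*[!A-Za-z0-9_.:-]*) echo "bad NIC name: $nic" >&2; return 1 ;;
    esac
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    done
    for port in $SYNC_PORTS; do
        for peer in "$@"; do
            printf '%s\n' "-A INPUT -i $nic -s $peer/32 -p tcp --dport $port -j ACCEPT"
        done
        # Anything else reaching a sync port on this NIC is dropped.
        printf '%s\n' "-A INPUT -i $nic -p tcp --dport $port -j DROP"
    done
}

# Constructed sample: rules for a node whose two peers are 192.0.2.10 and .11.
sync_rules ens160 192.0.2.10 192.0.2.11
```

Run it on each node with the addresses of the other cluster nodes and review the output before merging it into the firewall configuration.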