
Configuring Access Control for High Availability Environments

Configuring Access Control for High Availability (HA) in CxSAST v9.0.0 and up ensures optimal operational performance, even at times of high load, and provides failover support in case of CxManager failure to ensure application availability.

This High Availability architecture supports two or more servers (CxManager) installed behind the organization’s external network load balancer, all accessing the same DB, to ensure full system operability in the event of a machine failure.

This instruction defines the procedure for configuring Access Control in High Availability environments for v9.0.0 and up.

Notice

High Availability can be configured on a local server, or via a cloud environment.

Configuring the CxAccessControl Database

Once the CxSAST v9.0.0 (and up) environment is installed and fully configured, do the following:

1. Open MS SQL Server Management Studio.

2. Connect to the SQL server.

3. Go to: Databases > CxAccessControl > Tables.


4. Right-click on the accesscontrol.ConfigurationItems table and open Edit Top 200 Rows.


5. Select the SERVER_PUBLIC_ORIGIN key and enter the load balancer URL in the Value field as follows:

    http://{Access Control URL in Load Balancer: Port}

6. Go to Databases > CxDB > Tables, right-click the dbo.CxComponentConfiguration table and then open Edit Top 200 Rows.

7. Select the IdentityAuthority key and enter the same load balancer URL (the base URL of the identity server) in the Value field as follows:

    http://{Access Control URL in Load Balancer: Port}/cxrestapi/auth

Configuring the Host Header in the Load Balancer / Proxy

When working with a load balancer or proxy, it is important that requests reaching the Access Control service contain the original ‘Host’ header. In certain instances there may be errors, usually because the ‘Host’ header contains the address of the backend server instead of its original value. By default, the ‘Host’ header changes once a new request is created. To fix this, manually configure the ‘Host’ header in the load balancer / proxy configuration. This example uses NGINX as the installed load balancer.

To configure the ‘Host’ header in the load balancer, do the following:

1. Open the NGINX configuration file (<nginx installation path>/conf/nginx.conf) using a text editor.

2. Navigate to the ‘http.server.location’ segment as illustrated in the example below.

3. Set the ‘Host’ header under the ‘http.server.location’ segment as: proxy_set_header Host {load_balancer_address}, where load_balancer_address is the station on which NGINX is installed.

Notice

  • The ‘Upstream’, proxy_pass and proxy_set_header Host definitions must match.

  • When uploading a large source zip archive to the SAST Portal, make sure that the client_max_body_size value is set to at least the size of this zip archive. The example above reflects this value set to 1000 MB.

4. Save the NGINX configuration file and exit the editor.

5. Restart NGINX.
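
A minimal nginx.conf for steps 2 and 3 and the notice above, as an added example that is not part of the original page or the vendor's own configuration. The hostname sast-lb.example.internal, the backend addresses and their port are constructed placeholders, and naming the upstream after the load balancer address is one reading (an assumption) of the requirement that the three definitions match.

```nginx
# Added example. All hostnames, addresses and ports are constructed placeholders.
events {}

http {
    # CxManager servers behind the load balancer (constructed addresses).
    # Assumption: the upstream carries the load balancer's own name so that the
    # upstream, proxy_pass and proxy_set_header Host values are identical.
    upstream sast-lb.example.internal {
        server 10.0.0.11:80;
        server 10.0.0.12:80;
    }

    server {
        listen 80;
        server_name sast-lb.example.internal;

        location / {
            proxy_pass http://sast-lb.example.internal;

            # With no proxy_set_header Host here, NGINX sends $proxy_host (the
            # name used in proxy_pass) to the backend. Setting a fixed value
            # keeps the Host that Access Control sees aligned with the
            # SERVER_PUBLIC_ORIGIN and IdentityAuthority values in the database,
            # and replaces whatever Host value the client supplied.
            proxy_set_header Host sast-lb.example.internal;

            # At least the size of the largest source zip uploaded to the
            # SAST Portal; 1000 MB as stated in the notice.
            client_max_body_size 1000m;
        }
    }
}
```

Running `nginx -t` checks the file for syntax errors before the restart in step 5.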