Cluster Configuration Sync

Web Safety can automatically sync configuration settings between a designated master node and any number of worker nodes.

To enable configuration sync, perform the following steps.

  • Upload the same Decryption Certificate to all nodes of the cluster. Worker nodes connect to the master node over HTTPS with mutual authentication of master and worker nodes, using the Decryption Certificate and its corresponding private key. Sync therefore succeeds only if the Decryption Certificate is the same on all nodes.

  • Deliberately choose one node as the master node. From then on, all changes to the web filter configuration should be made on this node. Worker nodes will automatically get their configuration from the master node.

  • Configure the master node's web filtering policies and Squid proxy settings as desired using the Admin UI.

  • Configure the master node as the configuration server. This can be done in Admin UI / Dashboard / Config Sync as indicated on the following screenshot. Click Save and Restart.

Sync Server

  • Select the type of configuration sync according to the following screenshot. The recommended sync type is HTTPS with mutual authentication of server and client.

Sync Mode

  • Configure any number of worker nodes as configuration clients. This can be done in Admin UI / Dashboard / Config Sync as indicated on the following screenshot. Click Save and Restart. Do not forget to enter the IP address of the master server and select the same sync type as on the server.

Sync Client

From now on, worker nodes will automatically download their configuration from the master node. All services on the client will be automatically restarted by running the /opt/websafety/bin/cluster.sh script. The restart log is stored in /opt/websafety/var/log/cluster_sh.log and the sync log is shown in the Admin UI.
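The first step requires the Decryption Certificate to be identical on every node, and a mismatch makes the mutually authenticated sync fail. The following Python is an added example, not part of Web Safety or its documentation: it compares SHA-256 fingerprints of certificates exported from each node. The node names and PEM data are constructed, and how the certificate is exported from each node is left to the administrator.

```python
import base64
import hashlib
import re
import textwrap

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text):
    """SHA-256 hex digest of the first certificate's DER bytes. Hashing the
    decoded DER (not the file) ignores CRLF and line-wrapping differences."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def mismatched_nodes(master_pem, worker_pems):
    """Map each worker whose certificate differs from the master's to a reason."""
    expected = cert_fingerprint(master_pem)
    problems = {}
    for node, pem in worker_pems.items():
        try:
            actual = cert_fingerprint(pem)
        except ValueError as exc:  # missing block or invalid base64
            problems[node] = f"unreadable: {exc}"
            continue
        if actual != expected:
            problems[node] = f"fingerprint {actual[:16]}... differs from master"
    return problems

def _pem(der, newline="\n"):
    """Wrap constructed bytes in a PEM envelope (sample data only)."""
    body = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return newline.join(["-----BEGIN CERTIFICATE-----", *body,
                         "-----END CERTIFICATE-----", ""])

# Constructed sample input: placeholder bytes and node names, not real certificates.
MASTER = _pem(b"constructed-decryption-cert-A" * 8)
WORKERS = {
    "worker-1": _pem(b"constructed-decryption-cert-A" * 8, newline="\r\n"),
    "worker-2": _pem(b"constructed-decryption-cert-B" * 8),
    "worker-3": "-----BEGIN CERTIFICATE-----\nnot base64!\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for node, reason in mismatched_nodes(MASTER, WORKERS).items():
        print(f"{node}: {reason}")
```

Only the exported certificate is needed for this comparison; the private key does not have to leave a node.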

Note

Please note, all nodes in the cluster MUST have the same version of Web Safety installed. All nodes in the cluster MUST run on the same operating system.

By default, cluster sync uses port 18999. If you are using a firewall on the Squid nodes, you may need to add the following iptables rule on all cluster nodes (here, ens160 is the NIC name used in the virtual appliance; yours might be different).

-A INPUT -i ens160 -p tcp --dport 18999 -j ACCEPT