Sunday, November 05, 2017

Rocket.Chat - HA Cluster

This guide shows how to install Rocket.Chat in a high-availability (HA) setup with a MongoDB replica set as the backend.

You will need at least three things:

  • A reverse proxy that can proxy requests to both instances.
  • A MongoDB replica set, because multiple instances need oplog tailing.
  • Network access between the instances. You can set an env var called INSTANCE_IP to a private IP that the instances use to talk to each other.

Install MongoDB replicaset:
Create docker container:
  • Use the example docker-compose.yaml in the repo
  • Set the INSTANCE_IP env to the local IP of the docker host (in a 3-node setup this is unique on every host)
  • Fill in the passwords for rocket and oplogger
  • Change the IP of every host under extra_hosts in the example docker-compose.yaml; extra_hosts inserts host entries so that each rocketchat container can resolve the others by name
  • Make sure the instances can communicate with each other on port 3000; this is important for messages to show up on the other hosts directly

Example docker-compose.yml file:
  image: rocketchat/
  environment:
    - PORT=3000
    - ROOT_URL=
    - MONGO_URL=mongodb://rocket:password@rocket-1:27017,rocket-2:27017,rocket-3:27017/rocketchat?replicaSet=rs0&readPreference=nearest&w=majority
    - MONGO_OPLOG_URL=mongodb://username:password@rocket-1:27017,rocket-2:27017,rocket-3:27017/local?authSource=admin&replicaSet=rs0
    - INSTANCE_IP=<ip of the local instance>
  ports:
    - 3000:3000
  extra_hosts:
    # add each host's IP after the colon
    - "rocket-1:"
    - "rocket-2:"
    - "rocket-3:"
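
A pre-flight check for the environment values above, as an added example that is not from the original post or the Rocket.Chat project: it parses the two MongoDB URLs and INSTANCE_IP and reports settings that would break the cluster. The function names, the 10.0.0.11 address and the rule that the oplog reader is a separate account are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

def parse_mongo_url(url):
    """Split a mongodb:// URL into user, host list, database and options."""
    parts = urlsplit(url)
    if parts.scheme != "mongodb":
        raise ValueError("not a mongodb:// URL")
    creds, _, hostlist = parts.netloc.rpartition("@")
    return {"user": creds.partition(":")[0],
            "hosts": [h for h in hostlist.split(",") if h],
            "db": parts.path.lstrip("/"),
            "opts": {k: v[0] for k, v in parse_qs(parts.query).items()}}

def check_env(env):
    """Return a list of problems found in one instance's environment."""
    problems = []
    main = parse_mongo_url(env["MONGO_URL"])
    oplog = parse_mongo_url(env["MONGO_OPLOG_URL"])
    rs = main["opts"].get("replicaSet")
    if not rs or len(main["hosts"]) < 2:
        problems.append("MONGO_URL does not describe a multi-host replica set")
    if oplog["opts"].get("replicaSet") != rs:
        problems.append("MONGO_OPLOG_URL names a different replicaSet")
    if oplog["db"] != "local":  # the oplog lives in the 'local' database
        problems.append("MONGO_OPLOG_URL must use the 'local' database")
    if oplog["user"] == main["user"]:  # assumption: separate oplog account
        problems.append("oplog reader shares the application account")
    try:
        ip = ipaddress.ip_address(env.get("INSTANCE_IP", ""))
        if ip.is_loopback or not ip.is_private:
            problems.append("INSTANCE_IP is not a private peer address")
    except ValueError:
        problems.append("INSTANCE_IP is missing or not an IP address")
    return problems

# Constructed sample: the page's two URLs plus a made-up private INSTANCE_IP.
HOSTS = "rocket-1:27017,rocket-2:27017,rocket-3:27017"
SAMPLE_ENV = {
    "MONGO_URL": f"mongodb://rocket:password@{HOSTS}/rocketchat"
                 "?replicaSet=rs0&readPreference=nearest&w=majority",
    "MONGO_OPLOG_URL": f"mongodb://username:password@{HOSTS}/local"
                       "?authSource=admin&replicaSet=rs0",
    "INSTANCE_IP": "10.0.0.11",
}

if __name__ == "__main__":
    for line in check_env(SAMPLE_ENV) or ["environment looks consistent"]:
        print(line)
```

Leaving the `<ip of the local instance>` placeholder in INSTANCE_IP is reported as a problem, which catches a compose file copied to a new host without editing.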

Create Loadbalancer:
  • Now set up a reverse proxy on each host to terminate SSL on each node (use the example apache2 config in the repo), or terminate SSL on the load balancer; this is up to you
  • Set up a load balancer to reach each instance on 443 or 3000 (depending on the choice above)
Apache virtualhost configuration file:
<VirtualHost *:443>

                ErrorLog ${APACHE_LOG_DIR}/error-chat.log
                CustomLog ${APACHE_LOG_DIR}/access-chat.log combined

                SSLEngine on
                SSLCertificateFile      /etc/apache2/ssl/cert.public
                SSLCertificateKeyFile /etc/apache2/ssl/cert.private
                SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

                #SSL Tuning
                SSLCompression off
                # "All -SSLv2 -SSLv3" still permits TLSv1 and TLSv1.1
                SSLProtocol All -SSLv2 -SSLv3
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

                # Header requires mod_headers to be enabled
                Header always set Strict-Transport-Security "max-age=15768000; preload"

                SSLProxyEngine On
                ProxyPreserveHost On
                ProxyPassMatch ^/sockjs/(.*)/websocket ws://$1/websocket
                ProxyPass /
                ProxyPassReverse /
</VirtualHost>
