Sunday, November 05, 2017

Rocket.Chat - HA Cluster

This guide shows how to install Rocket.Chat in a high-availability (HA) setup with a MongoDB replica set as the backend.

You will need at least three things:

  • A reverse proxy that can proxy requests to both instances.
  • A MongoDB replica set, because Rocket.Chat needs oplog tailing when running multiple instances.
  • Both instances need to be able to reach each other. You can set the INSTANCE_IP environment variable to a private IP address on which the instances can talk to each other.

Install MongoDB replica set:
Create the Rocket.Chat Docker container:
  • Use the example docker-compose.yaml in the repo.
  • Set the INSTANCE_IP env variable to the local IP of the Docker host (in a 3-node setup this is unique on every host).
  • Fill in the passwords for rocket and oplogger.
  • Change the IP of every host in the example docker-compose.yaml. extra_hosts inserts host entries so that each rocketchat container can resolve the others by name.
  • Make sure the instances can communicate with each other on port 3000; this is important for messages to show up on the other hosts directly.

Example docker-compose.yml file:
rocketchat:
  image: rocketchat/rocket.chat:latest
  environment:
    - PORT=3000
    - ROOT_URL=https://chat.domain.de
    - MONGO_URL=mongodb://rocket:password@rocket-1:27017,rocket-2:27017,rocket-3:27017/rocketchat?replicaSet=rs0&readPreference=nearest&w=majority
    - MONGO_OPLOG_URL=mongodb://username:password@rocket-1:27017,rocket-2:27017,rocket-3:27017/local?authSource=admin&replicaSet=rs0
    - INSTANCE_IP=<ip of the local instance>

  ports:
    - 3000:3000

  extra_hosts:
    - "rocket-1:10.250.250.13"
    - "rocket-2:10.250.250.14"
    - "rocket-3:10.250.250.17"
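
The values above have to agree with each other on every node, and the template credentials must not survive into a deployment. The following Python script is an added example, not part of the original post or of the Rocket.Chat project: lint_node and duplicate_instance_ips are hypothetical helpers, the sample values are constructed from the compose file above, and it assumes INSTANCE_IP must be one of the addresses listed under extra_hosts.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the page's example values, as they would look if deployed unedited.
EXTRA_HOSTS = ["rocket-1:10.250.250.13", "rocket-2:10.250.250.14", "rocket-3:10.250.250.17"]
HOSTS = "rocket-1:27017,rocket-2:27017,rocket-3:27017"
TEMPLATE_ENV = {
    "MONGO_URL": f"mongodb://rocket:password@{HOSTS}/rocketchat?replicaSet=rs0&readPreference=nearest&w=majority",
    "MONGO_OPLOG_URL": f"mongodb://username:password@{HOSTS}/local?authSource=admin&replicaSet=rs0",
    "INSTANCE_IP": "<ip of the local instance>",
}

def parse_mongo_url(url):
    """Return (password, hosts, database, options) from a mongodb:// URL."""
    parts = urlsplit(url)
    creds, _, hostlist = parts.netloc.rpartition("@")
    hosts = [h.rsplit(":", 1)[0] for h in hostlist.split(",")]
    opts = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return creds.partition(":")[2], hosts, parts.path.lstrip("/"), opts

def lint_node(env, extra_hosts):
    """Findings for one node's settings (hypothetical helper, not a Rocket.Chat tool)."""
    name_to_ip = dict(entry.split(":", 1) for entry in extra_hosts)
    findings, parsed = [], {}
    for key in ("MONGO_URL", "MONGO_OPLOG_URL"):
        password, hosts, db, opts = parsed[key] = parse_mongo_url(env[key])
        if password in ("", "password"):
            findings.append(f"{key}: template or empty password")
        if "replicaSet" not in opts:
            findings.append(f"{key}: replicaSet option missing")
        findings += [f"{key}: {h} has no extra_hosts entry" for h in hosts if h not in name_to_ip]
    # Oplog tailing reads the oplog from the "local" database, as in the page's URL.
    if parsed["MONGO_OPLOG_URL"][2] != "local":
        findings.append("MONGO_OPLOG_URL: database is not 'local'")
    if parsed["MONGO_URL"][3].get("replicaSet") != parsed["MONGO_OPLOG_URL"][3].get("replicaSet"):
        findings.append("replicaSet differs between MONGO_URL and MONGO_OPLOG_URL")
    # Assumption: the host's own address is one of those listed under extra_hosts.
    if env.get("INSTANCE_IP") not in name_to_ip.values():
        findings.append("INSTANCE_IP is not one of the extra_hosts addresses")
    return findings

def duplicate_instance_ips(envs):
    """INSTANCE_IP values used by more than one node; each must be unique per host."""
    ips = [env.get("INSTANCE_IP") for env in envs]
    return sorted({ip for ip in ips if ips.count(ip) > 1})

if __name__ == "__main__":
    for finding in lint_node(TEMPLATE_ENV, EXTRA_HOSTS):
        print(finding)
```

Run it against the environment of each node before starting the containers; an empty result means the two MongoDB URLs, extra_hosts and INSTANCE_IP are consistent for that node.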

Create the load balancer:
  • Now set up a reverse proxy on each host to terminate SSL on each Rocket.Chat node (use the example apache2 config in the repo), or terminate SSL on the load balancer; this is up to you.
  • Set up a load balancer to reach each instance on 443 or 3000 (depending on the choice above).

Apache virtual host configuration file:
<VirtualHost *:443>
    ServerName chat.domain.de
    ServerAdmin webmaster@domain.de

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/error-chat.log
    CustomLog ${APACHE_LOG_DIR}/access-chat.log combined

    # SSL
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/cert.public
    SSLCertificateKeyFile   /etc/apache2/ssl/cert.private
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

    # SSL tuning
    # "All -SSLv2 -SSLv3" still leaves TLSv1 and TLSv1.1 enabled next to newer versions.
    SSLCompression off
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    # HSTS (the Header directive needs mod_headers)
    Header always set Strict-Transport-Security "max-age=15768000; preload"

    # Proxy: WebSocket route first (ws:// needs mod_proxy_wstunnel), then everything else
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPassMatch ^/sockjs/(.*)/websocket ws://127.0.0.1:3000/sockjs/$1/websocket
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
