Knowledge base

Scaling & high availability · updated 17 June 2024 · reviewed 9 July 2026

Using an external load balancer for appliance services

Terminate TLS on an external proxy and balance NtkAS and NtkSSO across multiple appliance nodes, with HAProxy and Nginx examples.

Normally TLS for HTTP requests is terminated on the built-in reverse proxy, but if the application needs to be scaled over multiple hosts, this can be changed.

To use an external proxy and balance requests between nodes, issue the following commands.

For Authentication Server service (NtkAS):

$ ntk cfg setc nas.external_proxy on
$ ntk redis start
$ ntk cfg set :nas.redis_url redis://10.0.1.98:6379/cache
$ ntk as restart

Replace the IP address 10.0.1.98 with your node address that will be running the Redis accelerator. It is recommended to use the VRRP service to configure Redis accelerator service high availability. See Setup REDIS service with VRRP.

For SSO service (NtkSSO):

$ ntk cfg setc sso.external_proxy on
$ ntk sso restart

Commands need to be executed on every node that will take part in the external load balancer backend pool.

Services expect that the real remote IP address will be provided in the X-Real-IP HTTP header. This is relevant if you are using different security policies depending on user location in network.

After reconfiguration the NtkAS service will be exposed on tcp/5000 on the node, service NtkSSO will be on tcp/7000. These endpoints have to be added to the external load balancer pool. Use ntk net eth0 address to discover the internal node IP address.

If the management port setting is non-default and dual instance mode is active (:nas.dual_instance_mode = on), the management interface will also be exposed on tcp/6000, but additional protection should be used to protect this service if exposing the administrative interface publicly. Otherwise you can use the built-in proxy service to access management directly on the internal node IP address. You can configure the VRRP service to use a single internal IP address for all nodes. See the documentation for more details.

See below for configuration examples of common load balancing solutions.

HAProxy configuration for a NtkAS service

backend notakey-backend
        mode http
        balance roundrobin
        option forwardfor
        option httpchk
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Real-IP %[src_addr]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server node01 10.0.1.71:5000 check
        server node02 10.0.1.72:5000 check
        server node03 10.0.1.73:5000 check

Nginx configuration for a NtkAS service

http {
    include    conf/mime.types;
    index    index.html index.htm index.php;
    access_log   logs/access.log  main;
    sendfile     on;
    tcp_nopush   on;
    server_names_hash_bucket_size 128; # this seems to be required for some vhosts


    upstream ntkservers {
        server 10.0.1.71:5000;
        server 10.0.1.72:5000;
        server 10.0.1.73:5000;
        # Nginx open source monitors backends by analyzing requests
        # If request times out, backend is marked as unavailable
        # This may lead to unintended failures during appliance updates
    }

    ; Nginx Plus config
    match server_ok {
        status 200;
    }

    server {
        listen 443 ssl http2;
        root /app/public;

        ssl_certificate /etc/nginx/ssl/ntkchain.pem;
        ssl_certificate_key /etc/nginx/ssl/ntk.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MySSL:10m;
        ssl_session_tickets off;

        ssl_protocols TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port $server_port;

            client_max_body_size    10m;
            client_body_buffer_size 128k;

            proxy_connect_timeout   10;
            proxy_send_timeout      90;
            proxy_read_timeout      90;
            proxy_buffers           32 4k;

            proxy_redirect off;
            proxy_pass http://ntkservers;
            # Nginx Plus config
            health_check interval=10 uri=/api/health match=server_ok;
        }
    }
}

← Back to support

See your first passwordless login this week

A 30-minute call with an engineer, not a sales deck. We’ll map your VPN, SSO or Windows setup to a working pilot.