HA Proxy Configuration for Powerschool

Powerschool is a popular Student Information System in use by many school districts.  If your district is larger than a few thousands students, you will likely need to scale out your installation to include multiple application nodes.  Often it will be recommended that you pay a consultant to perform a high availability setup, but in my opinion this is something that can be done in-house with open-source software.  In this tutorial, we will use HAProxy 1.5 running on Ubuntu 14.04 to balance two applications nodes.  This tutorial assumes that you have SSL setup on both of your application nodes already.

There are many tutorials out there covering how to setup HAProxy, so in this tutorial, we will focus on the setup with Powerschool.

We will do everything over SSL so you will need your PEM file.

Install Ubuntu 14.04 Server

To get started install Ubuntu 14.04 server, you don’t need a ton or memory of CPU power for this box, I would recommend 2GB of memory for most cases.  Make sure during installation that you setup a static IP address on this box.  If you miss the opportunity to configure a static IP address, here is how it can be done after installation is complete.

sudo nano /etc/network/interfaces

In this file you will want to enter something like this:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
 address 192.168.2.77
 netmask 255.255.255.0
 network 192.168.2.0
 broadcast 192.168.2.255
 gateway 192.168.2.1
 dns-nameservers 8.8.8.8
 dns-search cwssoft.com

Make sure you update your server installation by running:

sudo apt-get update
sudo apt-get upgrade

Upload your SSL PEM file

We need to get your SSL file on the server and the easiest way to do this is probably with openssh and a sftp client on your workstation.

Install openssh on the haproxy server with:

sudo apt-get install openssh-server

From your workstation you will need to install a sftp client (like filezilla) and transfer the file to your home directory on the server.

Once the file is on the server, you can transfer the file to its final location with:

sudo cp ~/[yourpemfilename].pem /etc/ssl/private/cert.pem

Install HAProxy

We want to use the latest version of HAProxy, which as of writing is 1.5.  This version isn’t available on Ubuntu 14.04, so we will need to add a repo to install it.

sudo add-apt-repository ppa:vbernat/haproxy-1.5
sudo apt-get update
sudo apt-get install haproxy

Configure HAProxy

Let’s backup our HAProxy configuration file, this can be done with the following command:

sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.orig

Now let’s dig into the configuration file and setup our balancer.

sudo nano /etc/haproxy/haproxy.cfg

Make the following changes to the default file:

Change:

....
daemon

# Default SSL material locations
....

to

....
daemon
maxconn 4096
ssl-server-verify none
tune.ssl.default-dh-param 2048
# Default SSL material locations
....

So what we did is increase the max connections to 4096, and disabled SSL cert verification on HAProxy.

In the defaults section, add the following:

 option forwardfor
 option http-server-close

The forwardfor option allows Powerschool to see the IP address of the true client by adding the X-Forwarded-For header to the request being sent to Powerschool.

Now at the bottom of the file, we need to add our configuration for our application nodes that we would like to balance.

Add the following to the bottom of the config file, adding the correct IP addresses for your Powerschool application nodes.

frontend www-http443
 bind *:443 ssl crt /etc/ssl/private/cert.pem
 reqadd X-Forwarded-Proto:\ https
 default_backend www-backend

frontend www-http80
 bind *:80
 default_backend www-backend

frontend reportworks8443
 bind *:8443 ssl crt /etc/ssl/private/[yoursslpemhere].pem
 reqadd X-Forwarded-Proto:\ https
 default_backend reportworks8443-backend

backend www-backend
 option httpchk GET /admin
 balance roundrobin
 cookie SERVERID insert indirect nocache
 server www-1 x.x.x.x:443 check cookie www1 ssl
 server www-2 x.x.x.x:443 check cookie www2 ssl

backend reportworks8443-backend
 balance source
 server www-1 x.x.x.x:8443 check ssl
 server www-2 x.x.x.x:8443 check ssl

listen stats *:8080
 stats enable
 stats uri /
 stats realm Haproxy\ Statistics
 stats auth admin:supersecretpassword
 stats refresh 10s
 stats admin if TRUE

Powerschool Configuration

Now lets do some basic configuration on Powerschool.  Log into Powerschool admin and navigate to:

System Administrator > System Settings > Edit Global Server Settings

You’ll want to setup your hostnames (ie: ps.yourdomain.com) and ports as follows:

Powerschool Global Settings

Finish Things Up

So, let’s test everything out.  First let’s make sure the HAProxy will restart with our new configuration.

sudo service haproxy restart

If that works, let’s see if we can log into the stats web interface, so open a browser and navigate to http://x.x.x.x:8080

You will be prompted to login, so enter the username and password that are present in your config file.  If you can see the interface and the nodes under www-backend are green, then we should be able to access Powerschool through our haproxy server.

Lastly update your DNS records for Powerschool to now point to your HAProxy server. You should now be able to access Powerschool  by DNS name and you should be load balanced and fault tolerant.  You can now monitor connections through the stats interface running on port 8080 as well.

If you encounter SSL issues with PowerTeacher Gradebook, ensure that your SSL PEM file is complete with the intermediate certificates.  If all else fails, checkout the haproxy log file in /var/log.