Configuration
To use multiple instances of MetaDefender MFT HA Controller™ in your setup, you have to edit the appsettings.json file, focusing on the Kestrel:Endpoints and ClusterSettings sections.
It is recommended that, before using the MetaDefender MFT HA Controller™ in a clustered environment, you try it out with a single-instance configuration. If that works, continue the configuration with the cluster settings.
Configuring the HA cluster consists of the following steps:
- Set up the nodes for the MetaDefender® MFT in appsettings.json. (See Initial Setup section.)
- Test the failover. (See Manually triggered failover section.)
- Setting up the Raft listener endpoint
- Specify Cluster Settings
See the detailed instructions below.
Setting up the Raft listener endpoint
The Raft endpoint is used by the cluster peers to communicate with each other and to elect a leader based on the Raft consensus protocol. This ensures that only a single leader can initiate a failover mechanism, avoiding conflicts. The non-leader peers can still serve requests, without managing the failover of the MetaDefender® MFT nodes.
To add a new Raft endpoint for the cluster communication, edit the appsettings.json file. Under the Kestrel:Endpoints section, a section named Http already exists by default; it is used for proxying traffic to MetaDefender MFT HA Controller™. The new endpoint should listen on a free port that is different from the port defined in the Http section. In this example, port 5000 is defined as the port on which the cluster listener works.
Raft endpoint example
    {
      // ...,
      "Kestrel": {
        "Endpoints": {
          "Http": {
            "Url": "http://0.0.0.0:8100"
          },
          "Raft": {
            "Url": "http://0.0.0.0:5000"
          }
        }
      },
      // ...
    }
Specify Cluster Settings
Cluster Settings can be set up in appsettings.json as well. This section is not present in the file by default; it should be added manually if cluster behavior is needed. The name of the section must be ClusterSettings. This section is used to specify all the peers in the cluster.
ClusterSettings properties:
- IgnoreCertificateErrors is a boolean field. When using HTTPS, it can be set to false. This makes testing easier. The default value is false. In a production environment it is recommended to be false.
- Peers: List of peers, including the current one.
  - Address: The endpoint of the peer on which its Raft URL is configured.
  - ApiKey: The ApiKey used for the peer. It is configured in the localpeer.json file located in the installation directory. This file should be automatically generated by the installer and must exist on all peers where MetaDefender MFT HA Controller™ is installed. If the ApiKey does not match the actual ApiKey of the peer, it will not be able to function within the cluster.
Example configuration
The following example shows what the configuration should look like in a cluster configuration setup:
- ClusterSettings section added. The peers should contain all the peers, including the local peer's endpoint.
- Raft section added to the Kestrel endpoints.

    {
      "HighAvailabilitySettings": {
        "HealthCheckInterval": "00:00:01",
        "NumberOfFailedHealthChecksBeforeFailover": 2,
        "NodeManagerClientTimeout": "00:00:30",
        "ApplicationClientTimeout": "00:02:00",
        "Nodes": [
          {
            "Name": "MFT1",
            "ApplicationAddress": "http://<your.host-1.address.local>:8010",
            "NodeManagerAddress": "http://<your.host-1.address.local>:8010/node_manager/",
            "ApiKey": "<your-api-key-1>"
          },
          {
            "Name": "MFT2",
            "ApplicationAddress": "http://<your.host-2.address.local>:8010",
            "NodeManagerAddress": "http://<your.host-2.address.local>:8010/node_manager/",
            "ApiKey": "<your-api-key-2>"
          }
        ]
      },
      "AllowedHosts": "*",
      "Kestrel": {
        "Endpoints": {
          "Http": {
            "Url": "http://0.0.0.0:8100"
          },
          "Raft": {
            "Url": "http://0.0.0.0:5000"
          }
        }
      },
      "ClusterSettings": {
        "IgnoreCertificateErrors": false,
        "Peers": [
          {
            "Address": "http://<controller-1.address.local>:5000",
            "ApiKey": "peer1-api-key"
          },
          {
            "Address": "http://<controller-2.address.local>:5000",
            "ApiKey": "peer2-api-key"
          },
          {
            "Address": "http://<controller-3.address.local>:5000",
            "ApiKey": "peer3-api-key"
          }
        ]
      },
      "Logs": {
        "MinimumLevel": {
          "Default": "Information",
          "Override": {
            "Microsoft": "Warning",
            "System": "Warning"
          }
        },
        "WriteTo": [
          {
            "Name": "File",
            "Args": {
              "path": "Logs\\ha-controller.log",
              "fileSizeLimitBytes": 104857600,
              "rollOnFileSizeLimit": true,
              "retainedFileCountLimit": 30,
              "outputTemplate": "[{Timestamp:yyyy-MM-dd HH:mm:ss.fff} {Level:u3}] {Message:lj} {Exception:j}{NewLine}"
            }
          }
        ]
      }
    }
HTTPS
Enabling HTTPS on the Raft endpoint is similar to enabling it on the Http endpoint. See the Configuration section.
For further details see Configure endpoints for the ASP.NET Core Kestrel web server | Microsoft Learn
HTTPS example
    {
      ...
      "Kestrel": {
        "Endpoints": {
          "Http": {
            "Url": "https://0.0.0.0:8100",
            "Certificate": {
              "Path": "<path to .pem/.crt file>",
              "KeyPath": "<path to .key file>"
            }
          },
          "Raft": {
            "Url": "https://0.0.0.0:5000",
            "Certificate": {
              "Path": "<path to .pem/.crt file>",
              "KeyPath": "<path to .key file>"
            }
          }
        }
      }
      ...
    }
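The points this page makes about the cluster configuration (a Raft endpoint on its own port, a ClusterSettings section listing every peer with its ApiKey, IgnoreCertificateErrors left at false, HTTPS on the Raft endpoint) can be checked over an appsettings.json before deployment. The following is an added example, not code from the product or its documentation. The function name audit_cluster_config, the sample hosts and the keys are constructed, and it assumes the file contains no // comments.

```python
import json
from urllib.parse import urlsplit

# Constructed sample with deliberate mistakes; hosts and keys are placeholders.
SAMPLE = """
{
  "Kestrel": {"Endpoints": {
    "Http": {"Url": "http://0.0.0.0:8100"},
    "Raft": {"Url": "http://0.0.0.0:8100"}}},
  "ClusterSettings": {
    "IgnoreCertificateErrors": true,
    "Peers": [
      {"Address": "https://controller-1.example.local:5000", "ApiKey": "peer1-api-key"},
      {"Address": "http://controller-2.example.local:5000", "ApiKey": ""}
    ]}
}
"""

def _port(url):
    """Explicit port of a URL, or the scheme default when none is given."""
    parts = urlsplit(url)
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme)

def audit_cluster_config(text):
    """Return findings for the Kestrel:Endpoints and ClusterSettings sections."""
    cfg = json.loads(text)
    findings = []
    endpoints = cfg.get("Kestrel", {}).get("Endpoints", {})
    raft = endpoints.get("Raft", {}).get("Url")
    http = endpoints.get("Http", {}).get("Url")
    if not raft:
        findings.append("Kestrel:Endpoints:Raft is missing")
    elif http and _port(raft) == _port(http):
        findings.append("Raft endpoint must listen on a different port than Http")
    cluster = cfg.get("ClusterSettings")
    if cluster is None:
        return findings + ["ClusterSettings section is missing"]
    if cluster.get("IgnoreCertificateErrors", False):
        findings.append("IgnoreCertificateErrors is true; keep it false in production")
    peers = cluster.get("Peers") or []
    if not peers:
        findings.append("Peers is empty; list every peer, including the local one")
    for i, peer in enumerate(peers):
        if not peer.get("ApiKey"):
            findings.append(f"Peers[{i}] has no ApiKey")
        if urlsplit(peer.get("Address", "")).scheme != "https":
            findings.append(f"Peers[{i}] Address is not https; Raft traffic to it is unencrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_cluster_config(SAMPLE):
        print(finding)
```

The https check is a hardening check added here; the page's own cluster example uses http addresses and would be reported by it.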