As part of High Availability and Disaster Recovery (HA/DR) best practices, we recommend deploying the Hyperscience application on multiple machines and using a load balancer to distribute web requests.
Note that the trainer does not distribute any web requests and should not be included in your load balancer setup.
Supported Configurations
Hyperscience supports the following two configurations:
SSL passthrough
SSL/TLS offloading
SSL/TLS offloading
We strongly recommend SSL/TLS offloading to the load balancer. This configuration relieves the web server of the processing burden of decrypting and/or encrypting SSL/TLS traffic. The load balancer decrypts the data and sends it to the web server. To configure SSL/TLS offloading to the load balancer, you need to open port 80 on all machines where the application server is installed and route HTTP traffic to this port. With this setup, traffic between the load balancer and the application machines is unencrypted HTTP.
SSL/TLS passthrough
If you would like to configure SSL passthrough, you need to:
Open port 443 on all application machines.
Configure the load balancer to route HTTP traffic to port 443 on all application machines.
(Optional but recommended) Configure an HTTP ➜ HTTPS redirection rule. If you do not configure this redirection rule, some web browsers will fail to load the Hyperscience web application if the URL is not specifically prepended with “https://”. You can configure the redirection rule in one of the following ways:
Inside the load balancer
Inside Hyperscience. You need to open port 80 on all application machines. Configure the load balancer to route HTTP traffic to port 80 on all application machines. You can enable the HTTP ➜ HTTPS redirection rule in the “.env” file:
NGINX_ENABLE_SSL_REDIRECT=yes
If you would like to make any SSL/TLS changes, you need to re-configure each machine separately. For example, if you need to change the SSL certificate, you need to update the certificate on each machine.
In v40 and later, you can choose the minimum level of severity that NGINX-related errors need to have in order to be logged by the syslog utility. To learn more, see Security.
HS_CSRF_TRUSTED_ORIGINS
In v38 and later, we validate POST requests' Origin header against a list of trusted domains. If you are using a load balancer, you need to set the environment variable HS_CSRF_TRUSTED_ORIGINS to the load balancer's domain. Otherwise, "authentication required" errors may occur.
The value should be the complete URL of the load balancer, including the protocol (e.g., https://example-domain.com). If you are using a subdomain, a wildcard character must be used (e.g., https://*.example-subdomain.com).
If you want to set multiple trusted domains, the value must be a string that includes all the domains in a comma-separated list:
HS_CSRF_TRUSTED_ORIGINS=https://example-domain.com,https://*.example-subdomain.com
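A pre-deployment check for this value, added here as an example and not taken from Hyperscience code: it rejects entries that lack the protocol and reports whether a given Origin header would be covered. The names parse_trusted_origins, origin_is_trusted and SAMPLE_VALUE are hypothetical, and the wildcard matching rule is an assumption about how "*." entries are interpreted.

```python
from urllib.parse import urlsplit

# Constructed sample value, same shape as the example on this page.
SAMPLE_VALUE = "https://example-domain.com,https://*.example-subdomain.com"


def parse_trusted_origins(value):
    """Split the comma-separated value; reject entries that are not scheme://host."""
    trusted = []
    for raw in value.split(","):
        entry = raw.strip()
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"missing protocol or host: {entry!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"not a bare origin: {entry!r}")
        trusted.append((parts.scheme, parts.netloc.lower()))
    return trusted


def origin_is_trusted(origin, trusted):
    """Return True if an Origin header value is covered by a trusted entry."""
    parts = urlsplit(origin)
    host = parts.netloc.lower()
    for scheme, pattern in trusted:
        if parts.scheme != scheme:
            continue  # an https entry does not cover an http origin
        if pattern.startswith("*."):
            # Assumed rule: "*.d" covers any host ending in ".d".
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    trusted = parse_trusted_origins(SAMPLE_VALUE)
    for candidate in ("https://lb.example-subdomain.com", "http://example-domain.com"):
        print(candidate, origin_is_trusted(candidate, trusted))
```

Run it against the value in your ".env" file and the URL users type to reach the load balancer; a False result for that URL points to the misconfiguration behind the "authentication required" errors described above.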
Recommended Settings
We recommend using the following load balancer settings:
Set the load balancer’s healthcheck endpoint to /login.
Set your load balancer’s timeout settings to at least 30 minutes for HTTP requests. A 30-minute timeout ensures that all Hyperscience operations can be completed successfully.
Disable sticky sessions if your load balancer allows it.
Use the load balancer’s default routing algorithm or choose one based on existing policies.