Load Balancer

  • Updated on Jun 4, 2025
  • Published on Sep 17, 2024
  • 2 minute(s) read
Prev Next

As part of High Availability and Disaster Recovery (HA/DR) best practices, we recommend deploying the Hyperscience application on multiple machines and using a load balancer to distribute web requests.

Note that the trainer does not distribute any web requests and should not be included in your load balancer setup.

Supported Configurations

Hyperscience supports the following two configurations:

  • SSL passthrough

  • SSL/TLS offloading

SSL/TLS offloading

We strongly recommend SSL/TLS offloading to the load balancer. This configuration relieves the web configuration of the processing burden of decrypting and/or encrypting SSL/TLS traffic. The load balancer decrypts the data and sends it to the web server. To configure SSL/TLS offloading to the load balancer, you need to open port 80 on all machines where the application server is installed and route HTTP traffic to this port.

SSL/TLS passthrough

If you would like to configure SSL passthrough, you need to:

  1. Open port 443 on all application machines.

  2. Configure the load balancer to route HTTP traffic to port 443 on all application machines.

  3. (Optional but recommended) Configure an HTTP ➜ HTTPS redirection rule. If you do not configure this redirection rule, some web browsers will fail to load the Hyperscience web application if the URL is not specifically prepended with “https://”. You can configure the redirection rule in one of the following ways:

    • Inside the load balancer

    • Inside Hyperscience. You need to open port 80 on all application machines. Configure the load balancer to route HTTP traffic to port 80 on all application machines. You can enable the HTTP ➜ HTTPS redirection rule in the “.env” file:

      NGINX_ENABLE_SSL_REDIRECT=yes

If you would like to make any SSL/TLS changes, you need to re-configure each machine separately. For example, if you need to change the SSL certificate, you need to update the certificate on each machine.

In v40 and later, you can choose the minimum level of severity that NGINX-related errors need to have in order to be logged by the syslog utility. To learn more, see Security.

HS_CSRF_TRUSTED_ORIGINS

In v38 and later, we validate POST requests' Origin header against a list of trusted domains. If you are using a load balancer, you need to set the environment variable HS_CSRF_TRUSTED_ORIGINS to the load balancer's domain. Otherwise, "authentication required" errors may occur.

The value should be the complete URL of the load balancer, including the protocol (e.g., https://example-domain.com).  If you are using a subdomain, a wildcard character must be used (e.g., https://*.example-subdomain.com).

If you want to set multiple trusted domains, the value must to be a string that includes all the domains in a comma-separated list:

HS_CSRF_TRUSTED_ORIGINS=https://example-domain.com,https://*.example-subdomain.com

Recommended Settings

We recommend using the following load balancer settings:

  • Set the load balancer’s healthcheck endpoint to /login.

  • Set your load balancer’s timeout settings to at least 30 minutes for HTTP requests. A 30-minute timeout ensures that all Hyperscience operations can be completed successfully.

  • Disable sticky sessions if your load balancer allows.

  • Use the load balancer’s default routing algorithm or choose one based on existing policies.