• Arun Nukula

Reverse Proxy in vRealize Automation


Understanding Reverse Proxy ( haproxy )

On vRealize Automation Appliance we have multiple services running simultaneously.

An Open-Source application called HA Proxy is used to provide a reverse proxy on port 443 , routing traffic to each service appropriately.

Each incoming request is analyzed on where it should be routed.

Routing is determined by looking at the configuration files that contains a set of rules which live under /etc/haproxy/conf.d/


These rules outline

  • What url should be directed where

  • Any checks that needs to be done before routing traffic

  • What to do by default

In order to understand how reverse proxy functions in vRealize Automation , let's look at the configuration files

When haproxy starts each *cfg file is loaded in alphanumeric order. The default and recommended naming convention is to start each file with 2 digit number. These file define what to do with each requests coming in.

Let's look at /etc/haproxy/conf.d/20-vcac.cfg , we can learn how routing is determined


The snippet shown above defines requests for orchestrator and health-checks , then states what to do with these requests.

Lines 25 to 29 starting with acl says what URI to look for , for example /vco or /vcac/services/api/health

If /vco is found then it would use backend-vro ( Line#33 )

If /vcac/services/api/health is found then backend-vra-health is used ( Line#34 )

If nothing is found or none of the conditions are met , then default backend is used that's backend-vra


If we go down the configuration file , we can find the respective backend code as well.

Line#66 in the above screenshot shows us backend-vra-health , Line#80 shows us backend-vro

In the above example , if backend-vro is used then the traffic will be routed to port 8280 on the localhost

Let's now see how Reverse Proxy is used in vRealize Automation with an example

  • When a user navigates to https://<vra>/vcac/ a check is performed for a valid SAML token. In this case , if the user did not login into vRA for a while and does not have a valid token.Reverse Proxy , then forwards the connection to vIDM for authentication.

  • When authentication is complete , a valid SAML token is cached into browser. Browser sends the login request again to Reverse Proxy , now since a valid SAML token is present it forwards connection to vRA CAFE

  • If a valid SAML token was found in the first instance , then Reverse Proxy would have directly forwarded the connection to vRA CAFE

  • Some requests like vRO API calls are done through URI. If request comes in like https://<vra>/vco , then Reverse Proxy forwards it to vRO directly

Reverse Proxy Logging

By default Reverse Proxy ( haproxy ) logging is disabled. In my experience, never came across any issues with this component of vRealize Automation.

If you still want to enable logging for haproxy then we can accomplish it at /etc/haproxy/haproxy.cfg

Note: Backup /etc/haproxy/haproxy.cfg before making any configuration changes to it

To enable logging we need to add following lines to haproxy.cfg and then restart services

stats enable stats uri /stats stats realm Strictly\ Private stats auth admin:VMware123!

The first line enables stats view

Second line set's access URI to stats , that means that there is a new view set at https://<vra>/stats

Third line set's access to private

Fourth line set's the username and password ( you may set password as you want )

Post these additions to the file , you would have to restart the haproxy service

service haproxy restart

Captured these steps in screenshot for reference



To confirm if Reverse proxy is functional

We can check it's service status that's

service haproxy status


Find Listening Ports and Running Process

netstat -plnt | grep haproxy

ps -ef | grep haproxy


haproxy stats page



0 views

Subscribe Now

  • Twitter
  • Facebook Social Icon

Copyright © 2019 nukescloud