(Deprecated) Cloud License Server Proxy
Note
Topics covered in this page require you to have administrator/root access to your machine(s) to install/deploy software.
Note
Topics covered in this page refer to legacy Thinkbox usage-based licensing (UBL), which is deprecated. The Thinkbox UBL Marketplace will no longer support purchases of products other than V-Ray and RenderMan starting April 30, 2025. The UBL feature in Deadline 10 is now available via the new Deadline Cloud UBL. For detailed instructions, please see the Deadline Cloud UBL Documentation.
You can continue to use your existing purchases until September 30, 2025. For more details, please refer to this FAQ. For any questions about existing UBL purchases, please reach out to: thinkbox-sales@amazon.com.
Overview
When using Legacy Usage-Based Licensing with a Cloud License Server, it is normally required that all Deadline Worker machines have access to the internet. However, this is not always possible due to security reasons. The recommended alternative is to set up a Cloud License Server Proxy on a single machine that does have internet access, and have the Deadline Workers point to it instead.
This documentation will go through the steps of installing and configuring a Cloud License Server Proxy using HAProxy on an Ubuntu machine. Note that this can be a physical or virtual machine. While there are probably many ways to set up a Cloud License Server Proxy, this is the solution we have tested and we can confirm it works.
Please contact Thinkbox Support if you need help setting up the Cloud License Server Proxy.
Installing HAProxy
Ubuntu
On Ubuntu, to ensure you are using the latest version of HAProxy, you need to download and build it before installing.
You must first install the required packages on your Ubuntu machine:
>>> sudo -s
>>> apt-get install build-essential libssl-dev
After those packages have finished installing, download HAProxy and extract the HAProxy tarball to a temporary location. Then open a Terminal, change directories to the extracted HAProxy folder, and compile HAProxy:
>>> make TARGET=linux2628 USE_OPENSSL=1
After compiling HAProxy, you can install it:
>>> make install
CentOS/RedHat
On RHEL/CentOS 7, we can use the EPEL repository RPM:
>>> sudo -s
>>> wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
>>> rpm -ivh epel-release-latest-7.noarch.rpm
>>> yum install haproxy
SSL Certificate
Before you can start using HAProxy, you need to generate an SSL certificate for HAProxy’s internal listener. This can either be signed by a trusted certificate authority, or it can be self-signed. To generate a self-signed CA and certificate, you can follow these instructions.
For the commands below, note that the ‘-days’ option sets how many days each certificate is valid for. The values can be customized as needed, keeping in mind that certificates will need to be re-generated and replaced before their expiry dates to avoid connectivity issues. The example below is set to 10 years (3650 days) for the CA certificate, and 1 year (365 days) for the server certificate.
First, ensure that you have OpenSSL installed. Then open a terminal, change to a directory where you want to create the certificates, and run the following commands:
# Generate a self-signed certificate authority, entering the requested organization information when prompted, with "CA" as the "Common Name"
>>> openssl genpkey -algorithm RSA -out ca.key
>>> openssl req -new -x509 -key ca.key -out ca.crt -days 3650
# Generate a private key and certificate signing request, entering the requested organization information, with "haproxy-01" as the "Common Name"
>>> openssl req -new -nodes -keyout haproxy-01.key -out haproxy-01-req.pem
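# Sign the certificate signing request with the CA to create the certificate file
# (-CAcreateserial creates the CA serial number file, ca.srl, if it does not exist yet)
>>> openssl x509 -req -days 365 -in haproxy-01-req.pem -out haproxy-01.crt -CA ca.crt -CAkey ca.key -CAcreateserial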
# Concatenate the server key and certificate into one pem file
>>> cat haproxy-01.crt haproxy-01.key > haproxy-01.pem
The resulting ‘haproxy-01.pem’ file will be referenced in the HAProxy configuration file below.
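Before the files are deployed, it is worth confirming that the server certificate chains to the CA, that the private key belongs to the certificate, and that expiry is not imminent. The script below is an added example, not part of the original Thinkbox documentation; the function names and the 30-day default threshold are assumptions, and `make_demo_pki` builds throwaway test material with the commands above plus `-subj` so that nothing is prompted for.

```shell
# Added example (not from the original documentation).
# check_proxy_cert CA_CERT SERVER_CERT SERVER_KEY [MIN_DAYS]
# Prints OK, CHAIN-FAIL, KEY-MISMATCH or EXPIRES-SOON; returns 0 only for OK.
check_proxy_cert() {
    ca=$1 crt=$2 key=$3 min_days=${4:-30}   # 30 days is an assumed default
    # 1. The server certificate must chain to the CA the Workers will trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "CHAIN-FAIL"; return 1
    fi
    # 2. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "KEY-MISMATCH"; return 1
    fi
    # 3. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend "$((min_days * 86400))" \
            >/dev/null 2>&1; then
        echo "EXPIRES-SOON"; return 1
    fi
    echo "OK"
}

# Constructed test material: a throwaway CA and haproxy-01 certificate built
# with the commands above, with -subj added so that nothing is prompted for.
make_demo_pki() {
    d=$1
    openssl genpkey -algorithm RSA -out "$d/ca.key" 2>/dev/null &&
    openssl req -new -x509 -key "$d/ca.key" -out "$d/ca.crt" -days 3650 \
        -subj "/CN=CA" 2>/dev/null &&
    openssl req -new -nodes -keyout "$d/haproxy-01.key" \
        -out "$d/haproxy-01-req.pem" -subj "/CN=haproxy-01" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$d/haproxy-01-req.pem" \
        -out "$d/haproxy-01.crt" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial 2>/dev/null
}

# Usage on the real files:
#   check_proxy_cert ca.crt haproxy-01.crt haproxy-01.key 30
```

Running the check from a scheduled job with a threshold longer than your renewal lead time gives early warning before the 365-day server certificate lapses.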
Configuring HAProxy
The next step is to configure HAProxy to use your SSL certificate and redirect traffic to the Cloud License Server. First, create a folder named /etc/haproxy, and then copy the folder containing the certificate and key files that you created above to /etc/haproxy/keys.
Now create an HAProxy configuration file at /etc/haproxy/haproxy.cfg with the following contents. Note that the following lines in the frontend incoming_https section below need to be updated:
In the bind line, change the haproxy-01.pem certificate name to reference the certificate you created above.
In the reqrep line, replace the haproxy-01 host name with the DNS name or IP address of the HAProxy server (the same host that you created the certificate for).
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    ca-base /etc/haproxy/keys
    crt-base /etc/haproxy/keys
    tune.ssl.default-dh-param 1024

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 5000
    timeout client 3600000
    timeout server 3600000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend incoming_https
    bind *:443 ssl crt haproxy-01.pem ca-file ca.crt
    reqrep "Host: haproxy-01" "Host: thinkbox.compliance.flexnetoperations.com"
    option tcplog
    mode tcp
    default_backend fno

backend fno
    mode tcp
    option ssl-hello-chk
    server fno thinkbox.compliance.flexnetoperations.com:443 ssl verify none
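The configuration above carries three TLS settings worth reviewing: 1024-bit DH parameters, `verify none` towards the license server, and a `ca-file` on the bind line that is not enforced because bind defaults to `verify none`. The check below is an added example, not part of the original Thinkbox documentation; the function names and finding IDs are illustrative, and the hardened lines (Debian/Ubuntu CA bundle path, `verifyhost`) are assumptions that have not been tested against the license service.

```shell
# Added example: audit an HAProxy config for the TLS settings used above.
# Reads the file in $1 (or stdin), prints "<line>: <ID> <detail>" per finding,
# and returns 1 if anything was found.
audit_haproxy_cfg() {
    awk '
    function hit(id, msg) { printf "%d: %s %s\n", NR, id, msg; bad = 1 }
    { sub(/#.*/, "") }                      # drop comments before matching
    $1 == "tune.ssl.default-dh-param" && $2 + 0 < 2048 {
        hit("WEAK-DH", $2 "-bit DH parameters, use 2048 or more")
    }
    $1 == "server" || $1 == "bind" {
        ssl = 0; cafile = 0; verify = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "ssl") ssl = 1
            if ($i == "ca-file") cafile = 1
            if ($i == "verify") verify = $(i + 1)
        }
        if ($1 == "server" && ssl && verify == "none")
            hit("NO-VERIFY", "upstream certificate is not validated")
        if ($1 == "bind" && cafile && verify == "")
            hit("CA-UNUSED", "ca-file set, but bind defaults to verify none")
    }
    END { exit bad + 0 }
    ' "$@"
}

# Sample input: the TLS-relevant lines excerpted from the configuration above.
page_cfg() {
    cat <<'EOF'
global
    tune.ssl.default-dh-param 1024
frontend incoming_https
    bind *:443 ssl crt haproxy-01.pem ca-file ca.crt
backend fno
    server fno thinkbox.compliance.flexnetoperations.com:443 ssl verify none
EOF
}

# Assumed hardened form; the CA bundle path is the Debian/Ubuntu location.
hardened_cfg() {
    cat <<'EOF'
global
    tune.ssl.default-dh-param 2048
frontend incoming_https
    bind *:443 ssl crt haproxy-01.pem
backend fno
    server fno thinkbox.compliance.flexnetoperations.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost thinkbox.compliance.flexnetoperations.com
EOF
}
```

Run `audit_haproxy_cfg /etc/haproxy/haproxy.cfg` against the deployed file; `page_cfg | audit_haproxy_cfg` reports lines 2, 4 and 6, while the hardened excerpt produces no findings.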
Now create an init script at /etc/init.d/haproxy with the following contents:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          haproxy
# Required-Start:    $local_fs $network $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: fast and reliable load balancing reverse proxy
# Description:       This file should be used to start and stop haproxy.
### END INIT INFO

# Author: Arnaud Cornet <acornet@debian.org>

PATH=/sbin:/usr/sbin:/bin:/usr/bin
PIDFILE=/var/run/haproxy.pid
CONFIG=/etc/haproxy/haproxy.cfg
HAPROXY=/usr/local/sbin/haproxy
EXTRAOPTS=
# The script exits without starting HAProxy while ENABLED is 0;
# /etc/default/haproxy (sourced below, if present) can override it with ENABLED=1.
ENABLED=0

test -x $HAPROXY || exit 0

if [ -e /etc/default/haproxy ]; then
    . /etc/default/haproxy
fi

test -f "$CONFIG" || exit 0
test "$ENABLED" != "0" || exit 0

[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/lsb/init-functions

# Remove the temporary PID file used by haproxy_stop
clean()
{
    if [ -e "$tmp" ];then
        rm -f "$tmp"
    fi
}

trap clean EXIT

# Validate the configuration file before starting or reloading
check_haproxy_config()
{
    $HAPROXY -c -f "$CONFIG" >/dev/null
    if [ $? -eq 1 ]; then
        log_end_msg 1
        exit 1
    fi
}

haproxy_start()
{
    check_haproxy_config

    start-stop-daemon --quiet --oknodo --start --pidfile "$PIDFILE" \
        --exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
        $EXTRAOPTS || return 2
    return 0
}

haproxy_stop()
{
    tmp=$(tempfile -s .haproxy.init)

    if [ ! -f $PIDFILE ] ; then
        # This is a success according to LSB
        return 0
    fi

    ret=0
    for pid in $(cat $PIDFILE); do
        echo $pid > "$tmp"
        start-stop-daemon --quiet --oknodo --stop \
            --retry 5 --pidfile "$tmp" --exec $HAPROXY || ret=$?
    done

    [ $ret -eq 0 ] && rm -f $PIDFILE

    return $ret
}

haproxy_reload()
{
    check_haproxy_config

    $HAPROXY -f "$CONFIG" -p $PIDFILE -D $EXTRAOPTS -sf $(cat $PIDFILE) \
        || return 2
    return 0
}

haproxy_status()
{
    if [ ! -f $PIDFILE ] ; then
        # program not running
        return 3
    fi

    for pid in $(cat $PIDFILE) ; do
        if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
            # program running, bogus pidfile
            return 1
        fi
    done

    return 0
}

case "$1" in
start)
    log_daemon_msg "Starting haproxy" "haproxy"
    haproxy_start
    ret=$?
    case "$ret" in
    0)
        log_end_msg 0
        ;;
    1)
        log_end_msg 1
        echo "pid file '$PIDFILE' found, haproxy not started."
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    exit $ret
    ;;
stop)
    log_daemon_msg "Stopping haproxy" "haproxy"
    haproxy_stop
    ret=$?
    case "$ret" in
    0|1)
        log_end_msg 0
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    exit $ret
    ;;
reload|force-reload)
    log_daemon_msg "Reloading haproxy" "haproxy"
    haproxy_reload
    ret=$?
    case "$ret" in
    0|1)
        log_end_msg 0
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    exit $ret
    ;;
restart)
    log_daemon_msg "Restarting haproxy" "haproxy"
    haproxy_stop
    haproxy_start
    ret=$?
    case "$ret" in
    0)
        log_end_msg 0
        ;;
    1)
        log_end_msg 1
        ;;
    2)
        log_end_msg 1
        ;;
    esac
    exit $ret
    ;;
status)
    haproxy_status
    ret=$?
    case "$ret" in
    0)
        echo "haproxy is running."
        ;;
    1)
        echo "haproxy dead, but $PIDFILE exists."
        ;;
    *)
        echo "haproxy not running."
        ;;
    esac
    exit $ret
    ;;
*)
    echo "Usage: /etc/init.d/haproxy {start|stop|reload|restart|status}"
    exit 2
    ;;
esac

:
Running HAProxy
Now that HAProxy is configured, it’s almost ready to run. First, you need to restart rsyslog:
>>> service rsyslog restart
Next, add HAProxy to the default runlevels:
>>> update-rc.d haproxy defaults
or on CentOS/RedHat:
>>> chkconfig haproxy on
Finally, you can start HAProxy:
>>> service haproxy start
Network Access Requirements
There are a couple of network access requirements to allow the Deadline Workers to connect to the Proxy, and to allow the Proxy to connect to the Cloud License Server.
First, you must ensure that the render nodes that the Deadline Workers are running on can reach the Proxy on TCP port 443.
Second, you must ensure that the Proxy can reach thinkbox.compliance.flexnetoperations.com on TCP port 443. If you need help determining the IP address for thinkbox.compliance.flexnetoperations.com, you can do so by running the following command in a command prompt or terminal:
>>> nslookup thinkbox.compliance.flexnetoperations.com
Simply look in the “Address” field of the output. Note that the nslookup command is generally available on Windows, macOS or Linux.
Configuring Deadline
Now that the Cloud License Server Proxy is running, you need to configure the Deadline Workers to point to it. The process is almost the same as if you were pointing to the Cloud License Server directly. The only difference is that instead of entering the URL to the Cloud License Server, you’ll be entering the URL to the Cloud License Server Proxy server. Note that you still enter an Activation Code as usual.
For example, let’s assume that the original URL was this:
https://thinkboxuat.compliance.flexnetoperations.com/instances/A1B2C3D4E5F6/request
If your Cloud License Server Proxy machine is called haproxy-01, you’ll enter the following URL instead:
https://haproxy-01/instances/A1B2C3D4E5F6/request
Finally, if you used a self-signed CA certificate, you’ll need to import /etc/haproxy/keys/ca.crt as a trusted root certificate on any Deadline Worker machines that will be pulling licenses through the Cloud License Server Proxy. Once this is done, the Deadline Workers should be able to check out render time as if they were connected directly to the Cloud License Server.