Skip to main content

Deployment

This page covers best practices and recommendations for deploying your Load Balancer in production environments.

Reverse Proxy & HTTPS

danger

Never expose your Load Balancer directly to the public internet.

  • Use a reverse proxy (Nginx, Traefik, Caddy, Apache) to:
    • Terminate SSL/TLS (HTTPS)
    • Forward requests securely to your Load Balancer
    • Add authentication (basic auth, SSO, etc.) for /dashboard or /bull endpoints

Example Nginx config:

server {
  listen 443 ssl;
  server_name your-lb.example.com;

  ssl_certificate /etc/ssl/certs/your-cert.pem;
  ssl_certificate_key /etc/ssl/private/your-key.pem;

  location / {
    proxy_pass http://localhost:4000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Optional: Basic Auth
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }

  location /dashboard/ {
    proxy_pass http://localhost:4000/dashboard/;
    # Same headers and auth as above
  }

  location /bull/ {
    proxy_pass http://localhost:4000/bull/;
    # Same headers and auth as above
  }
}

Docker as a Service

In production, we recommend using Docker and configuring it as a service. Here's how to configure your Load Balancer container as a service with systemd (compatible with Debian, Ubuntu, Fedora, CentOS 7+, RHEL 7+, Rocky, AlmaLinux, Arch Linux, etc.).

  1. Stop the Docker container if it was launched.

  2. Create a service:

    touch /etc/systemd/system/andera-load-balancer.service

  3. Complete it with your service configuration:

    [Unit]
    Description=Andera Load Balancer
    Requires=docker.service
    After=docker.service

    [Service]
    Type=oneshot
    WorkingDirectory=/var/www/andera-load-balancer
    ExecStart=/usr/bin/docker compose up -d
    ExecStop=/usr/bin/docker compose down
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

  4. Activate the service:

    sudo systemctl daemon-reexec
    sudo systemctl enable andera-load-balancer
    sudo systemctl start andera-load-balancer

Authentication and Secure Communication

  • All requests to Load Balancer endpoints (except /health public info) require the LB_AUTH_KEY.
  • When the Load Balancer communicates with a Worker (for /task), it provides:
    • Authorization: <AUTH_KEY> (the target Worker's AUTH_KEY)
    • x-lb-auth: <LB_AUTH_KEY> (your Load Balancer's LB_AUTH_KEY)
  • Sensitive endpoints like /dashboard, /bull, and /logs should be protected by your reverse proxy (authentication, IP allowlist, etc.).
  • Use HTTPS for all external communication.

Network Security

  • Restrict access to Load Balancer ports using firewalls or security groups.
  • Only allow trusted sources (clients, internal services) to connect.
  • Protect dashboard and monitoring endpoints with authentication and/or IP allowlists.

Checklist for Production

  • Use HTTPS via a reverse proxy
  • Set strong, unique LB_AUTH_KEY and AUTH_KEY
  • Monitor logs, dashboard, and health endpoints
  • Restrict network access
  • Regularly update dependencies and images

Tip: For cloud deployments, use managed SSL, secrets managers, and autoscaling as provided by your platform.