[lvs-users] Multiple domains with SSL inside a 2 machine cluster

Graeme Fowler graeme at graemef.net
Tue Aug 7 10:06:37 BST 2007


On Tue, 2007-08-07 at 10:24 +0200, Ullrich Pfefferlein wrote:
> Can you give me little more information on this please? I have
> configured my NIC with ifconfig to setup more ips. But what do you
> mean with VIPs on the real servers? Should i setup extra services on
> the apache machines (behind the load balancer?)

Back to basics before anyone gets confused (and it'll answer your
questions, too):

Using SSL on a webserver offers an intractable problem with regards
using HTTP/1.1 - it simply won't work as expected.
The problem is this:
* The client connects to port 443 and makes an SSL session start request
* The server must, at this point, know which certificate to use and
responds accordingly - BEFORE the client has sent any request headers.
* The client validates the certificate details against the hostname part
of the URI
* If the FQDN in the cert matches the hostname in the URI, everything is
rosy and you get on with your session. If not, the client throws a
warning to the browser operator and they get confused (or just hit
"yes", "accept" or whatever).

This means that *every* virtual host you are providing a secure site via
an SSL certificate to *must* bind to its' own IP address. If you're
using Apache, you'd therefore have multiple "Listen 1.2.3.4:443"
directives and ensure that the given <VirtualHost> block for a specific
ServerName only binds to one IP/port pair.

So both statements regarding hostnames and IP addresses are correct,
except that the IP address is actually independent of the certificate
FQDN (and the same cert can be used by multiple IP addresses, or even
machines, if license terms are not breached).

So, to using LVS (or any other form of load balancing):

This means there must be multiple VIPs on the client-facing side of the
cluster, and either:

For TUN and DR, every realserver handling these sites must be configured
to listen to all the appropriate VIPs on their loopback interface, or

For NAT, every realserver must have Apache bound to multiple internal
(ie. intra-cluster only) IP addresses and the LVS must be configured to
forward to those IP addresses.

Imagine you have a ten-server cluster with a single director, serving 1
SSL site - you need 1 client-facing VIP, and either 10 instances of
those VIPs on every realserver (for TUN or DR) or 1 internal IP address
*per realserver* in the cluster (that's 10 addresses total).

Now stretch this a bit: ten realservers, serving 100 SSL sites. That's
ten realservers with 100 VIPs (TUN or DR), or ten realservers with 100
internal IP addresses (NAT) - yes, that's 1000 internal IP addresses.

Pretty soon this becomes completely unmanageable.

There's an alternative, much tidier approach for NAT which only requires
one IP per machine - use multiple TCP ports instead of multiple
addresses. You can have vhost1 bound to port 443, vhost2 to port 444 and
so on (obviously you need to choose this range carefully). You can then
configure VIP1:443 to use RS1:444, RS2:444, RS3:444 and so on.

As to how you configure Apache to do this, I've dropped some hints
already; your distro's docs and very definitely http://httpd.apache.org/
will provide the detail.

Graeme





More information about the lvs-users mailing list