[lvs-users] Multiple domains with SSL inside a 2 machine cluster

Graeme Fowler graeme at graemef.net
Tue Aug 7 12:58:40 BST 2007


On Tue, 2007-08-07 at 04:45 -0700, Joseph Mack NA3T wrote:
> o This solves the problem of purchasing 100's of public IPs

Correct. It also solves having to manage many thousands of IP
allocations within your own, private NAT network.

> o does not change the number of lines for ipvsadm

Correct. Although if you get a (some) reverse proxy(ies) to sit
logically between the load balancer(s) and the realservers, you can get
them to do the SSL crypt/decrypt and then pass the requests to the
realservers locally. This keeps the realservers doing what they do best,
serving web pages, and means you can take (for example) the SSL part
"out of the loop" without turning off all of the plain old HTTP sites at
the same time. And it can dramatically reduce the number of entries for
ipvsadm; however you may need to reinvent the wheel a little to get
persistence working (for example) from the proxy to the realserver.

> o does not change the number of certificates (the number of 
> hostnames x the number of realservers).

Correct. For the interested reader, having a certificate for the same
FQDN on more than one server is likely to be a breach of the T&Cs you
acknowledged with the CA/CSA when you bought the cert. You need 1 cert
for 10 machines? Pay us 10 times the cost of one, please. (Many
providers now make this a reducing charge, but it's still expensive). 

> correct?

Correct :)

Graeme
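
The two ipvsadm layouts Graeme contrasts above, as an added example that is not part of the original thread: one with SSL terminated on every realserver, one with a small reverse-proxy tier terminating SSL in front of plain-HTTP realservers. Addresses are constructed placeholders, the functions only print the ipvsadm commands (nothing is applied), and NAT forwarding (-m) is assumed to match the private NAT network mentioned in the thread.

```shell
#!/bin/sh
# Constructed topology: 3 public VIPs (one per SSL hostname, no SNI in 2007),
# 6 realservers and 2 SSL-terminating reverse proxies. All placeholders.
VIPS="192.0.2.10 192.0.2.11 192.0.2.12"
REALSERVERS="10.0.1.1 10.0.1.2 10.0.1.3 10.0.1.4 10.0.1.5 10.0.1.6"
PROXIES="10.0.0.1 10.0.0.2"

# Layout 1: every realserver terminates SSL itself, so each VIP needs a
# :443 service with one entry per realserver (and one cert per realserver).
rules_direct() {
  for vip in $VIPS; do
    for port in 80 443; do
      # -p gives client->realserver persistence so SSL sessions stay put
      echo "ipvsadm -A -t $vip:$port -s wlc -p 300"
      for rs in $REALSERVERS; do
        echo "ipvsadm -a -t $vip:$port -r $rs:$port -m -w 1"
      done
    done
  done
}

# Layout 2: plain HTTP still goes straight to the realservers, but :443 is
# handed to the proxy pool, which decrypts and forwards HTTP locally. The
# :443 entry count now scales with proxies, not realservers, and the SSL
# service can be withdrawn without touching the :80 sites.
rules_proxied() {
  for vip in $VIPS; do
    echo "ipvsadm -A -t $vip:80 -s wlc"
    for rs in $REALSERVERS; do
      echo "ipvsadm -a -t $vip:80 -r $rs:80 -m -w 1"
    done
    # -p here only pins a client to a proxy; proxy->realserver stickiness
    # has to be rebuilt inside the proxy, as the thread notes.
    echo "ipvsadm -A -t $vip:443 -s wlc -p 300"
    for px in $PROXIES; do
      echo "ipvsadm -a -t $vip:443 -r $px:443 -m -w 1"
    done
  done
}

# Number of ipvsadm invocations a layout needs (tr strips BSD wc padding).
count_rules() { "$1" | wc -l | tr -d ' '; }

echo "direct:  $(count_rules rules_direct) rules"
echo "proxied: $(count_rules rules_proxied) rules"
```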
