[lvs-users] https connections

Dan Yocum yocum at fnal.gov
Thu Dec 6 22:10:42 GMT 2007


A few weeks ago I said I'd write up how to configure Apache+SSL so it 
could be used with LVS-DR.  Those instructions are attached.

Please review them, make comments and suggestions and hopefully Joe can 
get them into the not-so-mini-LVS-HOWTO.

Cheers,
Dan


Dan Yocum wrote:
> I'm an idiot.  ;-)
> 
> More below...
> 
> Joseph Mack NA3T wrote:
>> On Thu, 25 Oct 2007, Dan Yocum wrote:
>>
>>> I've configured 3 VirtualHosts directives in the apache (v2.2.4) conf
>>> file to use the appropriate cert/key pairs depending on what IP the
>>> request comes in on (I've tried this by hostname, too - still no luck).
>>> This same configuration file *is* working on a non-HA system
>>> (fermigrid2.fnal.gov) - I've simply copied the conf files over and
>>> changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
>>> variables.
>>
>> We need to get this written up for the HOWTO (whatever "this" turns 
>> out to be). I expect you're running into the problem of https being 
>> name based rather than IP based, ie when you come in on VIP1, the 
>> machine has to be hostname_1 and when you come in on VIP2, the machine 
>> has to be hostname_2. However I don't know how you do this.
> 
> Indeed.  I'll be happy to write it up when I get it all straightened out
> in my notes.
> 
> More below (I promise).
> 
>>
>> Can you get a single (non-lvs) server to serve up two https sites? Can 
>> you get your lvs setup to balance https with only one VIP?
> 
> Yep.  That one is running on https://gums-fg5x2.fnal.gov:8443.
> 
>>
>> Someone else is going to have to take it from here.
>>
>>> One potential clue (or red herring), if I enable the following iptables
>>> rules I *can* connect to the web server, but it always gets redirected
>>> to the primary IP
>>
>> it's a red herring. see the HOWTO for "transparent proxy"
> 
> Yep.
> 
> OK, here's where I messed up:
> 
> voms.opensciencegrid.org, voms.fnal.gov are already up and running on
> the non-HA, non-LVS'd server fermigrid2.fnal.gov.  Stupid me put this in
> my http-ssl.conf file:
> 
> <VirtualHost voms.opensciencegrid.org:8443>
> 
> and
> 
> <VirtualHost voms.fnal.gov:8443>
> 
> Duh.  Those hostname/IPs are not on this machine (I was getting ahead of 
> myself).  I'm using voms-fg5x1 and saz-fg5x3 as my test hostname/IPs.
> 
> So, I put the test IPs in the VirtualHost directives and added 
> appropriate 'Listen' lines for each server (i.e., 'Listen 
> 131.225.107.112', etc.) and everything is working as it is supposed to.
> 
> Thanks to Graeme for the 'Listen' tip.
> 
> I'll write up a how-to on setting up LVS-DR + https in the next couple of days 
> and send it to the list for review.
> 
> On to stress testing...
> 
> Thanks,
> Dan
> 
> 

-- 
Dan Yocum
Fermilab  630.840.6509
yocum at fnal.gov, http://fermigrid.fnal.gov
Fermilab.  Just zeros and ones.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: lvs-dr-multiple-ssl-web-servers.txt
Url: http://lists.graemef.net/pipermail/lvs-users/attachments/20071206/b51d69df/attachment.txt 
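As an added illustration (not the attached write-up and not Dan's own config), here is the mistake Dan describes beside the form that works: a VirtualHost keyed on a hostname that is not on the realserver, versus one Listen line per VIP and IP-based VirtualHosts with their own cert/key pairs. The 192.0.2.x addresses, the example.org names and the certificate paths are constructed placeholders.

```apache
# BROKEN (the form in the mail): the names resolve to IPs that belong to
# another host, so nothing arriving on this realserver's VIPs matches these
# vhosts and every https request falls through to the main/default server.
<VirtualHost voms.opensciencegrid.org:8443>
    ServerName            voms.opensciencegrid.org
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/voms.opensciencegrid.org.crt   # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/voms.opensciencegrid.org.key # placeholder path
</VirtualHost>

# WORKING: one Listen per VIP:port plus IP-based VirtualHosts. On LVS-DR each
# VIP must already be configured on the realserver (with the ARP problem
# handled, as in the HOWTO), otherwise the Listen line fails at startup.
# 192.0.2.11 and 192.0.2.12 are constructed stand-ins for the two VIPs.
Listen 192.0.2.11:8443
Listen 192.0.2.12:8443

<VirtualHost 192.0.2.11:8443>
    ServerName            voms-fg5x1.example.org
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/voms-fg5x1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/voms-fg5x1.key
</VirtualHost>

<VirtualHost 192.0.2.12:8443>
    ServerName            saz-fg5x3.example.org
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/saz-fg5x3.crt
    SSLCertificateKeyFile /etc/pki/tls/private/saz-fg5x3.key
</VirtualHost>
```

To confirm each VIP hands out its own certificate, run `openssl s_client -connect 192.0.2.11:8443` (and likewise for the second VIP) and check that the subject of the returned certificate matches that VIP's hostname; a wrong subject means the request fell through to another vhost.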
