[lvs-users] Multiple HTTPS (per real-server) on LVS-DR does not work

Michael Moody michael at gsc.cc
Sat Oct 27 00:33:23 BST 2007


For those of you who may have a similar problem, here is the solution:

(192.168.1.20 and 192.168.1.23 are https1 and https2 respectively on 
server1; 192.168.1.54 and 192.168.1.24 are https1 and https2 respectively 
on server2.) 10.0.0.20 is the VIP for https1, 10.0.0.24 is the VIP for 
https2.

First thing, I set up my apache to have dual vhosts, like this, both on 
the vip and rip:

------------Vhost for https1 site one on server 1--------------
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  60
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Listen 192.168.1.20:443
Listen 10.0.0.20:443

NameVirtualHost 192.168.1.20:443

<VirtualHost 192.168.1.20:443>
ServerAdmin me at somewhere.com
DocumentRoot /var/www/https1
ServerName https1.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https1.site.com.key
SSLCertificateFile /etc/apache2/ssl/https1.site.com.crt
SSLEngine on

    <Directory "/var/www/https1">
           Options FollowSymlinks Multiviews
           Order allow,deny
           Allow from all
    </Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>

NameVirtualHost 10.0.0.20:443

<VirtualHost 10.0.0.20:443>
ServerAdmin me at somewhere.com
DocumentRoot /var/www/https1
ServerName https1.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https1.site.com.key
SSLCertificateFile /etc/apache2/ssl/https1.site.com.crt
SSLEngine on

    <Directory "/var/www/https1">
           Options FollowSymlinks Multiviews
           Order allow,deny
           Allow from all
    </Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>

------------Vhost for https2 site one on server 1--------------
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  60
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Listen 192.168.1.23:443
Listen 10.0.0.24:443

NameVirtualHost 192.168.1.23:443

<VirtualHost 192.168.1.23:443>
ServerAdmin me at somewhere.com
DocumentRoot /var/www/https2
ServerName https2.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https2.site.com.key
SSLCertificateFile /etc/apache2/ssl/https2.site.com.crt
SSLEngine on

    <Directory "/var/www/https2">
           Options FollowSymlinks Multiviews
           Order allow,deny
           Allow from all
    </Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>

NameVirtualHost 10.0.0.24:443

<VirtualHost 10.0.0.24:443>
ServerAdmin me at somewhere.com
DocumentRoot /var/www/https2
ServerName https2.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https2.site.com.key
SSLCertificateFile /etc/apache2/ssl/https2.site.com.crt
SSLEngine on

    <Directory "/var/www/https2">
           Options FollowSymlinks Multiviews
           Order allow,deny
           Allow from all
    </Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>

Of course, these vhosts are similar on server2, with the IPs changed.

This configuration enables apache to both listen and answer on both the 
rip and vip, and then the load balancer's ldirectord.cf:

virtual=10.0.0.20:443 #https1
        real=192.168.1.54:443 gate 1 #server2
        real=192.168.1.20:443 gate 1 #server1
        service=https
        scheduler=wlc
        persistent=300
        #netmask=255.255.255.255
        protocol=tcp

virtual=10.0.0.24:443 #https2
        real=192.168.1.24:443 gate 1 #server2
        real=192.168.1.23:443 gate 1 #server1
        service=https
        scheduler=wlc
        persistent=60
        #netmask=255.255.255.255
        protocol=tcp


Hope this helps anyone else who runs into this.

Michael M. wrote:
> I thought that was the case, however, apache doesn't seem to support binding
> a vhost to multiple IPs, unless perhaps I was to create multiple vhosts? I
> might try that. If I bind it to 10.0.0.x, then apache won't answer on the
> 192.168.1.x address that the load balancer is looking for. Recommendations?
>
> Thanks,
> Michael
>
> -----Original Message-----
> From: Joseph Mack NA3T [mailto:jmack at wm7d.net] 
> Sent: Wednesday, October 17, 2007 12:34 PM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Multiple HTTPS (per real-server) on LVS-DR does not
> work
>
> On Wed, 17 Oct 2007, Michael Moody wrote:
>
>> If I bind the ssl in apache vhosts to an ip, like this <virtualhost
>> 192.168.1.23:443>, then for whatever reason, apache refuses to work with
>> the load balancer,
>
> apache has to bind to the VIP (in your case 10.x.x.x)
>
> Joe

-- 

Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Direct: (650) 265-4154
Web: http://www.GlobalSystemsConsulting.com

Engineering Support: support at gsc.cc
Billing Support: billing at gsc.cc
Customer Support Portal:  http://my.gsc.cc



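An added configuration audit (not code from the post, nor from the LVS or ldirectord projects) that checks the rule the thread settles on for one real server: for every VIP in ldirectord.cf whose RIP is local, Apache must Listen on the RIP and on the VIP and serve both from vhosts with the same ServerName. The parsers, the `audit` function and the trimmed sample configs (with one missing Listen and one ServerName copy-paste slip planted) are constructed for this example.

```python
import re
# Constructed sample inputs trimmed from the post's configs; the Apache sample omits
# "Listen 10.0.0.24:443" and carries a ServerName slip in the https2 VIP vhost.
LDIRECTORD_CF = """
virtual=10.0.0.20:443 #https1
        real=192.168.1.54:443 gate 1 #server2
        real=192.168.1.20:443 gate 1 #server1
virtual=10.0.0.24:443 #https2
        real=192.168.1.23:443 gate 1 #server1
"""
APACHE_SERVER1 = """
Listen 192.168.1.20:443
Listen 10.0.0.20:443
Listen 192.168.1.23:443
<VirtualHost 192.168.1.20:443> ServerName https1.site.com </VirtualHost>
<VirtualHost 10.0.0.20:443> ServerName https1.site.com </VirtualHost>
<VirtualHost 192.168.1.23:443> ServerName https2.site.com </VirtualHost>
<VirtualHost 10.0.0.24:443> ServerName https1.site.com </VirtualHost>
"""

def parse_ldirectord(text):
    """Map each virtual=VIP:port to its real=RIP:port entries."""
    services, reals = {}, None
    for key, val in re.findall(r"^\s*(virtual|real)=(\S+)", text, re.M):
        if key == "virtual":
            reals = services.setdefault(val, [])
        elif reals is not None:            # real= lines belong to the last virtual=
            reals.append(val)
    return services

def parse_apache(text):
    """Return the set of Listen sockets and {vhost socket: ServerName or None}."""
    listens = set(re.findall(r"^\s*Listen\s+(\S+)", text, re.M))
    vhosts = {sock: (re.search(r"\bServerName\s+(\S+)", body) or [None, None])[1]
              for sock, body in re.findall(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", text, re.S)}
    return listens, vhosts

def audit(ldirectord_cf, apache_conf, local_rips):
    """Audit one real server: each VIP whose RIP is local must be listened on like the
    RIP (DR delivers packets to the VIP, ldirectord health-checks the RIP) and served by
    a vhost mirroring the RIP vhost's ServerName; None means that vhost is missing."""
    findings, (listens, vhosts) = [], parse_apache(apache_conf)
    for vip, rips in parse_ldirectord(ldirectord_cf).items():
        for rip in (r for r in rips if r.split(":")[0] in local_rips):
            for sock in (rip, vip):
                if sock not in listens:
                    findings.append(f"{sock}: no Listen directive")
            if vhosts.get(vip) != vhosts.get(rip):
                findings.append(f"{vip}: ServerName {vhosts.get(vip)} != {vhosts.get(rip)} on {rip}")
    return findings
```

Run `audit(LDIRECTORD_CF, APACHE_SERVER1, {"192.168.1.20", "192.168.1.23"})` on server1; the https1 service passes cleanly and the two planted defects in https2 are reported, while server2's RIP 192.168.1.54 is ignored because it is not local.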

