For those of you who may have a similar problem, here is the solution:
(192.168.1.20 and 192.168.1.23 are https1 and https2 respectively on
server1, 192.168.1.54 and 192.168.1.24 are https1 and https2 respectively
on server2) 10.0.0.20 is the vip for https1, 10.0.0.24 is the vip for
https2.
First thing, I set up my apache to have dual vhosts, like this, both on
the vip and rip:
------------Vhost for https1 site one on server 1--------------
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 60
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
Listen 192.168.1.20:443
Listen 10.0.0.20:443
NameVirtualHost 192.168.1.20:443
<VirtualHost 192.168.1.20:443>
ServerAdmin me@xxxxxxxxxxxxx
DocumentRoot /var/www/https1
ServerName https1.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https1.site.com.key
SSLCertificateFile /etc/apache2/ssl/https1.site.com.crt
SSLEngine on
<Directory "/var/www/https1">
Options FollowSymlinks Multiviews
Order allow,deny
Allow from all
</Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>
NameVirtualHost 10.0.0.20:443
<VirtualHost 10.0.0.20:443>
ServerAdmin me@xxxxxxxxxxxxx
DocumentRoot /var/www/https1
ServerName https1.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https1.site.com.key
SSLCertificateFile /etc/apache2/ssl/https1.site.com.crt
SSLEngine on
<Directory "/var/www/https1">
Options FollowSymlinks Multiviews
Order allow,deny
Allow from all
</Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>
------------Vhost for https2 site one on server 1--------------
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 60
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
Listen 192.168.1.23:443
Listen 10.0.0.24:443
NameVirtualHost 192.168.1.23:443
<VirtualHost 192.168.1.23:443>
ServerAdmin me@xxxxxxxxxxxxx
DocumentRoot /var/www/https2
ServerName https2.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https2.site.com.key
SSLCertificateFile /etc/apache2/ssl/https2.site.com.crt
SSLEngine on
<Directory "/var/www/https2">
Options FollowSymlinks Multiviews
Order allow,deny
Allow from all
</Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>
NameVirtualHost 10.0.0.24:443
<VirtualHost 10.0.0.24:443>
ServerAdmin me@xxxxxxxxxxxxx
DocumentRoot /var/www/https2
ServerName https2.site.com
SSLCertificateKeyFile /etc/apache2/ssl/https2.site.com.key
SSLCertificateFile /etc/apache2/ssl/https2.site.com.crt
SSLEngine on
<Directory "/var/www/https2">
Options FollowSymlinks Multiviews
Order allow,deny
Allow from all
</Directory>
ErrorDocument 404 http://www.site.com/error.html
</VirtualHost>
Of course, these vhosts are similar on server2, with the IPs changed.
This configuration enables apache to both listen and answer on both the
rip and vip, and then the loadbalancer ldirectord.cf
virtual=10.0.0.20:443 #https1
real=192.168.1.54:443 gate 1 #server2
real=192.168.1.20:443 gate 1 #server1
service=https
scheduler=wlc
persistent=300
#netmask=255.255.255.255
protocol=tcp
virtual=10.0.0.24:443 #https2
real=192.168.1.24:443 gate 1 #server2
real=192.168.1.23:443 gate 1 #server1
service=https
scheduler=wlc
persistent=60
#netmask=255.255.255.255
protocol=tcp
Hope this helps anyone else who runs into this.
Michael M. wrote:
> I thought that was the case, however, apache doesn't seem to support binding
> a vhost to multiple ip's, unless perhaps I was to create multiple vhosts? I
> might try that. If I bind it to 10.0.0.x, then apache won't answer on the
> 192.168.1.x address that the load balancer is looking for. Recommendations?
>
> Thanks,
> Michael
>
> -----Original Message-----
> From: Joseph Mack NA3T [mailto:jmack@xxxxxxxx]
> Sent: Wednesday, October 17, 2007 12:34 PM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Multiple HTTPS (per real-server) on LVS-DR does not
> work
>
> On Wed, 17 Oct 2007, Michael Moody wrote:
>
>
>> If I bind the ssl in apache vhosts to an ip, like this <virtualhost
>> 192.168.1.23:443>, then for whatever reason, apache refuses to work with
>> the load balancer,
>>
>
>
> apache has to bind to the VIP (in your case 10.x.x.x)
>
> Joe
>
>
--
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Direct: (650) 265-4154
Web: http://www.GlobalSystemsConsulting.com
Engineering Support: support@xxxxxx
Billing Support: billing@xxxxxx
Customer Support Portal: http://my.gsc.cc
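
A consistency check for the setup described in this message, as an added example that is not part of the original post: it parses an Apache config and an ldirectord.cf and reports any VIP or local RIP that lacks a Listen or VirtualHost, and any VIP/RIP vhost pair whose ServerName or certificate differ. The function names, the `local_rips` parameter and the sample input are constructed for illustration.

```python
import re

def parse_apache(conf):
    """Return (Listen addresses, {VirtualHost address: {directive: value}})."""
    listens, vhosts, current = set(), {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if opened:
            current = vhosts.setdefault(opened.group(1), {})
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif re.match(r"Listen\s", line, re.I):
            listens.add(line.split()[1])
        elif current is not None and " " in line:
            current.update([line.split(None, 1)])  # directive -> value
    return listens, vhosts

def parse_ldirectord(cf):
    """Return {virtual address: [real addresses]}, ignoring # comments."""
    services, vip = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in cf.splitlines()):
        if line.startswith("virtual="):
            vip = line.split("=", 1)[1]
            services[vip] = []
        elif line.startswith("real=") and vip:
            services[vip].append(line.split("=", 1)[1].split()[0])
    return services

def check(conf, cf, local_rips):
    """Report VIP/RIP binding gaps and mismatched vhost pairs on this host."""
    listens, vhosts = parse_apache(conf)
    problems = []
    for vip, reals in parse_ldirectord(cf).items():
        for rip in (r for r in reals if r in local_rips):
            for addr in (vip, rip):
                problems += [f"{addr}: no {what}" for what, seen in
                             (("Listen", listens), ("VirtualHost", vhosts)) if addr not in seen]
            for key in ("ServerName", "SSLCertificateFile"):
                if vhosts.get(vip, {}).get(key) != vhosts.get(rip, {}).get(key):
                    problems.append(f"{vip} vs {rip}: {key} differs")
    return problems

# Constructed sample: server1's addresses from the post; 10.0.0.24 carries the wrong ServerName.
V = "Listen {0}:443\n<VirtualHost {0}:443>\nServerName {1}.site.com\nSSLCertificateFile {2}.crt\n</VirtualHost>\n"
APACHE = "".join(V.format(*row) for row in [
    ("192.168.1.20", "https1", "https1"), ("10.0.0.20", "https1", "https1"),
    ("192.168.1.23", "https2", "https2"), ("10.0.0.24", "https1", "https2")])
LDIRECTORD = ("virtual=10.0.0.20:443 #https1\nreal=192.168.1.54:443 gate 1\nreal=192.168.1.20:443 gate 1\n"
              "virtual=10.0.0.24:443 #https2\nreal=192.168.1.24:443 gate 1\nreal=192.168.1.23:443 gate 1\n")
print(check(APACHE, LDIRECTORD, {"192.168.1.20:443", "192.168.1.23:443"}))
```

Run it per real server, passing that server's own RIPs as `local_rips`; an empty list means every VIP and RIP the director uses has a matching Listen and VirtualHost pair.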