
Re: [lvs-users] Keepalived - HTTPS Issue with multiple HTTPS virtual ser

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Keepalived - HTTPS Issue with multiple HTTPS virtual server blocks
From: "Amos Shapira" <amos.shapira@xxxxxxxxx>
Date: Fri, 30 May 2008 09:10:49 +1000

On Fri, May 30, 2008 at 1:40 AM, <eneal@xxxxxxxxxxxxxxxxx> wrote:
>
> This does not appear to be a problem for http, but just recently
> I added two SSL applications - unique virtual server IP's but the same
> real servers
> and I saw some interesting issues

I'm not an expert on keepalived but I know that there are limitations
with regard to support for multiple virtual HTTPS servers on the same
port and IP address.
The problem is that HTTPS requires the server to know which server
certificate to use before it can see the first request from the client
which can tell it which virtual server it should "pretend" to be.

The solution is called "Server Name Indication" aka "SNI"
(http://en.wikipedia.org/wiki/Server_Name_Indication). There is an
implementation for Apache with gnutls and the latest generation of
browsers support it (IE 7, Firefox 2, Opera 8) but I can't give you a
pointer about IIS solutions and the lack of support of SNI in IE 6
might generally make this a non-solution for a while yet.

Hope this helps,

--Amos

