Re: LVS farm and SSL certificates

To: "Joseph Mack" <mack.joseph@xxxxxxx>, "Andreas Schiffler" <aschiffler@xxxxxxxx>
Subject: Re: LVS farm and SSL certificates
Cc: "LVS Mailing List" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "Ted Pavlic" <tpavlic@xxxxxxxxxxx>
Date: Thu, 7 Sep 2000 11:53:34 -0400
> > The client browser/application will only access URLs with the VIPs
> > hostname, but the actual traffic will come from the real servers -
> > according to verisign
> > (http://www.verisign.com/rsc/wp/certshare/index.html), a load balancing
> > setup requires separate certificates for each real server (www1., www2,
> > ....) but what about a certificate for the director (www.).
> The director is just a router. It doesn't have anything listening
> on port 443. It doesn't need a certificate.
> Neither the client nor the real-servers can tell that the director
> exists.
> The client thinks it is directly connected to the real-server.

Verisign is probably talking about a specific type of load balancing which
uses HTTP redirects to redirect you to another server (or something like
that). You only need a certificate for the name that the web browser
accesses the site. If the site is only going to be accessed through
www.foobar.com then you'll only need a cert for www.foobar.com.

With the load balancing that LVS gives you, you don't have to worry about
it. LVS adds a layer of abstraction which makes these things very nice.

Trust me -- I am load balancing more than a few sites as we speak. :)

> Now if you have lots of https sites needing certificates, then
> a thread on this list recently has described how to get around needing
> large numbers of certificates. I don't understand how it works. Someone
> has asked for example config files, but I haven't seen them yet.

I'm fairly sure that that particular thread was dealing with someone's
incorrect belief that an administrator needed a certificate for each and
every real server in order to conduct secure traffic. He was saying that LVS
doesn't support SSL termination like F5's Big/IP does... HOWEVER, he was
mistaken in that LVS does not require an administrator to purchase multiple
certificates for EACH real server. That administrator simply needs to
purchase one certificate per site which needs to be secured.

There's no way to get around it -- if you have MULTIPLE HTTPS sites you're
going to need a certificate for EACH one. Otherwise the end-user's browser
will pop up an error message saying that an invalid certificate was given to
it -- a certificate for another website. The name of the website in the cert
has to match the name of the website in the URL exactly or the end-user's
web browser is going to get an error. Because of this you'll need a cert for
each and every HTTPS site. This isn't anything special, however. This
doesn't only apply to load balancing; it applies to all secure traffic on
web servers, load balanced or not.

All the best --
Ted
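The point Ted makes above (the name in the certificate must match the hostname the browser asked for, so every real server behind the VIP carries the one certificate for the site name, and a per-server "www1"/"www2" certificate would be rejected) can be checked with a small simulation. The code below is an added example, not from the original thread or from the LVS project; the site name www.foobar.com comes from the post, the real-server names and certificate contents are constructed, and the matching rule goes slightly beyond the post by also accepting a single-label wildcard the way browsers do.

```python
"""Browser-style hostname-vs-certificate matching, applied to an LVS farm.

Constructed example: a director answers for www.foobar.com and forwards
each connection to one of two real servers.  The client never sees the
director, so the certificate presented by whichever real server answers
must carry the name the client typed into the URL.
"""


def _name_matches(pattern, hostname):
    """Match one certificate DNS name ('pattern') against 'hostname'.

    Comparison is case-insensitive and ignores a trailing dot.  A '*' is
    accepted only as the whole leftmost label and stands for exactly one
    label (so '*.foobar.com' covers www1.foobar.com but not foobar.com or
    a.b.foobar.com); any other pattern must match the hostname literally.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must sit below at least a two-label domain and cover one label.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Return True if the certificate is valid for 'hostname'.

    'cert' is a constructed dict: {"subject_cn": str, "san_dns": [str, ...]}.
    When subjectAltName dNSName entries are present they are authoritative
    and the CN is ignored, which is how modern clients behave.
    """
    names = cert.get("san_dns") or [cert.get("subject_cn", "")]
    return any(_name_matches(n, hostname) for n in names)


def simulate_farm(client_host, certs_by_real_server):
    """For a client that requested 'client_host', report whether the
    handshake would pass for each real server the director might pick."""
    return {rs: cert_matches_host(c, client_host)
            for rs, c in certs_by_real_server.items()}


# Constructed certificates for the scenario in the thread.
SITE_CERT = {"subject_cn": "www.foobar.com", "san_dns": ["www.foobar.com"]}
PER_SERVER_CERTS = {
    "www1": {"subject_cn": "www1.foobar.com", "san_dns": ["www1.foobar.com"]},
    "www2": {"subject_cn": "www2.foobar.com", "san_dns": ["www2.foobar.com"]},
}
SHARED_SITE_CERTS = {"www1": SITE_CERT, "www2": SITE_CERT}


if __name__ == "__main__":
    # One site certificate installed on every real server: passes either way.
    print("shared site cert:", simulate_farm("www.foobar.com", SHARED_SITE_CERTS))
    # Separate per-server certs: the browser sees a name mismatch on both.
    print("per-server certs:", simulate_farm("www.foobar.com", PER_SERVER_CERTS))
```

The second run is the failure mode the post describes: the client asked for www.foobar.com, so a certificate naming www1.foobar.com is "a certificate for another website" no matter which real server the director chose.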


