|
At 11:53 AM 9/7/00 -0400, Ted Pavlic wrote:
>> > The client
>> > browser/application will only access URLs with the VIPs hostname, but
>the
>> > actual traffic will come from the real servers - according to verisign
>> > (http://www.verisign.com/rsc/wp/certshare/index.html), a load balancing
>setup
>> > requires seperate certificates for each real server (www1., www2, ....)
>but
>> > what about a certificate for the director (www.).
>> The director is just a router. It doesn't have anything listening
>> on port 443. It doesn't need a certificate.
>> Neither the client nor the real-servers can tell that the directory
>exists.
>> The client thinks it is directly connected to the real-server.
>
>Verisign is probably talking about a specific type of load balancing which
>uses HTTP redirects to redirect you to another server (or something like
>that). You only need a certificate for the name that the web browser
>accesses the site. If the site is only going to be accessed through
>www.foobar.com then you'll only need a cert for www.foobar.com.
>
>With the load balancing that LVS gives you, you don't have to worry about
>it. LVS adds a layer of abstraction which makes these things very nice.
>
>Trust me -- I am load balancing more than a few sites as we speak. :)
>
>> Now if you have lots of https sites needing certificates, then
>> a thread on this list recently has described how to get around needing
>> large numbers of certificates. I don't understand how it works. Someone
>> has asked for example config files, but I haven't seen them yet.
>
>I'm fairly sure that that particular thread was dealing with someone's
>incorrect belief that an administrator needed a certificate for each and
>every real server in order to conduct secure traffic. He was saying that LVS
>doesn't support SSL termination like F5's Big/IP does... HOWEVER, he was
>mistaken in that LVS does not require an administrator to purchase multiple
>certificates for EACH real server. That administrator simply needs to
>purchase one certificate per site which needs to be secured.
I was the one saying that LVS does not support SSL termination,
which I do not think SSL termination would gain anything, but
I thought I said that there is only one cert required for each
site's VIP. NOT for each real server. The SSL works in this
way:
client asking for a secure page,
server send its public key over to client,
client verify that public key with its SSL root,
if the SSL root expired or not exist, give a warning,
if the SSL root okay do a reverse lookup on the
IP address that SSL states to see if it matches the
server IP address (VIP address in this case),
if it matches, it will be happy :) communicate with server
using this public key encryption;
if it does not match, compliant.
LVS works prefectly when load balancing several
SSL servers, because the server's real IP address
is no part of this validation process, only the VIP is
being checked against the DNS entry.
Wayne
>There's no way to get around it -- if you have MULTIPLE HTTPS sites you're
>going to need a certificate for EACH one. Otherwise the end-user's browser
>will pop up an error message saying that an invalid certificate was given to
>it -- a certificate for another website. The name of the website in the cert
>has to match the name of the website in the URL exactly or the end-user's
>web browser is going to get an error. Because of this you'll need a cert for
>each and every HTTPS site. This isn't anything special, however. This
>doesn't only apply to load balancing; it applies to all secure traffic on
>web servers load balanced or not.
>
>All the best --
>Ted
>
>
|
