Kenton Smith wrote:
>
> Do I terminate the SSL traffic at the LB or the real server?
> How do I handle the certs? If the traffic is terminated at the real
> server do I need a certificate for each real server? Can I use a
> name-based cert using the domain name that goes with the virtual IP on
> the LB, thus only requiring one certificate?

(caveat: I haven't done SSL with LVS).

Some rules about LVS:
o each realserver thinks it is being connected directly by the client.
o each client thinks it is directly connected to a single box (the realserver).
o Neither the client nor the realserver knows the director exists.

So....
Set up each realserver as if the client was directly connecting to it.
Put the name-based cert on it (and for all realservers) and
let the realserver handle the SSL de/encoding.

Joe
--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx
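
Added example, not part of the original message: a check that every realserver, contacted directly rather than through the director, presents a certificate covering the service name that resolves to the virtual IP. The name www.example.com, the 192.0.2.x addresses, the fingerprints and all function names are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

def fetch_cert(realserver_ip, service_name, port=443, timeout=5):
    """Connect straight to one realserver with SNI set to the service name.
    Returns (sha256 fingerprint, parsed certificate dict)."""
    ctx = ssl.create_default_context()   # the chain is still verified
    ctx.check_hostname = False           # name coverage is reported per host by audit_pool
    with socket.create_connection((realserver_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=service_name) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()

def dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def matches(pattern, host):
    """Exact match, or one wildcard as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_pool(service_name, pool):
    """pool maps realserver -> (fingerprint, cert dict).
    Returns (findings, number of distinct certificates in the pool)."""
    findings = []
    for rs, (_, cert) in sorted(pool.items()):
        if not any(matches(n, service_name) for n in dns_names(cert)):
            findings.append(f"{rs}: certificate does not cover {service_name}")
    return findings, len({fp for fp, _ in pool.values()})

# Constructed sample data in the shape getpeercert() returns.
GOOD = {"subjectAltName": (("DNS", "www.example.com"),)}
PER_HOST = {"subjectAltName": (("DNS", "rs2.internal.example.com"),)}
SAMPLE_POOL = {
    "192.0.2.11": ("aa11", GOOD),
    "192.0.2.12": ("bb22", PER_HOST),   # realserver left with a per-host cert
    "192.0.2.13": ("aa11", GOOD),
}

if __name__ == "__main__":
    findings, distinct = audit_pool("www.example.com", SAMPLE_POOL)
    print(findings, distinct)
```

Against a live pool, build the dict with fetch_cert() for each realserver address instead of using SAMPLE_POOL.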