On Wed, Oct 15, 2003 at 11:16:44AM -0600, Kenton Smith wrote:
> Do I terminate the SSL traffic at the LB or the real server?
You can, perhaps using something like squid as a reverse
proxy. But then the Linux Director has to do a _lot_ of work.
You probably want to get an hardware crypto card if
you are going down that road and have a reasonable ammount of traffic.
> How do I handle the certs? If the traffic is terminated at the real
> server do I need a certificate for each real server?
You shold use the same certificate on each of the real servers.
That way end-users will always see the same certificate
for a given virtual service.
> Can I use a
> name-based cert using the domain name that goes with the virtual IP on
> the LB, thus only requiring one certificate?
I am not sure that I follow this. The name in the certificate
needs to match the name that your end-users are connecting to.
So if you have www.a.com, www.b.com and www.c.com then they
can't use the same certificate. Though the certificates can
have wildcarsd, so you could use the same certificate for
www1.a.com, www2.a.com and www3.a.com.
On a related note. You have to have a different IP address or
use a different port for each different certificate. There is
no way to use name based virtual services with certificates
as SSL has no facility for virtal hosting and thus there
is no way for the ssl server to select beetween different
certificates on the same IP/Port.
--
Horms
|