There is more than one way to handle SSL traffic. This is how I do it:
I have 2 working machines (aka real servers) running Linux/Apache/SSL
I have 1 /24 subnet (256 IP addresses) assigned to SSL serving
I register 1 SSL certificate per SSL domain I host (www.abc.com,
www.def.com, www.ghi.com)
I assign each domain to an IP address from the SSL pool using DNS
(www.abc.com IN A 159.250.20.1, www.def.com IN A 159.250.20.2)
I use LVS-DR to load balance the connections to the 2 real servers.
I setup the real servers to handle every IP in the SSL pool.
In short, SSL certificates are branded with the domain name. The SSL
protocol establishes security before any HTTP requests. The client web
browser checks the domain it went to (location bar) with the domain in
the certificate. If the domains do not match the web browser complains
to the user. SSL is still established. Due to this process you
must use a separate IP address for each SSL certificate so Apache will
know what SSL cert to use when establishing the connection.
I use a hybrid LVS-NAT/LVS-DR setup with fwmarks and some static routes
to handle my SSL traffic. Check a couple months back in the logs where
I detail how I do it.
My real servers are not on the Internet. Only traffic in the SSL Pool
going to port 80 & 443 are routed to the real servers. Each real
server has a copy of all SSL certs (shared drive). If I need SSL
decryption hardware I would place it in the real servers. Persistence
is set on the LVS box for the connections. Port 80 & 443 are bound
together for persistence.
Hope this helps. If you want some config code snippets let me know.
-Matt
--
Matthew S. Crocker
Crocker Communications, Inc.
Vice President
PO BOX 710
Greenfield, MA 01302
P: 413-746-2760
F: 413-746-3704
W: http://www.crocker.com
E: matthew@xxxxxxxxxxx
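The setup described in the post (one certificate per domain, one pool IP per certificate, DNS A records into the pool, fwmark-based LVS with ports 80 and 443 bound together for persistence, and real servers that answer for every pool IP), written out as a small config generator. This is an added example, not Matt's own config snippets (none appear in the post). The 159.250.20.x addresses for www.abc.com and www.def.com come from the post; the real-server addresses 10.1.1.10/10.1.1.11, the address for www.ghi.com, the shared cert path, the fwmark value and the persistence timeout are constructed placeholders. The check at the top encodes the point the post makes: without a separate IP per certificate Apache cannot tell which cert to present, so the generator refuses a map where two certificates share an IP.

```python
# Added example: per-domain SSL pool config generator for the LVS-DR setup
# described in the post. Everything except the 159.250.20.1/.2 addresses
# from the post is a constructed placeholder.
from ipaddress import ip_address, ip_network

SSL_POOL = ip_network("159.250.20.0/24")      # the /24 assigned to SSL serving
REAL_SERVERS = ["10.1.1.10", "10.1.1.11"]     # constructed: private real-server addresses
CERT_DIR = "/shared/certs"                    # constructed: shared drive holding every cert

# one certificate per domain, one pool IP per certificate
DOMAIN_IPS = {
    "www.abc.com": "159.250.20.1",
    "www.def.com": "159.250.20.2",
    "www.ghi.com": "159.250.20.3",            # constructed; the post gives no IP for ghi
}


def check_one_ip_per_cert(domain_ips, pool):
    """Return a list of problems (empty when the map is usable).
    Apache selects the certificate by destination IP before any HTTP
    request arrives, so two certificates on one IP means one domain is
    served the wrong cert and the browser warns about a name mismatch."""
    problems = []
    seen = {}
    for domain, ip in domain_ips.items():
        addr = ip_address(ip)
        if addr not in pool:
            problems.append(f"{domain}: {ip} is outside the SSL pool {pool}")
        if addr in seen:
            problems.append(
                f"{domain} and {seen[addr]} share {ip}; Apache cannot choose the cert")
        else:
            seen[addr] = domain
    return problems


def dns_records(domain_ips):
    """Zone-file A records, one per SSL domain."""
    return [f"{domain} IN A {ip}" for domain, ip in domain_ips.items()]


def lvs_fwmark_rules(pool, real_servers, fwmark=1, persist=360):
    """Mark ports 80 and 443 for the whole pool with one fwmark, then build a
    single persistent ipvsadm virtual service on that mark with DR (-g) real
    servers. Because both ports carry the same mark, a client sticks to one
    real server for HTTP and HTTPS. fwmark and timeout are constructed."""
    rules = [
        f"iptables -t mangle -A PREROUTING -d {pool} -p tcp "
        f"-m multiport --dports 80,443 -j MARK --set-mark {fwmark}",
        f"ipvsadm -A -f {fwmark} -s wlc -p {persist}",
    ]
    rules += [f"ipvsadm -a -f {fwmark} -r {rs} -g" for rs in real_servers]
    return rules


def real_server_vip_setup(pool):
    """Commands run on each DR real server: treat every pool address as local
    (a local route covers the whole /24 without per-IP aliases, an assumption
    about how to do it, not the post's method) and stay silent for ARP on
    those addresses, since the director owns the VIPs on the wire."""
    return [
        "sysctl -w net.ipv4.conf.all.arp_ignore=1",
        "sysctl -w net.ipv4.conf.all.arp_announce=2",
        f"ip route add local {pool} dev lo",
    ]


def apache_vhosts(domain_ips, cert_dir=CERT_DIR):
    """One IP-based SSL vhost per domain, each pointing at its own cert."""
    return [
        "\n".join([
            f"<VirtualHost {ip}:443>",
            f"    ServerName {domain}",
            "    SSLEngine on",
            f"    SSLCertificateFile {cert_dir}/{domain}.crt",
            f"    SSLCertificateKeyFile {cert_dir}/{domain}.key",
            "</VirtualHost>",
        ])
        for domain, ip in domain_ips.items()
    ]


if __name__ == "__main__":
    problems = check_one_ip_per_cert(DOMAIN_IPS, SSL_POOL)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(dns_records(DOMAIN_IPS)))
    print("\n".join(lvs_fwmark_rules(SSL_POOL, REAL_SERVERS)))
    print("\n".join(real_server_vip_setup(SSL_POOL)))
    print("\n\n".join(apache_vhosts(DOMAIN_IPS)))
```

Run it and the output is the DNS records, the director's iptables/ipvsadm lines, the real-server commands and the Apache vhost blocks in that order; feed it a map with two domains on one IP and it exits with the conflict instead of emitting config, which is the failure the post warns about.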