Re: [lvs-users] Multiple HTTPS (per real-server) on LVS-DR does not work

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Multiple HTTPS (per real-server) on LVS-DR does not work
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Wed, 17 Oct 2007 09:46:03 +0100
On Tue, 2007-10-16 at 17:48 -0700, Michael Moody wrote:
> I have LVS-DR on gentoo 2006.1, kernel 2.6.20.

OK...

> I am running multiple ssl vhosts (ip-based) on each realserver.

OK... remember however that although you bind a given SSL virtual host
to a single IP address, the certificate is in the *name* of the site,
not the IP.

> However, if I go to the vip, via https://10.0.0.20, I get an ssl error. 

This is to be expected. It is a well-known catch-22 using SSL for web
hosting - the TLS/SSL session is established over the IP connection
*before* the HTTP application layer comes into play.

During the TLS negotiation, the server sends back the public part of the
certificate; this contains a "Subject" attribute something like this:

Subject: C=GB, ST=Leicestershire, L=Loughborough, O=Graeme Fowler,
OU=linuxvirtualserver.org, CN=www.linuxvirtualserver.org

The CN attribute in that line is what the browser then compares against
the virtual host being requested - if they don't match, it throws an
error.

Only when the TLS session is established can the client say:

GET / HTTP/1.1
Host: 10.0.0.20

(which is what the browser says when using the URI you gave as an
example).

> What it appears like to me is that since apache is listening on 
> 192.168.1.24, it can't respond to requests from the load balancer since 
> it's not also listening on the vip. Is there a way to make it listen on 
> the vip as well? What am I doing wrong?

Don't connect to the VIP by IP address using SSL. If you must, your
browser will not be able to validate the certificate and will throw an
error.

As an interesting exercise, try connecting to the realserver's IP
address from a machine local to it; you'll get the same problem.

Aside from the validation problem, is anything else the matter?

Graeme
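The comparison Graeme describes, in which the browser checks the name it was asked for against the name in the server's certificate, as an added example that is not part of this thread. It assumes a constructed certificate in the dict shape Python's ssl getpeercert() returns, with the subject quoted in the mail and no subjectAltName, and shows why https://10.0.0.20 and the realserver's own 192.168.1.24 both fail the check while the site name passes.

```python
import ipaddress

# Constructed peer certificate (not a real one) in the shape returned by
# ssl.SSLSocket.getpeercert(); assumption: the subject from the mail, no SAN.
PEER_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Graeme Fowler"),),
        (("commonName", "www.linuxvirtualserver.org"),),
    ),
}


def _dns_match(pattern, host):
    """Compare a DNS name against a certificate name; '*' allowed only as the leftmost label."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = host.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        return False
    if plabels[0] == "*":
        return hlabels[0] != "" and plabels[1:] == hlabels[1:]
    return plabels == hlabels


def cert_matches_host(cert, requested_host):
    """True if the host the client asked for is covered by the certificate.

    An IP literal only ever matches a SAN 'IP Address' entry; a DNS name matches
    SAN 'DNS' entries, or the subject CN when the certificate carries no SAN.
    The CN is a site *name*, so asking for an address can never match it.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(v) == ip
                   for kind, v in sans)
    names = [v for kind, v in sans if kind == "DNS"]
    if not names:  # no SAN at all: fall back to the subject CN
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, requested_host) for n in names)


if __name__ == "__main__":
    for host in ("www.linuxvirtualserver.org", "10.0.0.20", "192.168.1.24"):
        print(host, "->", "ok" if cert_matches_host(PEER_CERT, host) else "name mismatch")
```

A certificate issued with a subjectAltName iPAddress entry for the VIP would pass the address check, which is the only way a by-address HTTPS URL can validate.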