Hi all,
I'm trying to get multiple https servers on the same physical realserver
to work, but I'm having no luck. Here's the setup.
I'm using piranha from RHELv5.
DIP 131.225.107.36 fermigrid5.fnal.gov
RIP 131.225.107.102 fg5x1.fnal.gov
VIP1 131.225.107.112 voms-fg5x1.fnal.gov
VIP2 131.225.107.114 saz-fg5x3.fnal.gov
The VIPs are up on the director and on the realserver (and non-arping on
lo:112 and lo:114, respectively).
I can connect to the other services that are being load balanced on
these realservers with these VIPs with no problems.
I've disabled the firewall (iptables).
I've generated cert/key pairs for fg5x1.fnal.gov, voms-fg5x1.fnal.gov,
and saz-fg5x3.fnal.gov.
I've configured 3 VirtualHost directives in the apache (v2.2.4) conf
file to use the appropriate cert/key pairs depending on what IP the
request comes in on (I've tried this by hostname, too - still no luck).
This same configuration file *is* working on a non-HA system
(fermigrid2.fnal.gov) - I've simply copied the conf files over and
changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
variables.
So, what happens? If I point a browser at
https://voms-fg5x1.fnal.gov:8443 and https://saz-fg5x3.fnal.gov:8443 I
get a "Data Transfer Interrupted" message (go ahead and try it if you like).
One potential clue (or red herring): if I enable the following iptables
rules I *can* connect to the web server, but it always gets redirected
to the primary IP of the device (fg5x1.fnal.gov, as it should) which
is using the fg5x1.fnal.gov cert/key pair and that's certainly not what
I want when people connect to voms-fg5x1.fnal.gov and saz-fg6x3.fnal.gov:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# For VOMS Admin services
-A PREROUTING -d 131.225.107.112 -p tcp --dport 8443 -j REDIRECT
-A PREROUTING -d 131.225.107.114 -p tcp --dport 8443 -j REDIRECT
COMMIT
Any ideas?
Thanks,
Dan
--
Dan Yocum
Fermilab 630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab. Just zeros and ones.
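An added check script (not from the post or from piranha/LVS) for the symptom described above: Apache 2.2.4's mod_ssl predates SNI support (added in 2.2.12), so an HTTPS VirtualHost can only be selected by the destination IP the connection arrives on, which is why a REDIRECT to the primary IP yields the fg5x1.fnal.gov certificate. It connects to each VIP:port from the post and reports which certificate CN is actually presented; the VIP-to-hostname pairs and port are taken from the post, and it assumes an `openssl` binary on the path.

```shell
#!/bin/sh
# Added check: does each VIP:port present the certificate for its own hostname?

# Extract the CN from an "openssl x509 -noout -subject" line, in either the
# older "subject= /C=US/CN=host" or the newer "subject=C = US, CN = host" style.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Succeed (return 0) only if the CN in the subject line equals the expected host.
cn_matches() {
    [ "$(subject_cn "$1")" = "$2" ]
}

# Fetch the subject of the certificate presented at vip:port. No -servername is
# given, so no SNI is sent: only the destination IP can pick the vhost here.
presented_subject() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -noout -subject
}

# Read "vip port expected-hostname" lines on stdin; print one line per VIP.
check_vips() {
    rc=0
    while read -r vip port host; do
        subj=$(presented_subject "$vip" "$port")
        if cn_matches "$subj" "$host"; then
            echo "OK   $vip:$port presents $host"
        else
            echo "FAIL $vip:$port expected $host, got: ${subj:-no certificate}"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when invoked with --run (VIPs/port from the post).
if [ "${1:-}" = "--run" ]; then
    check_vips <<EOF
131.225.107.112 8443 voms-fg5x1.fnal.gov
131.225.107.114 8443 saz-fg5x3.fnal.gov
EOF
fi
```

Run it from the director and from an outside client; a FAIL line naming fg5x1.fnal.gov for a VIP means the connection reached Apache with its destination rewritten to the primary IP (as with the REDIRECT rules), while "no certificate" means the TLS handshake never completed on that VIP.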