I'm trying to get multiple https servers on the same physical realserver
to work, but I'm having no luck. Here's the setup.
I'm using piranha from RHELv5.
DIP 22.214.171.124 fermigrid5.fnal.gov
RIP 126.96.36.199 fg5x1.fnal.gov
VIP1 188.8.131.52 voms-fg5x1.fnal.gov
VIP2 184.108.40.206 saz-fg5x3.fnal.gov
The VIPs are up on the director and on the realserver (and non-arping on
lo:112 and lo:114, respectively).
I can connect to the other services that are being load balanced on
these realservers with these VIPs with no problems.
I've disabled the firewall (iptables).
I've generated cert/key pairs for fg5x1.fnal.gov, voms-fg5x1.fnal.gov,
I've configured 3 VirtualHosts directives in the apache (v2.2.4) conf
file to use the appropriate cert/key pairs depending on what IP the
request comes in on (I've tried this by hostname, too - still no luck).
This same configuration file *is* working on a non-HA system
(fermigrid2.fnal.gov) - I've simply copied the conf files over and
changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
So, what happens? If I point a browser at
https://voms-fg5x1.fnal.gov:8443 and https://saz-fg5x3.fnal.gov:8443 I
get a "Data Transfer Interrupted" message (go ahead and try it if you like).
One potential clue (or red herring): if I enable the following iptables
rules I *can* connect to the web server, but it always gets redirected
to the primary IP of the device (fg5x1.fnal.gov, as it should), which
is using the fg5x1.fnal.gov cert/key pair, and that's certainly not what
I want when people connect to voms-fg5x1.fnal.gov and saz-fg6x3.fnal.gov:
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# For VOMS Admin services
-A PREROUTING -d 220.127.116.11 -p tcp --dport 8443 -j REDIRECT
-A PREROUTING -d 18.104.22.168 -p tcp --dport 8443 -j REDIRECT
Fermilab. Just zeros and ones.
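For reference, here is the shape of an IP-based SSL VirtualHost layout for Apache 2.2 on an LVS realserver, as an added example that is not the poster's configuration. The VIP addresses and hostnames are the ones from the post above; the certificate and key paths are assumptions. Apache 2.2.4 on RHEL5 has no SNI support, so mod_ssl picks the certificate purely by the local IP:port the TCP connection arrived on, which is why each VIP needs its own Listen and its own VirtualHost, and why a NameVirtualHost directive does not help for SSL here.

```apache
# Added example (not from the original post): one SSL VirtualHost per VIP
# on the realserver fg5x1.fnal.gov. Certificate/key paths are assumed.
#
# The VIPs must already be configured on lo (non-arping) before httpd
# starts; otherwise the Listen directives fail with "Cannot assign
# requested address" and httpd does not start at all.

Listen 188.8.131.52:8443
Listen 184.108.40.206:8443

# Protocol/cipher hardening that Apache 2.2 + mod_ssl accepts.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!MD5

# VIP1: voms-fg5x1.fnal.gov
<VirtualHost 188.8.131.52:8443>
    ServerName voms-fg5x1.fnal.gov:8443
    SSLEngine on
    # assumed paths
    SSLCertificateFile    /etc/grid-security/voms-fg5x1.fnal.gov-cert.pem
    SSLCertificateKeyFile /etc/grid-security/voms-fg5x1.fnal.gov-key.pem
    DocumentRoot /var/www/voms-fg5x1
</VirtualHost>

# VIP2: saz-fg5x3.fnal.gov
<VirtualHost 184.108.40.206:8443>
    ServerName saz-fg5x3.fnal.gov:8443
    SSLEngine on
    # assumed paths
    SSLCertificateFile    /etc/grid-security/saz-fg5x3.fnal.gov-cert.pem
    SSLCertificateKeyFile /etc/grid-security/saz-fg5x3.fnal.gov-key.pem
    DocumentRoot /var/www/saz-fg5x3
</VirtualHost>
```

Two checks are worth running on the realserver itself, bypassing the director: `netstat -tlnp | grep 8443` should list a listener on each VIP (not only on the primary address or 0.0.0.0 with the VIPs absent from lo), and `openssl s_client -connect 188.8.131.52:8443 </dev/null 2>/dev/null | openssl x509 -noout -subject` should print the voms-fg5x1.fnal.gov subject, with the corresponding command for the second VIP printing saz-fg5x3.fnal.gov. As a caveat on the iptables observation in the post: a PREROUTING REDIRECT rule with no --to-ports rewrites the destination address to the primary address of the interface the packet arrived on, so Apache sees the connection as arriving on fg5x1.fnal.gov's address and serves that VirtualHost's certificate; that behaviour is expected for REDIRECT and is not a workaround for the VIP listeners.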