[lvs-users] https connections

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] https connections
From: Dan Yocum <yocum@xxxxxxxx>
Date: Thu, 25 Oct 2007 12:06:13 -0500
Hi all,

I'm trying to get multiple https servers on the same physical realserver 
to work, but I'm having no luck.  Here's the setup.

I'm using piranha from RHELv5.

DIP     131.225.107.36          fermigrid5.fnal.gov
RIP     131.225.107.102         fg5x1.fnal.gov
VIP1    131.225.107.112         voms-fg5x1.fnal.gov
VIP2    131.225.107.114         saz-fg5x3.fnal.gov

The VIPs are up on the director and on the realserver (and non-arping on
lo:112 and lo:114, respectively).

I can connect to the other services that are being load balanced on 
these realservers with these VIPs with no problems.

I've disabled the firewall (iptables).

I've generated cert/key pairs for fg5x1.fnal.gov, voms-fg5x1.fnal.gov,
and saz-fg5x3.fnal.gov.

I've configured 3 VirtualHosts directives in the apache (v2.2.4) conf
file to use the appropriate cert/key pairs depending on what IP the
request comes in on (I've tried this by hostname, too - still no luck). 
This same configuration file *is* working on a non-HA system
(fermigrid2.fnal.gov) - I've simply copied the conf files over and
changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
variables.

So, what happens?  If I point a browser at
https://voms-fg5x1.fnal.gov:8443 and https://saz-fg5x3.fnal.gov:8443 I
get a "Data Transfer Interrupted" message (go ahead and try it if you like).

One potential clue (or red herring), if I enable the following iptables 
rules I *can* connect to the web server, but it always gets redirected 
to the primary IP of the device (fg5x1.fnal.gov, as it should), which 
is using the fg5x1.fnal.gov cert/key pair and that's certainly not what 
I want when people connect to voms-fg5x1.fnal.gov and saz-fg6x3.fnal.gov:


*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# For VOMS Admin services
-A PREROUTING -d 131.225.107.112 -p tcp --dport 8443 -j REDIRECT
-A PREROUTING -d 131.225.107.114 -p tcp --dport 8443 -j REDIRECT
COMMIT


Any ideas?

Thanks,
Dan



-- 
Dan Yocum
Fermilab  630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab.  Just zeros and ones.
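For readers following the thread, here is an added illustration of the IP-based SSL VirtualHost layout the post describes; it is not the poster's configuration. Apache 2.2.4 has no SNI support (that arrived in 2.2.12), so each HTTPS host name needs its own IP:port VirtualHost, and httpd must Listen on every VIP as well as the RIP. The addresses and host names are the ones in the post; the certificate paths, DocumentRoot directories and log file names are assumptions.

```apache
# Assumed layout for the realserver fg5x1.fnal.gov (RIP 131.225.107.102).
# In LVS-DR the director rewrites only the destination MAC, so a packet for
# VIP1 arrives at the realserver still addressed to 131.225.107.112; the
# non-arping lo:112 / lo:114 aliases let the kernel accept it and let httpd
# bind the VIPs directly. A bare "Listen 8443" (0.0.0.0) would also accept
# VIP traffic, but naming each socket makes the intended bindings explicit.
Listen 131.225.107.102:8443
Listen 131.225.107.112:8443
Listen 131.225.107.114:8443

# Primary host on the RIP, with its own cert/key pair.
<VirtualHost 131.225.107.102:8443>
    ServerName   fg5x1.fnal.gov
    DocumentRoot /var/www/fg5x1                                      # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/fg5x1.fnal.gov.crt       # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/fg5x1.fnal.gov.key     # assumed path
    ErrorLog  logs/fg5x1-ssl_error_log                               # assumed name
    CustomLog logs/fg5x1-ssl_access_log combined                     # assumed name
</VirtualHost>

# VOMS service on VIP1; the vhost is selected by destination IP, not Host header.
<VirtualHost 131.225.107.112:8443>
    ServerName   voms-fg5x1.fnal.gov
    DocumentRoot /var/www/voms                                       # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/voms-fg5x1.fnal.gov.crt  # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/voms-fg5x1.fnal.gov.key # assumed path
    ErrorLog  logs/voms-ssl_error_log                                # assumed name
    CustomLog logs/voms-ssl_access_log combined                      # assumed name
</VirtualHost>

# SAZ service on VIP2.
<VirtualHost 131.225.107.114:8443>
    ServerName   saz-fg5x3.fnal.gov
    DocumentRoot /var/www/saz                                        # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/saz-fg5x3.fnal.gov.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/saz-fg5x3.fnal.gov.key # assumed path
    ErrorLog  logs/saz-ssl_error_log                                 # assumed name
    CustomLog logs/saz-ssl_access_log combined                       # assumed name
</VirtualHost>
```

Two checks go with a layout like this. On the realserver, "netstat -tlnp | grep 8443" should list a listener for each of the three addresses; if only the RIP (or only 0.0.0.0) appears, the VIP vhosts can never be reached. From a client, "openssl s_client -connect 131.225.107.112:8443 </dev/null 2>/dev/null | openssl x509 -noout -subject" shows which certificate that VIP actually presents, independent of any browser error. Note also that an iptables "-j REDIRECT" rule, as in the nat table in the post, rewrites the destination to the primary address of the interface the packet arrived on, so any connection that passes through it will be matched by the RIP vhost and served the fg5x1.fnal.gov certificate regardless of which VIP the client dialled.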


