Re: [lvs-users] https connections

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] https connections
From: Dan Yocum <yocum@xxxxxxxx>
Date: Thu, 25 Oct 2007 14:42:08 -0500
I'm an idiot.  ;-)

More below...

Joseph Mack NA3T wrote:
> On Thu, 25 Oct 2007, Dan Yocum wrote:
> 
>> I've configured 3 VirtualHosts directives in the apache (v2.2.4) conf
>> file to use the appropriate cert/key pairs depending on what IP the
>> request comes in on (I've tried this by hostname, too - still no luck).
>> This same configuration file *is* working on a non-HA system
>> (fermigrid2.fnal.gov) - I've simply copied the conf files over and
>> changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
>> variables.
> 
> We need to get this written up for the HOWTO (whatever 
> "this" turns out to be). I expect you're running into the 
> problem of https being name based rather than IP based, ie 
> when you come in on VIP1, the machine has to be hostname_1 
> and when you come in on VIP2, the machine has to be 
> hostname_2. However I don't know how you do this.

Indeed.  I'll be happy to write it up when I get it all straightened out
in my notes.

More below (I promise).

> 
> Can you get a single (non-lvs) server to serve up two https 
> sites? Can you get your lvs setup to balance https with only 
> one VIP?

Yep.  That one is running on https://gums-fg5x2.fnal.gov:8443.

> 
> Someone else is going to have to take it from here.
> 
>> One potential clue (or red herring), if I enable the following iptables
>> rules I *can* connect to the web server, but it always gets redirected
>> to the primary IP
> 
> it's a red herring. see the HOWTO for "transparent proxy"

Yep.

OK, here's where I messed up:

voms.opensciencegrid.org, voms.fnal.gov are already up and running on
the non-HA, non-LVS'd server fermigrid2.fnal.gov.  Stupid me put this in
my http-ssl.conf file:

<VirtualHost voms.opensciencegrid.org:8443>

and

<VirtualHost voms.fnal.gov:8443>

Duh.  Those hostname/IPs are not on this machine (I was getting ahead of 
myself).  I'm using voms-fg5x1 and saz-fg5x3 as my test hostname/IPs.

So, I put the test IPs in the VirtualHost directives and added 
appropriate 'Listen' lines for each server (i.e., 'Listen 
131.225.107.112', etc.) and everything is working as it is supposed to.

Thanks to Graeme for the 'Listen' tip.

I'll write up a how-to on setting up LVS-DR + https in the next couple of days 
and send it to the list for review.

On to stress testing...

Thanks,
Dan


-- 
Dan Yocum
Fermilab  630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab.  Just zeros and ones.
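The fix Dan describes, written out as an added example (not from the original mail, the LVS HOWTO or Apache's own documentation): Apache httpd 2.2 serving two HTTPS sites with IP-based VirtualHosts, one Listen line per VIP. Apache 2.2.4 predates SNI support (added in 2.2.12), so the server picks the certificate by the address:port the connection arrived on, never by hostname; every VirtualHost therefore has to name an address the real server actually owns. 131.225.107.112 and the voms-fg5x1 / saz-fg5x3 names come from the thread; VIP2_ADDRESS, the .fnal.gov ServerNames, certificate paths and DocumentRoots are placeholders.

```apache
# Added example: IP-based HTTPS virtual hosts for Apache httpd 2.2 (pre-SNI).
# One Listen line and one <VirtualHost IP:port> block per VIP the real server
# answers on. The cert/key pair served is selected by destination IP:port.
# 131.225.107.112, voms-fg5x1 and saz-fg5x3 are from the thread; VIP2_ADDRESS,
# the FQDNs, certificate paths and DocumentRoots are placeholders.

Listen 131.225.107.112:8443
Listen VIP2_ADDRESS:8443

<VirtualHost 131.225.107.112:8443>
    # Name the clients use; the certificate's subject must match it.
    ServerName voms-fg5x1.fnal.gov:8443
    DocumentRoot /path/to/voms/htdocs
    SSLEngine on
    SSLCertificateFile    /path/to/voms-fg5x1.cert.pem
    SSLCertificateKeyFile /path/to/voms-fg5x1.key.pem
</VirtualHost>

<VirtualHost VIP2_ADDRESS:8443>
    ServerName saz-fg5x3.fnal.gov:8443
    DocumentRoot /path/to/saz/htdocs
    SSLEngine on
    SSLCertificateFile    /path/to/saz-fg5x3.cert.pem
    SSLCertificateKeyFile /path/to/saz-fg5x3.key.pem
</VirtualHost>
```

Two checks are worth running on each LVS-DR real server after a change like this: `httpd -S` (or `apachectl -S`) prints the parsed virtual-host table and shows which IP:port each site is bound to, and `openssl s_client -connect 131.225.107.112:8443` shows which certificate is actually presented on that VIP. In LVS-DR every real server must have each VIP configured locally (with ARP for it suppressed, as the HOWTO describes), otherwise `Listen` on that address fails at startup and a VirtualHost naming an address the host does not own is silently ignored, which is the symptom in this thread.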