I'm an idiot. ;-)
Joseph Mack NA3T wrote:
> On Thu, 25 Oct 2007, Dan Yocum wrote:
>> I've configured 3 VirtualHosts directives in the apache (v2.2.4) conf
>> file to use the appropriate cert/key pairs depending on what IP the
>> request comes in on (I've tried this by hostname, too - still no luck).
>> This same configuration file *is* working on a non-HA system
>> (fermigrid2.fnal.gov) - I've simply copied the conf files over and
>> changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
>
> We need to get this written up for the HOWTO (whatever
> "this" turns out to be). I expect you're running into the
> problem of https being name based rather than IP based, i.e.,
> when you come in on VIP1, the machine has to be hostname_1
> and when you come in on VIP2, the machine has to be
> hostname_2. However I don't know how you do this.
Indeed. I'll be happy to write it up when I get it all straightened out
in my notes.
More below (I promise).
> Can you get a single (non-lvs) server to serve up two https
> sites? Can you get your lvs setup to balance https with only
> one VIP?
Yep. That one is running on https://gums-fg5x2.fnal.gov:8443.
> Someone else is going to have to take it from here.
>> One potential clue (or red herring), if I enable the following iptables
>> rules I *can* connect to the web server, but it always gets redirected
>> to the primary IP
> It's a red herring. See the HOWTO for "transparent proxy".

OK, here's where I messed up:
voms.opensciencegrid.org, voms.fnal.gov are already up and running on
the non-HA, non-LVS'd server fermigrid2.fnal.gov. Stupid me put this in
my http-ssl.conf file:
Duh. Those hostname/IPs are not on this machine (I was getting ahead of
myself). I'm using voms-fg5x1 and saz-fg5x3 as my test hostname/IPs.
So, I put the test IPs in the VirtualHost directives and added
appropriate 'Listen' lines for each server (i.e., 'Listen
220.127.116.11', etc.) and everything is working as it is supposed to.
Thanks to Graeme for the 'Listen' tip.
I'll write up a how-to for setting up LVS-DR + https in the next couple of days
and send it to the list for review.
On to stress testing...
Fermilab. Just zeros and ones.
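
An added example (not part of the original message or the LVS HOWTO): a small Python check for the failure described in this thread, where SSL VirtualHost blocks name addresses that are not on the machine or have no matching Listen line. The 192.0.2.x addresses, the /path/to certificate paths, and the function names `split_addr` and `audit` are assumptions; the check also assumes every VirtualHost address carries an explicit port.

```python
import re

# Constructed sample: the 192.0.2.x addresses and /path/to files are
# placeholders; only the short hostnames and port 8443 come from the thread.
SAMPLE_CONF = """\
Listen 192.0.2.11:8443
<VirtualHost 192.0.2.11:8443>
    ServerName voms-fg5x1
    SSLEngine on
    SSLCertificateFile /path/to/voms-fg5x1.crt
</VirtualHost>
<VirtualHost 192.0.2.13:8443>
    ServerName saz-fg5x3
    SSLEngine on
    SSLCertificateFile /path/to/saz-fg5x3.crt
</VirtualHost>
"""

def split_addr(token):
    """Split 'ip:port' or a bare port into (ip, port); '*' means any address."""
    ip, sep, port = token.rpartition(":")
    return (ip or "*", port) if sep else ("*", token)

def audit(conf, local_ips):
    """Return sorted findings for SSL vhosts that cannot serve their own cert."""
    listens, vhosts, cur = set(), [], None
    for line in (l.strip() for l in conf.splitlines()):
        if m := re.match(r"(?i)listen\s+(\S+)", line):
            listens.add(split_addr(m.group(1)))
        elif m := re.match(r"(?i)<virtualhost\s+([^>]+)>", line):
            # Assumes every VirtualHost address carries an explicit port.
            cur = {"addrs": [split_addr(t) for t in m.group(1).split()], "ssl": False}
        elif cur and re.match(r"(?i)sslengine\s+on\b", line):
            cur["ssl"] = True
        elif cur and re.match(r"(?i)</virtualhost>", line):
            vhosts.append(cur)
            cur = None
    findings, seen = [], set()
    for vh in (v for v in vhosts if v["ssl"]):
        for ip, port in vh["addrs"]:
            where = f"{ip}:{port}"
            if ip != "*" and ip not in local_ips:
                findings.append(f"{where}: address is not configured on this host")
            if (ip, port) not in listens and ("*", port) not in listens:
                findings.append(f"{where}: no Listen directive covers this address")
            if (ip, port) in seen:
                findings.append(f"{where}: second SSL vhost here; without SNI the first cert wins")
            seen.add((ip, port))
    return sorted(findings)
```

Pass `audit` the config text and the set of addresses actually bound on the real server (the VIPs included); an empty list means each SSL vhost has its own listening address.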