|
A few weeks ago I said I write up how to configure Apache+SSL so it
could be used with LVS-DR. Those instructions are attached.
Please review them, make comments and suggestions and hopefully Joe can
get them into the not-so-mini-LVS-HOWTO.
Cheers,
Dan
Dan Yocum wrote:
I'm an idiot. ;-)
More below...
Joseph Mack NA3T wrote:
On Thu, 25 Oct 2007, Dan Yocum wrote:
I've configured 3 VirtualHosts directives in the apache (v2.2.4) conf
file to use the appropriate cert/key pairs depending on what IP the
request comes in on (I've tried this by hostname, too - still no luck).
This same configuration file *is* working on a non-HA system
(fermigrid2.fnal.gov) - I've simply copied the conf files over and
changed the paths for the SSLCertificateFile and SSLCertificateKeyFile
variables.
We need to get this written up for the HOWTO (whatever "this" turns
out to be). I expect you're running into the problem of https being
name based rather than IP based, ie when you come in on VIP1, the
machine has to be hostname_1 and when you come in on VIP2, the machine
has to be hostname_2. However I don't know how you do this.
Indeed. I'll be happy to write it up when I get it all straightened out
in my notes.
More below (I promise).
Can you get a single (non-lvs) server to serve up two https sites? Can
you get your lvs setup to balance https with only one VIP?
Yep. That one is running on https://gums-fg5x2.fnal.gov:8443.
Someone else is going to have to take it from here.
One potential clue (or red herring), if I enable the following iptables
rules I *can* connect to the web server, but it always gets redirected
to the primary IP
it's a red herring. see the HOWTO for "transparent proxy"
Yep.
OK, here's where I messed up:
voms.opensciencegrid.org, voms.fnal.gov are already up and running on
the non-HA, non-LVS'd server fermigrid2.fnal.gov. Stupid me put this in
my http-ssl.conf file:
<VirtualHost voms.opensciencegrid.org:8443>
and
<VirtualHost voms.fnal.gov:8443>
Duh. Those hostname/IPs are not on this machine (I was getting ahead of
myself). I'm using voms-fg5x1 and saz-fg5x3 as my test hostname/IPs.
So, I put the test IPs in the VirtualHost directives and added
appropriate 'Listen' lines for each server (i.e., 'Listen
131.225.107.112', etc.) and everything is working as it is supposed to.
Thanks to Graeme for the 'Listen' tip.
I'll write up a how-to setup LVS-DR + https in the next couple of days
and send it to the list for review.
On to stress testing...
Thanks,
Dan
--
Dan Yocum
Fermilab 630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab. Just zeros and ones.
Using LVS-DR to Load Balance Between SSL Enable Web Servers.
As stated in the mod_ssl FAQ
(http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) the "SSL protocol layer
stays below the HTTP protocol layer and encapsulates HTTP. When an SSL
connection is established Apache/mod_ssl has to negotiate the SSL protocol
parameters with the client. For this mod_ssl has to consult the configuration
of the virtual server (for instance it has to look for the cipher suite, the
server certificate, etc.). But in order to dispatch to the correct virtual
server Apache has to know the Host HTTP header field. For this the HTTP request
header has to be read. This cannot be done before the SSL handshake is
finished. But the information is already needed at the SSL handshake phase."
So, yes, you need separate IPs to use SSL and Apache.
Conventions in This Guide
Real Server #1 Hostname: real-ssl-server-01.example.com
Real Server #1 IP: 102.102.102.1
Real Server #2 Hostname: real-ssl-server-01.example.com
Real Server #2 IP: 102.102.102.2
VirtualServer #1 Hostname: virtual-ssl-server-01.example.com
VirtualServer #1 IP: 102.102.102.101
VirtualServer #1 Hostname: virtual-ssl-server-02.example.com
VirtualServer #1 IP: 102.102.102.102
Text indented one tab is text to insert into various configuration files.
Step #1
Generate x509 http host cert and keys for each VirtualServer you're going to be
runinng and put them in /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key on
each real server. Use your favorite Certificate Authority to accomplish this:
Verisign, Thawte, DOEGrids, et al.
Step #2
Edit /etc/httpd/conf.d/ssl.conf and add the following bits (note the real
server you'll be editing):
On real-ssl-server-01.example.com add:
Listen 102.102.102.1:443
On real-ssl-server-02.example.com add:
Listen 102.102.102.2:443
On both real servers add:
Listen 102.102.102.101:443
Listen 102.102.102.102:443
Add the following VirtualHost directives:
On real-ssl-server-01.example.com add:
<VirtualHost 102.102.102.1:443>
On real-ssl-server-02.example.com add:
<VirtualHost 102.102.102.2:443>
Then append the following to the end of the ssl.conf file:
###########################################
# <VirtualHost virtual-ssl-server-01.example.com:443>
<VirtualHost 102.102.102.101:443>
DocumentRoot "/var/www/html"
ServerName virtual-ssl-server-01.example.com:443
ServerAdmin root@xxxxxxxxxxxxxxx
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile
/etc/httpd/conf/ssl.crt/virtual-ssl-server-01-cert.pem
SSLCertificateKeyFile
/etc/httpd/conf/ssl.key/virtual-ssl-server-01-key.pem
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +OptRenegotiate +ExportCertData +StdEnvVars
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# <VirtualHost virtual-ssl-server-02.example.com:443>
<VirtualHost 102.102.102.102:443>
DocumentRoot "/var/www/html"
ServerName virtual-ssl-server-02.example.com:443
ServerAdmin root@xxxxxxxxxxxxxxx
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile
/etc/httpd/conf/ssl.crt/virtual-ssl-server-02-cert.pem
SSLCertificateKeyFile
/etc/httpd/conf/ssl.key/virtual-ssl-server-02-key.pem
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +OptRenegotiate +ExportCertData +StdEnvVars
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
###########################################
Step #3
Add the following to /etc/sysctl.conf to solve the arp problem:
###########################################
# Enable configuration of arp_ignore option
net.ipv4.conf.all.arp_ignore = 1
# When an arp request is received on eth0, only respond if that address
is
# configured on eth0. In particular, do not respond if the address is
# configured on lo
net.ipv4.conf.eth0.arp_ignore = 1
# Ditto for eth1, add for all ARPing interfaces
net.ipv4.conf.eth1.arp_ignore = 1
# Enable configuration of arp_announce option
net.ipv4.conf.all.arp_announce = 2
# When making an ARP request sent through eth0 Always use an address
that
# is configured on eth0 as the source address of the ARP request. If
this
# is not set, and packets are being sent out eth0 for an address that
is on
# lo, and an arp request is required, then the address on lo will be
used.
# As the source IP address of arp requests is entered into the ARP
cache on
# the destination, it has the effect of announcing this address. This
is
# not desirable in this case as adresses on lo on the real-servers
should
# be announced only by the linux-director.
net.ipv4.conf.eth0.arp_announce = 2
# Ditto for eth1, add for all ARPing interfaces
net.ipv4.conf.eth1.arp_announce = 2
###########################################
And load the settings:
/sbin/sysctl -p
Step #4
Create the following files with the following contents:
/etc/sysconfig/network-scripts/ifcfg-lo:101
###########################################
DEVICE=lo:101
IPADDR=102.102.102.101
NETMASK=255.255.255.255
NETWORK=102.102.102.0
BROADCAST=102.102.102.255
ONBOOT=yes
NAME=loopback
###########################################
/etc/sysconfig/network-scripts/ifcfg-lo:102
###########################################
DEVICE=lo:102
IPADDR=102.102.102.102
NETMASK=255.255.255.255
NETWORK=102.102.102.0
BROADCAST=102.102.102.255
ONBOOT=yes
NAME=loopback
###########################################
Bring up the interfaces:
ifup lo:101
ifup lo:102
Bring up apache on each real server:
/sbin/service apache start
Configure the LVS director like normal for each SSL Apache server running on
each IP interface.
|
