
Re: [lvs-users] Keepalived - HTTPS Issue with multiple HTTPS virtual ser

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] Keepalived - HTTPS Issue with multiple HTTPS virtual server blocks
From: eneal@xxxxxxxxxxxxxxxxx
Date: Thu, 29 May 2008 20:30:41 -0400
Quoting Amos Shapira <amos.shapira@xxxxxxxxx>:

> On Fri, May 30, 2008 at 1:40 AM, <eneal@xxxxxxxxxxxxxxxxx> wrote:
>>
>> This does not appear to be a problem for http, but just recently
>> I added two SSL applications - unique virtual server IPs but the same
>> real servers
>> and I saw some interesting issues
>
> I'm not an expert on keepalived but I know that there are limitations
> in regards of support for multiple virtual HTTPS servers on the same
> port and IP address.
> The problem is that HTTPS requires the server to know which server
> certificate to use before it can see the first request from the client
> which can tell it which virtual server it should "pretend" to be.

Yes, I'm aware of those problems. But I'm not encountering those issues.
What I'm seeing is that my http won't work, but https will work. Besides,
the only thing not unique is the real server IP and port. The VIP is
unique here and that's all that should count for the direct routing
method (someone correct me if I'm wrong). As I mentioned, I also tried
this using a unique port number on the real server (e.g. 444)
instead of 443 just to see. The issue still manifested itself...
>
> The solution is called "Server Name Indication" aka "SNI"
> (http://en.wikipedia.org/wiki/Server_Name_Indication). There is an
> implementation for Apache with gnutls and the latest generation of
> browsers support it (IE 7, Firefox 2, Opera 8) but I can't give you a
> pointer about IIS solutions and the lack of support of SNI in IE 6
> might generally make this a non-solution for a while yet.

Thanks on the SNI pointer. Was not aware of this...


> Hope this helps,
>
> --Amos
>







