Re: [lvs-users] 443 traffic woes., but port 80 fine.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] 443 traffic woes., but port 80 fine.
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Mon, 14 Sep 2009 19:28:13 +0100
On Mon, 2009-09-14 at 19:52 +0200, Brent Clark wrote:
> As said, port 80 is working, and so, if I understand this document correctly, I
> am to set up my LVS and then bind Apache's https vhost IP to that of my VIP.

For a -DR ("gate") setup, yes.

> If that's the case, then perfect, because I see that working. But now for my
> next question: how do I get load balancing working, i.e. send / forward https
> requests / connections to another machine?

Well... if you have port 80 working, then you also have a recipe for
port 443. At the TCP level there is nothing to distinguish the two -
they're simply a TCP service.

However, at the application level they are entirely different beasts.

The simplest approach (with one director; we can touch on failover/HA
later), which you can customise to your local variants:

Director has address 1.2.3.4/24 for "management" on eth0
Director has address 5.6.7.1/24 for the VIP on eth0

Realserver has address 1.2.3.10/24 for "management" on eth0
Realserver has address 5.6.7.1/32 for the VIP on lo
Realserver has Apache bound to 1.2.3.10 ports 80, 443 for healthchecks
Realserver has Apache bound to 5.6.7.1 port 80, 443 for client service
Realserver has appropriate sysctls to manage the ARP problem

Director is then configured to load balance (yes, in this example only
to one server!):

virtual=5.6.7.1:80
        real=1.2.3.10:80 gate
        service=http
        virtualhost=your.host.name
        request="index.html"
        receive="OK"
        scheduler=rr
        protocol=tcp
        checktype=negotiate

virtual=5.6.7.1:443
        real=1.2.3.10:443 gate
        service=https
        virtualhost=your.host.name
        request="index.html"
        receive="OK"
        scheduler=rr
        protocol=tcp
        checktype=negotiate

That's about as basic as I can make it (and should work). Note however
the use of the "virtualhost" directive to make sure you request
explicitly a test page from a specific vhost rather than the default
(which could change in some circumstances).

Also note, and I apologise if this is teaching you to suck eggs, but
without an expensive multi-domain ("SAN", Subject Alternate Name)
certificate you may only have a single SSL vhost bound to a single IP.

Graeme
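The realserver side of the -DR layout Graeme describes, as an added example that is not part of the original post or of the ldirectord/LVS code: it prints the commands that put the VIP on lo and set the ARP sysctls, checks that those sysctls really took effect (reading from a sysctl root you can point at a constructed tree), and builds the same "connect to the RIP, ask for the named vhost" request that the 443 negotiate check with the virtualhost directive performs. The addresses 5.6.7.1 / 1.2.3.10, the interface name eth0 and the vhost your.host.name are the post's example values and are assumptions; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from ldirectord itself.
# Realserver-side setup for an LVS-DR ("gate") service, plus a check that
# the ARP sysctls are in effect.  Addresses/interface are assumptions taken
# from the post's example.

VIP="5.6.7.1"          # VIP: on eth0 on the director, on lo on the realserver
RIP="1.2.3.10"         # realserver "management" address on eth0
VHOST="your.host.name" # vhost named by ldirectord's "virtualhost" directive

# Print (do not run) the commands that put the VIP on loopback and stop the
# kernel answering ARP for it on eth0.  Review, then pipe into sh as root.
realserver_vip_cmds() {
    vip="$1"; iface="${2:-eth0}"
    cat <<EOF
ip addr add ${vip}/32 dev lo label lo:0
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
sysctl -w net.ipv4.conf.${iface}.arp_ignore=1
sysctl -w net.ipv4.conf.${iface}.arp_announce=2
EOF
}

# Verify the ARP settings took effect.  $1 is the sysctl root (/proc/sys by
# default); a test can point it at a constructed directory tree.
# Returns 0 if all four values match, 1 if any is wrong or missing.
check_arp_sysctls() {
    root="${1:-/proc/sys}"; iface="${2:-eth0}"
    status=0
    for dev in all "$iface"; do
        for key in arp_ignore:1 arp_announce:2; do
            name="${key%%:*}"; want="${key##*:}"
            f="${root}/net/ipv4/conf/${dev}/${name}"
            got=$(cat "$f" 2>/dev/null || true)
            if [ "$got" != "$want" ]; then
                echo "BAD  ${dev}/${name}=${got:-missing} (want ${want})"
                status=1
            else
                echo "ok   ${dev}/${name}=${got}"
            fi
        done
    done
    return $status
}

# Build the request the 443 negotiate check makes: TCP to the RIP, but the
# request is for the named vhost (Host header, and SNI on a modern curl),
# so the check cannot be satisfied by the default vhost.  The probe is a
# liveness check, hence -k; drop -k if you also want certificate validation.
https_check_cmd() {
    rip="$1"; vhost="$2"; path="${3:-index.html}"; receive="${4:-OK}"
    printf "curl -sk --resolve %s:443:%s https://%s/%s | grep -q '%s'\n" \
        "$vhost" "$rip" "$vhost" "$path" "$receive"
}

realserver_vip_cmds "$VIP" eth0
https_check_cmd "$RIP" "$VHOST"
```

Run check_arp_sysctls with no arguments on the realserver after applying the printed commands; a "BAD" line means the director's VIP ARP replies can still be stolen by that realserver, which is exactly the failure that makes -DR appear to work for a while and then break.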

