
Re: LVS-DR and https

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-DR and https
From: "James Bourne" <james@xxxxxxxxxxxxxx>
Date: Wed, 30 Jul 2003 10:11:20 +1000

It is possible. I made sure that the SSL certificate was available to each
real server/virtual host via an NFS mount. I use a single centralised
httpd.conf file across all real servers. For example:

<VirtualHost <VIP>:443>
        SSLEngine               On
        ServerName              servername:443

        DocumentRoot            "/net/content/httpd/vhostname"
        ServerAdmin             email@xxxxxxxxxx
        ErrorLog                /net/logs/httpd/vhostname/ssl_error_log
        TransferLog             /net/logs/httpd/vhostname/ssl_access_log
        CustomLog               /net/logs/httpd/vhostname/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        SSLCertificateFile      /net/conf/httpd/certs/vhostname.crt
        SSLCertificateKeyFile   /net/conf/httpd/certs/vhostname.key
        SSLCipherSuite          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        <Directory />
                Options         None
                AllowOverride   None
                Order           Allow,Deny
                Allow from      a.b.c.d/255.255.255.0 a.b.c.d/255.255.255.0
        </Directory>

</VirtualHost>

/net/logs, /net/conf and /net/content are all NFS mount points.

The downside is that unless you have real signed certificates from Thawte etc.
your browser may want to confirm the legitimacy of the certificate presented
each time it hits a new real server. This depends on the load balancing method
used.

Hence why the use of persistence is good with https.

j.

On Tue, 29 Jul 2003 14:46:08 -0700, William Francis wrote
> Is it possible to use LVS-DR with https without persistence? The
> documentation seems somewhat unclear on this point and from speaking
> with people I've heard arguments for either case.
> 
> My application uses https sparingly - basically just a login page.
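The point about persistence in the reply above, as an added example that is not part of the original thread: a simplified Python model of a round-robin virtual service on port 443, with and without a persistence timeout, counting how often each client lands on a real server it has not hit before. The server names, client addresses, traffic and the rule that every new connection refreshes the persistence template are assumptions made for this illustration.

```python
from itertools import cycle

REAL_SERVERS = ["rs1", "rs2", "rs3"]  # hypothetical real servers behind the VIP


class VirtualService:
    """Round-robin scheduling with an optional per-client persistence template."""

    def __init__(self, real_servers, persistence_timeout=None):
        self._rr = cycle(real_servers)
        self.timeout = persistence_timeout  # seconds; None disables persistence
        self._templates = {}                # client IP -> (real server, expiry)

    def connect(self, client_ip, now):
        """Return the real server that receives a new connection at time `now`."""
        if self.timeout is None:
            return next(self._rr)
        entry = self._templates.get(client_ip)
        if entry and now < entry[1]:
            server = entry[0]               # template still valid: same server
        else:
            server = next(self._rr)         # first visit or expired: reschedule
        # Assumption of this model: each new connection refreshes the template.
        self._templates[client_ip] = (server, now + self.timeout)
        return server


def new_server_hits(service, connections):
    """Per client, count connections landing on a real server it has not hit before."""
    seen, hits = {}, {}
    for now, client_ip in connections:
        server = service.connect(client_ip, now)
        if server not in seen.setdefault(client_ip, set()):
            seen[client_ip].add(server)
            hits[client_ip] = hits.get(client_ip, 0) + 1
    return hits


# Constructed traffic: (time in seconds, client IP), two clients interleaved.
TRAFFIC = [(0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.20"),
           (5, "192.0.2.10"), (12, "192.0.2.20"), (400, "192.0.2.10")]

if __name__ == "__main__":
    print("round robin only :", new_server_hits(VirtualService(REAL_SERVERS), TRAFFIC))
    print("300 s persistence:", new_server_hits(VirtualService(REAL_SERVERS, 300), TRAFFIC))
```

The last connection in the sample traffic arrives after the 300-second template has expired, so even with persistence that client is rescheduled to a different real server.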



