The trouble with trying to run multiple certificates off one server process is that the certificate is exchanged before the HTTP session starts, therefore it is not possible to see the host header first. So, SSL is primarily an IP-based protocol. One way round this may be if you have an IP block: you may be able to listen on more than one IP address, although I do not know whether the current AOLserver implementation can do this. In my prototype environment I'm running two AOLserver processes for two different IP addresses on the same machine: one IP for www and one for secure.

The main trouble with SSL server farms is session management. Once you establish a session with one server, you want to keep all connections from the client's IP coming to that same server, thus preserving the client session. If the client were to connect to another server, you would have to generate another SSL session, wasting CPU time and making your server farm less effective. So, any SSL server farm must have some kind of persistent connection option. Can nsvhr do this?

I must admit I have not acquainted myself with nsvhr, but instead I use Linux Virtual Server (http://linuxvirtualserver.org), which has already been proven with SSL server farms. This runs on my Linux firewall box and directs connections to my AOLserver boxes. These in turn connect to the object servers, database and application servers. SSL connections are set to be persistent, so that once a client connection is established, further connections from that client will be directed to the same SSL server. The LVS runs within the kernel so takes up little space. The LVS manager, which monitors server loads and server response (so it can stop sending requests to a server which has crashed or which has been taken offline for maintenance), runs in userspace but also takes up very little resources.
I'm happy with the set-up as it is, as extra SSL servers can be added and all I have to do is add their local IP to the LVS manager, and it fits in seamlessly with the firewall. It is also efficient in keeping local network traffic down, as the packet destination is examined by the firewall and LVS machine and then forwarded only once. Of course, people who aren't running Linux won't have this option, but it is still worth looking at a cheap Pentium box running Linux, as the combination of firewall and virtual server can fill a 10Mbit connection, so very few hardware resources are needed!

Regards,
Jason

%Date: Thu, 2 Aug 2001 11:31:55 -0700
%From: Jerry Asher <[EMAIL PROTECTED]>
%Subject: Re: nsvhr
%
%At 08:05 AM 8/2/01, you wrote:
%>Does anyone know the status of nsvhr? It does not appear in the current
%>release and the code on sourceforge appears to be about 6 months old.
%>
%>I was thinking about using it to build an SSL proxy. That way I could have a
%>set of servers to handle SSL connections and load balance the requests back
%>to a set of servers not running SSL. That way I can have one SSL client
%>session talking to multiple servers on the server side.
%>
%>Has anyone tried this or have any other suggestions?
%
%
%nsvhr pretty much works out of the box these days. If you don't want to
%use my patches, do incorporate Dossy's latest fix sometime before you go
%into production. (not needed for prototyping and testing.)
%
%Most people want to use nsvhr and offer separate server certificates. No
%one knows how that might be done. But offering all users the same
%certificate and just load balancing, well, that should work. So off the
%top of my head, I would think that what you want to do might be a possible
%todo with no modifications (and would be a very cool thing to try).
%
%An AOLserver using nsvhr typically gets its incoming connections from
%another driver (nssock, right), and just deals with the proxying of it. It
%copies the data from the backend and sends it back to the client using the
%conn's driver, so I would think it should work just fine when the incoming
%connection is nsopenssl or nsssl.
%
%Let me know how it works (or doesn't work....)
%
%Jerry
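The persistence behaviour Jason describes (connections from one client IP pinned to one SSL server until a timeout lapses) can be modelled in a few lines; the following is an added illustration, not code from the thread, LVS or AOLserver. It assumes three constructed backend names, a constructed connection trace and a 360-second template timeout (a stand-in for ipvsadm's -p option), and counts how many full SSL handshakes the farm performs with and without persistence.

```python
# Added model of source-IP persistence in front of an SSL farm (assumed, simplified):
# a client IP that holds a live "persistence template" is sent to the same real
# server; any other client is scheduled round-robin. A client's first contact
# with a given server costs a full SSL handshake; later contacts reuse the session.
REAL_SERVERS = ["ssl1", "ssl2", "ssl3"]   # constructed backend names
PERSIST_TIMEOUT = 360                     # seconds; assumed template lifetime

TRAFFIC = [  # constructed trace: (seconds since start, client IP)
    (0, "10.0.0.5"), (1, "10.0.0.9"), (2, "10.0.0.5"), (3, "10.0.0.5"),
    (4, "10.0.0.9"), (5, "10.0.0.5"), (6, "10.0.0.9"),
    (500, "10.0.0.5"),   # arrives after the template expired: rescheduled
]


def schedule(connections, persistent=True):
    """Return (server per connection, number of full SSL handshakes)."""
    templates = {}    # client IP -> (server, expiry time); the LVS-style template
    sessions = set()  # (client IP, server) pairs that already completed a handshake
    rr = 0            # round-robin cursor for clients without a live template
    handshakes = 0
    assignments = []
    for ts, ip in connections:
        server = None
        if persistent:
            hit = templates.get(ip)
            if hit is not None and ts <= hit[1]:
                server = hit[0]
        if server is None:
            server = REAL_SERVERS[rr % len(REAL_SERVERS)]
            rr += 1
        if persistent:
            templates[ip] = (server, ts + PERSIST_TIMEOUT)  # create or refresh template
        if (ip, server) not in sessions:
            sessions.add((ip, server))   # new client/server pair: full handshake
            handshakes += 1
        assignments.append(server)
    return assignments, handshakes


if __name__ == "__main__":
    for mode in (True, False):
        servers, cost = schedule(TRAFFIC, persistent=mode)
        print("persistent" if mode else "plain rr", servers, "handshakes:", cost)
```

With this trace the persistent scheduler performs three full handshakes (two clients, plus one re-schedule after the timeout) while plain round-robin performs five, which is the CPU cost the post warns about.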
