On Fri, Jan 25, 2002 at 02:41:46PM +0100, Thierry Coopman wrote:
> Hi,
>
> I'm trying to do this. The main problem is HTTPS session IDs I guess. This
> makes load-balancing a bit more complicated since you need to forward every
> request to the same server that has the sessionID. This is doable with Linux
> LVS, your firewall or with HW load-balancing kit.
>
Well, RR DNS would also be an option as a low cost solution. Either way you
should be more or less ok, because most load balancers will direct one client
to the same server as long as that server is up. Anyway, most browsers will
end an SSL session after a couple of minutes (MSIE)

> Now, what happens on a failure?
> - The server(s) that still exist can take over the ip address of the failing
>   server
> - The LoadBalancing system detects it and doesn't use the machine any more.
>
> On the SSL side, since the server that fails over doesn't have the SSL
> session, the browser connecting to it fails to communicate.
>
That shouldn't be the case - if the session is either unavailable or has
expired on the server side, then the server and client will just negotiate a
new session.

> I'm not sure if it is safe to use the same cert for every machine, or that
> it is a requirement to have the same cert on every machine.
>
The only way it would be unsafe is because it is on more servers.

> Verisign requires you to ask for a different certificate for every server
> (with a different OU) in a cluster. (I think this is just a commercial
> reason, not a technical reason, but I'm not sure)
>
No technical reason whatsoever.

> It is possible to sync the session cache over different hosts with things
> like Splash <http://anoncvs.aldigital.co.uk/splash/> but I haven't found an
> implementation with mod_ssl (only Apache-SSL)
>
IIRC mod_ssl has vendor hooks for the session cache, which should make reusing
Splash fairly simple (I haven't looked at Splash for a long time)

> I would be grateful if someone has a clean solution or if there is someone
> with experience on trying to accomplish this.
>
I'm not really convinced that it is worth the extra effort.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
  -- "The Hitchhiker's Guide to the Galaxy"

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
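The two claims in the reply worth checking by hand are that a node which does not hold the client's session simply negotiates a fresh one (the connection does not fail), and that nodes which do share session state can resume it. The program below is an added example, not part of the thread and not mod_ssl, Apache-SSL or Splash code: it uses Go's crypto/tls to stand up three TLS nodes on loopback with one self-signed certificate for the constructed host name cluster.example. Go has no server-side session cache to share the way Splash does, so the session-ticket key stands in for the shared state: nodes A and B get the same key, node C a different one. The client keeps a session cache, like a browser, and reports whether each handshake resumed. TLS 1.2 is pinned because there the ticket is delivered inside the handshake, so the resumption state is settled the moment Dial returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert makes a throwaway certificate for the constructed host name
// "cluster.example" (SAN only) so the example runs offline; every node gets it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"cluster.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// startNode runs one TLS node on a loopback port. The ticket key stands in for
// shared session state: same key, sessions resume; different key, full handshake.
func startNode(cert tls.Certificate, ticketKey [32]byte) net.Listener {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MaxVersion:   tls.VersionTLS12, // ticket arrives inside the handshake, so state is settled when Dial returns
	}
	cfg.SetSessionTicketKeys([][32]byte{ticketKey})
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// connect dials a node the way a browser would, offering whatever session the
// shared client cache holds, and reports whether the handshake was resumed.
func connect(addr string, pool *x509.CertPool, cache tls.ClientSessionCache) (bool, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:            pool,
		ServerName:         "cluster.example",
		ClientSessionCache: cache,
		MaxVersion:         tls.VersionTLS12,
	})
	if err != nil {
		return false, err
	}
	defer conn.Close()
	return conn.ConnectionState().DidResume, nil
}

// runScenario plays out the failover from the thread: node A (full handshake),
// failover to B sharing A's state (resumed), failover to C which does not
// (full handshake, connection still works), then C again (resumed).
func runScenario() (out [4]bool, err error) {
	cert, pool := selfSignedCert()
	var addrs []string
	for _, key := range [][32]byte{{1}, {1}, {2}} { // A and B share a key, C does not
		ln := startNode(cert, key)
		defer ln.Close()
		addrs = append(addrs, ln.Addr().String())
	}
	cache := tls.NewLRUClientSessionCache(8)
	for i, addr := range []string{addrs[0], addrs[1], addrs[2], addrs[2]} {
		if out[i], err = connect(addr, pool, cache); err != nil {
			return out, err
		}
	}
	return out, nil
}
func main() { fmt.Println(runScenario()) } // [false true false true] <nil>
```

The third connection is the one the original question worried about: node C cannot read the ticket A issued, so it falls back to a full handshake and hands out a ticket of its own, which the fourth connection then resumes. Nothing breaks for the client; what is lost on a node that does not share session state is the cheaper resumed handshake, which is the trade-off the reply weighs against the effort of syncing the cache.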
