comments intertwined:

On Fri, Jan 25, 2002 at 02:41:46PM +0100, Thierry Coopman wrote:
> Hi,
>
> I'm trying to do this. The main problem is HTTPS session IDs I guess. This
> makes load-balancing a bit more complicated since you need to forward every
> request to the same server that has the sessionID. This is doable with Linux
> LVS, your firewall or with HW load-balancing kit.

works just fine: LVS, foundry serverirons, cisco directors, bigIP, others I'm sure...

> Now, what happens on a failure?
> - The server(s) that still exist can take over the ip address of the failing
>   server
> - The LoadBalancing system detects it and doesn't use the machine any more.

indeed.

> On the SSL side, since the server that fails over doesn't have the SSL
> session, the browser connecting to it fails to communicate.

no, the key gets renegotiated

> I'm not sure if it is safe to use the same cert for every machine, or that
> it is a requirement to have the same cert on every machine.

it depends. I've got a couple of clusters of machines. Where state on the
server side (app server) doesn't matter, IIRC you can use the same SSL cert
signed, as the machine doesn't really matter. However, I think that you may
get bouncing SSL sessions between servers. Where you need state you'll want
different certs for each machine.

> Verisign requires you to ask for a different certificate for every server
> (with a different OU) in a cluster. (I think this is just a commercial
> reason, not a technical reason, but I'm not sure)

nah, they just want more of your money, and then when you have a problem,
they'll make you pay to ignore you (IMHO)

> It is possible to sync the session cache over different hosts with things
> like Splash <http://anoncvs.aldigital.co.uk/splash/> but I haven't found an
> implementation with mod_ssl (only Apache-SSL)

hrm... dunno.

> I would be grateful if someone has a clean solution or if there is someone
> with experience on trying to accomplish this.

another caveat that i've found to be problematic is when going from http to
https (or the other way round) you can lose state as you go from one machine
to the other. The load balancers do a pretty good job of the work, however,
we've definitely seen jumpage from aol and webtv clients, as well as IIRC
earthlink and mindspring, where the routing is complex, and there can be
multiple public IPs that a single session proxy can come from. I've seen
requests from different IPs coming in with the same cookie or session IDs.

it's an imperfect solution, and we're still working on ours. One thing i've
thought of doing has been to setup a linux-vs cluster for the straight
port-forwarding, then use apache/mod_ssl to handle the ssl negotiations, and
pass it on to the real app server with mod_proxy.

glen
--
Glen S Mehn
Lead Systems Administrator
SquareTrade, Inc
[EMAIL PROTECTED]
Building Trust in Transactions (sm)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
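The caveat Glen raises (the same session cookie arriving from several public IPs of one proxy farm, so that source-IP stickiness bounces a user between backends) can be demonstrated with a small routing model. The following is an added example written for this thread, not code from the list, from mod_ssl or from any of the load balancers named above. It keys stickiness on the application's session cookie and only falls back to the client address when no cookie is present, and it goes one step beyond the thread by using rendezvous (highest-random-weight) hashing so that when a backend drops out of the healthy pool, only the sessions that lived on that backend are moved. The backend names, the `JSESSIONID` cookie name and the request records are constructed assumptions.

```python
"""Sticky backend selection keyed on the session cookie, with rendezvous
hashing so that losing one backend relocates only that backend's sessions.

Added illustration for the mod_ssl thread; backend names, the cookie name
and the request records are constructed, not taken from any deployment."""
import hashlib
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "JSESSIONID"          # assumed application cookie name
BACKENDS = ["app1", "app2", "app3"]    # constructed backend pool


def session_id_from_cookie(cookie_header, name=SESSION_COOKIE):
    """Return the session ID carried in a Cookie header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(name)
    return morsel.value if morsel else None


def _weight(key, backend):
    """Deterministic pseudo-random weight for a (key, backend) pair."""
    digest = hashlib.sha256(f"{key}|{backend}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def rendezvous_pick(key, backends):
    """Highest-random-weight hashing: the same key always lands on the same
    backend, and removing one backend only remaps the keys it owned."""
    if not backends:
        raise RuntimeError("no healthy backends")
    return max(backends, key=lambda b: _weight(key, b))


def route(client_ip, cookie_header, healthy):
    """Pick a backend for one request.

    Stick on the session cookie when there is one; otherwise fall back to the
    client address, which is exactly the case that breaks behind proxy farms
    whose outbound IP changes between requests of one session."""
    sid = session_id_from_cookie(cookie_header)
    key = f"sid:{sid}" if sid else f"ip:{client_ip}"
    return key, rendezvous_pick(key, healthy)


def simulate_failover(keys, backends, failed):
    """Map every key before and after `failed` leaves the pool; return the
    two mappings and the list of keys whose backend changed."""
    before = {k: rendezvous_pick(k, backends) for k in keys}
    remaining = [b for b in backends if b != failed]
    after = {k: rendezvous_pick(k, remaining) for k in keys}
    moved = [k for k in keys if before[k] != after[k]]
    return before, after, moved


if __name__ == "__main__":
    # Constructed requests: one session seen from two proxy addresses, plus
    # a cookie-less request that can only be stuck by its source IP.
    requests = [
        ("198.51.100.10", "JSESSIONID=7f3a9c; lang=en"),
        ("203.0.113.77", "JSESSIONID=7f3a9c; lang=en"),
        ("203.0.113.78", None),
    ]
    for ip, cookie in requests:
        key, backend = route(ip, cookie, BACKENDS)
        print(f"{ip:15} key={key:20} -> {backend}")

    sessions = [f"sid:{i:04x}" for i in range(20)]
    before, after, moved = simulate_failover(sessions, BACKENDS, "app2")
    print("sessions relocated after losing app2:", len(moved),
          "(all previously on app2:", all(before[k] == "app2" for k in moved), ")")
```

With source-IP stickiness the first two requests would hash to different keys and possibly different backends even though they belong to one session; keyed on the cookie they always agree. The failover simulation shows the other half of the thread's concern: after a node is pulled from the pool, sessions on the surviving nodes keep their backend (and, as Glen notes, any client that is redirected simply renegotiates its SSL session on the new node rather than failing outright).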
