Hi there,

On Thursday 03 Oct 2002 4:18 am, Boyle Owen wrote:
> You mean you have one IP address and one FQDN but many physical machines?
>
> Then you need a load-balancer. That is, the LB carries the external IP
> address so all packets are routed initially to it. Then it re-routes the
> packets to one of the internal servers according to various rules (e.g.
> randomly, round-robin, based on IP range etc.).
>
> There are several complications in an SSL environment:
>
> - the LB can't look inside the packets to see any HTTP attributes (such as
> Host header). It can only work with the IP and port (this is why name-based
> virtual hosting doesn't work with SSL).
> - SSL servers usually keep-alive the session so that the session key does
> not have to be renegotiated for every transaction. Obviously, if you have
> more than one server, the LB has to make sure that each client always gets
> the same server on subsequent requests.
Or you use any non-SSL-sensitive load-balancing you like (e.g. regular NAT
load-balancing in your gateway) and replace the SSL session cache with:
http://www.distcache.org/ :-)

Yes, such a shameless plug. However, on that subject I expect to be updating
the httpd integration soon for the latest apache2 (currently the patching is
only known to work "out-of-the-box" with 2.0.39 but may well work fine with
later versions). I've had distcache working with apache 1.3.*-mod_ssl but the
problem is producing a patchkit against mod_ssl which is itself, essentially,
a patch kit. If there are actually people who will clearly state an interest
in having this, it might stimulate me to work on the apache 1.3.* integration
more. :-)

Cheers,
Geoff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
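The two approaches in the thread (a sticky load balancer that pins each client to one backend, versus any balancer plus a shared session cache in the style of distcache) can be compared with a small simulation. The Python below is an added example written for this page, not code from the thread, from mod_ssl or from distcache; the balancer only sees the client IP, each backend holds a session-ID cache, and clients present the last session ID they were given. The servers, client addresses and the `full`/`resumed` outcome labels are constructed for the model.

```python
"""Model of SSL session resumption behind a load balancer.

Constructed simulation (not mod_ssl or distcache code). The balancer only
sees the client's IP, never the Host header. Each backend keeps a session
cache mapping session ID -> client; a resumption succeeds only if the
backend that receives the request has the ID in the cache it can see.
Three configurations are compared:
  1. round-robin balancer, private per-server caches
  2. sticky (source-IP hash) balancer, private per-server caches
  3. round-robin balancer, one cache shared by all servers (distcache-style)
"""
import itertools
import zlib
from collections import Counter

_sid_counter = itertools.count(1)  # deterministic session-ID source


class Server:
    def __init__(self, name, cache):
        self.name = name
        self.cache = cache  # session_id -> client; may be shared

    def handshake(self, client, offered_sid):
        """Resume if the offered ID is in our cache, else full handshake."""
        if offered_sid is not None and offered_sid in self.cache:
            return "resumed", offered_sid
        new_sid = f"sid-{client}-{next(_sid_counter)}"
        self.cache[new_sid] = client
        return "full", new_sid


def round_robin(servers):
    """Balancer that ignores the client and cycles through backends."""
    cycle = itertools.cycle(servers)
    return lambda client_ip: next(cycle)


def source_hash(servers):
    """Sticky balancer: same client IP always lands on the same backend."""
    return lambda client_ip: servers[zlib.crc32(client_ip.encode()) % len(servers)]


def simulate(policy_factory, shared_cache,
             clients=("10.0.0.1", "10.0.0.2", "10.0.0.3"),
             requests_per_client=4, n_servers=2):
    """Return a Counter of 'full' vs 'resumed' handshakes for one setup."""
    if shared_cache:
        shared = {}
        servers = [Server(f"s{i}", shared) for i in range(n_servers)]
    else:
        servers = [Server(f"s{i}", {}) for i in range(n_servers)]
    pick = policy_factory(servers)
    held = {}  # client -> session ID it currently holds
    counts = Counter()
    for _ in range(requests_per_client):
        for c in clients:  # interleaved clients, as a real balancer sees them
            outcome, sid = pick(c).handshake(c, held.get(c))
            held[c] = sid
            counts[outcome] += 1
    return counts


def compare():
    """Run all three configurations; returns {label: Counter}."""
    return {
        "round-robin, private caches": simulate(round_robin, False),
        "sticky, private caches": simulate(source_hash, False),
        "round-robin, shared cache": simulate(round_robin, True),
    }


if __name__ == "__main__":
    for label, counts in compare().items():
        print(f"{label:30s} full={counts['full']:2d} resumed={counts['resumed']:2d}")
```

With three clients alternating across two backends, plain round-robin with private caches never resumes a session: every request reaches a backend that has not seen the client's current ID, so the key is renegotiated each time. Both the sticky policy and the shared cache bring that down to one full handshake per client, which is the trade-off the thread describes: either constrain the balancer, or make the cache visible to every backend.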
