httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: [users@httpd] problem with NAT, Public IP's and SSL cert
Date Wed, 31 Oct 2007 10:31:26 GMT
> On 10/27/07, Hans <hans@ezpear.com> wrote:
> > In last week our customer requested to put new ssl cert for him with his
> > own IP. I created VIP and forwarded to ports:80 and 443.
> > But I have problem with configuration.
> >
> > Before few words about my future conf, during next few weeks I will
> > install Load Balancing enviroment with 2 identical active/active
> > webservers which conf created is automatically from mysql database. Both
> > machine will be behind NAT and need to use only public IP's is
> > configuration for virtual hosts. I cannot use for virtualhost eg.
> > 192.168.2.10,192.168.2.11(because for vhost generated will be only
> > public IP 65.65.65.65).

There's no problem with load-balancing if you configure it properly. We are
running many vhosts (some SSL'ed, but wildcarded on the same IP/port with
the same cert) behind loadbalancer.

Our balancer does DNAT, so the servers don't know that it's there, they see
connections coming to them. 

The problem is, that if you want to have multiple SSL vhosts (with multiple
certs), you have to configure each of them on servers and balancer
(but you can do e.g. multiple ports with different certs on hosts, and the
same port on multiple IPs on balancer).

> > So back to my question. I wanted change confiuguration from *:80 (*:443)
> > to public 65.65.65.65:80 (65.65.65.65:443). But when I tried access
> > websites it always directed me to default website. I tried <127.0.0.1:80
> > 65.65.65.65:80> the same effect.
> > On the end I tried <192.168.2.10:80 65.65.65.65.80> (the same for 443)
> > and it works correctly (I mean I can access to each vhost) except that
> > my customer doesn't get his own ssl cert but shared between rest from
> > default domain (I guess it takes cert from first virtual domain).
> > How can I force Apache to use only public IP's (without LAN IP) behind
> > NAT and it correctly find virtual hosts ?

This highly depends on balancer behaviour. If it uses DNAT, behave like
there was no balancer there.

On 29.10.07 23:11, Krist van Besien wrote:
> - You can't do name virtual hosts with SSL.

only with wildcard certificates (which works only if there are multiple
vhosts in the same domain).

> - You can't configure a virtual host with an IP that the machine doesn't own.
> 
> So if your public IP is 65.65.65.65, and this is ip is allocatied to a
> loadbalancer (or any other device that does NAT) than this is of no
> concern to your webserver.
> 
> So if 65.65.65.65 gets loadbalanced between 192.168.2.10 and
> 192.168.2.11 than on both hosts you will need something like:
> 
> NameVirtualHost *:80
> <VirtualHost *:80>
> ServerName Myfirstcustomer.com
> #rest of config here
> ....
> </VirtualHost>
> <VirtualHost *:80>
> ServerName Mysecondcustomer.com
> # rest of config here
> ....
> </VirtualHost>
> 
> But you can't do this with SSL servers. There you will need a separate
> public IP for each SSL site.

Actually, he can balance the same SSL virtual host on two machined. But if
he wants two SSL virtual hosts, he needs 2 IPs or two ports (each of them
must be balanced separately)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message