Re: Setting up a load balancer with https and a valid certificate

As soon as I add

     ProxyPreserveHost On 

I get too many redirections. 

On Tue, Mar 17, 2020 at 10:11 PM <dino@xxxxxxxxx> wrote:
Already tried with those? :

SSLProxyEngine On
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
SSLProxyCipherSuite All
SSLProxyProtocol all -SSLv3
SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+EXP
SSLProxyVerify none
ProxyPreserveHost On

This way your reverse proxy will not check worker certificates.


March 18, 2020 02:33, "Gilbert Soucy" <gsoucy@xxxxxxxxx> wrote:
Hello,
I am not an expert, so I apologize if my question is unclear.
I have a problem with setting up a load balancer that supports ssl with a valid certificate.
It works ok when I refer to the balancer members by a valid DNS name.
However, if I just put the IP address of the balancer members, I get
ERROR: certificate common name '*.mydomain.com' doesn't match requested host name '52.26.53.37'.
I am following the load balancer sample config found here:
that I adapted to ssl, here is my ssl.conf :
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.mydomain.com.key
    SSLCACertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.chain.crt
    ErrorLog /var/www/mydomain.com/logs/error.log
    CustomLog /var/www/mydomain.com/logs/access.log combined
    ProxyRequests off
    <Proxy balancer://cluster>
        # Using valid DNS names for the members works well
        # Using the IP address of the members returns the certificate error given above
        #BalancerMember http://52.73.75.46/
        #BalancerMember http://52.26.53.37/
        ProxySet lbmethod=byrequests
    </Proxy>
    <Location /balancer-manager>
        SetHandler balancer-manager
    </Location>
    # ProxyPreserveHost On
    ProxyPass /balancer-manager !
    ProxyPass / balancer://cluster/
</VirtualHost>
I would like to be able to use only the IP addresses so that I can add a variable number of BalancerMember that I could start dynamically on a cloud setup.
Using a DNS entry for each BalancerMember makes everything more complicated.
Is there a way to configure httpd so that only the load balancer servers need to have a valid certificate and a DNS name?
All the balancerMembers behind the load balancer would exist only with their IP address.
Thank you
Gilbert
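
An added example, not part of any message in this thread and not the project's sample config: a proxy-side variant of the settings discussed above that still authenticates IP-addressed members by verifying their certificate chain against a private CA, with only the name check relaxed. It assumes the members serve HTTPS with certificates issued by that CA; the file name `backend-ca.crt` is hypothetical, and the member addresses are the ones quoted in the thread.

```apache
<VirtualHost *:443>
    # Public side: the wildcard certificate from the thread
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.mydomain.com.key

    # Backend side: TLS from the proxy to the balancer members
    SSLProxyEngine On
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Keep chain verification: a member must present a certificate
    # issued by the private backend CA (hypothetical file name)
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.crt

    # Members are addressed by IP, so the host name comparison is the
    # only check switched off; expiry is still enforced
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire on

    ProxyRequests off
    <Proxy balancer://cluster>
        # Assumption: members listen on HTTPS
        BalancerMember https://52.73.75.46
        BalancerMember https://52.26.53.37
        ProxySet lbmethod=byrequests
    </Proxy>

    <Location /balancer-manager>
        SetHandler balancer-manager
    </Location>
    ProxyPass /balancer-manager !
    ProxyPass / balancer://cluster/
</VirtualHost>
```

With `SSLProxyVerify require`, a member whose certificate was not issued by that CA fails the TLS handshake, so a dynamically started instance needs a certificate from the CA but no DNS entry.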


