Re: Setting up a load balancer with https and a valid certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I started to read on the reverse proxy. It seems to be exactly what I want but I still haven't found the right config.

If I just replace ProxyPass by ProxyPassReverse, I do not reach the member servers behind.  But thanks for the article, I will check around page 38.

On Tue, Mar 17, 2020 at 10:19 PM Jonathon Koyle <litereader@xxxxxxxxx> wrote:
Sorry, I misread the end of your message.  One feature that could accomplish what you are looking for is reverse proxy.  Try using ProxyPassReverse instead of ProxyPass.  There may be other settings to address, but I have never used the landing
Load balancing.  One of the contributors mentions it in a PDF available at http://www.jimjag.com/presos/AC-US-08/ACUS08-AdvancedLoadBalancing-Apache2.2.pdf it's around page 38.

On Tue, Mar 17, 2020, 8:04 PM Jonathon Koyle <litereader@xxxxxxxxx> wrote:
This is actually part of the ssl certificate.  The certificate has a field to identify the host and have to match the hostname in the URL the Common Name CN.  There is also an optional list Subject Alternative Name SAN that can be specified if you want one cert to match against various url hostnames.

If you want to have SSL using the IP address, your certificate must be issued with the IP as the CN or in the SAN.

On Tue, Mar 17, 2020, 7:33 PM Gilbert Soucy <gsoucy@xxxxxxxxx> wrote:
Hello,

I am not an expert, so I apologize if my question is unclear.

I have a problem with setting up a load balancer that supports ssl with a valid certificate.

It works ok when I refer to the balancer members by a valid DNS name.
However, if I just put the IP address of the balancer members, I get 

        ERROR: certificate common name '*.mydomain.com' doesn't match requested host name '52.26.53.37'.

I am following the load balancer sample config found here:

that I adapted to ssl, here is my ssl.conf :

<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.crt
     SSLCertificateKeyFile /etc/pki/tls/private/wildcard.mydomain.com.key
     SSLCACertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.chain.crt

     ErrorLog /var/www/mydomain.com/logs/error.log
     CustomLog /var/www/mydomain.com/logs/access.log combined

     ProxyRequests off
     <Proxy balancer://cluster>

       # Using valid DNS names for the members works well
       BalancerMember https://ws1.mydomain.com/
       BalancerMember https://ws2.mydomain.com/

       # Using the IP address of the members returns the certificate error given above
       #BalancerMember http://52.73.75.46/
       #BalancerMember http://52.26.53.37/

       ProxySet lbmethod=byrequests
     </Proxy>

     <Location /balancer-manager>
        SetHandler balancer-manager
     </Location>

     # ProxyPreserveHost On
     ProxyPass /balancer-manager !
     ProxyPass / balancer://cluster/

</VirtualHost>

I would like to be able to use only the IP addresses so that I can add a variable number of BalancerMember that I could start dynamically on a cloud setup.
Using a DNS entry for each BalancerMember makes everything more complicated.

Is there a way to configure httpd so that only the load balancer servers needs to have a valid certificate and a DNS name ?
All the balancerMembers behind the load balancer would exist only with their IP address.

Thank you 

Gilbert
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux