Matus UHLAR - fantomas wrote:
> > On 10/27/07, Hans <hans@xxxxxxxxxx> wrote:
> > Last week our customer requested to put a new SSL cert for him with his own IP. I created a VIP and forwarded it to ports 80 and 443. But I have a problem with the configuration. First, a few words about my future conf: during the next few weeks I will install a load-balancing environment with 2 identical active/active webservers whose conf is created automatically from a MySQL database. Both machines will be behind NAT and need to use only public IPs in the configuration for virtual hosts. I cannot use e.g. 192.168.2.10, 192.168.2.11 for a virtualhost (because only the public IP 65.65.65.65 will be generated for the vhost).
>
> There's no problem with load-balancing if you configure it properly. We are running many vhosts (some SSL'ed, but wildcarded on the same IP/port with the same cert) behind a loadbalancer. Our balancer does DNAT, so the servers don't know that it's there, they see connections coming to them.
>
> The problem is that if you want to have multiple SSL vhosts (with multiple certs), you have to configure each of them on the servers and the balancer (but you can do e.g. multiple ports with different certs on hosts, and the same port on multiple IPs on the balancer).
>
> > So back to my question. I wanted to change the configuration from *:80 (*:443) to public 65.65.65.65:80 (65.65.65.65:443). But when I tried to access the websites it always directed me to the default website. I tried <127.0.0.1:80 65.65.65.65:80>, with the same effect. In the end I tried <192.168.2.10:80 65.65.65.65.80> (the same for 443) and it works correctly (I mean I can access each vhost) except that my customer doesn't get his own SSL cert but one shared with the rest from the default domain (I guess it takes the cert from the first virtual domain). How can I force Apache to use only public IPs (without the LAN IP) behind NAT and have it correctly find virtual hosts?
>
> This highly depends on balancer behaviour. If it uses DNAT, behave like there was no balancer there.
>
> On 29.10.07 23:11, Krist van Besien wrote:
> > - You can't do name virtual hosts with SSL.
>
> only with wildcard certificates (which works only if there are multiple vhosts in the same domain).
>
> > - You can't configure a virtual host with an IP that the machine doesn't own. So if your public IP is 65.65.65.65, and this IP is allocated to a loadbalancer (or any other device that does NAT) then this is of no concern to your webserver. So if 65.65.65.65 gets loadbalanced between 192.168.2.10 and 192.168.2.11 then on both hosts you will need something like:
> >
> >     NameVirtualHost *:80
> >     <VirtualHost *:80>
> >         ServerName Myfirstcustomer.com
> >         # rest of config here ....
> >     </VirtualHost>
> >     <VirtualHost *:80>
> >         ServerName Mysecondcustomer.com
> >         # rest of config here ....
> >     </VirtualHost>
> >
> > But you can't do this with SSL servers. There you will need a separate public IP for each SSL site.
>
> Actually, he can balance the same SSL virtual host on two machines. But if he wants two SSL virtual hosts, he needs 2 IPs or two ports (each of them must be balanced separately)

Thanks. So in your config you have only <Public_IP:80 (443)> or <Private_IP:80(443) Public_ip:80(443)>?

Regards,
Hans
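
An added example, not part of the thread or anyone's actual configuration: a sketch of the backend setup the replies describe when the balancer does DNAT, with each certificate on its own port of the backend's private address. The addresses 192.168.2.10 and 65.65.65.65 come from the thread; the second public IP 203.0.113.20, port 8443, the hostnames and all file paths are assumptions.

```apache
# Backend 192.168.2.10 (repeat on 192.168.2.11 with that address).
# The balancer rewrites the destination address (DNAT), so httpd only sees
# connections addressed to its private IP; 65.65.65.65 never appears here.
#
# Assumed balancer mapping (hypothetical, not from the thread):
#   65.65.65.65:80    -> 192.168.2.10:80
#   65.65.65.65:443   -> 192.168.2.10:443    (shared certificate)
#   203.0.113.20:443  -> 192.168.2.10:8443   (customer's own certificate)

Listen 192.168.2.10:80
Listen 192.168.2.10:443
Listen 192.168.2.10:8443

# Plain HTTP: name-based vhosts work, the Host header selects the site.
# NameVirtualHost is Apache 2.2 syntax, as used in the thread; 2.4 no longer needs it.
NameVirtualHost 192.168.2.10:80

<VirtualHost 192.168.2.10:80>
    ServerName www.shared.example
    DocumentRoot /var/www/shared
</VirtualHost>

<VirtualHost 192.168.2.10:80>
    ServerName www.customer.example
    DocumentRoot /var/www/customer
</VirtualHost>

# SSL without SNI: the certificate is chosen from the address:port the
# connection arrived on, before any Host header is read. One certificate
# per address:port pair, so the second certificate needs its own port (or IP).
<VirtualHost 192.168.2.10:443>
    ServerName www.shared.example
    DocumentRoot /var/www/shared
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shared.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shared.key
</VirtualHost>

<VirtualHost 192.168.2.10:8443>
    ServerName www.customer.example
    DocumentRoot /var/www/customer
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/customer.crt
    SSLCertificateKeyFile /etc/httpd/ssl/customer.key
</VirtualHost>
```

Running `apachectl -S` on the backend lists which vhost answers on each address:port, which confirms the customer certificate is not falling through to the first SSL vhost.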