On Mon, Sep 7, 2009 at 9:41 PM, Ali Jawad<alijawad1@xxxxxxxxx> wrote:
> Hi
> I got the following network setup
>
>                           |---Server A
> Internet --load balancer---Server B
>                           |---Server C
>
> The load balancer will send the requests in round robin fashion, and
> the traffic will be secured using HTTPS. All servers will host one
> site using Apache2 with the same FQDN for all servers.
>
> Having said that, should I generate ONLY one CSR on Server A, and
> distribute the private key and result certificate to Apache servers on
> server B and C, or should I generate three CSR, one per server and use
> the resultant certificates each on its respective Apache servers.

The normal practice in such a setup would be to terminate SSL on the
loadbalancer. That would solve a lot of your problems. But you could
indeed install the same Certificate/Key pair on each server.

>
> My concern is that if different CSR will be using on the servers, and
> the browser creates the HTTPS session with server A, and then using
> the load balancer request B goes to server B, and server B uses a
> certificate generated using another CSR and private key, the HTTPS
> session will break.

You shouldn't worry about that. HTTPS (and HTTPS) don't have sessions.
Every request is atomic.

> One other thing to note is that I do not have access to the load
> balancer, and since this is a hardware based load balancer it will
> probably intercept the traffic before sending it to one of the
> servers. Isn't this going to break the SSL session between the browser
> and the Apache server.

What do you mean with "intercept"? I suppose this is just a hardware
loadbalancer that works on the TCP layer. In this case it wouldn't
care about what protocol is carried. It will just forward a request
for a connection to one host, and if it's configured properly will
keep all TCP/IP packets going to the correct hosts till one of the
parties initiates a termination of the TCP connection.

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
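
Added example, not part of the original message and not Apache project code: the "one CSR, same Certificate/Key pair on each server" option from the reply above, with a check to run on each backend that the installed certificate really belongs to the installed private key. The host name www.example.com, the file names server.key/server.csr/server.crt and the directories A, B and C are placeholders, and a self-signed certificate stands in for the one a CA would issue.

```shell
#!/bin/sh
# Added example. Host name and file names are placeholders; the self-signed
# certificate stands in for the one a CA would issue from the CSR.

# Generate ONE private key and ONE CSR for the shared FQDN. $1=dir $2=fqdn
gen_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    chmod 600 "$1/server.key"   # the key is copied to every backend: keep it owner-only
}

# SHA-256 of the DER-encoded public key, read as PEM on stdin.
spki_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Public-key hash of a certificate / of a private key; fail on unreadable input.
cert_spki() { _p=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
              printf '%s\n' "$_p" | spki_hash; }
key_spki()  { _p=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
              printf '%s\n' "$_p" | spki_hash; }

# True only if certificate $1 was issued for private key $2.
pair_matches() {
    _c=$(cert_spki "$1") && _k=$(key_spki "$2") && [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/A" "$d/B" "$d/C"
    gen_key_and_csr "$d/A" www.example.com
    # Stand-in for the CA step (constructed: self-signed, valid 1 day).
    openssl x509 -req -in "$d/A/server.csr" -signkey "$d/A/server.key" \
        -out "$d/A/server.crt" -days 1 2>/dev/null
    # Distribute the same pair to the other two backends.
    cp "$d/A/server.key" "$d/A/server.crt" "$d/B/"
    cp "$d/A/server.key" "$d/A/server.crt" "$d/C/"
    for s in A B C; do
        if pair_matches "$d/$s/server.crt" "$d/$s/server.key"; then
            echo "server $s: OK $(cert_spki "$d/$s/server.crt")"
        else
            echo "server $s: MISMATCH"
        fi
    done
    rm -rf "$d"
}
demo
```

All three backends should print the same hash; a backend that prints MISMATCH has a certificate that does not belong to its key and would fail TLS handshakes whenever the balancer routes a connection to it.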