Multiple _identical_ servers with different server names
on 03.10.2002 00:02:34 by mbabcock
I have a client who wants to host multiple mirrors of the same SSL
website that point to the same data; is there any way to do this without
consuming additional IPs? Could I have the other names accept on :443
in HTTP mode and redirect??
Thanks for any help.
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: Multiple _identical_ servers with different server names
on 03.10.2002 10:18:18 by Boyle Owen
You mean you have one IP address and one FQDN but many physical machines?
Then you need a load-balancer. That is, the LB carries the external IP address so all packets are routed initially to it. Then it re-routes the packets to one of the internal servers according to various rules (e.g. randomly, round-robin, based on IP range etc.).
There are several complications in an SSL environment:
- the LB can't look inside the packets to see any HTTP attributes (such as Host header). It can only work with the IP and port (this is why name-based virtual hosting doesn't work with SSL).
- SSL servers usually keep-alive the session so that the session key does not have to be renegotiated for every transaction. Obviously, if you have more than one server, the LB has to make sure that each client always gets the same server on subsequent requests.
>-----Original Message-----
>From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net]
>Sent: Thursday, 3 October 2002 00:03
>To: modssl-users@modssl.org
>Subject: Multiple _identical_ servers with different server names
>
>
>I have a client who wants to host multiple mirrors of the same SSL
>website that point to the same data; is there any way to do this without
>consuming additional IPs? Could I have the other names accept on :443
>in HTTP mode and redirect??
>
>Thanks for any help.
>
>--
>Michael T. Babcock
>C.T.O., FibreSpeed Ltd.
>http://www.fibrespeed.net/~mbabcock
Re: Multiple _identical_ servers with different server names
on 04.10.2002 19:07:21 by Geoff Thorpe
Hi there,
On Thursday 03 Oct 2002 4:18 am, Boyle Owen wrote:
> You mean you have one IP address and one FQDN but many physical machines?
>
> Then you need a load-balancer. That is, the LB carries the external IP
> address so all packets are routed initially to it. Then it re-routes the
> packets to one of the internal servers according to various rules (e.g.
> randomly, round-robin, based on IP range etc.).
>
> There are several complications in an SSL environment:
>
> - the LB can't look inside the packets to see any HTTP attributes (such as
> Host header). It can only work with the IP and port (this is why name-based
> virtual hosting doesn't work with SSL).
> - SSL servers usually keep-alive the session so that the session key does
> not have to be renegotiated for every transaction. Obviously, if you have
> more than one server, the LB has to make sure that each client always gets
> the same server on subsequent requests.
Or you use any non-SSL-sensitive load-balancing you like (eg. regular NAT
load-balancing in your gateway) and replace the SSL session cache with;
http://www.distcache.org/
:-) Yes, such a shameless plug. However, on that subject I expect to be
updating the httpd integration soon for the latest apache2 (currently the
patching is only known to work "out-of-the-box" with 2.0.39 but may well work
fine with later versions). I've had distcache working with apache
1.3.*-mod_ssl but the problem is producing a patchkit against mod_ssl which
is itself, essentially, a patch kit. If there are actually people who will
clearly state an interest in having this, it might stimulate me to work on
the apache 1.3.* integration more. :-)
Cheers,
Geoff
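Added example, not part of the thread and not code from mod_ssl or distcache: a small Python model of the two options discussed above, counting full versus resumed SSL handshakes when the balancer ignores client identity, when it pins each client IP to one server, and when all servers share one session cache. The Backend class, the picker functions and the client addresses are constructed for illustration; session timeouts are not modelled and each client is assumed to offer only its most recent session ID.

```python
import hashlib
from itertools import count

class Backend:
    """One SSL server; cache maps session ID -> owner (may be shared)."""
    def __init__(self, name, cache=None):
        self.name = name
        self.cache = {} if cache is None else cache
        self.full = 0      # full handshakes (new session negotiated)
        self.resumed = 0   # abbreviated handshakes (cached session reused)

    def handshake(self, session_id):
        if session_id is not None and session_id in self.cache:
            self.resumed += 1
            return session_id
        self.full += 1
        seed = f"{self.name}:{self.full}".encode()
        new_id = hashlib.sha256(seed).hexdigest()[:16]
        self.cache[new_id] = self.name
        return new_id

def round_robin(backends):
    """Balancer that ignores who the client is (plain NAT-style rotation)."""
    turn = count()
    return lambda client_ip: backends[next(turn) % len(backends)]

def source_ip_affinity(backends):
    """Balancer that always sends one client IP to the same server."""
    def pick(client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return backends[int.from_bytes(digest[:4], "big") % len(backends)]
    return pick

def simulate(make_picker, shared_cache=False, clients=20, connections=10, servers=3):
    """Return (full_handshakes, resumed_handshakes) over all connections."""
    cache = {} if shared_cache else None
    backends = [Backend(f"web{i}", cache) for i in range(servers)]
    pick = make_picker(backends)
    sessions = {}  # client IP -> last session ID it was given
    for _ in range(connections):
        for c in range(clients):
            ip = f"192.0.2.{c + 1}"  # constructed addresses (TEST-NET-1)
            sessions[ip] = pick(ip).handshake(sessions.get(ip))
    return sum(b.full for b in backends), sum(b.resumed for b in backends)

if __name__ == "__main__":
    print("round-robin, per-server cache:", simulate(round_robin))
    print("IP affinity, per-server cache:", simulate(source_ip_affinity))
    print("round-robin, shared cache:    ", simulate(round_robin, shared_cache=True))
```

In this model the rotation without affinity never resumes a session, while IP affinity and a shared cache both reduce the load to one full handshake per client.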