SSLMutex file(s) with IP-Virtuals

SSLMutex file(s) with IP-Virtuals

on 30.12.2003 13:18:38 by Tom Walsh

Hello All,

We have put together a virtual IP based apache+mod_ssl server. This is
the first time I have done this type of thing as we were running a name
based virtual server up to this point. I have a few questions,
obviously. ;-) I stacked three IP addresses up on the ethernet using
ifconfig:

ifconfig eth0:1 64.x.x.100 netmask 255.255.255.0
ifconfig eth0:2 64.x.x.101 netmask 255.255.255.0

I created three apache servers, each binds to its individual IP address
via the Listen directive within apache, e.g.:

NameVirtuals: Listen 64.x.x.99:80
Secure0: Listen 64.x.x.100:443
Secure1: Listen 64.x.x.101:443

A netstat verifies that this binding is as expected and the individual
apache servers (and children) are listening where they should be.

The named virtuals is using vhosts/Vhost.conf to specify the various
virtual domains that are available via port 80 of the 64.x.x.99 server.
I presume that we can only listen on port 80 of that IP and that an
attempt to also listen on port 443 will result in a nasty failure? Yes,
we did try to listen on both port 80 and port 443 with a single server,
heh, I don't take anybody's word for it if they say "it cannot be done",
but such information is not ignored out of hand. ;-) heh

Anyhow, everything seems to be working fine. Each server has its own
unique user + group defined: apache, apache_s1, and apache_s2. What I
was confused about was the shared (?) files used for ssl housekeeping,
these are:

ssl_mutex
ssl_scache

From the apache documentation, which is extremely terse regarding IP
virtuals(!), it seems to suggest that the semaphore signaling would be
used as an interprocess communication sync method between modules /
functions of the particular server. The impression that I got from the
docs was that a mutex file would need to be defined for each server
running modssl? I defined them as such:

Secure0: SSLMutex file:/var/cache/apache2-mod_ssl/ssl_mutex0
Secure1: SSLMutex file:/var/cache/apache2-mod_ssl/ssl_mutex1

This way I can avoid collisions between the two independent apache
servers running modssl and avoid mutex problems? My understanding is
that each server would have a copy of libc (whatever) and semaphores
would be peculiar to the loaded modssl & apache runtimes, therefore,
reusing the ssl_mutex file would result in very bad things happening? I
did the same for the ssl_scache files, defined unique files for them as
well.


Yes, we also segregated the error_log, httpd-pid, etc., files as well.
The cert is shared (defined) as being common to the two secure services
(servers), we have no need for a separate cert as yet, this is still a
test server.

TIA,

TomW


--
Tom Walsh - WN3L - Embedded Systems Consultant
http://openhardware.net, http://cyberiansoftware.com
"Windows? No thanks, I have work to do..."
----------------------------------------------------



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLMutex file(s) with IP-Virtuals

on 30.12.2003 21:11:00 by Tom Walsh


Marco A. Zamora Cunningham wrote:

>> Secure0: SSLMutex file:/var/cache/apache2-mod_ssl/ssl_mutex0
>> Secure1: SSLMutex file:/var/cache/apache2-mod_ssl/ssl_mutex1
>> This way I can avoid collisions between the two independent apache
>> servers running modssl and avoid mutex problems? My understanding is
>
> Off the top of my head, I'd say this won't work: the mutexes are for the SSL
> cache updates, so: since all virtual servers are really running in the same
> pool of Apache httpd processes, they all need access to the same mutexes.
> Furthermore, maybe some of the modssl functions/libraries assume that
> all modssl processes use the same shared memory/files/whatever.
>
> So, in order to check if your setup works, I'd first set up each virtual
> server as an actual server (each IP with its own set of httpd processes and
> independent configs using -D switches and ifdefs), and then I'd try
> segregating the mutexes, and until that is done, I'd run an SSL connection
>
>
Perhaps you missed this? I did setup each IP with its own httpd
server, here is the 'pstree -cp':

        |-httpd2(3397)-+-advxsplitlogfil(3404)
        |              |-httpd2(3405)
        |              |-httpd2(3406)
        |              |-httpd2(3407)
        |              |-httpd2(3408)
        |              |-httpd2(3409)
        |              `-httpd2(3450)
        |-httpd2(3415)-+-advxsplitlogfil(3422)
        |              |-httpd2(3423)
        |              |-httpd2(3424)
        |              |-httpd2(3425)
        |              |-httpd2(3426)
        |              `-httpd2(3427)
        |-httpd2(3433)-+-advxsplitlogfil(3440)
        |              |-httpd2(3441)
        |              |-httpd2(3442)
        |              |-httpd2(3443)
        |              |-httpd2(3444)
        |              `-httpd2(3445)


And from 'netstat -apn' snippet:

tcp        0      0 64.179.36.99:80         0.0.0.0:*               LISTEN      3397/httpd2
tcp        0      0 64.179.36.101:443       0.0.0.0:*               LISTEN      3433/httpd2
tcp        0      0 64.179.36.100:443       0.0.0.0:*               LISTEN      3415/httpd2



The goal was to stack three ip addresses into one box, then attach an
httpd server to each of the ip's. One name based http server and two IP
based https servers. This we have, only I wonder if the SSLMutex
designation should point to unique filenames or must it be a file that
is common to all three httpd servers?

Regards,

TomW

--
Tom Walsh - WN3L - Embedded Systems Consultant
http://openhardware.net, http://cyberiansoftware.com
"Windows? No thanks, I have work to do..."
----------------------------------------------------




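The question the thread leaves open is whether the ssl_mutex and ssl_scache files have to be unique per httpd instance. In mod_ssl, SSLMutex and SSLSessionCache are server-wide directives, one per parent process and the children it forks, just like PidFile, LockFile and ScoreBoardFile; within one parent all virtual hosts share them, but two separate parents (the three httpd2 trees in the pstree above) each create and own their copy at startup, so separate parents must not name the same files. The script below is an added example, not code from the thread or from the mod_ssl project: it reads one config file per instance, pulls out those per-instance resources (plus Listen, since two parents cannot bind the same ip:port), and reports any value claimed by more than one instance. The config files it writes are constructed samples modelled on the poster's Secure0/Secure1 layout, the 192.0.2.x addresses are documentation addresses, and the function names and /var/cache paths are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag per-instance httpd/mod_ssl
# resources that two independent httpd parents both point at.
# SSLMutex, SSLSessionCache, PidFile, LockFile, ScoreBoardFile are global
# to one parent process and its children; Listen is included because two
# parents cannot bind the same ip:port.  Paths and addresses below are
# constructed for the example.

# Print "directive<TAB>value" for one instance's config file ($1).
# Scheme prefixes (file:, shm:, dbm:) and size suffixes "(512000)" are
# stripped so "shm:/x(512000)" and "dbm:/x" still compare as the same path.
# Keyword-only forms (none, sem, default, sysvsem ...) name no file and are
# skipped.  Apache comments are full-line only, so stripping those is enough.
instance_resources() {
    sed -e 's/^[[:space:]]*#.*//' "$1" | awk '
        $1 ~ /^(SSLMutex|SSLSessionCache|PidFile|LockFile|ScoreBoardFile|Listen)$/ {
            v = $2
            sub(/^[a-z]+:/, "", v)
            sub(/\(.*$/, "", v)
            if (v ~ /\// || $1 == "Listen") print $1 "\t" v
        }'
}

# Report every (directive, value) pair claimed by more than one config.
# Prints "directive<TAB>value<TAB>conf<TAB>conf..." per collision and returns
# 1 if there was any, 0 if the instances are cleanly separated.
# Note: values are compared as strings, not resolved against ServerRoot.
find_collisions() {
    for c in "$@"; do
        instance_resources "$c" | awk -F'\t' -v OFS='\t' -v f="$c" '{ print $1, $2, f }'
    done | sort | awk -F'\t' '
        { k = $1 "\t" $2; seen[k] = seen[k] "\t" $3; n[k]++ }
        END { for (k in seen) if (n[k] > 1) { print k seen[k]; bad = 1 }; exit bad }'
}

# Write two constructed instance configs into directory $1.  secure1
# deliberately reuses secure0's SSLMutex file so the check has something
# to find; everything else is separated the way the thread describes.
write_sample_configs() {
    dir=$1
    cat > "$dir/secure0.conf" <<'EOF'
# Secure0: IP-based https instance (constructed sample)
Listen 192.0.2.100:443
User apache_s1
Group apache_s1
PidFile /var/run/httpd-secure0.pid
SSLMutex file:/var/cache/apache2-mod_ssl/ssl_mutex0
SSLSessionCache shm:/var/cache/apache2-mod_ssl/ssl_scache0(512000)
EOF
    cat > "$dir/secure1.conf" <<'EOF'
# Secure1: IP-based https instance (constructed sample)
# Mistake on purpose: same SSLMutex file as Secure0
Listen 192.0.2.101:443
User apache_s2
Group apache_s2
PidFile /var/run/httpd-secure1.pid
SSLMutex file:/var/cache/apache2-mod_ssl/ssl_mutex0
SSLSessionCache shm:/var/cache/apache2-mod_ssl/ssl_scache1(512000)
EOF
}

# Stand-alone demo: build the samples in a temp dir and run the check.
demo() {
    d=$(mktemp -d)
    write_sample_configs "$d"
    if find_collisions "$d/secure0.conf" "$d/secure1.conf"; then
        echo "instances are cleanly separated"
    else
        echo "shared per-instance resources found (see lines above)"
    fi
}
```

Run it against the real instance configs with `find_collisions /etc/httpd/secure0.conf /etc/httpd/secure1.conf ...` (paths assumed); a non-zero exit means two parents claim the same resource. One caveat on the mutex specifically: the mod_ssl documentation for the `file:` form of SSLMutex states that the parent's process ID is appended to the filename, so two instances sharing a base name still get distinct lock files and the shared ssl_mutex line above is the least harmful of the possible collisions. The SSLSessionCache file gets no such suffix and each parent creates the segment at that path when it starts, so that one, like PidFile and the Listen address, really does have to differ per instance; giving the mutex its own name as well costs nothing and keeps the cache directory unambiguous.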