Posted to users@httpd.apache.org by Gilbert Soucy <gs...@36pix.com> on 2020/03/18 01:32:56 UTC

[users@httpd] Setting up a load balancer with https and a valid certificate

Hello,

I am not an expert, so I apologize if my question is unclear.

I have a problem with setting up a load balancer that supports ssl with a
valid certificate.

It works ok when I refer to the balancer members by a valid DNS name.
However, if I just put the IP address of the balancer members, I get

        ERROR: certificate common name '*.mydomain.com' doesn't match
requested host name '52.26.53.37'.

I am following the load balancer sample config found here:
        https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html

that I adapted to SSL. Here is my ssl.conf:

<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.crt
     SSLCertificateKeyFile /etc/pki/tls/private/wildcard.mydomain.com.key
     SSLCACertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.chain.crt

     ErrorLog /var/www/mydomain.com/logs/error.log
     CustomLog /var/www/mydomain.com/logs/access.log combined

     ProxyRequests off
     <Proxy balancer://cluster>


       # Using valid DNS names for the members works well

       BalancerMember https://ws1.mydomain.com/
       BalancerMember https://ws2.mydomain.com/

       # Using the IP address of the members returns the certificate error
given above

       #BalancerMember http://52.73.75.46/
       #BalancerMember http://52.26.53.37/

       ProxySet lbmethod=byrequests
     </Proxy>

     <Location /balancer-manager>
        SetHandler balancer-manager
     </Location>

     # ProxyPreserveHost On
     ProxyPass /balancer-manager !
     ProxyPass / balancer://cluster/

</VirtualHost>

I would like to be able to use only the IP addresses so that I can add a
variable number of BalancerMember that I could start dynamically on a cloud
setup.
Using a DNS entry for each BalancerMember makes everything more complicated.

Is there a way to configure httpd so that only the load balancer servers
need to have a valid certificate and a DNS name?
All the BalancerMembers behind the load balancer would exist only with
their IP address.

Thank you

Gilbert

Re: [users@httpd] Setting up a load balancer with https and a valid certificate

Posted by Gilbert Soucy <gs...@36pix.com>.
I started to read on the reverse proxy. It seems to be exactly what I want
but I still haven't found the right config.

If I just replace ProxyPass by ProxyPassReverse, I do not reach the member
servers behind.  But thanks for the article, I will check around page 38.

On Tue, Mar 17, 2020 at 10:19 PM Jonathon Koyle <li...@gmail.com>
wrote:

> Sorry, I misread the end of your message.  One feature that could
> accomplish what you are looking for is reverse proxy.  Try using
> ProxyPassReverse instead of ProxyPass.  There may be other settings to
> address, but I have never used the landing
> Load balancing.  One of the contributors mentions it in a PDF available at
> http://www.jimjag.com/presos/AC-US-08/ACUS08-AdvancedLoadBalancing-Apache2.2.pdf
> it's around page 38.

Re: [users@httpd] Setting up a load balancer with https and a valid certificate

Posted by Jonathon Koyle <li...@gmail.com>.
Sorry, I misread the end of your message.  One feature that could
accomplish what you are looking for is reverse proxy.  Try using
ProxyPassReverse instead of ProxyPass.  There may be other settings to
address, but I have never used the landing
Load balancing.  One of the contributors mentions it in a PDF available at
http://www.jimjag.com/presos/AC-US-08/ACUS08-AdvancedLoadBalancing-Apache2.2.pdf
it's around page 38.

On Tue, Mar 17, 2020, 8:04 PM Jonathon Koyle <li...@gmail.com> wrote:

> This is actually part of the SSL certificate.  The certificate has a field
> to identify the host, the Common Name (CN), which has to match the hostname
> in the URL.  There is also an optional list, Subject Alternative Name (SAN),
> that can be specified if you want one cert to match against various URL
> hostnames.
>
> If you want to have SSL using the IP address, your certificate must be
> issued with the IP as the CN or in the SAN.

Re: [users@httpd] Setting up a load balancer with https and a valid certificate

Posted by Jonathon Koyle <li...@gmail.com>.
This is actually part of the SSL certificate.  The certificate has a field
to identify the host, the Common Name (CN), which has to match the hostname
in the URL.  There is also an optional list, Subject Alternative Name (SAN),
that can be specified if you want one cert to match against various URL
hostnames.

If you want to have SSL using the IP address, your certificate must be
issued with the IP as the CN or in the SAN.


Re: [users@httpd] Setting up a load balancer with https and a valid certificate

Posted by Gilbert Soucy <gs...@36pix.com>.
As soon as I add

     ProxyPreserveHost On

I get too many redirections.

On Tue, Mar 17, 2020 at 10:11 PM <di...@tuxweb.it> wrote:

> Already tried with those? :
>
> SSLProxyEngine On
> SSLProxyCheckPeerName Off
> SSLProxyCheckPeerExpire Off
> SSLProxyCipherSuite All
> SSLProxyProtocol all -SSLv3
> SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+EXP
> SSLProxyVerify none
> ProxyPreserveHost On
>
> This way your reverse proxy will not check worker certificates.

Re: [users@httpd] Setting up a load balancer with https and a valid certificate

Posted by di...@tuxweb.it.
Already tried with those? :

SSLProxyEngine On
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
SSLProxyCipherSuite All
SSLProxyProtocol all -SSLv3
SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+EXP
SSLProxyVerify none
ProxyPreserveHost On

This way your reverse proxy will not check worker certificates.
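Two points in this thread deserve a worked illustration: Jonathon's explanation that the certificate's CN or SAN has to match the name the proxy connects to (so a '*.mydomain.com' wildcard can never match a BalancerMember given as 52.26.53.37), and the suggestion in the last message to switch SSLProxyCheckPeerName and SSLProxyVerify off. The following Python script is an added example, not code from the httpd project or from anyone in the thread. It models the RFC 6125 / RFC 5280 name-matching rule that OpenSSL-based clients apply (an IP reference identifier is compared only against iPAddress SAN entries, a DNS name against dNSName entries with CN as a fallback, and '*' covering exactly one leftmost label; that mod_ssl's matcher behaves identically in every detail such as CN fallback is an assumption), checks a list of BalancerMember URLs against the certificate the backends present, and builds the subjectAltName value a backend certificate needs so the IP-addressed members verify without turning checking off. The names Cert, matches, check_members, openssl_san_extension, the sample certificates and the member list are all constructed for this example; the `openssl req -addext` syntax is OpenSSL's (1.1.1 and later).

```python
"""
Added example for this thread (not code from the httpd project or from any
poster): why a wildcard certificate fails for an IP-addressed backend, and
what a backend certificate must carry instead.

Rules modelled (RFC 6125 / RFC 5280 semantics as applied by OpenSSL-based
clients; mod_ssl's own matcher agreeing in every detail, e.g. CN fallback,
is an assumption here):
  * an IP reference identifier is compared only with iPAddress SAN entries,
    never with dNSName entries or the CN;
  * a DNS reference identifier is compared with dNSName SAN entries, or with
    the CN only when the certificate has no dNSName entries;
  * '*' covers exactly one leftmost label: '*.mydomain.com' matches
    ws1.mydomain.com but neither mydomain.com nor a.b.mydomain.com.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cert:
    """Only the identity fields of an X.509 certificate (constructed)."""
    common_name: str
    dns_names: list = field(default_factory=list)  # dNSName SAN entries
    ip_names: list = field(default_factory=list)   # iPAddress SAN entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match with a single-leftmost-label wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, must leave at least two
    # literal labels, and may stand in for exactly one label of the host.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches(cert: Cert, requested_host: str) -> bool:
    """Would a verifying client accept `cert` for `requested_host`?"""
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are matched against iPAddress SAN entries only.
        return any(ipaddress.ip_address(i) == ip for i in cert.ip_names)
    candidates = cert.dns_names or [cert.common_name]
    return any(_dns_match(c, requested_host) for c in candidates)


def check_members(cert: Cert, member_urls) -> dict:
    """Classify BalancerMember URLs against the certificate the backends
    present: 'ok', 'mismatch' (peer-name check would fail) or 'no TLS'."""
    result = {}
    for url in member_urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            result[url] = "no TLS"
        else:
            result[url] = "ok" if matches(cert, parts.hostname) else "mismatch"
    return result


def openssl_san_extension(ips, dns_names=()) -> str:
    """subjectAltName value for `openssl req -addext "<value>"` (OpenSSL
    1.1.1+) when issuing a backend certificate that is addressed by IP."""
    parts = [f"IP:{ipaddress.ip_address(i)}" for i in ips]
    parts += [f"DNS:{d}" for d in dns_names]
    return "subjectAltName=" + ",".join(parts)


# Constructed inputs mirroring the thread: the wildcard certificate the
# backends currently present, and a certificate a private CA could issue
# to one backend so that it verifies when addressed by IP.
WILDCARD_CERT = Cert("*.mydomain.com", dns_names=["*.mydomain.com", "mydomain.com"])
BACKEND_IP_CERT = Cert("ws-52-26-53-37", ip_names=["52.26.53.37"])
MEMBERS = [
    "https://ws1.mydomain.com/",
    "https://52.73.75.46/",
    "https://52.26.53.37/",
    "http://52.26.53.37/",
]

if __name__ == "__main__":
    for url, verdict in check_members(WILDCARD_CERT, MEMBERS).items():
        print(f"{url:32} {verdict}")
    print(matches(BACKEND_IP_CERT, "52.26.53.37"))  # iPAddress SAN present
    print(openssl_san_extension(["52.26.53.37"], ["ws2.mydomain.com"]))
```

Run as a script, the wildcard certificate is reported "ok" only for the DNS-named member and "mismatch" for both IP-addressed https members, which is the situation in the original post. The string from `openssl_san_extension` is what each backend's CSR needs; with backend certificates issued that way by a private CA, `SSLProxyVerify require` and `SSLProxyCACertificateFile` pointing at that CA, the proxy keeps authenticating its members while they are still addressed purely by IP. Setting `SSLProxyCheckPeerName Off` together with `SSLProxyVerify none`, as suggested above, removes this check entirely: the proxy then accepts any certificate from whatever answers on the member's address, so the proxy-to-backend hop is encrypted but no longer authenticated.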