Posted to users@httpd.apache.org by patrick kuah <pa...@msn.com> on 2003/10/09 05:52:10 UTC

[users@httpd] ssl cert for multiple server

Hi guys,

Sorry ... I posted this previously under another thread.

I have two web servers that load balance each other. Can I use the same SSL cert
on both servers, since I'm only load balancing one URL?
Is there any issue between the client and server for the SSL session if I'm
using the same cert for load balancing? My load balancing uses a round-robin
manner.

Thanks for all the help :)

patrick



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] ssl cert for multiple server

Posted by Geoff Thorpe <ge...@geoffthorpe.net>.
Hi,

On October 8, 2003 11:52 pm, patrick kuah wrote:
> I have two web servers that load balance each other. Can I use the same SSL
> cert on both servers, since I'm only load balancing one URL? Is
> there any issue between the client and server for the SSL session if I'm
> using the same cert for load balancing? My load balancing uses a
> round-robin manner.

You can use the same certificate and key on multiple web servers, but that 
won't solve the issue of SSL/TLS session caching and resumes. You either 
need to perform some kind of "SSL-sticky" load-balancing (ensuring that 
session resume requests from clients are routed to the same server each 
time) or share the session cache between the web-servers so that you can 
resume sessions from whichever server you route to. The latter approach 
is IMHO better because (a) sticky load-balancing is a point of failure, 
(b) load-balancing shouldn't balance according to SSL semantics, it 
should balance according to ... um ... load, and (c) this works better if 
one of your web-servers goes down temporarily. If you already have some 
load-balancing scheme in place, you probably have no choice but to try 
and share the cache between servers anyway or put up with failed resumes 
(and thus higher handshaking overhead).

Mark and I did a paper on this quite a while ago, and some of the details 
may be a little dated now, but it might be useful to you:
   http://www.geoffthorpe.net/apcon2000/

As for the distributed session caching mooted in that paper, it has since 
been coded and is at:
    http://www.distcache.org/

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/
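The resume problem Geoff describes above, as an added example that is not part of the original post nor code from Apache, mod_ssl or distcache: a small Python model of TLS session-ID resumption behind a round-robin balancer. Each backend keeps a session cache keyed by session ID; a client offers the ID it was last given, and a backend that does not know it must do a full handshake and mint a new ID. The three strategies compared are the naive setup (round robin, private caches), an "SSL-sticky" balancer that routes a resume attempt back to the issuing backend, and a cache shared by all backends (the distcache approach). The `Backend`, `Balancer` and `simulate` names and the constructed session IDs are assumptions of this model, not Apache interfaces.

```python
"""Model of TLS session-ID resumption behind a load balancer.

Constructed example: no network, no real TLS.  It only tracks which
backend knows which session ID, which is what decides whether a
client's resume attempt gets an abbreviated or a full handshake.
"""
import itertools
import secrets


class Backend:
    """One web server.  `cache` maps session ID -> session state and is
    either private to this backend or a dict shared by all backends."""

    def __init__(self, name, cache):
        self.name = name
        self.cache = cache

    def handshake(self, offered_id):
        """Return (session_id, resumed).  A known offered ID gives an
        abbreviated handshake; otherwise a full handshake mints a new ID."""
        if offered_id is not None and offered_id in self.cache:
            return offered_id, True
        new_id = secrets.token_hex(16)              # constructed session ID
        self.cache[new_id] = {"issuer": self.name}  # stand-in for session keys
        return new_id, False


class Balancer:
    """Routes requests.  'round_robin' ignores TLS state entirely;
    'sticky' sends a resume attempt back to the backend that issued
    the offered session ID (what Geoff calls SSL-sticky balancing)."""

    def __init__(self, backends, policy):
        self.policy = policy
        self._rr = itertools.cycle(backends)
        self._owner = {}  # session_id -> Backend that issued it

    def route(self, offered_id):
        if self.policy == "sticky" and offered_id in self._owner:
            return self._owner[offered_id]
        return next(self._rr)

    def handle(self, offered_id):
        backend = self.route(offered_id)
        session_id, resumed = backend.handshake(offered_id)
        self._owner[session_id] = backend
        return session_id, resumed


def simulate(strategy, n_backends=2, n_clients=1, requests_per_client=4):
    """Count abbreviated (resumed) handshakes for one strategy:
    'private' - round robin, each backend has its own cache (naive setup)
    'sticky'  - SSL-sticky balancer, private caches
    'shared'  - round robin, one cache shared by all backends
    Returns (resumed, total).  Requests from the clients are interleaved
    so the balancer's round-robin counter is global, as it would be."""
    shared = {}
    backends = [Backend(f"web{i}", shared if strategy == "shared" else {})
                for i in range(n_backends)]
    lb = Balancer(backends, "sticky" if strategy == "sticky" else "round_robin")
    remembered = [None] * n_clients  # each client's last session ID
    resumed = total = 0
    for _ in range(requests_per_client):
        for c in range(n_clients):
            remembered[c], hit = lb.handle(remembered[c])
            resumed += hit
            total += 1
    return resumed, total


if __name__ == "__main__":
    for s in ("private", "sticky", "shared"):
        print(f"{s:8s} 2 backends/1 client: {simulate(s)}   "
              f"3 backends/2 clients: "
              f"{simulate(s, n_backends=3, n_clients=2, requests_per_client=3)}")
```

With two backends and a single client the naive setup never resumes: every request lands on the server that did not issue the ID, so every handshake is a full one, while sticky routing and a shared cache both resume everything after the first request. In Apache httpd the per-server cache is configured with `SSLSessionCache`; later mod_ssl releases also accept a `dc:` target pointing at a distcache socket so that all servers read the same cache. The same consideration applies to session tickets: if the servers do not share the ticket encryption key, a ticket issued by one server is useless on another.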




Re: [users@httpd] ssl cert for multiple server

Posted by Aaron Morris <aa...@mindspring.com>.
Robert Andersson wrote:
> patrick kuah wrote:
> 
>>I have two web servers that load balance each other. Can I use the same SSL
>>cert on both servers, since I'm only load balancing one URL?
>>Is there any issue between the client and server for the SSL session if I'm
>>using the same cert for load balancing? My load balancing uses a
>>round-robin manner.
> 
> 
> I'm no expert on either SSL or load balancing, but I can imagine the
> combination to be tricky. Otherwise, HTTP is a sessionless protocol, so one
> request can go to one server, and the next to another. But, with SSL, all
> communication after the SSL session is set up must be to the same server.


Load balancing HTTPS requests can be tricky if:
A) You are using different certificates for each web server
or
B) You are using SSL session IDs for session management


About using one certificate on multiple web servers:  IANAL, but the 
language is usually a little confusing on this.  I can tell you that the 
CA will want you to buy a certificate for each server.  If you have to, 
I would buy the number of certificates you need and use the same 
certificate on each server.



-- 
Aaron W Morris <aa...@mindspring.com> (decep)






Re: [users@httpd] ssl cert for multiple server

Posted by Robert Andersson <ro...@profundis.nu>.
patrick kuah wrote:
> I have two web servers that load balance each other. Can I use the same SSL
> cert on both servers, since I'm only load balancing one URL?
> Is there any issue between the client and server for the SSL session if I'm
> using the same cert for load balancing? My load balancing uses a
> round-robin manner.

I'm no expert on either SSL or load balancing, but I can imagine the
combination to be tricky. Otherwise, HTTP is a sessionless protocol, so one
request can go to one server, and the next to another. But, with SSL, all
communication after the SSL session is set up must be to the same server.

If you mean DNS round robin, where your DNS server resolves your hostname to
one of the servers every second time, and vice versa, then it will probably
work most of the time, because the client caches the IP. I'm not too sure
about this though.

An alternative solution, if you are having problems, is to have a common entry
point, say http://secure.domain.tld/, that randomly redirects to
https://secure1.domain.tld/ and https://secure2.domain.tld/, which each resolve
to a specific box. Assuming your certificate is for "domain.tld", this would
be essentially the same as the DNS round robin solution.

Regards,
Robert Andersson

