Posted to users@httpd.apache.org by Ali Jawad <al...@gmail.com> on 2009/09/07 21:41:04 UTC

[users@httpd] Question about CSR and load balancing to Apache servers.

Hi
I got the following network setup

                         |---Server A
Internet --load balancer---Server B
                         |---Server C

The load balancer will send the requests in round robin fashion, and
the traffic will be secured using HTTPS. All servers will host one
site using Apache2 with the same FQDN for all servers.

Having said that, should I generate ONLY one CSR on Server A, and
distribute the private key and result certificate to Apache servers on
server B and C, or should I generate three CSRs, one per server and use
the resultant certificates each on its respective Apache servers?

My concern is that if different CSRs are used on the servers, and
the browser creates the HTTPS session with server A, and then using
the load balancer request B goes to server B, and server B uses a
certificate generated using another CSR and private key, the HTTPS
session will break.

One other thing to note is that I do not have access to the load
balancer, and since this is a hardware based load balancer it will
probably intercept the traffic before sending it to one of the
servers. Isn't this going to break the SSL session between the browser
and the Apache server?

Regards

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Question about CSR and load balancing to Apache servers.

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Sep 7, 2009 at 9:41 PM, Ali Jawad<al...@gmail.com> wrote:
> Hi
> I got the following network setup
>
>                         |---Server A
> Internet --load balancer---Server B
>                         |---Server C
>
> The load balancer will send the requests in round robin fashion, and
> the traffic will be secured using HTTPS. All servers will host one
> site using Apache2 with the same FQDN for all servers.
>
> Having said that, should I generate ONLY one CSR on Server A, and
> distribute the private key and result certificate to Apache servers on
> server B and C, or should I generate three CSRs, one per server and use
> the resultant certificates each on its respective Apache servers?

The normal practice in such a setup would be to terminate SSL on the
loadbalancer. That would solve a lot of your problems.
But you could indeed install the same Certificate/Key pair on each server.

>
> My concern is that if different CSRs are used on the servers, and
> the browser creates the HTTPS session with server A, and then using
> the load balancer request B goes to server B, and server B uses a
> certificate generated using another CSR and private key, the HTTPS
> session will break.

You shouldn't worry about that. HTTPS (and HTTPS) don't have sessions.
Every request is atomic.

> One other thing to note is that I do not have access to the load
> balancer, and since this is a hardware based load balancer it will
> probably intercept the traffic before sending it to one of the
> servers. Isn't this going to break the SSL session between the browser
> and the Apache server?

What do you mean with "intercept"? I suppose this is just a hardware
loadbalancer that works on the TCP layer. In this case it wouldn't
care about what protocol is carried. It will just forward a request
for a connection to one host, and if it's configured properly will
keep all TCP/IP packets going to the correct hosts till one of the
parties initiates a termination of the TCP connection.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
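
Added example, not part of the original thread: when one certificate/key pair is installed on every back-end as the reply suggests, each server can be checked by comparing the public-key fingerprint of its certificate with that of its key. The FQDN, the file names and the self-signed certificate (standing in for the CA's reply) are assumptions, and the keys are throwaway ones.

```shell
#!/bin/sh
# Added example with throwaway keys; FQDN and file names are placeholders.
set -eu
FQDN="www.example.com"

# SHA-256 of the public key inside a PEM file; kind is key, csr or cert.
pubkey_fingerprint() {
    case "$1" in
        key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  _pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the certificate ($1) carries the public half of the key ($2).
cert_matches_key() {
    _c=$(pubkey_fingerprint cert "$1") || return 1
    _k=$(pubkey_fingerprint key "$2") || return 1
    [ "$_c" = "$_k" ]
}

# One key and one CSR, generated once (as on Server A). The self-signature
# stands in for the CA's reply; a real CSR is sent to the CA instead.
make_pair() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 1 -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"
}

WORK=$(mktemp -d)
mkdir "$WORK/A" "$WORK/B" "$WORK/C"
make_pair "$WORK/A"
cp "$WORK/A/server.key" "$WORK/A/server.crt" "$WORK/B/"  # B: same pair as A
cp "$WORK/A/server.crt" "$WORK/C/"                        # C: A's certificate ...
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/C/server.key" 2>/dev/null                 # ... but its own key

for s in A B C; do
    if cert_matches_key "$WORK/$s/server.crt" "$WORK/$s/server.key"; then
        echo "Server $s: certificate matches private key"
    else
        echo "Server $s: MISMATCH between certificate and private key"
    fi
done
```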
