Posted to users@httpd.apache.org by Krist van Besien <kr...@gmail.com> on 2009/09/08 07:27:20 UTC

Re: [users@httpd] Question about CSR and load balancing to Apache servers.

On Mon, Sep 7, 2009 at 9:41 PM, Ali Jawad<al...@gmail.com> wrote:
> Hi
> I got the following network setup
>
>                         |---Server A
> Internet --load balancer---Server B
>                         |---Server C
>
> The load balancer will send the requests in round robin fashion, and
> the traffic will be secured using HTTPS. All servers will host one
> site using Apache2 with the same FQDN for all servers.
>
> Having said that, should I generate ONLY one CSR on Server A, and
> distribute the private key and result certificate to Apache servers on
> server B and C, or should I generate three CSR, one per server and use
> the resultant certificates each on its respective Apache server.

The normal practice in such a setup would be to terminate SSL on the
load balancer. That would solve a lot of your problems.
But you could indeed install the same Certificate/Key pair on each server.

>
> My concern is that if different CSRs will be used on the servers, and
> the browser creates the HTTPS session with server A, and then using
> the load balancer request B goes to server B, and server B uses a
> certificate generated using another CSR and private key, the HTTPS
> session will break.

You shouldn't worry about that. HTTP (and HTTPS) don't have sessions.
Every request is atomic.

> One other thing to note is that I do not have access to the load
> balancer ,and since this is a hardware based load balancer it will
> probably intercept the traffic before sending it to one of the
> servers. Isn't this going to break the SSL session between the browser
> and the Apache server.

What do you mean with "intercept"? I suppose this is just a hardware
load balancer that works on the TCP layer. In this case it wouldn't
care about what protocol is carried. It will just forward a request
for a connection to one host, and if it's configured properly will
keep all TCP/IP packets going to the correct hosts till one of the
parties initiates a termination of the TCP connection.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
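If you do go the route Krist describes, installing the same certificate/key pair on Server A, B and C, the thing worth verifying afterwards is that every backend really presents that one certificate, since a TCP-level balancer will happily send a browser to whichever server answers. The script below is an added example, not code from the thread or from the Apache project; it connects straight to each backend's IP (bypassing the balancer) with the shared FQDN as SNI, hashes the leaf certificate each one sends, and reports any backend whose fingerprint differs. The addresses and the FQDN in the `__main__` block are placeholders.

```python
"""Check that every backend behind a TCP load balancer presents the same
TLS certificate. Added example, not from the mailing-list thread.

Assumed inputs: a dict mapping a label to the backend's direct IP
(bypassing the load balancer) and the shared FQDN used for SNI.
The values used below are placeholders, not real hosts.
"""
import hashlib
import socket
import ssl
from typing import Dict, List


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_cert(ip: str, hostname: str, port: int = 443,
                    timeout: float = 5.0) -> bytes:
    """Open a TLS connection directly to one backend (not through the LB)
    and return the DER leaf certificate it presents for `hostname` via SNI.
    Verification is disabled on purpose: the goal is to observe what the
    server sends, not to trust it. check_hostname must be cleared before
    verify_mode is set to CERT_NONE or Python raises ValueError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def collect_fingerprints(backends: Dict[str, str], hostname: str,
                         port: int = 443) -> Dict[str, str]:
    """Fingerprint the certificate each backend presents, keyed by label."""
    return {label: fingerprint_der(fetch_leaf_cert(ip, hostname, port))
            for label, ip in backends.items()}


def inconsistent_backends(fingerprints: Dict[str, str]) -> List[str]:
    """Return the labels whose fingerprint differs from the most common one.
    An empty list means every backend presented the same certificate."""
    if not fingerprints:
        return []
    counts: Dict[str, int] = {}
    for fp in fingerprints.values():
        counts[fp] = counts.get(fp, 0) + 1
    majority = max(counts, key=lambda fp: counts[fp])
    return sorted(label for label, fp in fingerprints.items() if fp != majority)


if __name__ == "__main__":
    # Placeholder addresses (TEST-NET-1) and hostname; replace with your own.
    BACKENDS = {"Server A": "192.0.2.10",
                "Server B": "192.0.2.11",
                "Server C": "192.0.2.12"}
    FQDN = "www.example.com"
    fps = collect_fingerprints(BACKENDS, FQDN)
    for label, fp in fps.items():
        print(f"{label}: {fp}")
    bad = inconsistent_backends(fps)
    print("all backends agree" if not bad else f"mismatch on: {', '.join(bad)}")
```

On the Apache side this means pointing `SSLCertificateFile` and `SSLCertificateKeyFile` (and the chain, if any) at identical files in each server's mod_ssl configuration; copy the private key between servers over an authenticated channel and keep it readable by root only. If the balancer terminates SSL itself, as Krist suggests is the usual practice, run the same check against the balancer's public address instead, since that is the only certificate browsers will ever see.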

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org