The core of this solution is the configuration of the load balancer and the virtual host (vhost) settings on the servers. The server reads the HTTP Host header and, based on it, decides which site the user is trying to access.
Problem
How to configure the servers and the load balancer to host two SSL sites on a single public IP.
Analysis and example configuration
- Example F5 configuration
We have to import the certificate and key into the F5 and create a client-side SSL profile.
Example wildcard certificate:
# openssl x509 -in /var/tmp/wildcard.rado.net.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:9c:4a:4b:11:11:bc
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=111111
        Validity
            Not Before: Nov 21 11:57:16 2012 GMT
            Not After : Nov 20 09:31:37 2013 GMT
        Subject: O=*.rado.net, OU=Domain Control Validated, CN=*.rado.net
    ....
SSL profile:
# tmsh list ltm profile client-ssl wildcard-client-ssl-profile
ltm profile client-ssl wildcard-client-ssl-profile {
    cert wildcard-rado.net.crt
    chain CA.crt
    defaults-from clientssl
    key wildcard-rado.net.key
}
Virtual server that terminates SSL and load balances the traffic:
# tmsh list ltm virtual VS-1.1.1.1-443
ltm virtual VS-1.1.1.1-443 {
    destination 192.168.99.68:https
    ip-protocol tcp
    mask 255.255.255.255
    pool POOL-192.168.99.68-80
    profiles {
        http { }
        tcp { }
        wildcard-client-ssl-profile {
            context clientside
        }
    }
}
Pool of servers to which the traffic is load balanced:
# tmsh list ltm pool POOL-192.168.99.68-80
ltm pool POOL-192.168.99.68-80 {
    load-balancing-mode least-connections-member
    members {
        10.177.1.1:http {
            session monitor-enabled
        }
        10.177.1.2:http {
            session monitor-enabled
        }
    }
    monitor http
}
- Apache configuration on one of the servers
# cat vhost1.conf
<VirtualHost *:80>
    ServerName vhost1.rado.net
    DocumentRoot /var/www/vhost1
</VirtualHost>
# cat vhost2.conf
<VirtualHost *:80>
    ServerName vhost2.rado.net
    DocumentRoot /var/www/vhost2
</VirtualHost>
# cat /var/www/vhost1/index.html
<html><body><h1>It works!</h1> <p> This is VHOST 1 </p> </body></html>
# a2ensite vhost1.conf
# a2ensite vhost2.conf
# service apache2 reload
A quick local test on the server will confirm whether the config is correct.
# curl -v -H "Host: vhost1.rado.net" http://5.1.1.1
* About to connect() to 5.1.1.1 port 80 (#0)
*   Trying 5.1.1.1... connected
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Accept: */*
> Host: vhost1.rado.net
>
< HTTP/1.1 200 OK
< Date: Sat, 30 Mar 2013 23:42:20 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Last-Modified: Sat, 30 Mar 2013 23:19:21 GMT
< ETag: "b46bb-47-4d92c9e17f040"
< Accept-Ranges: bytes
< Content-Length: 71
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html><body><h1>It works!</h1> <p> This is VHOST 1 </p> </body></html>
* Connection #0 to host 5.79.21.166 left intact
* Closing connection #0
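As an added illustration (not part of the original post), the Python below models the two checks this setup relies on: the wildcard certificate presented by the F5 must actually cover each ServerName, and Apache must dispatch each Host header to its own vhost rather than falling through to the default (first-loaded) vhost. The certificate names, vhost map and default vhost are assumed sample values taken from the configuration above.

```python
from typing import Optional

# Constructed sample values modelled on the page's configuration (assumed):
# the subject/SAN names of wildcard-rado.net.crt and the two Apache vhosts.
WILDCARD_CERT_NAMES = ["*.rado.net"]
VHOSTS = {                           # ServerName -> DocumentRoot
    "vhost1.rado.net": "/var/www/vhost1",
    "vhost2.rado.net": "/var/www/vhost2",
}
# Apache answers a Host header that matches no ServerName with the first
# vhost it loaded; here that is vhost1 (assumed from a2ensite order).
DEFAULT_VHOST = "vhost1.rado.net"


def cert_covers(cert_names, hostname: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one leftmost label.

    '*.rado.net' covers vhost1.rado.net but neither rado.net (the apex)
    nor a.b.rado.net (two labels), which is a common surprise with wildcards.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # ".rado.net"
            left = host[:-len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:
                return True
        elif name == host:
            return True
    return False


def select_vhost(host_header: Optional[str]) -> str:
    """Mimic Apache name-based dispatch: drop the port, exact match, else default."""
    if not host_header:
        return DEFAULT_VHOST
    host = host_header.split(":")[0].lower().rstrip(".")
    return host if host in VHOSTS else DEFAULT_VHOST


def check_site(hostname: str) -> dict:
    """Deploy-time check for one site name: TLS name coverage at the F5 and
    a dedicated vhost on Apache (fell_to_default flags an unintended match)."""
    chosen = select_vhost(hostname)
    return {
        "cert_ok": cert_covers(WILDCARD_CERT_NAMES, hostname),
        "docroot": VHOSTS[chosen],
        "fell_to_default": chosen == DEFAULT_VHOST and hostname != DEFAULT_VHOST,
    }
```

Run check_site for every name you intend to publish; a result with fell_to_default set means the F5 will happily serve that name on the wildcard certificate while Apache quietly hands it vhost1's content.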