[CLUE-Tech] apache + ssl + web server cluster + one domain name=nightmare
Dave Anselmi
anselmi at americanisp.net
Mon Nov 26 16:38:50 MST 2001
Mike Staver wrote:
> I totally agree, I've spent over $3500 on this, and they told me that's
> how I had to do it. I thought there was a way to buy one cert, and have
> all 3 servers using it, but they said no. Obviously, they wanted to
> squeeze my company for all we're worth, so of course they would tell me
> that. There *should* be a free system, or cheaper. Like you said, they
> have a monopoly, it's not cool. Yeah, I've got the round robin working
> fine in bind, and the load balancing working great with cold fusion
> server 5.0, no problems there. It's just my apache config that's not
> working correctly. However, I DID get it to work by assigning the www2
> cert file under the <IfDefine HAVE_SSL> part. Then, I stuck the generic
> www cert virtual host down below. Don't ask me why this works, and it
> didn't work my other way, but I'm just happy it's working now!
Well, I'm glad you got it working. But I did something like this with only one
cert. We had 2 apache servers behind a Cisco Local Director (round robin load
balancer). We put our www cert on both web servers - as long as the clients ask
for www.* and the server cert is for www.*, no one's the wiser. I don't
remember now how much apache config hacking I did, but it was my first time to
set up SSL so it couldn't have been too hard.
Now getting it to work through a vpn that bypassed the load balancer, that I
didn't mess with (it only affected employees, not customers).
If you want me to dig up some config examples, let me know.
BTW, Verisign isn't quite a monopoly. The Department of Defense runs their own
cert hierarchy. You could sign your own certs. That would mean a warning
message in your customers' browsers, but if you made a prominent link they could
use to install your root cert, shouldn't be a problem. If your customers care
so much that you are who you say (most just ignore warnings, I think) you could
send them a nice marketing letter about how much you care about their security
and sorry for the inconvenience but the world is a better place thanks to their
cooperation...
Dave
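One way to confirm the arrangement Dave describes (every node behind the balancer presenting a certificate for the public www name, not its own www2-style name) is to connect to each node directly while sending and checking the public hostname, as a browser would. This is an added example, not code from the thread; the hostnames, backend addresses and the `getpeercert()`-style dicts in the comments and test are constructed.

```python
import socket
import ssl


def cert_dns_names(peercert):
    """DNS names a certificate covers, taken from the dict that
    ssl.SSLSocket.getpeercert() returns: subjectAltName DNS entries,
    falling back to the subject CN for older certificates."""
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match. A wildcard counts only as the whole
    leftmost label, so *.example.com covers www.example.com but not
    example.com or a.b.example.com; www.* is not a wildcard at all."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]


def cert_covers(peercert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(peercert))


def check_backends(public_host, backends, timeout=5.0):
    """Connect to each cluster node directly (constructed addresses) but
    present and check the PUBLIC name, as a browser asking for www.* would.
    The chain is still verified against the system CAs; the hostname check
    is done here so a node serving its own (e.g. www2) cert is reported by
    name.  Returns {(host, port): "ok" | "name mismatch: <names>" | error}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    results = {}
    for host, port in backends:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=public_host) as tls:
                    cert = tls.getpeercert()
                    if cert_covers(cert, public_host):
                        results[(host, port)] = "ok"
                    else:
                        results[(host, port)] = "name mismatch: " + ", ".join(cert_dns_names(cert))
        except (ssl.SSLError, OSError) as exc:
            results[(host, port)] = f"{type(exc).__name__}: {exc}"
    return results
```

Run it as `check_backends("www.example.com", [("10.0.0.11", 443), ("10.0.0.12", 443)])` against your own nodes; any entry other than "ok" is a node that clients reaching it through the balancer would get a warning from.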