[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Mike Staver staver at fimble.com
Mon Nov 26 16:50:45 MST 2001


Yeah, it turns out I didn't get it working :(  For load balancing, I'm
using cluster cats.  Now, I know it has something to do with cluster
cats because I *should* be able to use just one cert, but try this.  Go
to:

http://www.globaltaxnetwork.com

Cluster cats seems to be a dumb load balancer because it doesn't keep
the name www.  It auto points you to www1, www2, or www3.  This is
stupid I know, but apparently that's just the way it works.  Therefore,
I need 3 certs, one for each of the three names.  Then the fun part... if you
type in https://www.globaltaxnetwork.com, apache gets confused because
it's expecting a cert file for www while cluster cats is redirecting via
IP address - so apache just sees somebody coming in on the IP, so it
defaults to the www1, www2, or www3 cert.  The browser is still
expecting www, so you get the warning.  So, I just tried setting the
default to www and the name-specific cert to the numbered names.  Still
no go.  So, rather than using cluster cats, I'm about ready to use some
other kind of load balancer.  Problem is, I need these boxes to share
their Cold Fusion session variables, making cluster cats the only real
option I think.  And yes, I did sign temp certs for myself, but our
customers, not being very web-savvy, just your average Joe Blow trying to
get their taxes prepared, became confused.  They kept emailing and
calling us telling us our website isn't secure, not taking the time to
read the warning.  Which is still what's happening if somebody tries the
URL https://www.globaltaxnetwork.com.  So, this is more of a PR thing
for us, rather than functional.

Dave Anselmi wrote:
> 
> Mike Staver wrote:
> 
> > I totally agree, I've spent over $3500 on this, and they told me that's
> > how I had to do it.  I thought there was a way to buy one cert, and have
> > all 3 servers using it, but they said no.  Obviously, they wanted to
> > squeeze my company for all we're worth, so of course they would tell me
> > that.  There *should* be a free system, or cheaper.  Like you said, they
> > have a monopoly, it's not cool.  Yeah, I've got the round robin working
> > fine in bind, and the load balancing working great with Cold Fusion
> > Server 5.0, no problems there.  It's just my apache config that's not
> > working correctly. However, I DID get it to work by assigning the www2
> > cert file under the <IfDefine HAVE_SSL> part.  Then, I stuck the generic
> > www cert virtual host down below.  Don't ask me why this works, and it
> > didn't work my other way, but I'm just happy it's working now!
> 
> Well, I'm glad you got it working.  But I did something like this with only one
> cert.  We had 2 apache servers behind a Cisco Local Director (round robin load
> balancer).  We put our www cert on both web servers - as long as the clients ask
> for www.* and the server cert is for www.*, no one's the wiser.  I don't
> remember now how much apache config hacking I did, but it was my first time to
> set up SSL so it couldn't have been too hard.
> 
> Now getting it to work through a vpn that bypassed the load balancer, that I
> didn't mess with (it only affected employees, not customers).
> 
> If you want me to dig up some config examples, let me know.
> 
> BTW, Verisign isn't quite a monopoly.  The Department of Defense runs their own
> cert hierarchy.  You could sign your own certs.  That would mean a warning
> message in your customers' browsers, but if you made a prominent link they could
> use to install your root cert, shouldn't be a problem.  If your customers care
> so much that you are who you say (most just ignore warnings, I think) you could
> send them a nice marketing letter about how much you care about their security
> and sorry for the inconvenience but the world is a better place thanks to their
> cooperation...
> 
> Dave
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech

-- 

                                -Mike Staver
                                 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
                                 http://www.fimble.com/staver
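The "one www cert on every node" setup that Dave describes, written out as an Apache 1.3 / mod_ssl configuration. This is an added example, not a config from either poster or from the list; the node address 192.0.2.11, the DocumentRoot and the certificate paths are assumptions, and the <IfDefine HAVE_SSL> wrapper follows the directive named in Mike's earlier mail. The same file, with only the IP changed, goes on each of the three servers.

```apache
# Added example: one shared www certificate per cluster node.
# 192.0.2.11 is a placeholder for this node's address (assumption).
Listen 443

<IfDefine HAVE_SSL>
    # mod_ssl on Apache 1.3 picks the certificate by the IP/port the
    # connection arrived on, not by the name the browser asked for, so
    # the SSL vhost is IP-based and there is exactly one per node.
    # Every node serves the same www certificate; as long as the browser's
    # address bar still says www.globaltaxnetwork.com, the name matches.
    <VirtualHost 192.0.2.11:443>
        ServerName  www.globaltaxnetwork.com
        DocumentRoot /var/www/html                        # assumed path
        SSLEngine on
        # Identical cert/key files copied to www1, www2 and www3 (assumed paths)
        SSLCertificateFile    /etc/httpd/ssl/www.globaltaxnetwork.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/www.globaltaxnetwork.com.key
    </VirtualHost>
</IfDefine>
```

To confirm what a given node actually hands out, connect to its IP directly and read the subject of the certificate it presents: openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject. Two caveats follow from the thread itself: this only avoids the browser warning while the client keeps asking for www, so a balancer that sends the browser on to www1.globaltaxnetwork.com will still produce a mismatch against a www certificate; and copying one key pair to three boxes means the private key now lives on all three, so each copy needs the same file permissions and handling as the original.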