[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Dave Anselmi anselmi at americanisp.net
Mon Nov 26 17:54:25 MST 2001


Mike Staver wrote:

> Yeah, it turns out I didn't get it working :(  For load balancing, I'm
> using cluster cats.  Now, I know it has something to do with cluster
> cats because I *should* be able to use just one cert, but try this.  Go
> to:

Yes, I see what you mean.

> Cluster cats seems to be a dumb load balancer because it doesn't keep
> the name www.  It auto points you to www1, www2, or www3.  This is
> stupid I know, but apparently that's just the way it works.  Therefore,
> I need 3 certs, one for all three names.  Then the fun part.... if you
> type in https://www.globaltaxnetwork.com, apache gets confused because
> it's expecting a cert file for www while cluster cats is redirecting via
> ip address - so apache just sees somebody coming in on the ip, so it
> defaults to the www1, www2, or www3 cert.

Now wait, is cc changing the IP address, the server name (in the http header), or
both?  The Cisco I used only changed the IP.  We only had one virtual host section,
like this:

<VirtualHost _default_:443>

This is where most of the SSL stuff went.  We also only put one cert on the machine,
so it couldn't get confused.  I think each web server knew its own name - they didn't
care if they got requests for a different server name.  I could be wrong, and we
weren't doing anything fancy - just one apache to answer on ports 80 and 443.  Now our
machines did have more than one IP (and sometimes more than one nic), so we had to
tell apache it could only listen to one IP (using the bind and listen directives).

> Problem is, I need these boxes to share their cold fusion session variables, making
> cluster cats the only real
> option I think.

Well, I don't know.  Our Cisco maintained sessions at the IP level - if a packet came
in and went to server A, all future packets from the same place would go to server A
until there was enough inactivity to remove the entry.  We had a tomcat (Java) servlet
engine behind that - it kept track of sessions using cookies.  The web servers didn't
share session variables.  So the Cisco had to keep the sessions from switching between
servers.  It did, but it didn't know anything more than the IP stuff.

I'm pretty sure that you could use something like Cisco's Local Director.  But that's
pretty expensive.  I just looked at the Linux Adv Routing HOWTO - seems that you could
do a lot with a Linux box, though I didn't see anything about maintaining sessions
like the Cisco did.

I also heard that apache could do some load balancing by itself.  Never tried it, so I
don't know whether it would do what you want or not.

Can you try simplifying your config?  If you aren't using these servers for other
(virtual) web sites, maybe you can get them to work by not telling them any more than
they need to know.

Dave
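
Added example (not part of Dave's message or the list archive): a small Python check of the certificate name matching behind the symptoms discussed in this thread. It compares a balancer that rewrites only the destination IP with one that sends the browser to www1, www2 or www3. The example.com hostnames and all function names are constructed for illustration.

```python
# Added illustration; the example.com hostnames are constructed stand-ins.

def name_matches(pattern, host):
    """Match one certificate name against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and needs
        # at least two labels after it ("*.com" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)


def mismatches(backend_certs, public_name, mode):
    """List (backend, name the browser checks) pairs that fail validation.

    mode "ip_only":  balancer rewrites only the destination IP, so the
                     browser still validates against public_name.
    mode "redirect": balancer sends the browser to the backend's own name.
    """
    bad = []
    for backend, names in sorted(backend_certs.items()):
        checked = public_name if mode == "ip_only" else backend
        if not cert_covers(names, checked):
            bad.append((backend, checked))
    return bad


PUBLIC = "www.example.com"
BACKENDS = ["www1.example.com", "www2.example.com", "www3.example.com"]
ONE_CERT = {b: [PUBLIC] for b in BACKENDS}   # same cert on every box
PER_HOST = {b: [b] for b in BACKENDS}        # one cert per backend name

if __name__ == "__main__":
    for label, certs in (("one cert", ONE_CERT), ("per-host certs", PER_HOST)):
        for mode in ("ip_only", "redirect"):
            print(label, mode, mismatches(certs, PUBLIC, mode))
```

A single certificate validates only while the browser keeps the public name, and per-host certificates validate only once the browser has been sent to a backend name, which are the two setups compared in the thread.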




