[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Mike Staver staver at fimble.com
Mon Nov 26 19:27:44 MST 2001


> > Cluster cats seems to be a dumb load balancer because it doesn't keep
> > the name www.  It auto points you to www1, www2, or www3.  This is
> > stupid I know, but apparently that's just the way it works.  Therefore,
> > I need 3 certs, one for all three names.  Then the fun part.... if you
> > type in https://www.globaltaxnetwork.com, apache gets confused because
> > it's expecting a cert file for www while cluster cats is redirecting via
> > ip address - so apache just sees somebody coming in on the ip, so it
> > defaults to the www1, www2, or www3 cert.
> 
> Now wait, is cc changing the IP address, the server name (in the http header), or
> both?  The Cisco I used only changed the IP.  We only had one virtual host section,
> like this:

Yes, CC is changing the address for me.  I have absolutely no control
whether this happens or not, it sucks :(  Therefore, I *have* to have
certs for each domain name... www1, www2, and www3.  If the user enters
the site via http, I use some code:

<cfif session.start_ssl eq 1>
        <!--- If we came to this page via http --->
        <CFIF CGI.SERVER_PORT EQ 80>
            <!--- Rebuild the URL --->
            <CFSET cURL="https://" & CGI.SERVER_NAME & CGI.SCRIPT_NAME>
            <!--- and call the page again using httpS --->
            <CFLOCATION URL="#cURL#">
        </CFIF>
</cfif>

This just sends the user to an ssl page on the local server, let's just
say that it's www2, and makes the login secure.  Since CC flips the user
over to the address, and doesn't keep them at www, I have no choice but
to set up virtual hosts so that I have a www2 and www cert on one box. 
Granted, I've never been able to get CC to allow me to use the www cert
:) 

> > Problem is, I need these boxes to share their cold fusion session variables,
> > making cluster cats the only real option I think.
> 
> Well, I don't know.  Our Cisco maintained sessions at the IP level - if a packet came
> in and went to server A, all future packets from the same place would go to server A
> until there was enough inactivity to remove the entry.  We had a tomcat (Java) servlet
> engine behind that - it kept track of sessions using cookies.  The web servers didn't
> share session variables.  So the Cisco had to keep the sessions from switching between
> servers.  It did, but it didn't know anything more than the IP stuff.

Yeah, unfortunately, we're talking about cold fusion specific variables
here.  Like in my above code, the session.ssl variable I created.  I
just set it to 1 or 0 depending on the server I'm working on (test or
production).  Cluster cats somehow keeps track of all these variables in
case one box dies on me.  

> Can you try simplifying your config?  If you aren't using these servers for other
> (virtual) web sites, maybe you can get them to work by not telling them any more than
> they need to know.

Yeah, I swear that they are set up for one purpose only - to run
www.globaltaxnetwork.com.  cluster cats uses so much ram, I couldn't
allow them to do anything else efficiently :)  The only virtual hosts it
has are for port 80, 443, and the 443 problem - so I have a total of 3
hosts, the minimum number I must have.

-- 

                                -Mike Staver
                                 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
                                 http://www.fimble.com/staver
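
Added example, not part of the original post: a small Python check of the mismatch described above, where the server picks the certificate from the IP and port the connection lands on rather than from the name the user typed. The full www2 hostname, the 192.0.2.12 address and the vhost tuples are constructed for illustration.

```python
# Added example: hostnames, IPs and certificate contents below are constructed.

def name_matches(pattern, host):
    """Certificate name check: case-insensitive; '*' may only replace the
    whole left-most label and never spans more than one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def served_cert(vhosts, ip, port):
    """Without SNI the server knows only ip:port when the TLS handshake
    starts, so the first virtual host bound to that endpoint supplies the
    certificate, whatever name the user typed."""
    for bind_ip, bind_port, cert_names in vhosts:
        if (bind_ip, bind_port) == (ip, port):
            return cert_names
    return None


def audit(vhosts, reachable):
    """reachable: (hostname typed, ip the connection lands on) pairs.
    Returns the pairs for which the browser would show a name mismatch."""
    failures = []
    for host, ip in reachable:
        names = served_cert(vhosts, ip, 443)
        if names is None or not any(name_matches(n, host) for n in names):
            failures.append((host, ip, names))
    return failures


# Constructed layout: one node of the cluster, reached under two names.
NODE2 = "192.0.2.12"
REACHABLE = [("www2.globaltaxnetwork.com", NODE2),
             ("www.globaltaxnetwork.com", NODE2)]

# Two SSL vhosts bound to the same IP: the second certificate is never served.
SHARED_IP = [(NODE2, 443, ["www2.globaltaxnetwork.com"]),
             (NODE2, 443, ["www.globaltaxnetwork.com"])]

# One certificate that lists both names on the same endpoint.
BOTH_NAMES = [(NODE2, 443, ["www2.globaltaxnetwork.com",
                            "www.globaltaxnetwork.com"])]

if __name__ == "__main__":
    print(audit(SHARED_IP, REACHABLE))
    print(audit(BOTH_NAMES, REACHABLE))
```

Giving the www certificate its own IP address on the box, instead of sharing one, passes the same audit.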


