[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Dave Anselmi anselmi at americanisp.net
Tue Nov 27 10:39:25 MST 2001


Mike Staver wrote:

> Yes, CC is changing the address for me.  I have absolutely no control
> whether this happens or not, it sucks :(  Therefore, I *have* to have
> certs for each domain name... www1, www2, and www3.  If the user enters
> the site via http, I use some code:

Hmm...  Apache doesn't care what server you ask for.  If you point DNS so that www, xxx, and
yyy go to the same IP, Apache will answer the same way to all of them (or differently if you
do virtual hosts).  The only problem will be if the server name has an underscore in it -
then Apache complains.

I'm curious how the URL is changed.  I seem to get the cert before it changes, and I don't
get any warnings about being redirected to a different site.  If Apache is involved in the
change, it might be possible to adjust it.

I assume that CC is running on the Apache boxes, not a separate load balancer.  Does it run
on all 3 web servers?  Does CC have sticky sessions?  That's what Cisco called it when they
would switch a client to the same server for some period of time.  You can use that to get
around needing to share session variables (though there is a downside in reliability).

How does CC share the session variables?  Is there some server-to-server channel?

> <cfif session.start_ssl eq 1>
>         <!--- If we came to this page via http --->
>         <CFIF CGI.SERVER_PORT EQ 80>
>             <!--- Rebuild the URL --->
>             <CFSET cURL="https://" & CGI.SERVER_NAME & CGI.SCRIPT_NAME>
>             <!--- and call the page again using httpS --->
>             <CFLOCATION URL="#cURL#">
>         </CFIF>
> </cfif>
>
> This just sends the user to an ssl page on the local server, let's just
> say that it's www2, and makes the login secure.  Since CC flips the user
> over to the address, and doesn't keep them at www, I have no choice but
> to set up virtual hosts so that I have a www2 and www cert on one box.
> Granted, I've never been able to get CC to allow me to use the www cert
> :)

Doesn't this solve your problem?  If the user comes in to port 80, and you redirect them to
www2 port 443, then they get the cert that matches the name, right?  Likewise, if they come
to port 443 originally, can't you check if they asked for www and redirect them to www2?
Maybe redirecting causes a similar warning.

Dave
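
Added example (not part of the original message and not code from either poster): a small Python model of the redirect question in the last paragraph above. The TLS handshake completes before any HTTP response, so the certificate is checked against the name the client asked for before a redirect can be delivered. Assumptions: the example.com hostnames, certificate tables and redirect table are constructed, and the wildcard matching goes beyond what the thread discusses.

```python
# Added example: models which hops of a redirect chain trigger a certificate
# name warning. Hostnames, certs and redirect rules below are constructed.

def name_matches(host, pattern):
    """Match host against a cert name; '*' covers exactly one leftmost label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def walk(start, certs, redirects, max_hops=5):
    """Follow redirects from (scheme, host); return [(scheme, host, status)].

    status is 'plain' for http, 'ok' or 'MISMATCH' for https. The cert is
    checked for every https hop before that hop's redirect is followed,
    mirroring the order a browser sees things in.
    """
    hops, cur = [], start
    for _ in range(max_hops):
        scheme, host = cur
        if scheme == "https":
            ok = any(name_matches(host, n) for n in certs.get(host, []))
            hops.append((scheme, host, "ok" if ok else "MISMATCH"))
        else:
            hops.append((scheme, host, "plain"))
        if cur not in redirects:
            break
        cur = redirects[cur]
    return hops

# Constructed case 1: port 443 answers for both names with the www2 cert only.
CERTS_SINGLE = {"www.example.com": ["www2.example.com"],
                "www2.example.com": ["www2.example.com"]}
# Constructed case 2: one cert per name (e.g. separate IP-based virtual hosts).
CERTS_PER_NAME = {"www.example.com": ["www.example.com"],
                  "www2.example.com": ["www2.example.com"]}
# Constructed redirect rules: both entry points send the user to https://www2.
REDIRECTS = {
    ("http", "www.example.com"): ("https", "www2.example.com"),
    ("https", "www.example.com"): ("https", "www2.example.com"),
}

if __name__ == "__main__":
    for label, certs in (("single cert", CERTS_SINGLE), ("cert per name", CERTS_PER_NAME)):
        for start in (("http", "www.example.com"), ("https", "www.example.com")):
            print(label, start, walk(start, certs, REDIRECTS))
```

In this model, entering on port 80 and being redirected to www2 on 443 is clean, while entering on https://www with only the www2 cert installed is flagged at the first hop, before the redirect is followed.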




