Mailing List Archive

About Apache-SSL configuration
Hi All,

I am trying to set up https load balancing
using Apache/1.3.26 Ben-SSL/1.48 (Unix) mod_backhand/1.2.1.

-----------------------------------------
Figure 1:
Client ------> Server1 -----> Server2
      https(443)     https(443)
-----------------------------------------

At first, I tried to configure it as in Figure 1,
but I failed because of the following errors:

http error log:
[Fri Sep 10 21:30:12 2004] [error] SSL_accept failed
[Fri Sep 10 21:30:12 2004] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request


Then I attempted Figure 2.
-----------------------------------------
Figure 2:
Client ------> Server1 -----> Server2
      https(443)     http(8081)
-----------------------------------------

To achieve Figure 2, I configured the backhand module
as follows and tested it.
The test results looked fine.

But I still can't figure out the typical configuration
of the backhand module when using https.

I would be grateful if anyone could explain the typical configuration.
Is the following configuration correct for https settings?

@@@@@@ httpsd.conf of Server 1 @@@@@
Listen 443
Listen 8081
:
:
<Directory "/opt/FLIGHTssl/httpsd/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    Backhand byRandom
    Backhand byAge
    Backhand byLoad
</Directory>
:
:
<IfModule mod_backhand.c>
    UnixSocketDir /opt/FLIGHTssl/httpsd/backhand
    MulticastStats 192.168.aaa.255:4446
    AcceptStats 192.168.aaa.0/24
    <Location "/LoadBalanceMonitor/">
        SetHandler backhand-handler
    </Location>
</IfModule>
:
:
<IfModule mod_alias.c>
    ScriptAlias /cgi-bin/ "/opt/FLIGHTssl/httpsd/cgi-bin/"
    <Directory "/opt/FLIGHTssl/httpsd/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
        Backhand byRandom
        Backhand byAge
        Backhand byLoad
    </Directory>
</IfModule>
:
:
<VirtualHost _default_:8081>
    SSLDisable
</VirtualHost>
<VirtualHost _default_:443>
    SSLCACertificatePath /opt/FLIGHTssl/httpsd/ssl
    SSLCACertificateFile /opt/FLIGHTssl/httpsd/ssl/server.cert
    SSLCertificateFile /opt/FLIGHTssl/httpsd/ssl/server.cert
    SSLCertificateKeyFile /opt/FLIGHTssl/httpsd/ssl/secret-key.pem
    SSLVerifyClient 0
    SSLVerifyDepth 10
    SSLFakeBasicAuth
    DocumentRoot /opt/FLIGHTssl/httpsd/htdocs
</VirtualHost>
@@@@@@ end httpsd.conf of Server 1 @@@@@


@@@@@ httpsd.conf of Server2 @@@@@
Listen 443
Listen 8081
:
:
<Directory "/opt/FLIGHTssl/httpsd/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
:
:
<IfModule mod_backhand.c>
    UnixSocketDir /opt/FLIGHTssl/httpsd/backhand
    MulticastStats 192.168.aaa.255:4446
    AcceptStats 192.168.aaa.0/24
    <Location "/LoadBalanceMonitor/">
        SetHandler backhand-handler
    </Location>
</IfModule>
:
:
<IfModule mod_alias.c>
    ScriptAlias /cgi-bin/ "/opt/FLIGHTssl/httpsd/cgi-bin/"
    <Directory "/opt/FLIGHTssl/httpsd/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
:
:
<VirtualHost _default_:8081>
    SSLDisable
</VirtualHost>
<VirtualHost _default_:443>
    SSLCACertificatePath /opt/FLIGHTssl/httpsd/ssl
    SSLCACertificateFile /opt/FLIGHTssl/httpsd/ssl/server.cert
    SSLCertificateFile /opt/FLIGHTssl/httpsd/ssl/server.cert
    SSLCertificateKeyFile /opt/FLIGHTssl/httpsd/ssl/secret-key.pem
    SSLVerifyClient 0
    SSLVerifyDepth 10
    SSLFakeBasicAuth
    DocumentRoot /opt/FLIGHTssl/httpsd/htdocs
</VirtualHost>
@@@@@ end httpsd.conf of Server2 @@@@@


Kind Regards.

------------------------
Hajime Hoshi System Consultant
FLIGHT System Consulting Inc. ( mailto: hhoshi@flight.co.jp )



_______________________________________________
backhand-users mailing list
backhand-users@lists.backhand.org
http://lists.backhand.org/mailman/listinfo/backhand-users
Re: About Apache-SSL configuration
Hajime Hoshi wrote:

>Hi All,
>
>I am trying to set up https load balancing
>using Apache/1.3.26 Ben-SSL/1.48 (Unix) mod_backhand/1.2.1.
>
>-----------------------------------------
>Figure 1:
> Client ------> Server1 -----> Server2
>       https(443)     https(443)
>-----------------------------------------
>
>At first, I tried to configure it as in Figure 1,
>but I failed because of the following errors:
>
>http error log:
>[Fri Sep 10 21:30:12 2004] [error] SSL_accept failed
>[Fri Sep 10 21:30:12 2004] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
>
>
>Then I attempted Figure 2.
>-----------------------------------------
>Figure 2:
> Client ------> Server1 -----> Server2
>       https(443)     http(8081)
>
>
Figure 1 isn't supported in the public mod_backhand.

We did implement this for a client, and I believe they are in the
process of deciding whether to push the implementation changes back into
the community.

Figure 2 is the typical approach (as it is much much cheaper). As you
own both endpoints, securing communication between the two servers
would be better done using IPsec.

Check the /backhand/ page to make sure that the servers believe they are
advertising the correct ports (IP:8081). If they are not, then flip the
Listen lines or provide the IP:port explicitly using the 3
arg version of MulticastStats.

Also, make sure you can get to http://ip:8081/ using your browser.

--
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth
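
Added example (not part of the thread, and not mod_backhand code): a small check of a backend's httpsd.conf for the Figure 2 setup. It assumes, as the reply's advice to flip the Listen lines implies, that the first Listen port is the one advertised to peers, and that a port is plain HTTP only when its VirtualHost contains SSLDisable; all function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the Server2 config from the thread.
SAMPLE_CONF = """\
Listen 443
Listen 8081
<VirtualHost _default_:8081>
SSLDisable
</VirtualHost>
<VirtualHost _default_:443>
SSLCertificateFile /opt/FLIGHTssl/httpsd/ssl/server.cert
</VirtualHost>
"""

def listen_ports(conf):
    """Listen ports in file order ('Listen 8081' or 'Listen ip:8081')."""
    ports = []
    for line in conf.splitlines():
        m = re.match(r"\s*Listen\s+(?:\S+:)?(\d+)\s*$", line, re.I)
        if m:
            ports.append(int(m.group(1)))
    return ports

def plain_http_ports(conf):
    """Ports whose <VirtualHost> block contains SSLDisable."""
    plain, current = set(), None
    for line in conf.splitlines():
        s = line.strip()
        m = re.match(r"<VirtualHost\s+\S*?:(\d+)\s*>", s, re.I)
        if m:
            current = int(m.group(1))
        elif s.lower() == "</virtualhost>":
            current = None
        elif current is not None and s.lower() == "ssldisable":
            plain.add(current)
    return plain

def check_backend(conf):
    """Return (first_listen_port, ok, message) for a backend config."""
    ports = listen_ports(conf)
    if not ports:
        return None, False, "no Listen directive found"
    first = ports[0]  # assumption: this is the port advertised to peers
    if first in plain_http_ports(conf):
        return first, True, "first Listen port %d is plain HTTP" % first
    return first, False, ("first Listen port %d speaks SSL; plain HTTP sent to it "
                          "fails with SSL23_GET_CLIENT_HELLO:http request" % first)
```

Run on the sample, check_backend() reports port 443 as the problem; with the two Listen lines swapped it passes on 8081.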

