Saturday, March 30, 2013

How to host 2 ssl sites on a single public IP on F5 load balancer

As the pool of free IPv4 addresses shrinks, it is important to manage the public IPs we already have efficiently. One option is SSL offloading: terminate SSL on the load balancer with a wildcard certificate and host multiple HTTPS sites on a single public IP.

The core of this solution is the load balancer configuration and the vhost settings on your servers. The load balancer decrypts the traffic and forwards plain HTTP to the pool; the server reads the HTTP Host header and, based on it, decides which site the user is trying to access. Two things to keep in mind: the leg between the F5 and the servers is plain HTTP on port 80, so it has to run over a network you trust, and every site served from the wildcard certificate shares the same private key, so a compromise of one site's key is a compromise of all of them.

Problem

How to configure the servers and the load balancer to host two SSL sites on a single public IP.

Analysis and example configuration
  • Example F5 configuration
For SSL to work we need a wildcard certificate, one whose CN matches every hostname we are going to serve (here *.rado.net).
We have to import the certificate and key into the F5 and create a client-side SSL profile.

Example wildcard certificate:
 
# openssl x509 -in /var/tmp/wildcard.rado.net.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:9c:4a:4b:11:11:bc
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=111111
        Validity
            Not Before: Nov 21 11:57:16 2012 GMT
            Not After : Nov 20 09:31:37 2013 GMT
        Subject: O=*.rado.net, OU=Domain Control Validated, CN=*.rado.net
        ....
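The wildcard in the CN is what lets a single certificate cover both vhost1.rado.net and vhost2.rado.net, but it only matches one DNS label, so rado.net itself or a.b.rado.net would not be covered. The check below is an added example, not code from the original post: it parses the `openssl x509 -text` excerpt above (embedded as a constructed sample), lifts out the CN and the validity window, and reports for each planned vhost name whether the certificate will do, applying the RFC 6125 rule that `*` must be the whole leftmost label and matches exactly one label. It assumes the CN is the only name in the certificate; a full client check would prefer subjectAltName dNSName entries, which the excerpt on the page truncates.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the `openssl x509 -text` excerpt shown in the post (truncated as on the page).
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:9c:4a:4b:11:11:bc
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Secure Certification Authority/serialNumber=111111
        Validity
            Not Before: Nov 21 11:57:16 2012 GMT
            Not After : Nov 20 09:31:37 2013 GMT
        Subject: O=*.rado.net, OU=Domain Control Validated, CN=*.rado.net
"""


def _parse_openssl_time(s):
    """openssl prints e.g. 'Nov  5 09:31:37 2013 GMT' (day padded with a space)."""
    s = " ".join(s.split())
    if not s.endswith(" GMT"):
        raise ValueError("unexpected time format: %r" % s)
    return datetime.strptime(s[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Pull the Subject CN and the validity window out of `openssl x509 -text` output."""
    cn = re.search(r"^\s*Subject:.*?CN=([^,/\n]+)", text, re.M)
    nb = re.search(r"Not Before:\s*(.+?)\s*$", text, re.M)
    na = re.search(r"Not After\s*:\s*(.+?)\s*$", text, re.M)
    if not (cn and nb and na):
        raise ValueError("could not find Subject CN / Validity in openssl output")
    return {"cn": cn.group(1).strip(),
            "not_before": _parse_openssl_time(nb.group(1)),
            "not_after": _parse_openssl_time(na.group(1))}


def wildcard_matches(pattern, hostname):
    """RFC 6125 style: '*' must be the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Reject partial wildcards (v*.rado.net), wildcards past the first label,
    # and over-broad patterns such as *.net (at least two fixed labels must follow).
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    # Same label count: rado.net and a.b.rado.net are both outside *.rado.net.
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return hlabels[1:] == plabels[1:]


def check_vhosts(cert_text, hostnames, now=None):
    """Map each planned vhost name to 'ok' or the reason the certificate will not do."""
    info = parse_cert_text(cert_text)
    now = now or datetime.now(timezone.utc)
    results = {}
    for h in hostnames:
        if not info["not_before"] <= now <= info["not_after"]:
            results[h] = "certificate not valid at %s" % now.date()
        elif not wildcard_matches(info["cn"], h):
            results[h] = "not covered by CN %s" % info["cn"]
        else:
            results[h] = "ok"
    return results


if __name__ == "__main__":
    when = datetime(2013, 3, 30, tzinfo=timezone.utc)  # the date of the post
    planned = ["vhost1.rado.net", "vhost2.rado.net", "rado.net",
               "www.vhost1.rado.net", "vhost1.rado.net.example.com"]
    for name, verdict in check_vhosts(CERT_TEXT, planned, when).items():
        print("%-32s %s" % (name, verdict))
```

Run it against the output of `openssl x509 -in <cert> -noout -text` before importing the certificate into the F5; anything other than `ok` for a planned vhost means a client will get a name mismatch (or an expired certificate) even though the F5 itself will happily serve it.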

SSL profile:
 
# tmsh list ltm profile client-ssl  wildcard-client-ssl-profile
ltm profile client-ssl wildcard-client-ssl-profile {
    cert wildcard-rado.net.crt
    chain CA.crt
    defaults-from clientssl
    key wildcard-rado.net.key
}

Virtual server to terminate SSL and load balance the traffic:
 
# tmsh list ltm virtual VS-1.1.1.1-443
ltm virtual VS-1.1.1.1-443 {
    destination 192.168.99.68:https
    ip-protocol tcp
    mask 255.255.255.255
    pool POOL-192.168.99.68-80
    profiles {
        http { }
        tcp { }
        wildcard-client-ssl-profile {
            context clientside
        }
    }
}

Servers where the traffic is going to be load balanced:
 
# tmsh list ltm pool POOL-192.168.99.68-80
ltm pool POOL-192.168.99.68-80 {
    load-balancing-mode least-connections-member
    members {
        10.177.1.1:http {
            session monitor-enabled
        }
        10.177.1.2:http {
            session monitor-enabled
        }
    }
    monitor http
}
  • Apache configuration on one of the servers

    This is a simple example configuration for the http server.
     
    # cat vhost1.conf
    <VirtualHost *:80>
            ServerName vhost1.rado.net
            DocumentRoot /var/www/vhost1
    </VirtualHost>
    
    # cat vhost2.conf
    <VirtualHost *:80>
            ServerName vhost2.rado.net
            DocumentRoot /var/www/vhost2
    </VirtualHost>
    
    # cat /var/www/vhost1/index.html
    <html><body><h1>It works!</h1>
    <p>
    This is VHOST 1
    </p>
    </body></html>
    
    # a2ensite vhost1.conf 
    # a2ensite vhost2.conf 
    
    # service apache2 reload
    

    A quick local test on the server will confirm whether the config is correct. The request goes straight to Apache on port 80 with the Host header set by hand, which is exactly what the server sees once the F5 has terminated SSL and forwarded the request:
     
    # curl -v -H "Host: vhost1.rado.net" http://5.1.1.1
    * About to connect() to 5.1.1.1 port 80 (#0)
    *   Trying 5.1.1.1... connected
    > GET / HTTP/1.1
    > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
    > Accept: */*
    > Host: vhost1.rado.net
    >
    < HTTP/1.1 200 OK
    < Date: Sat, 30 Mar 2013 23:42:20 GMT
    < Server: Apache/2.2.22 (Ubuntu)
    < Last-Modified: Sat, 30 Mar 2013 23:19:21 GMT
    < ETag: "b46bb-47-4d92c9e17f040"
    < Accept-Ranges: bytes
    < Content-Length: 71
    < Vary: Accept-Encoding
    < Content-Type: text/html
    <
    <html><body><h1>It works!</h1>
    <p>
    This is VHOST 1
    </p>
    </body></html>
    * Connection #0 to host 5.1.1.1 left intact
    * Closing connection #0
    
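To see the Host-header dispatch, and its failure mode, without a second machine, here is an added example that is not code from the original post: a small Python stand-in for the two Apache vhosts above, started on a loopback port and queried the way the curl test does it. The `X-Served-Vhost` response header is an assumption added for the demo so the caller can see which vhost answered. Note what happens to a request whose Host matches nothing, or that carries no Host at all: like Apache, which answers with the first <VirtualHost> defined for the address, the stand-in falls back to the first site. Behind the F5 that means a monitor or a scanner hitting the IP directly lands on vhost1, which is why a separate default vhost is worth defining when one of the real sites should not be reachable that way.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the two Apache vhosts on the page. The first entry is the
# default, as in Apache, which serves the first <VirtualHost> when no ServerName matches.
VHOSTS = {
    "vhost1.rado.net": "<html><body><h1>It works!</h1><p>This is VHOST 1</p></body></html>",
    "vhost2.rado.net": "<html><body><h1>It works!</h1><p>This is VHOST 2</p></body></html>",
}
DEFAULT_VHOST = next(iter(VHOSTS))


def select_vhost(host_header):
    """Name-based virtual hosting: pick the site from the Host header (port stripped, case-folded)."""
    if not host_header:
        return DEFAULT_VHOST
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return name if name in VHOSTS else DEFAULT_VHOST


class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        site = select_vhost(self.headers.get("Host"))
        body = VHOSTS[site].encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Served-Vhost", site)  # assumed header, for the demo only
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the stand-in on an ephemeral loopback port; caller reads server_address[1]."""
    srv = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, host_header):
    """Equivalent of `curl -H "Host: ..." http://127.0.0.1:PORT/`; returns (served vhost, body).
    host_header=None sends a request with no Host header at all."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    if host_header is not None:
        conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode()
    served = resp.getheader("X-Served-Vhost")
    conn.close()
    return served, body


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for host in ["vhost1.rado.net", "VHOST2.rado.net:80", "unknown.rado.net", None]:
        print("Host: %-20s -> served by %s" % (host, fetch(port, host)[0]))
    srv.shutdown()
```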
