Here are the <hickups> in the plan so far...see below.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
Sent: Monday, June 25, 2001 1:29 AM
To: Orion-Interest
Subject: RE: clustering + ssl together


Greg,

I am doing this now, so I will get back to the list when I am finished. This
is my working plan:

1. there are two loadbalancers instances, one for http and one for https.
These can be on the same machine or separate machines.

<hickup>

At one level this works, but you have to set the minimumIsland/maximumIsland
so that each respective loadbalancer picks up either the https island or the
http island. However, https connections do not work. It could be because of
this blurb in the load-balancer.xml description:

secure - Whether or not to use SSL. The default is false. SSL is only used
when using session (not IP) based balancing and the backend and the site is
using SSL. If you specify the balancer to use SSL then the backend servers
will not (the balancer converts to HTTP, ie contains the SSL layer). Note
that this puts the strain of decoding the SSL on the balancer.

I'm sorry, but does this say that we have the option of NOT using SSL for
the balancer, but using it for the backend? Or if we use SSL for the
balancer, SSL isn't used on the backend (and thus we have to strip all of
the SSL configuration from the backend)?

</hickup>


2. the ports for your web-sites can be different from your loadbalancer(s)
port. This allows you to have the loadbalancer and an orion instance on the
same machine, for example. Or the ports can be the same, in which case the
loadbalancer(s) has to be on a different machine.

<hickup>

Since web-sites are load-balanced (not applications), it's important that
each *web-site.xml which you use have its own island. This is done by
setting the cluster-island attribute in the web-site tag. See above for
reference to min/max island ids for the loadbalancer. The port bit seems to
work. That is, the http web-site had a port of 10180, and the http
loadbalancer listened on port 80. This was no problem. So if you want to
have the loadbalancer and web-site on the same ip address, you will need to
set the website port to something else so they don't conflict.

</hickup>

3. the same rules apply for the loadbalancer as orion for unix machines. You
need to use some port forwarding, like ipchains, if you want to run the
loadbalancer on a user account which is not the superuser. This applies also
for the ssl port. (skip 3 if you are using m$ or don't care)
4. the ssl setup in the load-balancer.xml (see the ssl-config tag in the
load-balancer.xml documentation) is the same as the secure-web-site.xml, but
you will have to set the secure flag in the load-balancer tag. Obviously,
this means you will need a keystore for the loadbalancer, and a keystore for
the backend for total secure communication. I believe that the communication
to the backend is transparent to the user, so you can self certify that
connection, irregardless of what those guys at verisign say.
5. you can skip all of this and use apache for ssl (interesting, but slow).
This is what oracle advises, because they can't figure out orion, or they
have so much invested in the "apache/oracle" solution.

<hickup>

 This option is looking better and better.

</hickup>

I'm testing this now, as soon as I get through the hickups, I will let the
list know.

regards,

the elephantwalker


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
Sent: Sunday, June 24, 2001 3:02 PM
To: Orion-Interest
Subject: clustering + ssl together
dear all,

there has been a recent post on this but no solution posted.
i've got some more info on the problem.

can the developers of orion or anyone else let me know
if anyone has successfully set up an ssl orion cluster?

i can:
- set up clustering
- set up ssl

...but not both together.

some clues.

1. on orionserver.com there is doco for load-balancer.xml that
    suggests loadbalancer.jar can be given SSL keystore information.
    does this mean that a clustered SSL setup requires loadbalancer
    to share the same keystore as each box in the cluster?

2. how do you set the web-site.xml for a clustered secure app.

    you can't have both the loadbalancer + your secure app
    both running on port 443 on the same box, so what do you
    do?
        i) run loadbalancer on another port?
        ii) run your app on another port?
            - the orion doco says that when your app needs to
              be made secure you should add a secure="true"
              attribute to the web-site element of the web-site.xml
              plus remove the port attribute.

if someone has made this work i'd be grateful for any information,
or if you couldn't be bothered explaining how to do it, just maybe
forward me your server.xml, loadbalancer.xml, web-site.xml and
i'll work it out from that.

thanks.
greg.
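The two messages above boil down to a handful of constraints: one balancer per island window, one island per web-site, distinct ip:port pairs when balancer and backend share a box, root or port forwarding for privileged ports on unix, and (per the load-balancer.xml blurb quoted in the first message) SSL ending at a secure balancer with plain HTTP to the backends. The following is an added example, not code from this thread or from Orion, that checks a plan against those constraints before anything is deployed. The class names, the `check_plan` function, the 192.0.2.10 address and the 10443 port are assumptions made for the example; the 80/10180 pairing is the one reported in the thread.

```python
# Added example: a consistency check for the "two balancers, separate islands,
# separate ports" plan discussed in the thread. Not part of Orion or the thread;
# names and sample values are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Tuple

PRIVILEGED_PORT_LIMIT = 1024  # on unix, binding below this needs root or port forwarding


@dataclass
class WebSite:
    name: str
    host: str
    port: int
    cluster_island: int   # the cluster-island attribute of the web-site tag
    secure: bool = False  # secure="true" in the web-site tag


@dataclass
class Balancer:
    name: str
    host: str
    port: int
    island_range: Tuple[int, int]  # min/max island ids this balancer picks up
    secure: bool = False           # the secure flag in the load-balancer tag
    runs_as_root: bool = True


def check_plan(sites: List[WebSite], balancers: List[Balancer]):
    """Return (errors, notes): errors break the plan, notes are security-relevant facts."""
    errors, notes = [], []

    # Distinct ip:port per listener, whether balancer or web-site (point 2 of the plan).
    bound = {}
    for listener in [*sites, *balancers]:
        key = (listener.host, listener.port)
        if key in bound:
            errors.append(f"port clash: {listener.name} and {bound[key]} both bind {key[0]}:{key[1]}")
        bound[key] = listener.name

    # Each web-site needs its own cluster-island (second hickup).
    seen = {}
    for site in sites:
        if site.cluster_island in seen:
            errors.append(f"island {site.cluster_island} shared by {site.name} and {seen[site.cluster_island]}")
        seen[site.cluster_island] = site.name

    # Each island must fall inside exactly one balancer's min/max window (first hickup).
    for site in sites:
        owners = [b.name for b in balancers
                  if b.island_range[0] <= site.cluster_island <= b.island_range[1]]
        if not owners:
            errors.append(f"{site.name}: island {site.cluster_island} is outside every balancer window")
        elif len(owners) > 1:
            errors.append(f"{site.name}: island {site.cluster_island} picked up by {' and '.join(owners)}")

    for b in balancers:
        # Non-root on unix cannot bind a privileged port directly (point 3).
        if b.port < PRIVILEGED_PORT_LIMIT and not b.runs_as_root:
            errors.append(f"{b.name}: port {b.port} needs root or port forwarding (e.g. ipchains)")
        # Per the load-balancer.xml blurb quoted above, a secure balancer terminates SSL
        # itself and forwards plain HTTP, so the balancer-to-backend hop is unencrypted.
        if b.secure:
            notes.append(f"{b.name}: SSL ends at the balancer; traffic to backends is plain HTTP")

    return errors, notes


# Constructed sample plan: two balancers on the well-known ports, two web-sites on
# high ports, all on one box, one island each (192.0.2.10 and 10443 are made up).
SITES = [
    WebSite("http-site", "192.0.2.10", 10180, cluster_island=1),
    WebSite("https-site", "192.0.2.10", 10443, cluster_island=2, secure=True),
]
BALANCERS = [
    Balancer("http-balancer", "192.0.2.10", 80, island_range=(1, 1)),
    Balancer("https-balancer", "192.0.2.10", 443, island_range=(2, 2), secure=True),
]

if __name__ == "__main__":
    errs, nts = check_plan(SITES, BALANCERS)
    for line in errs:
        print("ERROR", line)
    for line in nts:
        print("NOTE ", line)
```

The sample plan passes with no errors and one note: the https balancer ends SSL, so the hop from it to the backend web-site is plain HTTP and belongs on a network you trust. Widening both balancers' windows to (1, 2), or binding the balancer and a web-site to the same ip:port, turns up as errors.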

