Greg,

I just logged this as bug 525. The ssl loadbalancer just won't accept
connections with https://, but will accept connections with http://. Basic
problem with the code. It's not us. Karl and Magnus need to fix this.

regards,

the elephantwalker

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
Sent: Tuesday, June 26, 2001 9:59 PM
To: Orion-Interest
Subject: RE: clustering + ssl together


Greg,

I just tried something which ALMOST worked. I tried the secure loadbalancer
instance like this in the browser:

http://localhost:443/mysecuresite/login.

The secure loadbalancer showed a session id, and forwarded the request to
the secure island! Of course the site didn't do anything, since it was
looking for a handshake. It looks like the loadbalancer is just not doing
its bit...it is refusing all connections which are secure.

regards,

the elephantwalker


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
Sent: Tuesday, June 26, 2001 3:00 PM
To: Orion-Interest
Subject: Re: clustering + ssl together



ew,

i was trying to run a single secure load balancer
with its own load-balancer.xml.

loadbalancer did register the 2 orions i'd set up to appear
in the cluster, but after being able to see them appear on
the loadbalancer screen, i was still unable to access my
web app. the browser just sat there with the little IE
symbol spinning, but no joy.

all orions and the loadbalancer had their own keystore
setup using a test certificate generated from thawte.com

loadbalancer => secure and on port 443 (on box1)
orion1 => secure and on port 443 (on box2)
orion2 => secure and on port 8080 (on box1) !! but only in some experiments.

i also tried various other configurations of the loadbalancer
and cluster machines having secure on/off, etc. and
swapping the port numbers around, e.g. when loadbalancer
and orion2 were both running, they were both secure="true"
but obviously only one can run on port 443 at one time, so
i made orion2 run on port 8080 while secure="true" was set.

i also had a look at apache for how to setup SSL but it looks
like you've got to compile the mod in yourself for win32 so
i've given that a miss for the moment.

greg.

----- Original Message -----
From: "elephantwalker" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Wednesday, June 27, 2001 2:48 AM
Subject: RE: clustering + ssl together


> Here are the <hiccups> in the plan so far...see below.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
> Sent: Monday, June 25, 2001 1:29 AM
> To: Orion-Interest
> Subject: RE: clustering + ssl together
>
>
> Greg,
>
> I am doing this now, so I will get back to the list when I am finished.
> This is my working plan:
>
> 1. there are two loadbalancers instances, one for http and one for https.
> These can be on the same machine or separate machines.
>
> <hiccup>
>
> At one level this works, but you have to set the minimumIsland/maximumIsland
> so that each respective loadbalancer picks up either the https island or the
> http island. However, https connections do not work. It could be because of
> this blurb in the load-balancer.xml description:
>
> secure - Whether or not to use SSL. The default is false. SSL is only used
>    when using session (not IP) based balancing and the backend and the site is
>    using SSL. If you specify the balancer to use SSL then the backend servers
>    will not (the balancer converts to HTTP, ie contains the SSL layer). Note
>    that this puts the strain of decoding the SSL on the balancer.
>
> I'm sorry, but does this say that we have the option of NOT using SSL for
> the balancer, but using it for the backend? Or if we use SSL for the
> balancer, SSL isn't used on the backend (and thus we have to strip all of
> the SSL configuration from the backend)?
>
> </hiccup>
>
>
> 2. the ports for your web-sites can be different from your loadbalancer(s)
> port. This allows you to have the loadbalancer and an orion instance on the
> same machine, for example. Or the ports can be the same, in which case the
> loadbalancer(s) has to be on a different machine.
>
> <hiccup>
>
> Since web-sites are load-balanced (not applications), it's important that
> each *web-site.xml which you use have its own island. This is done by
> setting the cluster-island attribute in the web-site tag. See above for
> reference to min/max island ids for the loadbalancer. The port bit seems to
> work. That is, the http web-site had a port of 10180, and the http
> loadbalancer listened on port 80. This was no problem. So if you want to
> have the loadbalancer and web-site on the same ip address, you will need to
> set the website port to something else so they don't conflict.
>
> </hiccup>
> 3. the same rules apply for the loadbalancer as orion for unix machines. You
> need to use some port forwarding, like ipchains, if you want to run the
> loadbalancer on a user account which is not the superuser. This applies also
> for the ssl port. (skip 3 if you are using m$ or don't care)
> 4. the ssl setup in the load-balancer.xml (see the ssl-config tag in the
> load-balancer.xml documentation) is the same as the secure-web-site.xml, but
> you will have to set the secure flag in the load-balancer tag. Obviously,
> this means you will need a keystore for the loadbalancer, and a keystore for
> the backend for total secure communication. I believe that the communication
> to the backend is transparent to the user, so you can self certify that
> connection, regardless of what those guys at verisign say.
> 5. you can skip all of this and use apache for ssl (interesting, but slow).
> This is what oracle advises, because they can't figure out orion, or they
> have so much invested in the "apache/oracle" solution.
>
> <hiccup>
>
>  This option is looking better and better.
>
> </hiccup>
>
> I'm testing this now, as soon as I get through the hiccups, I will let the
> list know.
>
> regards,
>
> the elephantwalker
>
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
> Sent: Sunday, June 24, 2001 3:02 PM
> To: Orion-Interest
> Subject: clustering + ssl together
>
>
>
> dear all,
>
> there has been a recent post on this but no solution posted.
> i've got some more info on the problem.
>
> can the developers of orion or anyone else let me know
> if anyone has successfully set up an ssl orion cluster?
>
> i can:
> - set up clustering
> - set up ssl
>
> ...but not both together.
>
> some clues.
>
> 1. on orionserver.com there is doco for load-balancer.xml that
>     suggests loadbalancer.jar can be given SSL keystore information.
>     does this mean that a clustered SSL setup requires loadbalancer
>     to share the same keystore as each box in the cluster?
>
> 2. how do you set the web-site.xml for a clustered secure app.
>
>     you can't have both the loadbalancer + your secure app
>     both running on port 443 on the same box, so what do you
>     do?
>         i) run loadbalancer on another port?
>         ii) run your app on another port?
>             - the orion doco says that when your app needs to
>               be made secure you should add a secure="true"
>               attribute to the web-site element of the web-site.xml
>               plus remove the port attribute.
>
> if someone has made this work i'd be grateful for any information,
> or if you couldn't be bothered explaining how to do it, just maybe
> forward me your server.xml, loadbalancer.xml, web-site.xml and
> i'll work it out from that.
>
> thanks.
> greg.
>
>
>
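The symptom reported at the top of this thread (the "secure" balancer on 443 answers http:// but not https://) is worth checking from the outside rather than through a browser, because a listener on 443 that speaks plaintext means the "secure" site is not encrypted at all, and the load-balancer.xml blurb quoted above says that once the balancer terminates SSL the hop to the backend is plain HTTP anyway. The following probe is an added example written for this page; it is not code from the thread, from Orion or from its load balancer. It sends a plaintext HTTP request to a host:port and classifies the first bytes that come back (an HTTP status line means plaintext; a TLS alert record means the port speaks TLS and rejected the cleartext), falling back to a real TLS handshake when the answer is inconclusive. The function and class names, the throwaway local server used to exercise it, and the 3 second timeout are all my own choices.

```python
"""Probe a listener to see whether it speaks TLS or plaintext HTTP.

Added diagnostic, not part of the original thread or of Orion. Certificate
verification is disabled on purpose: this is a fingerprinting check, not a
trust decision, so the context below must never be reused for real traffic.
"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TIMEOUT = 3.0  # assumption: a few seconds is enough for a LAN hop


def classify_bytes(first_bytes: bytes) -> str:
    """Classify the first bytes a server sends after a plaintext HTTP request."""
    if not first_bytes:
        return "closed"            # server hung up without saying anything
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"    # an HTTP status line: the port is NOT encrypted
    # TLS record header: content type 0x15 (alert) or 0x16 (handshake), then the
    # protocol version major byte 0x03. A TLS server fed a cleartext request
    # usually answers with an alert record (e.g. 15 03 01 00 02 02 46).
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


def _tls_handshake_ok(host: str, port: int) -> bool:
    """Return True if a TLS handshake completes; no certificate checks (fingerprint only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError, socket.timeout and ConnectionError all derive from OSError
        return False


def probe_listener(host: str, port: int) -> str:
    """Return 'plaintext-http', 'tls', 'closed' or 'unknown' for host:port."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            sock.sendall(request)
            first = sock.recv(16)
    except OSError:
        first = b""
    verdict = classify_bytes(first)
    # A TLS server may silently drop the cleartext request instead of sending
    # an alert; confirm with a real handshake before reporting anything else.
    if verdict in ("closed", "unknown") and _tls_handshake_ok(host, port):
        return "tls"
    return verdict


class _QuietHandler(BaseHTTPRequestHandler):
    """Minimal plaintext HTTP responder used only to demonstrate the probe."""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo server silent
        pass


def start_plaintext_server() -> int:
    """Start a throwaway plaintext HTTP server on 127.0.0.1 and return its port."""
    server = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    port = start_plaintext_server()
    print(f"127.0.0.1:{port} speaks {probe_listener('127.0.0.1', port)}")
    # Against the setup in the thread you would run probe_listener("box1", 443):
    # "plaintext-http" on 443 means the balancer is serving the "secure" site
    # without TLS at all; "tls" means the listener is fine and the problem is
    # further back (keystore, island selection, or the backend hop).
```

Run it against the balancer's 443 and against each Orion instance's port in turn; the combination of verdicts tells you where SSL is actually being terminated, which is exactly the ambiguity the load-balancer.xml documentation quoted above leaves open.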