This is actually part of the SSL certificate.  The certificate has a field
to identify the host, the Common Name (CN), and it has to match the hostname
in the URL.  There is also an optional list, Subject Alternative Name (SAN),
that can be specified if you want one cert to match against various URL
hostnames.

If you want to have SSL using the IP address, your certificate must be
issued with the IP as the CN or in the SAN.

On Tue, Mar 17, 2020, 7:33 PM Gilbert Soucy <gso...@36pix.com> wrote:

> Hello,
>
> I am not an expert, so I apologize if my question is unclear.
>
> I have a problem with setting up a load balancer that supports ssl with a
> valid certificate.
>
> It works ok when I refer to the balancer members by a valid DNS name.
> However, if I just put the IP address of the balancer members, I get
>
>         ERROR: certificate common name '*.mydomain.com' doesn't match requested host name '52.26.53.37'.
>
> I am following the load balancer sample config found here:
>         https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html
>
> that I adapted to ssl, here is my ssl.conf :
>
> <VirtualHost *:443>
>      SSLEngine On
>      SSLCertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.crt
>      SSLCertificateKeyFile /etc/pki/tls/private/wildcard.mydomain.com.key
>      SSLCACertificateFile /etc/pki/tls/certs/wildcard.mydomain.com.chain.crt
>
>      ErrorLog /var/www/mydomain.com/logs/error.log
>      CustomLog /var/www/mydomain.com/logs/access.log combined
>
>      ProxyRequests off
>      <Proxy balancer://cluster>
>
>
>        # Using valid DNS names for the members works well
>
>        BalancerMember https://ws1.mydomain.com/
>        BalancerMember https://ws2.mydomain.com/
>
>        # Using the IP address of the members returns the certificate error given above
>
>        #BalancerMember http://52.73.75.46/
>        #BalancerMember http://52.26.53.37/
>
>        ProxySet lbmethod=byrequests
>      </Proxy>
>
>      <Location /balancer-manager>
>         SetHandler balancer-manager
>      </Location>
>
>      # ProxyPreserveHost On
>      ProxyPass /balancer-manager !
>      ProxyPass / balancer://cluster/
>
> </VirtualHost>
>
> I would like to be able to use only the IP addresses so that I can add a
> variable number of BalancerMember that I could start dynamically on a cloud
> setup.
> Using a DNS entry for each BalancerMember makes everything more
> complicated.
>
> Is there a way to configure httpd so that only the load balancer servers
> need to have a valid certificate and a DNS name?
> All the balancerMembers behind the load balancer would exist only with
> their IP address.
>
> Thank you
>
> Gilbert
>
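
The matching rule described in the reply, as an added example that is not part of the original thread and not httpd's own code. It assumes the certificate is given in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, that the CN is consulted only when the certificate has no SAN list, and that the two certificates are constructed samples; `cert_matches` and `_dns_match` are hypothetical names.

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare one DNS name; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False          # a wildcard never spans dots or extra labels
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def cert_matches(cert, target):
    """True if `target` (a hostname or an IP literal) is covered by `cert`."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None             # not an IP literal, treat as a DNS name
    san = cert.get("subjectAltName", ())
    if san:
        if ip is not None:
            # IP targets are compared only with iPAddress entries, never wildcards
            return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                       for kind, val in san)
        return any(kind == "DNS" and _dns_match(val, target) for kind, val in san)
    # Assumption: fall back to the subject CN only when no SAN list is present
    cns = [val for rdn in cert.get("subject", ())
           for key, val in rdn if key == "commonName"]
    if ip is not None:
        return target in cns  # the CN must be exactly the IP literal
    return any(_dns_match(cn, target) for cn in cns)

# Constructed sample: the wildcard certificate named in the error message
WILDCARD = {"subject": ((("commonName", "*.mydomain.com"),),)}
# Constructed sample: a member certificate issued with its IP in the SAN
WITH_IP_SAN = {
    "subject": ((("commonName", "ws1.mydomain.com"),),),
    "subjectAltName": (("DNS", "ws1.mydomain.com"), ("IP Address", "52.26.53.37")),
}

if __name__ == "__main__":
    for cert_name, cert in (("wildcard", WILDCARD), ("with IP SAN", WITH_IP_SAN)):
        for target in ("ws1.mydomain.com", "52.26.53.37"):
            print(cert_name, target, cert_matches(cert, target))
```

The wildcard certificate covers `ws1.mydomain.com` but not `52.26.53.37`, which is the mismatch reported in the question; the second certificate covers both because the address is listed in its SAN.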
