hi,
right now i have a very simple clear-text http + https setup. initially, my load-balancer was terminating SSL, but because of the way our application works, we moved away from that and installed an SSL-server on the servers themselves which we know works fine when we access the servers directly.
on the css i have a very simple ssl-balance rule:
content srv.443
  add service srv1.ssl
  add service srv2.ssl
  advanced-balance sticky-srcip
  protocol tcp
  port 443
  url "/*"
  vip address 10.72.39.17
  active

service srv1.ssl
  ip address 10.72.39.71
  protocol tcp
  keepalive port 51001
  port 51001
  active

service srv2.ssl
  ip address 10.72.39.72
  protocol tcp
  port 51001
  keepalive port 51001
  active
the problem i'm seeing right now is that even though i deleted all config regarding ssl-termination on the css, every time i hit the 'ssl-vip' i still get the locally generated certificate instead of the valid one i get when hitting the web-servers directly.
it's weird that the css keeps trying to use its own certificate, when all related config has been deleted.
now i have a question, i assumed that there was no problem if one tries to load-balance ssl-traffic when the traffic is terminated on the servers themselves. now i'm not so sure, so an initial question is: can this be done?
regards,
c.