
Saving Public IP Address - CSS

b.petronio
Level 3

Hello all,

I'm dealing with a problem relating to the number of public services my client is offering.

Before me, they were applying one public IP address for each web server, and therefore NAT-ing it to the CSS VIP address.

This was worked around in HTTP mode, but when they need SSL termination on the CSS, I still have this problem.

The configuration for the HTTP mode is like this:

tst.example.com and dsv.example.com = 10.1.1.139

******** OWNER EXAMPLE ********

content HTTP-tst.example.com
  redundancy-l4-stateless
  advanced-balance arrowpoint-cookie
  arrowpoint-cookie browser-expire
  balance weightedrr
  vip address 10.1.1.139
  protocol tcp
  port 80
  url "//tst.example.com/*"
  add service server1-8888
  active

content HTTP-dsv.example.com
  redundancy-l4-stateless
  advanced-balance arrowpoint-cookie
  arrowpoint-cookie browser-expire
  balance weightedrr
  vip address 10.1.1.139
  protocol tcp
  port 80
  url "//dsv.example.com/*"
  add service server1-7777
  active

******** SERVICES ********

service server1-7777
  ip address a.b.c.d
  port 7777
  keepalive type http
  keepalive uri "/"
  keepalive port 7777
  active

service server1-8888
  ip address a.b.c.d
  port 8888
  keepalive type http
  keepalive uri "/"
  keepalive port 8888
  active

************* SSL ****************

content SSL-*.example.comp
  add service MODSSL
  application ssl
  protocol tcp
  port 443
  url "/*"
  redundancy-l4-stateless
  vip address 10.1.1.139
  advanced-balance ssl
  active

service MODSSL
  slot 2
  type ssl-accel
  keepalive type none
  add ssl-proxy-list ssl1
  active

ssl-server 110
ssl-server 110 vip address 10.1.1.139
ssl-server 110 rsacert tstcert
ssl-server 110 rsakey tstkey
ssl-server 110 cipher rsa-export-with-rc4-40-md5 10.1.1.139 80

******************************************

This works fine for HTTP, but when I tried to do HTTPS, I put one content rule matching the VIP address and port 443, pointing to only one proxy server, because I haven't found a way of filtering on a "url" for the same VIP address.

The issue is that when a client is hitting dsv.example.com, the certificate says tst.example.com, or vice versa.

Is there a way to solve this issue?

For sure I'm not seeing some basic thing, because I think this could be done easily.

Best Regards,

Petrónio

1 Accepted Solution

Accepted Solutions

Gilles Dufour
Cisco Employee

There is no way to solve this issue, because HTTPS was designed to guarantee that your site is not hacked... therefore a certificate is linked to a domain name, which is linked to a single IP address.

So, you will need to use 1 IP for each website that requires SSL.

Another solution is to request a special certificate which is for *.example.com.

This certificate is valid for all websites under your domain example.com.

Regards,

Gilles.

3 Replies

Once again, thank you for your explanation.

The special certificate you mentioned, I call it a domain certificate.

Is there any different procedure when I create it, besides the common name?

*** Is this correct? ***

Common Name (your domain name) [www.acompanyname.com]*.example.com

or should I write ".example.com" only?

*** - ***

Best Regards,

Petrónio

The exact name is a Wildcard Certificate.

So, I believe it should be *.yourdomain.com

http://www.rapidssl.com/ssl-certificate-products/rapidssl/usd/wildcard-ssl-certificate.htm

Gilles.
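An added check for the mismatch described in this thread (example code, not from the thread, the CSS, or Cisco): it implements the wildcard name matching a TLS client applies, so it shows why a tst.example.com certificate served on the shared VIP fails for a dsv.example.com request, that a *.example.com common name covers both hosts, and that ".example.com" without the asterisk covers nothing. The certificate dictionaries are constructed samples in the shape returned by getpeercert(), and fetch_cert is an assumed helper name for checking a live VIP.

```python
"""Wildcard certificate name matching (RFC 6125 style), plus a live VIP check."""
import socket
import ssl


def hostname_matches(pattern, hostname):
    """True if a certificate name such as '*.example.com' covers hostname.
    The '*' must be the entire leftmost label and matches exactly one label,
    so '*.example.com' covers tst.example.com but not example.com or
    a.b.example.com; a name without a wildcard must match exactly."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, and refuse overly broad wildcards like '*.com'
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS identities from a getpeercert() dict: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers(cert, hostname):
    """True if any name in the certificate matches the requested hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names(cert))


def fetch_cert(vip, hostname, port=443):
    """Assumed helper: connect to the VIP with SNI=hostname and return the peer
    cert dict. The chain must still validate against the system trust store;
    only hostname checking is disabled so a mismatched name can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((vip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real), in getpeercert() shape
TST_CERT = {"subject": ((("commonName", "tst.example.com"),),),
            "subjectAltName": (("DNS", "tst.example.com"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
```

Against a real deployment, cert_covers(fetch_cert("10.1.1.139", "dsv.example.com"), "dsv.example.com") reproduces the browser's decision for the VIP in the thread.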
