
I use an ldirectord setup for load balancing a couple of real servers, and for the HTTPS connections I am considering using some offloading mechanism on the LB - is there some functionality already implemented in ldirectord, or should I look for another solution that I will have to pair with ldirectord?

Thanks in advance!

2 Answers


When using LVS with SSL, set the certificates on the SSL service servers (LDAP in my case) to match the load-balancer VIP, not the hosting server DNS names. This means that when you hit the LVS server VIP:ssl port, the cert negotiation matches the reverse DNS name that is expected by the initiating server.

Testing SSL handshake -> openssl s_client -connect hostname:port

The problem isn't the config. A standard LVS config works fine. The problem is the SSL certificate negotiation. The "client" expects a certificate that matches the reverse DNS for the IP it is connecting to (i.e. the load balancer virtual IP interface IP). If the host farm responder responds with "its" certificate, it will look like a spoofed cert because it won't match the connection IP. Therefore the "fix" is to load all the farm responders with the LB virtual IP certificate instead.

Andrew.

Andrew
  • I find this answer a bit unclear. Maybe it can be improved with an example of what the suggested configuration would look like. – kasperd Nov 27 '14 at 01:22
  • btw, I tried to sign up, but your site requires me to use a password I can't memorise, namely upper+lower+digits+nonalpha. Totally ignoring human factors. The *point* of letting people choose their own password is making it something they can remember easily. – Andrew Nov 28 '14 at 04:20
  • Who are you expecting to read that comment? – kasperd Nov 28 '14 at 07:20
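The check Andrew's answer describes, as an added example that is not part of the original answer: a small POSIX shell script that verifies whether a certificate is valid for the VIP hostname that clients actually connect to, so a real server presenting its own-name certificate behind the LVS VIP is caught before a client sees a name mismatch. It assumes the openssl command-line tool is installed (1.1.1 or later, for the -addext option used to build the constructed test certificates) and uses the hypothetical names vip.example.com and real1.example.com.

```shell
#!/bin/sh
# Added example (not from the original answer): check that the certificate a
# real server presents is valid for the load balancer's VIP hostname, which is
# the name clients actually connect to. Assumes the openssl CLI (1.1.1+).

# Return 0 if the PEM certificate in $1 is valid for hostname $2.
# 'openssl x509 -checkhost' prints "... does match certificate" or
# "... does NOT match certificate"; its exit status is 0 either way, so the
# decision is taken from the output text.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Live variant (needs network; not exercised by the offline demonstration):
# fetch the leaf certificate from one real server, $1 (host:port), sending the
# VIP hostname $2 as SNI, and check it against that VIP hostname.
live_cert_matches_vip() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Build a constructed self-signed certificate for hostname $2 into file $1
# (the key goes to $1.key). Used only to exercise the check offline.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Walk every real server's certificate file and report mismatches against the
# VIP hostname. $1 = VIP hostname, remaining args = PEM files.
# Return value = number of certificates that do NOT match.
audit_pool() {
    vip="$1"; shift
    bad=0
    for pem in "$@"; do
        if cert_matches_host "$pem" "$vip"; then
            echo "OK       $pem is valid for $vip"
        else
            echo "MISMATCH $pem is not valid for $vip (clients will see a name mismatch)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run the demonstration only when invoked with --demo, so the functions can be
# sourced without side effects. Certificates here are constructed test data.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_self_signed "$dir/vip.pem" vip.example.com      # correct: VIP name
    make_self_signed "$dir/real1.pem" real1.example.com  # wrong: own host name
    audit_pool vip.example.com "$dir/vip.pem" "$dir/real1.pem"
    rm -rf "$dir"
fi
```

Run it as `sh check_vip_cert.sh --demo` (a hypothetical file name) to see one OK line for the VIP-named certificate and one MISMATCH for the certificate issued to the real server's own name. In production, replace the PEM files with the output of live_cert_matches_vip against each real server in the ldirectord pool; any MISMATCH means that server will look like it is presenting a spoofed certificate when reached through the VIP.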

I should start by saying that I haven't configured LVS for a couple of years, now, and it may have moved on.

That said, when I last did it was very much software that worked at layer 3, not layer 4. If you wanted something that would redirect your incoming TCP/443 connections to one of a pool of back-end servers, LVS was your man. If you wanted something to receive incoming HTTPS connections, decrypt them, and farm the decrypted requests out to a pool of back-end servers, it wasn't your man.

Edit: yes, I'd consider using apache to do the decrypt and redirect-to-the-pool. Furthermore, you could use Linux-HA to control two front-end apache boxes (one live, one hot standby), so that the redirector was still always-up, on an IP address that floated between the two under HA's control.

MadHatter
  • Thanks for the quick answer! :) So, I guess I should consider something like an Apache server or Squid proxy in front of / behind the Load Balancer, so that they can work with the SSL encrypt / decrypt. – Konstantin Boyanov Apr 12 '13 at 07:29