Using Rackspace Cloud Load Balancers as a Service to host multiple SSL Sites


A few days ago I wrote an article about using SNI to host multiple SSL sites on a single IP. This method is excellent, and it works very well with Rackspace Cloud Load Balancers as a Service. The major drawback is that users whose browsers do not support SNI won’t get the desired results. I want to first say that I am a huge fan of SNI, and as available IPv4 addresses become fewer and fewer, I think that SNI will be the preferred method of doing this. That being said, a lot of websites simply cannot afford to write off anyone with an unsupported browser. For that reason, here are instructions on using Rackspace Cloud Load Balancers as a Service to host multiple SSL sites from the same pool of web servers.

High Level Overview

At a high level, you will have two Load Balancers for each site. The two Load Balancers will share a single public IP address. One will listen on port 80 for standard HTTP traffic and the other will listen on port 443 for HTTPS traffic. In my proof of concept below, I will have two sites, test1.com and test2.com, so I will have four Load Balancers.

Create the Load Balancers

Let’s create the Load Balancers. Since Rackspace Cloud Load Balancers as a Service is only available via the API at the time of this writing, that is what we will use.

First we authenticate (obviously, swap in your own username and API key for the made-up values):

curl -D - -H "x-auth-user: UserName" -H "x-auth-key: ABCDEFG-123456" https://auth.api.rackspacecloud.com/v1.0

This will return a few headers; the one we care about is X-Auth-Token.

Now using that token we will build a Load Balancer in the datacenter of our choice. For my example, I will build into the DFW datacenter. If you want to build into ORD, just change out ‘dfw’ for ‘ord’ below.

First up, create an xml file for test1-http. Let’s call it createtest1-http.xml

<loadBalancer xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"
    name="test1-http"
    port="80"
    protocol="HTTP">
    <virtualIps>
        <virtualIp type="PUBLIC"/>
    </virtualIps>
    <nodes>
        <node address="10.177.130.14" port="80" condition="ENABLED"/>
        <node address="10.177.130.96" port="80" condition="ENABLED"/>
    </nodes>
</loadBalancer>

Those values are pretty self-explanatory: you are giving the Load Balancer a name, telling it to listen on port 80 for HTTP traffic, requesting a public IP, and assigning it two nodes that it should send traffic to, also on port 80.

Now that we have the XML file, let’s create the Load Balancer. Substitute your own auth token and account number in the example below:

M0Z8AGY:LBaaS josh.prewitt$ curl -H "X-Auth-Token: f3ec3064-c855-4d9d-8291-410cd1098765" -H "content-type: application/xml" -d @createtest1-http.xml -X POST https://dfw.loadbalancers.api.rackspacecloud.com/v1.0/123456/loadbalancers
{"loadBalancer":{"name":"test1-http","id":156,"protocol":"HTTP","port":80,"algorithm":"RANDOM","status":"BUILD","cluster":{"name":"ztm-n05.lbaas.dfw1.rackspace.net"},"nodes":[{"address":"10.177.130.14","id":4377,"port":80,"status":"ONLINE","condition":"ENABLED","weight":1},{"address":"10.177.130.96","id":4378,"port":80,"status":"ONLINE","condition":"ENABLED","weight":1}],"virtualIps":[{"address":"174.143.139.241","id":88,"type":"PUBLIC","ipVersion":"IPV4"}],"created":{"time":"2011-03-26T05:31:11+0000"},"updated":{"time":"2011-03-26T05:31:11+0000"},"connectionLogging":{"enabled":false}}}

The important takeaway from the response above is the new public IP address and its ID (the "id" inside "virtualIps", not the Load Balancer's own "id"). We will use that ID when we build the HTTPS Load Balancer so that the two share the same IP.

Now, let’s build the test1-https Load Balancer. First, the xml file:

<loadBalancer xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"
    name="test1-https"
    port="443"
    protocol="HTTPS">
    <virtualIps>
        <virtualIp id="88"/>
    </virtualIps>
    <nodes>
        <node address="10.177.130.14" port="444" condition="ENABLED"/>
        <node address="10.177.130.96" port="444" condition="ENABLED"/>
    </nodes>
</loadBalancer>

The changes here are that we give it a different name, tell the Load Balancer to listen on port 443 for HTTPS traffic, and, instead of requesting a new public IP, ask it to use the IP that we created above. In my case, that was IP ID 88. Also, note that we are asking it to send all traffic to the nodes on port 444. That’s not a typo. In order for the web nodes to distinguish test1.com from test2.com, and so present the right certificate, we send each site's HTTPS traffic to a different port.

Now, the command to create this Load Balancer is just like above:

M0Z8AGY:LBaaS josh.prewitt$ curl -H "X-Auth-Token: f3ec3064-c855-4d9d-8291-410cd1098765" -H "content-type: application/xml" -d @createtest1-https.xml -X POST https://dfw.loadbalancers.api.rackspacecloud.com/v1.0/123456/loadbalancers
{"loadBalancer":{"name":"test1-https","id":158,"protocol":"HTTPS","port":443,"algorithm":"RANDOM","status":"BUILD","cluster":{"name":"ztm-n07.lbaas.dfw1.rackspace.net"},"nodes":[{"address":"10.177.130.96","id":4381,"port":444,"status":"ONLINE","condition":"ENABLED","weight":1},{"address":"10.177.130.14","id":4382,"port":444,"status":"ONLINE","condition":"ENABLED","weight":1}],"virtualIps":[{"address":"174.143.139.241","id":88,"type":"PUBLIC","ipVersion":"IPV4"}],"created":{"time":"2011-03-26T05:37:21+0000"},"updated":{"time":"2011-03-26T05:37:21+0000"},"connectionLogging":{"enabled":false}}}

test2-http and test2-https will be just like above, but give them different names and have test2-https send traffic to the nodes on port 445.

<loadBalancer xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"
    name="test2-http"
    port="80"
    protocol="HTTP">
    <virtualIps>
        <virtualIp type="PUBLIC"/>
    </virtualIps>
    <nodes>
        <node address="10.177.130.14" port="80" condition="ENABLED"/>
        <node address="10.177.130.96" port="80" condition="ENABLED"/>
    </nodes>
</loadBalancer>

M0Z8AGY:LBaaS josh.prewitt$ curl -H "X-Auth-Token: f3ec3064-c855-4d9d-8291-410cd1098765" -H "content-type: application/xml" -d @createtest2-http.xml -X POST https://dfw.loadbalancers.api.rackspacecloud.com/v1.0/123456/loadbalancers
{"loadBalancer":{"name":"test2-http","id":157,"protocol":"HTTP","port":80,"algorithm":"RANDOM","status":"BUILD","cluster":{"name":"ztm-n06.lbaas.dfw1.rackspace.net"},"nodes":[{"address":"10.177.130.14","id":4379,"port":80,"status":"ONLINE","condition":"ENABLED","weight":1},{"address":"10.177.130.96","id":4380,"port":80,"status":"ONLINE","condition":"ENABLED","weight":1}],"virtualIps":[{"address":"174.143.139.164","id":11,"type":"PUBLIC","ipVersion":"IPV4"}],"created":{"time":"2011-03-26T05:31:22+0000"},"updated":{"time":"2011-03-26T05:31:22+0000"},"connectionLogging":{"enabled":false}}}

<loadBalancer xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"
    name="test2-https"
    port="443"
    protocol="HTTPS">
    <virtualIps>
        <virtualIp id="11"/>
    </virtualIps>
    <nodes>
        <node address="10.177.130.14" port="445" condition="ENABLED"/>
        <node address="10.177.130.96" port="445" condition="ENABLED"/>
    </nodes>
</loadBalancer>

M0Z8AGY:LBaaS josh.prewitt$ curl -H "X-Auth-Token: f3ec3064-c855-4d9d-8291-410cd1098765" -H "content-type: application/xml" -d @createtest2-https.xml -X POST https://dfw.loadbalancers.api.rackspacecloud.com/v1.0/123456/loadbalancers
{"loadBalancer":{"name":"test2-https","id":159,"protocol":"HTTPS","port":443,"algorithm":"RANDOM","status":"BUILD","cluster":{"name":"ztm-n01.lbaas.dfw1.rackspace.net"},"nodes":[{"address":"10.177.130.14","id":4384,"port":445,"status":"ONLINE","condition":"ENABLED","weight":1},{"address":"10.177.130.96","id":4383,"port":445,"status":"ONLINE","condition":"ENABLED","weight":1}],"virtualIps":[{"address":"174.143.139.164","id":11,"type":"PUBLIC","ipVersion":"IPV4"}],"created":{"time":"2011-03-26T05:38:06+0000"},"updated":{"time":"2011-03-26T05:38:06+0000"},"connectionLogging":{"enabled":false}}}
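
The per-site steps above (create the HTTP Load Balancer, read the virtual IP ID from its response, create the HTTPS Load Balancer on that ID with the site's own node port) can be scripted. This is an added example, not code from the original post; the function names and the RS_TOKEN, RS_REGION and RS_ACCOUNT environment variables are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function and variable names are hypothetical.

# Constructed sample: a trimmed copy of the test1-http create response.
SAMPLE_RESPONSE='{"loadBalancer":{"name":"test1-http","id":156,"port":80,"nodes":[{"address":"10.177.130.14","id":4377,"port":80}],"virtualIps":[{"address":"174.143.139.241","id":88,"type":"PUBLIC","ipVersion":"IPV4"}]}}'

# Print one field (id or address) of the first virtual IP in a create response.
# The match is scoped to "virtualIps" so the load balancer id and the node ids
# are never mistaken for the VIP id. Prefer a JSON parser such as jq if installed.
vip_field() {  # $1 = JSON response, $2 = field name
    printf '%s\n' "$1" |
        sed -n 's/.*"virtualIps":\[{\([^}]*\)}.*/\1/p' |
        sed -n 's/.*"'"$2"'":"\{0,1\}\([^",]*\).*/\1/p'
}

# Emit the create request for a site's HTTPS load balancer: it reuses the VIP of
# the site's HTTP load balancer and forwards to that site's own node port.
https_lb_xml() {  # $1 = name, $2 = shared VIP id, $3 = node port, rest = node IPs
    name=$1 vip=$2 port=$3
    shift 3
    # Refuse values that could break out of an XML attribute.
    case $name in ''|*[!A-Za-z0-9._-]*) echo "bad name" >&2; return 1 ;; esac
    for n in "$vip" "$port"; do
        case $n in ''|*[!0-9]*) echo "VIP id and port must be numeric" >&2; return 1 ;; esac
    done
    printf '<loadBalancer xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"\n'
    printf '    name="%s"\n    port="443"\n    protocol="HTTPS">\n' "$name"
    printf '    <virtualIps>\n        <virtualIp id="%s"/>\n    </virtualIps>\n    <nodes>\n' "$vip"
    for addr in "$@"; do
        case $addr in ''|*[!0-9.]*) echo "bad node address" >&2; return 1 ;; esac
        printf '        <node address="%s" port="%s" condition="ENABLED"/>\n' "$addr" "$port"
    done
    printf '    </nodes>\n</loadBalancer>\n'
}

# POST a request file. The token goes to curl through a config read from stdin
# (-K -) rather than argv, so it is not visible in the process list.
create_lb() {  # $1 = XML file; uses RS_TOKEN, RS_REGION, RS_ACCOUNT from the environment
    printf 'header = "X-Auth-Token: %s"\n' "$RS_TOKEN" |
        curl -sS -K - -H "content-type: application/xml" -d @"$1" -X POST \
            "https://$RS_REGION.loadbalancers.api.rackspacecloud.com/v1.0/$RS_ACCOUNT/loadbalancers"
}

# Offline demonstration on the constructed sample (no API call is made).
vip_id=$(vip_field "$SAMPLE_RESPONSE" id)
https_lb_xml test1-https "$vip_id" 444 10.177.130.14 10.177.130.96
```

Run as is, it prints the test1-https request built from the sample response; create_lb is only defined, not called.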

Configure Apache on the Individual Nodes

OK, we now have four Load Balancers. Now let’s take a look at the Apache config for one of the web nodes. You will want to add the following:

#Set it to listen on the right ports
Listen 80
Listen 444
Listen 445

#Set up Name Virtual Host
NameVirtualHost *:80
NameVirtualHost *:444
NameVirtualHost *:445

#test1.com traffic for http listening on port 80
<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/test1.com/html
    ServerName test1.com
    ErrorLog /var/www/vhosts/test1.com/logs/error.log
    CustomLog /var/www/vhosts/test1.com/logs/access.log common
</VirtualHost>

#test2.com traffic for http listening on port 80
<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/test2.com/html
    ServerName test2.com
    ErrorLog /var/www/vhosts/test2.com/logs/error.log
    CustomLog /var/www/vhosts/test2.com/logs/access.log common
</VirtualHost>

#test1.com for https listening on non-standard port 444
<VirtualHost *:444>
    DocumentRoot /var/www/vhosts/test1.com/html
    ServerName test1.com
    ErrorLog /var/www/vhosts/test1.com/logs/error.log
    CustomLog /var/www/vhosts/test1.com/logs/access.log common
    SSLEngine ON
    SSLCertificateFile /etc/httpd/certs/test1/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/test1/server.key
</VirtualHost>

#test2.com for https listening on non-standard port 445
<VirtualHost *:445>
    DocumentRoot /var/www/vhosts/test2.com/html
    ServerName test2.com
    ErrorLog /var/www/vhosts/test2.com/logs/error.log
    CustomLog /var/www/vhosts/test2.com/logs/access.log common
    SSLEngine ON
    SSLCertificateFile /etc/httpd/certs/test2/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/test2/server.key
</VirtualHost>

That’s it. Apply those settings to all of the web nodes, open up iptables on the nodes for ports 80, 444 and 445, start Apache, and you will be good to go. (Obviously, don’t forget to point DNS for test1.com to the IP of the Load Balancer for test1, and the same for test2.)
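
In this setup the node port is the only thing that selects which certificate a node presents, so a port that is swapped or shared between sites serves the wrong certificate. The following check reads an Apache config and confirms that each node port maps to exactly one TLS virtual host with the expected ServerName. It is an added example, not part of the original post; the function names are hypothetical and the sample config is constructed from the one above.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample: the two TLS virtual hosts from the configuration above,
# trimmed to the directives the check reads.
SAMPLE_CONF='Listen 444
Listen 445
<VirtualHost *:444>
ServerName test1.com
SSLEngine ON
SSLCertificateFile /etc/httpd/certs/test1/server.crt
</VirtualHost>
<VirtualHost *:445>
ServerName test2.com
SSLEngine ON
SSLCertificateFile /etc/httpd/certs/test2/server.crt
</VirtualHost>'

# Read an Apache config on stdin; print "port servername certfile" for every
# <VirtualHost> block that has SSLEngine on.
tls_vhosts() {
    awk '
        $1 == "<VirtualHost" { port = $2; sub(/^.*:/, "", port); sub(/>.*$/, "", port)
                               name = ""; cert = ""; ssl = 0 }
        tolower($1) == "servername"         { name = $2 }
        tolower($1) == "sslengine"          { ssl = (tolower($2) == "on") }
        tolower($1) == "sslcertificatefile" { cert = $2 }
        $1 == "</VirtualHost>" && ssl       { print port, name, cert }
    '
}

# Succeed only if node port $1 is answered by exactly one TLS virtual host and
# its ServerName is $2. Two hosts on one port, or none, both fail.
check_site() {  # config on stdin
    got=$(tls_vhosts | awk -v p="$1" '$1 == p { print $2 }')
    [ "$got" = "$2" ]
}

# The node ports the two HTTPS load balancers forward to in this article.
for pair in 444:test1.com 445:test2.com; do
    if printf '%s\n' "$SAMPLE_CONF" | check_site "${pair%%:*}" "${pair#*:}"; then
        echo "ok:   node port ${pair%%:*} serves ${pair#*:}"
    else
        echo "FAIL: node port ${pair%%:*} does not map to ${pair#*:} alone"
    fi
done
```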

Related resource: The API guide for Load Balancers as a Service: http://docs.rackspacecloud.com/loadbalancers/api/clb-devguide-latest.pdf

I hope this helps! If anything doesn’t make sense or you have any comments, leave a message below.

