Host multiple SSL sites with IP aliases


There is growing interest in combining SSL with name-based virtual hosting. Some people think this is impossible, but with Apache you can achieve the same result using IP-based virtual hosts. In this article, John Liao and Jim Miles walk you through the specifics.

In the previous developerWorks article "Secure remote data access for Domino®", we discussed how to use the Apache Web server to solve business problems in a budget-saving manner. (See Resources for a link.) In this article we continue that topic, explaining how to use the Apache Web server to provide multiple Secure Sockets Layer (SSL) Web sites on a server that is connected to the network through a single physical NIC.

Why would you need to put multiple SSL sites on one server? Does a business really need to host multiple SSL sites on a single server? We will answer these questions with a real-world scenario. Innovative users will surely find new uses for this idea.

Case Study: Two Applications, One Server

In one of our earlier projects, the Human Resources (HR) department wanted to provide external Internet access to a Web-based benefits application. Most users access this Web application from within the corporate network, but occasionally they access it over the Internet. To meet the security requirements, we decided to keep the application on a server inside the corporate network and build a reverse proxy server with Apache's HTTP server. The reverse proxy terminates the user's SSL connection and opens a second SSL connection to the Web application server hosting the HR application. By adding the mod_security module to the Apache Web server, you can turn the reverse proxy into an application gateway that provides greater protection for the Web application behind it. The HR department had carefully selected a fully qualified domain name (FQDN) that was user friendly and easy to remember. We went on to obtain the SSL certificate, and everything seemed to be a great success.

A year soon passed. Another enterprise Web application emerged with requirements very similar to those of the HR application: it also needed to provide access to a small number of external users, while most visits came from within the corporate network. We immediately thought of using a reverse proxy server to provide external access to this new Web application.

However, this new application was a bit of a headache. First, we were concerned about physical space in the data center and looked for opportunities to consolidate servers in every application deployment. Second, we would have to justify purchasing an additional reverse proxy server. Together these two factors motivated us to look closely at how the existing reverse proxy server could serve the new Web application. The only problem was that this application required a different FQDN from the existing HR application.

We studied several ways to use the existing reverse proxy server for the new Web application. The first idea was to change the domain names of both the old and the new application to a generic domain name, such as rp.company.com, and use the context path to distinguish between the two applications. However, the users of the original reverse proxy strongly opposed changing the domain name. If it changed, they would have to notify the company of the domain name change and update all printed material to reflect the new URL. Changing a domain name is very costly, affects customer support, and inevitably brings a flood of user complaints. In addition, both application groups wanted to keep their FQDNs; they considered their carefully chosen FQDNs more eye-catching than a generic URL and an effective way to promote their Web applications.

Another idea was: why not just register a DNS entry pointing the new domain name at the existing server? This idea was quickly rejected. For an SSL application, the SSL certificate must match the URL the user requests, or the browser pops up a warning stating that the requested URL does not match the domain name in the SSL certificate. With pop-up ads and malware increasingly rampant, every well-trained person in the company cancels any Web interaction that produces such a pop-up warning. Moreover, corporate architecture standards strictly prohibit production Web applications from generating pop-up warning messages.

Yet another suggestion was to run the second SSL site on a different port of the server hosting the first site. However, we felt this would be too troublesome for users, who would have to remember both the site URL and the port number. A user who entered only the URL without the port number would land on the HR application, which could cause a lot of problems.

Solution: IP Aliasing

The final solution was IP aliasing. When looking for this solution, the hardest part was determining the correct terminology. When the concept was first raised, we heard terms such as virtual interface and virtual IP. We struggled to find information under those names; eventually we realized that what we were looking for is commonly called IP aliasing, which led us to much more literature on the topic. IP aliases are sometimes also referred to as network interface aliasing or logical interfaces.

IP aliases on Linux systems

Promiscuous mode: a warning
When multiple IP addresses are configured, some Ethernet cards enter so-called promiscuous mode. In promiscuous mode, the NIC captures all traffic on the local network segment. This can leave the server vulnerable to attacks from other hosts on the network. Most sniffers and network monitoring tools put the Ethernet card into promiscuous mode in order to capture all packets on the network.

The concept behind IP aliasing is simple: you configure multiple IP addresses on a single network interface. This allows multiple Web servers to run on the same machine with a single interface. Setting up an IP alias is also easy: simply configure the network interface to listen on the additional IP address. On Linux™ systems, you can add IP aliases with the standard network configuration tools, such as the ifconfig and route commands, or with a graphical network management tool.

In general, one physical unit number is configured for each Ethernet card. To add an extra IP alias to an already configured Ethernet card, you should configure the same physical unit number for an interface, but use a logical unit number to qualify it. For example, if an existing IP address has been configured on an Ethernet card with physical unit number eth0, you can create an IP alias by adding a logical unit number of :1, as shown in Listing 1. You can add more IP addresses by incrementing the logical unit number. (Note that you need to be logged in as root.)



Listing 1. Adding an extra IP address to an existing network interface
ifconfig eth0:1 192.168.0.2 netmask 255.255.255.0

The Linux kernel on the system you are configuring must support IP aliasing for this technique to work. If the kernel lacks this support, you may need to rebuild it. To find out whether your kernel supports IP aliases, check whether the /proc/net/alias* files exist.

After configuring a new IP address, you need to route the new interface, as shown in Listing 2.



Listing 2. Adding a route to a new IP address
route add -host 192.168.0.2 dev eth0:1

After creating the new IP address, you also need to give it a name in the /etc/hosts file, as shown in Listing 3.



Listing 3. Naming the new IP address
192.168.0.1 primaryserver
192.168.0.2 secondaryserver

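
As an added example (not from the article), the following Python script generalizes Listings 1-3 to any number of aliases and adds two checks a practitioner would want: it rejects addresses outside the primary address's subnet, in line with the article's caution against aliasing across subnets, and it decodes the flags word Linux exposes in /sys/class/net/<iface>/flags so you can confirm the card has not dropped into promiscuous mode, the risk the sidebar describes. The hostnames and the extra 192.168.0.3 address are constructed.

```python
import ipaddress

# Added example, not from the article. Generates the commands and /etc/hosts
# lines of Listings 1-3 for any number of extra addresses, one logical unit
# number per address, refusing addresses outside the primary's subnet (the
# article advises against aliasing across subnets) and duplicates. It also
# decodes the flags word that Linux exposes in /sys/class/net/<iface>/flags
# so you can confirm the card did not drop into promiscuous mode afterwards.

IFF_PROMISC = 0x100  # from <linux/if.h>

def plan_aliases(iface, primary_ip, netmask, primary_name, aliases):
    """aliases: list of (ip, hostname). Returns (shell commands, /etc/hosts lines)."""
    net = ipaddress.ip_network(f"{primary_ip}/{netmask}", strict=False)
    seen = {ipaddress.ip_address(primary_ip)}
    commands, hosts = [], [f"{primary_ip} {primary_name}"]
    for unit, (ip, name) in enumerate(aliases, start=1):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}; alias only within the subnet")
        if addr in seen:
            raise ValueError(f"{ip} is already configured on {iface}")
        seen.add(addr)
        label = f"{iface}:{unit}"  # physical unit eth0 qualified by logical unit :1, :2, ...
        commands += [f"ifconfig {label} {ip} netmask {netmask}",
                     f"route add -host {ip} dev {label}"]
        hosts.append(f"{ip} {name}")
    return commands, hosts

def is_promiscuous(flags_text):
    """flags_text: contents of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

# Constructed sample using the article's addresses plus one more alias.
COMMANDS, HOSTS = plan_aliases("eth0", "192.168.0.1", "255.255.255.0", "primaryserver",
                               [("192.168.0.2", "secondaryserver"),
                                ("192.168.0.3", "thirdserver")])
```

Run the printed commands as root, then read the flags file for the interface and pass its contents to is_promiscuous to verify the card's state.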
IP alias on the Solaris system

To set up an IP alias on Solaris™, the commands are slightly different. The network interface configuration is shown in Listing 4. You need to be logged in as root.



Listing 4. Adding a virtual IP on Solaris
ifconfig eth0:1 plumb
ifconfig eth0:1 192.168.0.2 netmask 255.255.255.0
ifconfig eth0:1 up

To keep the virtual IP across reboots, put the IP address, or a hostname defined in /etc/hosts, in the file /etc/hostname.eth0:1.

On both Linux and Solaris you can create multiple virtual interfaces on a single physical Ethernet card and connect them to IP addresses on different subnets. This should generally be avoided, however, because the host becomes a bottleneck between the two subnets and the performance of all network devices on both subnets suffers.

Other uses for IP aliases
IP aliases can also be used on the client side for load and stress testing. For more information, see the article "Testing and tuning load balancers and networks" (see Resources for a link).

Configure Multiple SSL Sites by IP Address

After configuring the second IP address, you can add the additional SSL site to the Apache Web server configuration file by IP address, as shown in Listing 5.

That is all there is to it! We have built multiple SSL Web sites on the same server and the same physical NIC.



Listing 5. Configuration of two SSL Web sites
Listen 443
<VirtualHost 192.168.0.1:443>
DocumentRoot "/website1/docs"
ServerName website1.company.com:443
SSLEngine on
SSLCertificateFile ssl/site1.crt
SSLCertificateKeyFile ssl/site1.key
</VirtualHost>
<VirtualHost 192.168.0.2:443>
DocumentRoot "/website2/docs"
ServerName website2.company.com:443
SSLEngine on
SSLCertificateFile ssl/site2.crt
SSLCertificateKeyFile ssl/site2.key
</VirtualHost>
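
As an added example (not from the article), here is a small Python checker for configurations like Listing 5. Without SNI, the SSL handshake completes before Apache sees the Host header, so two SSL virtual hosts sharing one IP:port cannot be told apart and the second site's clients are answered with the first site's certificate, which is exactly the name-mismatch warning described earlier. The checker therefore insists on a distinct IP:port per SSL virtual host and on the directives each one needs; the third virtual host in the constructed sample is the bad case.

```python
import re
# Added example, not from the article. An SSL vhost must own its IP:port:
# without SNI the handshake happens before the Host header is seen, so a second
# vhost on the same address would be answered with the first vhost's certificate.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
REQUIRED = ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile")

def check_ssl_vhosts(config):
    """Return a list of problems found; an empty list means the config passes."""
    problems, seen = [], {}
    for m in VHOST_RE.finditer(config):
        addr, body = m.group(1).strip(), m.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip().strip('"')
        if directives.get("SSLEngine", "off").lower() != "on":
            continue  # plain HTTP vhost: name-based hosting is fine there
        name = directives.get("ServerName", "<no ServerName>")
        if addr in seen:
            problems.append(f"{name}: shares {addr} with {seen[addr]}; "
                            "clients would receive the wrong certificate")
        seen.setdefault(addr, name)
        for d in REQUIRED:
            if d not in directives:
                problems.append(f"{name}: missing {d}")
    return problems

# Constructed sample: the two sites of Listing 5 plus a third that wrongly reuses site2's IP.
SAMPLE = """Listen 443
<VirtualHost 192.168.0.1:443>
ServerName website1.company.com:443
SSLEngine on
SSLCertificateFile ssl/site1.crt
SSLCertificateKeyFile ssl/site1.key
</VirtualHost>
<VirtualHost 192.168.0.2:443>
ServerName website2.company.com:443
SSLEngine on
SSLCertificateFile ssl/site2.crt
SSLCertificateKeyFile ssl/site2.key
</VirtualHost>
<VirtualHost 192.168.0.2:443>
ServerName website3.company.com:443
SSLEngine on
SSLCertificateFile ssl/site3.crt
</VirtualHost>
"""
```

Feed it the contents of httpd.conf (with any included SSL config files concatenated) to get the same report for a real configuration.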

Other Uses for Multiple SSL Sites

Because traffic on our Apache Web server is low, this reverse proxy server can front additional back-end services with similarly low traffic requirements.

Larger, more powerful servers and network cards keep appearing and bandwidth capacity is higher than ever, so you can host many virtual SSL sites this way. An ISP, for example, could offer limited-bandwidth SSL sites to customers such as small retail businesses whose low-traffic sites need SSL protection. You could use IP aliases to host an SSL Web site on one IP address and another service, such as a Web service, on another. Other possibilities include pairing a primary production system with a failover system that doubles as an alternate QA and/or DR system. Now that you understand the basic concepts behind IP aliasing, you have a broader range of options when designing your applications.
