SSL certs in App server farm

Batti

Golden Member
Feb 2, 2000
Hi folks,

I have a need to convert an app server farm to SSL. I have multiple app servers behind a load balancer, all responding to one IP address. How do I handle SSL certs in this situation? Does each server need a cert plus the floating address? Anyone have a tutorial?

Thanks!
 

Garion

Platinum Member
Apr 23, 2001
Yup, Spidey has it right - It's usually best to do SSL at your load balancer, if it's capable. If you can't, you have to install the same cert (for the externally-resolvable domain name) on each of the servers. Beware, however, that doing SSL without some kind of hardware SSL accelerator card (i.e. Rainbow card) will KILL your server CPUs. The key exchanges are very CPU-intensive.

- G
 

Batti

Golden Member
Feb 2, 2000
Garion,

In this situation, I cannot terminate the SSL at the load balancer, so indeed my app servers must bear the load. Are you then saying I really only need one cert, and that it's not machine dependent?

Spidey, thanks for the link. I'll read up, but I don't see a BIG-IP in our immediate future.

 

Garion

Platinum Member
Apr 23, 2001
Spidey knows me too well - I live and breathe load balancing, proxies and web traffic flow.

An SSL certificate is assigned for the hostname of your site - www.mysite.com. If each of your app servers (which are, I assume, really combo web/app servers) responds to requests for www.mysite.com, the same cert can be installed on each of them. Depending on your SSL certificate provider (Verisign, thawte, etc.) they might or might not allow you to pay for a single cert. I believe that some (i.e. verisign) require you to buy a cert PER server, not just one cert for the site. With a load balancer, there's only one device terminating SSL, so only one cert.

Look at the costs. If you have to pay $500 for a cert for each server and then add either new servers or SSL accelerators on the existing ones, the $$ adds up. Run the numbers, figure out the two-year cost and see what it's going to cost to do it WITHOUT offloading it onto a load balancer.

Look around at ebay and see what you can find used. Before you buy, however, talk to the vendor to determine what kind of strings there might be. i.e., F5's warranties AND software licenses are non-transferable (according to our rep). You might get the hardware, but might never be able to get support on the box since you don't officially own the software.

- G
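Both of Garion's posts above come down to one operational check: when SSL is terminated on the backends rather than the load balancer, every backend must present a certificate that is valid for the public hostname, and ideally the very same certificate, or clients will see intermittent errors depending on which server the balancer picks. The script below is an added example, not code from this thread; it connects to each backend directly (bypassing the floating address), sends the public hostname via SNI, lets the standard library verify chain and hostname, and then compares SHA-256 fingerprints across the farm. The backend addresses, the www.mysite.com name and port 443 are assumed placeholder values.

```python
import hashlib
import socket
import ssl
from collections import Counter

# Constructed example values: the public name clients use, the backends that
# sit behind the load balancer, and the port each backend listens on.
SITE_HOSTNAME = "www.mysite.com"                     # placeholder from the thread
BACKENDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # assumed private addresses
HTTPS_PORT = 443


def fetch_backend_cert(backend_ip: str, port: int = HTTPS_PORT,
                       hostname: str = SITE_HOSTNAME) -> bytes:
    """Connect straight to one backend (not the VIP) but present the public
    hostname via SNI and verify the certificate against it, exactly as a
    browser would after the balancer forwarded the connection.
    Returns the leaf certificate in DER form; raises ssl.SSLError if the
    chain or hostname does not verify."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((backend_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def odd_ones_out(certs: dict) -> list:
    """Given backend -> DER certificate, return the backends whose certificate
    differs from the one most of the farm presents (empty list if all agree).
    A backend still running last year's cert, or a self-signed one, shows up here."""
    if not certs:
        return []
    fps = {backend: fingerprint(der) for backend, der in certs.items()}
    majority, _ = Counter(fps.values()).most_common(1)[0]
    return sorted(b for b, fp in fps.items() if fp != majority)


def audit_farm(backends=BACKENDS, port=HTTPS_PORT, hostname=SITE_HOSTNAME) -> dict:
    """Probe every backend; report verification failures and fingerprint drift."""
    certs, failures = {}, {}
    for ip in backends:
        try:
            certs[ip] = fetch_backend_cert(ip, port, hostname)
        except (ssl.SSLError, OSError) as exc:
            failures[ip] = str(exc)   # wrong hostname, expired, unreachable, ...
    return {"failed": failures, "mismatched": odd_ones_out(certs)}


if __name__ == "__main__":
    print(audit_farm())
```

Run it from a host that can reach the backends directly; an empty `failed` and `mismatched` means every server answers for www.mysite.com with the same cert, which is the state Garion describes. If your provider licenses per server and you bought distinct certs for each box, `mismatched` will list all but one backend even though each cert verifies; that is expected, and the `failed` map is the part that matters in that setup.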
 

AmigaMan

Diamond Member
Oct 12, 1999
Would it be possible to use a reasonably fast but cheap server as a load balancer? You could use Apache to do that, couldn't you? I wonder if it's cheaper than a dedicated hardware load balancer...
 

Batti

Golden Member
Feb 2, 2000
That's actually what we are doing, AmigaMan. I use a pair of these 1U servers ASA 1URS1 running Redhat Enterprise Linux and the "Pen" load balancer - Pen. We use VRRP to fail over between load balancers.

For non-SSL, this has worked awesome for the money. SSL is a new wrinkle, though.