Use an IP alias to host multiple SSL sites

People are increasingly interested in combining SSL with name-based virtual hosts. Some people think this is impossible, but in Apache you can achieve the same result with IP-based virtual hosts. In this article, John Liao and Jim Miles walk you through the specific steps.

In the previous developerWorks article "Secure remote data access for Domino®", we discussed how to use the Apache Web server to solve enterprise problems on a tight budget. (See References.) In this article, we continue that topic and explain how to use the Apache Web server to provide multiple Secure Sockets Layer (SSL) Web sites on a server that connects to the network through a single physical NIC.

Why would you place multiple SSL sites on one server? Do enterprises really need to host multiple SSL sites on a single server? We answer these questions with a real scenario; innovative users will certainly find further uses for the idea.

Case study: two applications, one server

In an early project at our company, the HR department wanted to provide external Internet access to a Web-based benefits application. Most users access this Web application from within the company network, but occasionally they access it over the Internet. To meet the security requirements, we decided to place the application on a server inside the company's network and use Apache's HTTP server to build a reverse proxy. The reverse proxy terminates the SSL connection and opens a second SSL connection to the Web application server hosting the HR application. By adding the mod_security module to the Apache Web server, you can turn the reverse proxy into an application gateway and provide stronger protection for the Web application. The HR department carefully selected a fully qualified domain name (FQDN) that is user-friendly and easy to remember. We then went ahead and obtained the SSL certificate, and thought that was the end of the matter.

A year passed quickly. Another enterprise Web application appeared whose requirements were extremely similar to those of the HR application: it also needed to provide access for external users, the number of external users was very small, and most access came from the company network. We immediately wanted to use the existing reverse proxy server to provide external access to this new Web application.

However, this new application was a little troublesome. First, we were very concerned about physical space in the data center and looked for opportunities to consolidate servers in every application deployment. Second, we would have had to justify purchasing an additional reverse proxy server. These two factors together encouraged us to study carefully how the existing reverse proxy server could meet the needs of the new Web application. The only problem was that this application required a different FQDN from the existing HR application.

We studied several ways to use the existing reverse proxy server for the new Web application. The first idea was to change the domain names of both the new and the old application to a common domain name, such as rp.company.com, and distinguish the two applications by context path. However, the users of the original reverse proxy server strongly opposed a domain name change. If the domain name changed, they would have to notify all users of the change and reprint all printed materials to reflect the new URL. Domain name changes are very expensive and may also affect the customer support department, which would inevitably receive a large number of user complaints. In addition, both application groups wanted to retain their own FQDNs; they felt that their carefully selected FQDNs were more memorable than a generic URL and were also an effective means of promoting their Web applications.

Another idea was: why not register a DNS entry that points the new domain name to the existing server? This idea was quickly rejected. For an SSL application, the SSL certificate must match the URL requested by the user; otherwise the browser displays a warning that the requested URL does not match the domain name in the SSL certificate. With pop-up advertisements and malware increasingly rampant, every well-trained person in the company cancels any Web interaction that produces a pop-up warning box. Furthermore, the company's architecture standards strictly prohibit production Web applications from generating pop-up warning messages.

Another suggestion was to run the second SSL site on a different port of the server running the first site. However, we felt this would cause too much trouble for users, who would have to remember both the site URL and the port number. A user who enters only the URL without the port number lands on the HR application instead, which causes many problems.

Solution: IP alias

The final solution was IP aliasing. The trickiest part of finding this solution was determining the correct terminology. When we were first introduced to the concept, we heard it called a "virtual interface" or a "virtual IP". We struggled to find information under those names, but finally realized that what we were looking for is commonly called IP aliasing, which helped us find many more documents on the topic. An IP alias is also called a network interface alias or a logical interface.

IP alias on Linux

Promiscuous mode: a warning
When multiple IP addresses are configured, some Ethernet cards enter so-called promiscuous mode. In promiscuous mode, the network adapter captures all traffic on the local network segment. This may leave the server vulnerable to attacks relayed by other hosts on the network. Most sniffers and network monitoring software put the Ethernet card into promiscuous mode in order to capture all network packets.

The concept behind an IP alias is simple: you configure multiple IP addresses on a single network interface. In this way, multiple Web servers can run on the same machine using a single interface. Setting up an IP alias is also very easy: you only need to configure the network interface so that it also listens on the additional IP address. On Linux™ systems, you can add an IP alias with the standard network configuration tools (such as the ifconfig and route commands) or with a graphical network management tool.

In general, each Ethernet card is configured with a physical unit number. To add an IP alias to a configured Ethernet card, you configure an interface with the same physical unit number but qualify it with a logical unit number. For example, if an IP address is already configured on the Ethernet card with physical unit number eth0, you can add logical unit number :1 to create the IP alias eth0:1, as shown in Listing 1. You can add more IP addresses by incrementing the logical unit number. (Note: you must be logged in as the root user.)

Listing 1. Add an additional IP address to an existing network interface

ifconfig eth0:1 192.168.0.2 netmask 255.255.255.0

To use this technique, the Linux kernel on the system you are configuring must support IP aliases. If the kernel does not provide such support, you may need to rebuild the kernel. To check whether your kernel supports IP aliases, check whether the /proc/net/alias* files exist.

After the new IP address is configured, add a route for the new interface, as shown in Listing 2.

Listing 2. Add a route for the new IP address

route add -host 192.168.0.2 dev eth0:1

After creating the IP address, you also need to name it in the /etc/hosts file, as shown in Listing 3.

Listing 3. Naming the new IP address

192.168.0.1 primaryserver
192.168.0.2 secondaryserver
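The three steps in Listings 1 to 3 are easy to get wrong when repeated for a third or fourth site (a reused logical unit, or a hostname silently remapped in /etc/hosts). The following script, an added example that is not part of the original article, wraps them in one idempotent function and adds a helper that picks the next free logical unit from the current interface list. HOSTS_FILE and RUN are assumptions introduced here: HOSTS_FILE defaults to /etc/hosts, and RUN=echo turns the run into a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the original article: Listings 1-3 wrapped in one
# idempotent function plus a helper that picks the next free logical unit.
# Assumptions made here: HOSTS_FILE (defaults to /etc/hosts) and RUN
# (set RUN=echo for a dry run that prints the commands instead of running them).
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}

# next_alias_unit IFACE   (interface names, one per line, on stdin)
# Prints the lowest logical unit number not yet used for IFACE, e.g.
#   ifconfig -a | awk '/^[^ ]/ {print $1}' | next_alias_unit eth0
next_alias_unit() {
    n=1
    used=$(awk -v i="$1" -F: '$1 == i && NF == 2 {print $2 + 0}')
    while printf '%s\n' "$used" | grep -qx "$n"; do n=$((n + 1)); done
    echo "$n"
}

# add_ip_alias IFACE UNIT ADDRESS NETMASK HOSTNAME
# Listing 1: configure IFACE:UNIT; Listing 2: host route; Listing 3: hosts entry.
add_ip_alias() {
    iface=$1 unit=$2 addr=$3 mask=$4 name=$5
    ifalias="$iface:$unit"
    case "$unit" in
        ''|*[!0-9]*) echo "logical unit must be a number: '$unit'" >&2; return 2 ;;
    esac
    # Never remap a name: a hostname already bound to a different address stays.
    existing=$(awk -v n="$name" '$2 == n {print $1; exit}' "$HOSTS_FILE" 2>/dev/null || true)
    if [ -n "$existing" ] && [ "$existing" != "$addr" ]; then
        echo "$name already maps to $existing in $HOSTS_FILE" >&2
        return 1
    fi
    $RUN ifconfig "$ifalias" "$addr" netmask "$mask" || return 1   # Listing 1
    $RUN route add -host "$addr" dev "$ifalias"      || return 1   # Listing 2
    # Listing 3, appended only when the name is not there yet, so re-runs are safe.
    if [ -z "$existing" ]; then
        printf '%s %s\n' "$addr" "$name" >> "$HOSTS_FILE"
    fi
}

# Usage (as root, or with RUN=echo for a dry run):
#   unit=$(ifconfig -a | awk '/^[^ ]/ {print $1}' | next_alias_unit eth0)
#   add_ip_alias eth0 "$unit" 192.168.0.2 255.255.255.0 secondaryserver
```

On current distributions that ship iproute2 instead of ifconfig and route, the same alias is created with `ip addr add 192.168.0.2/24 dev eth0 label eth0:1`, and the /proc/net/alias* check no longer applies because aliasing has been built into the kernel's IP stack for many years.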
