Use an IP alias to host multiple SSL sites

People are increasingly interested in using SSL and name-based virtual hosts. Some people think this is impossible, but in Apache, You can implement virtual hosts through IP-based virtual hosts. In this article, John Liao and Jim Miles will introduce you to specific practices.
In the previous developerWorks article "Secure remote data access for Domino ?" We discussed how to use Apache Web servers to Solve enterprise problems in a budget-saving manner. For more information, see references .) In this article, we will continue to discuss this topic and explain how to use the Apache Web server to provide multiple Secure Sockets LayerSSL Web sites on a server that connects to the network through a physical Nic.

Why do I need to place multiple SSL sites on one server? Do enterprises need to host multiple SSL sites on one server? We will explain these problems through a real scenario. Innovative users will certainly find more innovative uses for this idea.

Case study: two applications, one server

In an early project in our company, the HR department wanted to provide external internet access to a Web-based welfare application. Most users access this Web application from within the company network, but occasionally access it through the Internet. To meet the security requirements, we decided to place this application on a server inside the company's network and use Apache's HTTP server to build a reverse proxy server. The reverse proxy server terminates the SSL connection and re-opens another SSL connection to the Web application server hosting the HR application. By adding the mod_security module to the Apache Web server, you can change the reverse proxy server to the application gateway and provide higher security for Web applications. The HR department carefully selects a fully qualified domain name FQDN), which is user-friendly and easy to remember. Then, we continued to move forward and obtained the SSL Certificate, which we thought was a complete conclusion.

A year passed quickly. Another Enterprise Web application has appeared, and its requirements are extremely similar to those of HR applications. It also needs to provide access capabilities for external users. The number of external users is very small. Most accesses are made on the company network. We immediately wanted to use the reverse proxy server to provide external access to this new Web application.

However, this new application is a little troublesome. First, we are very concerned about the physical space of the data center and strive to seek opportunities to integrate servers in the deployment of all applications. Second, we must prove that it is worthwhile to purchase an additional reverse proxy server. These two factors work together to encourage us to carefully study how to use the existing reverse proxy server to meet the needs of new Web applications. The only problem is that this application requires a different FQDN from the existing HR application.

We have studied several methods to use existing reverse proxy servers for new Web applications. The first idea is to change the domain names of both new and old applications to a common domain name, such as rp.company.com, and distinguish the two applications using the context path. However, the original reverse proxy server users strongly opposed domain name change. If the domain name changes, they must notify all owners of the domain name changes, and modify all printed materials to reflect the new URL. Domain Name Change costs are very high and may affect customer support departments. They will inevitably receive a large number of user complaints. In addition, both application groups want to retain their own FQDN, they think that their carefully selected FQDN is more eye-catching than this generic URL, and it is also an effective means to promote these Web applications.

Another idea is: Why don't I register a DNS entry so that it directs the new domain name to an existing server? This idea was quickly rejected. In an SSL application, the SSL certificate must match the URL requested by the user. Otherwise, a warning message is displayed, indicating that the requested URL does not match the Domain Name of the SSL certificate. As pop-up advertisements and malware are increasingly rampant, every well-trained person in the company will cancel Web interactions that generate pop-up warning boxes. According to the requirements of the company's architecture standards, it is strictly prohibited to generate pop-up warning messages for productive Web applications.

Another suggestion is to make the second SSL site reside on different ports of the server running the first site. However, we think this will bring too much trouble to users, and it is difficult for users to remember the site URL and port number at the same time. If you only enter the URL without entering the port number, they will be redirected to the HR application. This causes many problems.

Solution: IP alias

The final solution is IP alias IP aliasing ). When looking for this solution, the most skillful part is to determine the correct terminology. When we first introduced this concept, we heard terms such as virtual interface and virtual IPvirtual IP. We struggled to find information about these concepts, but we finally realized that what we are looking for is a concept commonly called the IP alias function, this helps us find more documents on this topic. The IP alias is also known as the network interface alias network interface aliasing) or the logical interface ).

IP alias on Linux

Mixed Mode: a warning
When multiple IP addresses are configured, some Ethernet cards enter the so-called promiscuous mode ). In hybrid mode, the network adapter captures all communication traffic on the local network. This may cause the server to be vulnerable to attacks forwarded by other hosts on the network. Most sniffer and network monitoring software enable the ethernet card to enter the hybrid mode to capture all network communication packets.

The concept behind an IP alias is simple: you can configure multiple IP addresses on a network interface. In this way, multiple Web servers can be run on the same server using a single interface. It is also very easy to set IP aliases. You only need to configure the network interface on the system to allow it to listen for additional IP addresses. In Linux? In the system, you can use standard network configuration tools such as ifconfig and route commands to add IP aliases or use graphical network management tools.

In general, a physical unit number is configured for each Ethernet Card. To add an extra IP alias to the configured ethernet card, configure the same physical unit number for an interface, but use a logical unit number to limit it. For example, if an existing IP address has been configured on the ethernet card with the physical unit number eth0, you can add a logical unit number: 1 to create an IP alias, as shown in Listing 1. You can add more IP addresses by increasing the number of logical units. Note: You must log on as the root user .)

List 1. add an additional IP address to an existing network interface

Ifconfig eth0: 1 192.168.0.2 netmask 255.255.255.0

On the system you are configuring, the Linux kernel must support IP aliases to use this technology. If the kernel does not provide such support, you may need to re-build the kernel. To check whether your kernel supports IP aliases, check whether the/proc/net/alias * file exists.

After a new IP address is configured, set a route for the new interface, as shown in List 2.

List 2. Add a route for the new IP Address

Route add-host 192.168.0.2 dev eth0: 1

After creating an IP address, you also need to name it in the/etc/hosts file, as shown in listing 3.

Listing 3. Naming a new IP Address

192.168.0.1 primaryserver
192.168.0.2 secondaryserver

IP alias on Solaris System

In Solaris? The commands used to set the IP alias are slightly different. Figure 4 shows the network interface configuration. You need to log on as the root user.

Listing 4. Add a virtual IP address on Solaris

Ifconfig eth0: 1 plumb
Ifconfig eth0: 1 192.168.0.2 netmask 255.255.255.0
Ifconfig eth0: 1 up

To make the virtual IP address valid after restart, you can add the IP address or host name in/etc/hosts to the/etc/hostname. eth0: 1 file.

On Linux and Solaris systems, you can create multiple virtual interfaces on a physical ethernet card to connect them to IP addresses on different subnets. However, this should be avoided, because it will become a bottleneck between two subnets, and the performance of all network devices on the two subnets will be impaired.

Other Purposes of IP alias
You can also use the IP alias on the client to perform load and stress tests. For more information, see "Testing and tuning load balancers and networks ).
Configure multiple SSL sites by IP Address

After the second IP address is configured, you can add additional SSL sites to the configuration file of the Apache Web server according to the IP address, as shown in listing 5.

That's all! We have built multiple SSL Web sites on the same server and the same physical network card.

Listing 5. configuration of two SSL Web Sites

Listen 443 DocumentRoot "/Web site1/docs" ServerName Web site1.company.com:443 SSLEngine on SSLCertificateFile ssl/site1.crt SSLCertificateKeyFile ssl/site1.key DocumentRoot "/Web site2/docs" ServerName Web site2.company.com:443 SSLEngine on SSLCertificateFile ssl/site2.crt SSLCertificateKeyFile ssl/site2.key

Other functions of multiple SSL sites

Because the communication traffic on our Apache Web server is very low, we can use this reverse proxy server to serve more backend servers with similar low-traffic requirements.

Larger and stronger servers and NICs are emerging, and the bandwidth is also higher than before. Therefore, you can use this method to host multiple virtual SSL sites. If a customer has a low-traffic site that provides small retail businesses and requires SSL security, you can set up an ISP that provides a limited-bandwidth SSL site. You can use an IP alias to host an SSL Web site on an IP address and provide other services, such as Web services, on the other address. Other possibilities include setting up a primary production system and a Failover system to form a standby QA system and/or DR system. Now that you have understood the basic concepts behind an IP alias, there is a broader possibility of designing an application.

Related Articles]

• Tian Rongxin network guard SSL Security Gateway
  

• IP_Classless _ command usage
  

• SSL makes data transmission over the network more secure