{"id":56,"date":"2015-08-25T07:59:46","date_gmt":"2015-08-25T06:59:46","guid":{"rendered":"http:\/\/www.haxed.me.uk\/?p=56"},"modified":"2015-08-26T07:52:31","modified_gmt":"2015-08-26T06:52:31","slug":"configuring-a-load-balancer-with-ssl-without-needing-a-new-ip","status":"publish","type":"post","link":"https:\/\/haxed.me.uk\/index.php\/2015\/08\/25\/configuring-a-load-balancer-with-ssl-without-needing-a-new-ip\/","title":{"rendered":"Configuring a Load Balancer with SSL, with & without needing a New IP"},"content":{"rendered":"

So, at work we had a lot of customers that were asking for new ipv4’s all of the time, and it’s a little known thing to the mainstream that it is actually possible to configure SSL just fine without the addition of a new IP, or the implementation of SNI (Server Name Indication).<\/p>\n

Here is how I configured a basic apache2 server without the need for additional IP’s or SNI. The trick is to use ports. This works for Debian, Ubuntu and also CentOS, RHEL and Fedora but you will want to replace apt-get with yum for the latter 3 distributions.<\/p>\n

(for security purposes, I removed the real private and public network IP of my servers to prevent attacks. It does however not affect the clarity of this tutorial providing that you bear in mind you need to replace your load balancer private IP in the apache2 virtualhost configuration. )<\/strong><\/p>\n

1. Step 1, Install apache2 and enable SSL<\/p>\n

\n
apt-get update\r\napt-get install apache2\r\na2enmod ssl\r\nservice apache2 restart\r\n<\/pre>\n<\/blockquote>\n
2. Step 2 Create Self Signed Certificates (optional step), you can use some SSL certificates you purchased instead, place them in \/etc\/apache2\/ssl\/your.website.com.crt and \/etc\/apache2\/ssl\/yourwebsite.com.key for organisational reasons.<\/p>\n
\n
mkdir \/etc\/apache2\/ssl<\/code><\/pre>\n
mkdir -p \/var\/www\/shop.example.com\/html<\/pre>\n
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/apache2\/ssl\/apache.key -out \/etc\/apache2\/ssl\/apache.crt\r\n<\/code><\/pre>\n
The prompt looks like this; answer the contact and country details, this can generally be anything but be sure to include your FQDN ( fully qualified domain name ) that you want SSL to run with. I will be configured shop.example.com
\n<\/em><\/p>\n
Country Name (2 letter code) [AU]:US<\/span>\r\nState or Province Name (full name) [Some-State]:New York<\/span>\r\nLocality Name (eg, city) []:New York City<\/span>\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company<\/span>\r\nOrganizational Unit Name (eg, section) []:Department of Catz<\/span>\r\nCommon Name (e.g. server FQDN or YOUR name) []:shop.example.com<\/span>\r\nEmail Address []:your_email@domain.com<\/span><\/pre>\n
3. Step 3 Configure Apache2 with your primary IP address using SSL being sure to ensure that you specify an SSLCertificateFile and SSLCertificateKeyFile. You generated the CertficateFile and KeyFile in step 2, but the below directive is an example of how I configured a HTML website for use with SSL<\/p>\n
<VirtualHost 134.213.1.1:443>\r\n\r\nServerName shop.example.com\r\n\r\nDocumentRoot \/var\/www\/shop.example.com\/html\r\nCustomLog \/var\/www\/shop.example.com\/access.log combined\r\nErrorLog \/var\/www\/shop.example.com\/error.log\r\nDirectoryIndex index.html\r\n\r\nSSLEngine on\r\nSSLCertificateFile \/etc\/apache2\/ssl\/secure.website.com.crt\r\nSSLCertificateKeyFile \/etc\/apache2\/ssl\/secure.website.com.key\r\n\r\n<\/VirtualHost>\r\n<\/code><\/pre>\n<\/blockquote>\n
You now have a functioning SSL website with self signed certificate running on a primary IP. If you want to add a load balancer without an additional IP address then keep reading, because that’s the next part.<\/p>\n
4. Create a Load Balancer in the Rackspace Control Panel.
\nImportant things to notice here is that.
\na) Configure sensible name for load balancer representing TLD I want to host
\nb) Configure Port 443 for the incoming connections to the Load Balancer
\nc) Configure Port 543 for the outgoing connections to your cloud server<\/p>\n
\"Screen<\/a>
\nOnce your configuration looks like this you should be almost ready.<\/p>\n
5. Configure Apache2 for use with a Rackspace Load Balancer<\/strong><\/p>\n
Previously, in step 3, you configured SSL on apache2 for a single IP address<\/strong> which was publicly accessible<\/strong>. Because the server is now behind a load balancer we need to tell the apache2 webserver to listen on a local private ip address, 10.0.0.1<\/strong>, we also need to tell apache2 webserver to expect connections from the load balancer on port 543<\/strong>. So we need to modify the apache configuration for apache2 to listen on port<\/strong> and to bind to the correct IP<\/strong> now load balancer is sending requests thru the private network instead than to it’s public IP. This is the magic of using a load balancer, you don’t need separate IP’s on the apache2 , the load balancer has an IP already, and you can simply identify the SSL configurations in virtualhosts by binding to ports as opposed to IP’s to provide that isolation necessary for secure SSL. It’s simple to do:<\/p>\n
Listen 543\r\n<VirtualHost 10.0.0.1:543>\r\n#ServerName localhost\r\nServerName shop.example.com\r\n\r\nDocumentRoot \/var\/www\/shop.example.com\/html\r\nCustomLog \/var\/www\/shop.example.com\/access.log combined\r\nErrorLog \/var\/www\/shop.example.com\/error.log\r\nDirectoryIndex index.html\r\n\r\nSSLEngine on\r\n\r\nSSLCertificateFile \/etc\/apache2\/ssl\/shop.example.com.crt\r\nSSLCertificateKeyFile \/etc\/apache2\/ssl\/shop.example.com.key\r\n\r\n<\/VirtualHost>\r\n<\/code><\/pre>\n
As you can see we added a new IP for the VirtualHost, this is the private IP of the Rackspace Server:
\n\"Screen<\/a>
\nAll Rackspace cloud Servers have two networks<\/strong>, a public<\/strong> network IP like we configured earlier as 134.213.1.1. <\/strong>And a private<\/strong> network IP 10.0.0.1<\/strong> for internal communications between things like the load balancer and this cloud server.<\/p>\n
Also you can see we added a Listen 543, this tells Apache2 to listen to connections on this port so that the load balancer can connect to apache2 to send data.<\/p>\n
5. Restart apache2<\/strong> and chmod<\/strong> your directories with the right user and group permissions like you would on any apache2 server<\/p>\n
chmod -R www-data:www-data \/var\/www\/shop.example.com\/html\r\nservice apache2 restart\r\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
So, at work we had a lot of customers that were asking for new ipv4’s all of the time, and it’s a little known thing to the mainstream that it is actually possible to configure SSL just fine without the … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-56","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":0,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts\/56\/revisions"}],"wp:attachment":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/media?parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/categories?post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/tags?post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}