Load balancing ssl that terminates on servers

hi,
right now i have a very simple clear-text http + https setup. initially, my load-balancer was terminating SSL, but because of the way our application works, we moved away from that and installed an SSL-server on the servers themselves which we know works fine when we access the servers directly.
on the css i have a very simple ssl-balance rule:
content srv.443
add service srv1.ssl
add service srv2.ssl
advanced-balance sticky-srcip
protocol tcp
port 443
url "/*"
vip address 10.72.39.17
active
service srv1.ssl
ip address 10.72.39.71
protocol tcp
keepalive port 51001
port 51001
active
service srv2.ssl
ip address 10.72.39.72
protocol tcp
port 51001
keepalive port 51001
active
the problem i'm seeing right now is that even though i deleted all config regarding ssl-termination on the css, every time i hit the 'ssl-vip' i still get the locally generated certificate instead of the valid one i get when hitting the web-servers directly.
it's weird that the css keeps trying to use its own certificate, when all related config has been deleted.
now i have a question, i assumed that there was no problem if one tries to load-balance ssl-traffic when the traffic is terminated on the servers themselves. now i'm not so sure, so an initial question is: can this be done?
regards,
c.

yes, SSL can be terminated on the servers and loadbalancer by the CSS.
You should remove the "url" from your config because the traffic is now encrypted and the CSS can't see the url.
If the config is what you indicated, there is no way the CSS can send its own certificate.
Absolutely no way :-)
Are you sure your server is sending the correct certificate ?
Gilles.

Similar Messages

Recommended configuration for load balanced Portal with load balancer, multiple gateways and multiple servers.

Does anyone have a recommended network, hardware and software configuration guide for a Portal installation running with multiple gateways load balanced (ie one URL) that talk to multiple servers?

David,
We've used Resonate (software) to load balance the gateways. It allows
you to group all the gateways under 1 virtual URL and load balance the
incoming connections over each gateway depending on the rules that you
define in Resonate. Look in the SUN portal whitepapers there is one that
talks about it specifically.
As far as load balancing the calls to the portals, the gateways will
automatically load balance across all the portals that they know about
using a simple round-robin rotation. You may be able to use Resonate in
front of the portals but you may need to activate persistance within
Resonate to ensure that the user always ends up on the portal that he
established his initial connection on (if you want that), check with Sun
on this one.
David Broeren wrote:
Recommended configuration for load balanced Portal with load balancer,
multiple gateways and multiple servers.
Does anyone have a recommended network, hardware and software
configuration guide for a Portal installation running with multiple
gateways load balanced (ie one URL) that talk to multiple servers?
Try our New Web Based Forum at http://softwareforum.sun.com
Includes Access to our Product Knowledge Base!

Interesting ACE URL Header & Load-balance & SSL on 2 VIPs

Hi There
I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
So, RSERVER = SERVER = 192.168.0.1
Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
OUTSIDE:
website1.abc.com = 172.16.0.1:443
website2.abc.com = 172.16.0.1:443
website3.abc.com = 172.16.0.2:443
website4.abc.com = 172.16.0.2:443
On the server we have:
INSIDE: 192.168.0.1
SERVER:8001 = website1.abc.com
SERVER:8002 = website2.abc.com
SERVER:8003 = website3.abc.com
SERVER:8004 = website4.abc.com
So, in a nutshell what I need to do is:
Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
But, I am struggling like hell. The VIPs (Wirtual IPs on the OUTSIDE are causing me grief) My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
Can anyone give advice on the process flow to follow to get this to work. My issue is arround the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tieing it all together on Interface.
But .... things are going hey-wire.
So, steps are:
RSERVER
SFARMs = RSERVER:PORTs
ACLs = VIPs
CMAP = HEADER = URL
LB PMAP = HEADER CMAP & SFARM
PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy
SVC-POL = PMAP MULTIM

Hi Surya
Thanks for the prompt reply. I'm not quite sure what you mean when you say it ca only handle 2 certs. Can you elaborate please?
It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
regards
Sent from Cisco Technical Support iPad App

VMware vCloud Load Balancing SSL / HTTP

Hi,
I'm having issues with enabling SSL Health check for my CAS VMs, works fine when I select TCP however doesn't work when I change health check to SSL. This relates to a previous issue I've raised (http://social.technet.microsoft.com/Forums/office/en-US/0b3e2573-99ed-49a0-9fbb-c46a629dcc50/exchange-2013-load-balancing-owaecp?forum=exchangesvravailabilityandisasterrecovery
TCP is great but would much prefer to do an SSL check instead;
Tests servers using SSLv3 client hello messages. The server is considered valid only when the response contains server hello messages.
This url helps,
http://blogs.vmware.com/vsphere/2012/11/load-balancing-using-vcloud-networking-and-security-5-1-edge.html
The only other issue is I have a redirect at root mail.domain.com => mail.domain.com/owa Could that be the issue because of the re-direct!
Thanks ;)

Hi,
Try to redirect to HTTPs. More details as below:
Simplify the Outlook Web App URL
http://technet.microsoft.com/en-us/library/aa998359(v=exchg.150).aspx
How to configure Exchange to redirect OWA HTTP requests to HTTPS requests in IIS 7
http://support.microsoft.com/kb/975341
Please correct me if there is any misunderstanding.
Also find some external resource for your reference:
Add a Pool Server to an Edge Gateway
http://pubs.vmware.com/vcd-51/index.jsp?topic=%2Fcom.vmware.vcloud.admin.doc_51%2FGUID-C12B3954-155F-48AF-9855-E0DE026752D0.html
Introduction to Gateway Services: Load Balancing
http://vcloud.vmware.com/using-vcloud-hybrid-service/tutorials/introduction-to-gateway-services-load-balancing
Disclaimer:
Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure
that you completely understand the risk before retrieving any suggestions from the above link.
Thanks
Mavis
Mavis Huang
TechNet Community Support

Coyotepoint E350 and OracleAs 10g Hardware Load Balancing SSL

Hi:
Has anyone been successful using a CoyotePoint E350 with XCEL SSL accelerator card and OracleAS 10g with SSL to hardware load balance an HTTPS site?

You're on the right track adding the SSL certificate to the Load Balancer. I'm not really sure what you mean 'without the use of Webcache'? However, if I had the choise, I'd always add the certificate to the Load Balancer.
A good document setting up a load balanced environment is the Enterprise Deployment Guide. Chapter 8 describes the tasks for a Forms environment.
Regards,
Martin

Load Balancing Portal that uses JPDK portlets

We are having the following Portal architecture :
-Browser
-Firewall
-Load Balancers
-Multiple 9iAS middle-tiers (2)
-DB Server
We are using Web Providers registered with Portal which calls JPDK portlets.
We have registered the Web Provider url's, but of course had to
enter a URL to point to the location of the provider.xml. If we enter the URL specifying a particular 9iAS middle-tier hostname, all requests for the provider from any of the middle-tiers are routed through the one 9iAS server, which places a heavy load on this server.
Requirement : We want to specify the location of the provider.xml as local to the particular 9iAS server and so call the portlet from the same server, which will spread the load.
What would be the best way to achieve this ?

Hi,
You can very well provide the URL of 'Load balancer' while registering the WebProvider, provided it meets the following condition :
Condition : For example, your middle-tiers are named 'machineA' & 'machineB'. Your loadbalancer's name being 'loadbalancer'. Say, a user wants to access a file by name 'test.html' which exists in both machineA & machineB and is identical. Let http://machineA/test.html & http://machineB/test.html be the URLS for accessing it.
The user should get the output after specifying the loadbalancer's name in the place of the 'serverA' or serverB.
Something like, http://loadbalancer/test.html
If the condition is satisified, you can register the webprovider with Loadbalancer's URL.
--Sriram

RPC Load Balancing on CSM and SSL

We are load-balancing SSL successfully but the Exchange people want to use RPC to access
mailboxes using CSM.
We need to allow ports 6005 through 59530 used by the Client Access Servers. Any suggestions?

Thanks. I tried that, but according to our exchange administrators, the solution didn't work. Here is my configuration:
serverfarm EXCH-CAS
nat server
no nat client
real x.x.248.100
inservice
real x.x.248.101
inservice
probe EXCH-CAS
serverfarm EXCH-CAS-SSL
nat server
no nat client
real x.x.254.60
inservice
real x.x.254.61
inservice
probe SSL-FARM
! vserver EXCH-CAS
virtual x.x.254.154 tcp www
vlan 460
serverfarm EXCH-CAS
sticky 1440 group 152
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver EXCH-CAS-S
virtual x.x.214.139 tcp https
vlan 400
serverfarm EXCH-CAS-SSL
sticky 5 group 252
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver EXCH-CAS-TEST-S
virtual x.x.214.139 tcp 0
vlan 400
serverfarm EXCH-CAS
sticky 5 group 252
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
Thanks,
Mohamad

Load Balancing with BigIP / SSL question

I have an oddball question. We're load balancing ColdFusion
MX7 across 3 servers using a BigIP load balancing server. We
decided to go the hardware approach and it has been great except
for one small configuration issue.
We use a mix of SSL and non SSL pages, prior to the switch
from a single server to a load balanced setup I used to script that
would determine if a page that was supposed to be SSL had the
variable CGI.HTTPS turned on or off. If it was off, the page would
redirect back to itself with the SSL turned on.
The problem we have is that we followed BigIP's instruction
to secure the load balancing hardware instead of the three servers
running behind it. So what happens is that the traffic goes to the
load balancer port 441, but then the calls from the load balancer
to the individual servers is port 80. So even if a page is called
as HTTPS://... the coldfusion server says that CGI.HTTPS is "off"
since the traffic is port 80.
This isn't much of a problem, our SSL pages are linked as
HTTPS:// and the only problem would actually arise if someone was
to type in the URL and call it as HTTP rather than HTTPS.
My questions is this, does anyone know of a way that I can
detect if the page should be HTTPS and is not without changing our
configuration and putting SSL certificates on each individual
server?

Hey,
Well the load balancing with the BigIP device is really very
amazing. I think
what i liked most was swapping out servers when their lease
was up, through the
BigIP manager I just stopped all traffic to a server, shut it
down, plugged in
the new one and turned traffic back on. It was really very
easy.
The SSL stuff still gives me a headache to think about. but
I should mention I
no longer work where I was, plus now I'm all .net C# but
that's a different
story.
I think if I was going to do this all again I would not have
secured the bigIP
unit. It was nice to buy one SSL cert for all the servers I
attached rather
than one per server, but getting the SSL sites to work
properly was a headache.
We also use windows file replication where now I would go
with like a pair of
Dell MD1000's mirrored for storage and just have tons of ram
and cpu on the
front end units. Depends what you want to spend I guess. I
think the bigIP unit
we bought was like 20 grand, i think they are cheaper now
though.
Hope I helped.

Load Balancing with a CSM & SSL Module

I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
Thanks..

Hi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg

Load balancing solution for 2-3 web servers

i am looking for a solution for load balancing between 2-3 servers in the same datacenter. i saw the ACE 4710 but that seems expensive compared to the rest of the the cisco gear in that datacenter. anybody knows what would be an entry level load balancing solution (2-3 web servers)? thanks in advance.

the Ace appliance is the new generation and if you take the lowest license 1/2 Gig you should pay a lower price.
You can still buy the old generation.
This would be the CSS11501.
If you need SSL offload this comes by default with ACE but no the CSS.
CSS11501-K has the SSL offload feature.
Also note the appliance has many more features which can be turned on by simply adding a new license.
So, if your site grows and you require more functionalities or more BW, you won't need new hardware.
Gilles.

Load balancing across 4 web servers in same datacentre - advice please

Hi All
Im looking for some advice please
The apps team have asked me about load balancing across some servers but im not that well up on it for applications
Basically we have 4 apache web servers with about 2000 clients connecting to them, they would like to load balance connections to all these servers, they all need the same DNS name etc.
what load balancing methods would I need for this, I believe they run on Linux
Would I need some sort of device, or can the servers run some software that can do this, how would it work? and how would load balancing be achieved here?
cheers

Carl,
What you have mentioned sounds very straightforward then everything should go well.
The ACE is a load balancer which takes a load balancing decisions based on different matching methods like matching virtual address, url, source address, etc then once the load balance decision has been taken then the ACE will load balance the traffic based on the load balance method which you have configured (if you do not configure anything then it will use the default which is "round robin"), then it will send the traffic to the servers which it has available and finally the client should get the content.
If you want to get some details about the load balancing methods here you have them:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/overview.html#wp1000976
For ACE deployments the most common designs are the following.
Bridge Mode
One Arm Mode
Routed Mode
Here you have a link for Bridge Mode and a sample for that:
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
Here you have a link for One Arm Mode and a sample for that:
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
Here you have a link for Routed Mode and a sample for that:
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
Then as you could see in all those links you may end up having a configuration like this:
interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.1
class-map match-all slb-vip
2 match virtual-address 172.16.1.100 any
policy-map multi-match client-vips
class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
policy-map type loadbalance http first-match slb
class class-default
    serverfarm web
serverfarm host web
rserver lnx1
    inservice
rserver lnx2
    inservice
rserver lnx3
    inservice
rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
Please mark it if it answered you question then other users can use it as reference in the future.
Hope this helps!
Jorge

Load Balancing Linux servers with CSS 11050 series

We would like to load balance Linux FTP and Web servers with a CSS 11050 series device. Does the content switch use SNMP to load balance the servers? If so, which MIBs need to be loaded on the servers?

I dont believe that the CSS supports any SNMP load balancing mechanism.
There is basically two factors involved in load balancing. One: the state of the servers which can be done via a range of mechanisms including ping, TCP connection, Application request, etc. Two: the way a server is chosen when a request comes in including round-robin, least connections, ACA etc.
Checkout these links:-
http://www.cisco.com/warp/customer/117/basic_css_lb_config.html
http://www.cisco.com/warp/customer/117/methods_load_bal.html

Solution load Balancing for two Servers run Sun One Web Server 7.0

Hi All ,
I must configure load balancing web server for two server . Could you tell me Solution ?
Please help
Thanks .

The following should help you configure Web Server to reverse proxy (load balance) to your two backend servers.
[http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy|http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy]

Deploy Forms and Reports with Load Balancing

I am trying to determine what we need to install here. I have read OracleAS, Web Cache, Application Server, and
Forms documents and have no answer still.
We are currently run 9iAS with Forms and Reports 6i only.
I did not do any of those installs. We are migrating to
Forms and Reports 10g. I need to setup an OracleAS 10g
Forms and Reports application server with the ability to
do Load Balancing over 2 windows Web servers to handle
4,000+ users. The application database will be on its own
Windows server.
Do I need to install the Infastructure, BI, and Web cache?
Or just Oracle 10g Application Server option? Or other?
Do I need to install it on both web servers and do
something like clustering? Do I need to install Web
cache? I just took the 10g AS class and basically did not learn anything about deploying Forms and Reports.
Can anyone give me a place to find the things I need to
install and setup?
Thanks.
Kim

I am a DBA and have not done an iAS or AS installation
before but am now required to learn it. We will be using
SSL and no load balancing hardware. We setup for other
customer sites and setting Windows servers in the past.
We have not done load balancing before.
I am just confused with all the 10gAS options there are to
install to just run 10g Forms and Reports and setup
OracleAS 10g with the load balancing features.
So I just need to install OracleAS Forms and Reports
Server if I am just installing Forms and Reports with SSL.
But if for Load Balancing Oracle 10g I need to cluster
just Reports 10g? I thought I would need OracleAS10g
installed on my two Windows servers and somehow cluster
or let the two know they are the same web page handling
the incoming requests? I do know about Apache redirct. Is
that an Apache feature and is it covered in an Oracle
documentation? They did not cover it in class either.

CF8/JRun4 Cluster for Load Balancing

Does anyone have an example of how to set up a CF8/JRun4
cluster for load balancing?
I have three servers:
x004 - Linux - Apache2 (10.0.0.54,10.1.0.54)
x020 - Linux - JRun4/CF8 (10.0.0.70,10.1.0.70)
x021 - Linux - JRun4/CF8 (10.0.0.71,10.1.0.71)
Every server in our network has two network cards. One
network card is attached to 10.0.x.x which has a gateway to the
internet and runs at 100Mbps and is firewalled, and the other is
attached to 10.1.x.x which runs at 1Gbps and is internal with no
gateway. I'm trying to set it up so web traffic arrives on
10.0.0.54 into Apache and mod_jrun20 bootstraps a cluster named
STST using 10.1.0.54 which consists of STST_x020 coldfusion server
running on x020 and STST_x021 running on x021. I want the
communications between JRun4 on x020 and x021 to occur on the
10.1.x.x network and eventhough JRun and ColdFusion will only use
the 10.1.x.x network I still need the 10.0.x.x network card
attached for other purposes which require a gateway. I have
installed JRun4/CF8 about 10 times already and it seems I have no
control over what network JRun4 clusters on... sometimes it will
communicate on one, sometimes the other and without being able to
set which network is being used there always seems to be "network
error" on at least one of the two CF8 servers. I was able to get
everything working fine by disabling the network cards on the
10.0.x.x network and re-installing everything... but as soon as I
added the network cards back the whole thing was broken again.
How is this supposed to work? Most of the examples are either
no clustering or clustering on the same machine with Apache running
on the same box... I don't see any clustering across machines
examples.
How do I install a connector on a web server which doesn't
have JRun on it and get wsconfig to connect to a multi-machine
cluster when wsconfig only accepts a single IP address as a host
and the cluster is not listed?
How do I get JRun to bind to a specific network card?
Does this work if I choose a J2EE server other than JRun?
Any help anyone can provide is greatly appreciated. I'm
getting close to giving up which means staying on the non-clustered
environment and figuring out how we can deal with scalability by
switching to something else.

The article at
http://www.adobe.com/go/1e8e9170
is specific to configuring two or more cluster nodes that reside on
separate networks, e.g. 10.0.1.0/24 and 10.0.2.0/24. (The article
doesn't state it, but you can only use unicast peers if your
cluster nodes host a single instance of JRun or multiple instances
of JRun in the same cluster domain. When performing unicast
discovery, JRun looks for all Jini groups and not just the cluster
group.)
Anyhow, that's not your problem. The simplest solution is you
haven't enabled the jrun.servlet.jrpp.JRunProxyService service. I'm
most familiar with the Windows version of JRun, but I'm assuming
the directory structure is similar across platforms. In
<jrun_root>/servers/<name>/SERVER-INF/jrun.xml, set the
deactivated attribute of the jrun.servlet.jrpp.JRunProxyService
service to false and restart JRun. You should now see JRun
listening on the appropriate port. (The default for the first
manually created instance is 51000.) You can limit the proxy
service to a single interface using the interface attribute.
If you have enabled the proxy service, verify your security
settings in <jrun_root>/lib/security.properties. It's usually
best to limit access to specific hosts. Comment out the
jrun.subnet.restriction parameter and set the jrun.trusted.hosts to
the IP address of your web server, e.g. 10.1.0.54.
Forcing all JRun processes/services to listen on a single
interface isn't difficult, but it does require modifying quite a
few configuration files by hand. If you need assistance with that,
I can elaborate.
Configuring the JRun module under Apache is pretty
straightforward. If you're not using virtual hosts, it's very
simple. If you are using virtual hosts, it's still simple, but your
JRun configuration can be virtual host-specific.
On your Apache server, you'll want to create a directory
structure for the JRun module. I'll assume
/opt/jrun/lib/wsconfig/1, but you can use anything you want. Once
the directory structure is created, extract the appropriate JRun
module from wsconfig.jar to the new directory. You're most likely
interested in the Apache 2.0 module,
wsconfig.jar/connectors/apache/intel-linux/prebuilt/mod_jrun20.so.
Let's assume you've extracted the module to
/opt/jrun/lib/wsconfig/1/mod_jrun20.so. Your Apache service account
should have read, write, and execute permissions on the
/opt/jrun/lib/wsconfig/1 directory.
The JRun module configuration is normally appended to your
current httpd.conf file by wsconfig. Here's a sample configuration:
LoadModule jrun_module
"/opt/jrun/lib/wsconfig/1/mod_jrun20.so"
<IfModule mod_jrun20.c>
JRunConfig Verbose false
JRunConfig Apialloc false
JRunConfig Ssl false
JRunConfig Ignoresuffixmap false
JRunConfig Serverstore
"/opt/jrun/lib/wsconfig/1/jrunserver.store"
JRunConfig Bootstrap 10.1.0.70:51000
#JRunConfig Errorurl <optionally redirect to this URL on
errors>
#JRunConfig ProxyRetryInterval 600
#JRunConfig ConnectTimeout 30
#JRunConfig RecvTimeout 30
#JRunConfig SendTimeout 30
AddHandler jrun-handler .jsp .jws .cfm .cfml .cfc .cfr
.cfswf
</IfModule>
You may also want to update your DirectoryIndex directive
with an appropriate index page, e.g. index.cfm.
After the first request to a page handled by the JRun module
is received, the module will query the boostrap server,
10.1.0.70:51000, for a list of cluster peers. If you've configured
your cluster correctly, a line similar to following will be written
to /opt/jrun/lib/wsconfig/1/jrunserver.store:
proxyservers=10.1.0.70:51000;10.1.0.71:51000
You can create/edit this file manually as well.
Unfortunately, the bootstrap option only accepts one server. If
your bootstrap server is down, the JRun module will use the values
in jrunserver.store directly, if the file exists.
Here's a complete list of JRun module options:
metrics *
debugger *
ssl *
verbose
traceflags
serverstore
bootstrap
errorurl
apialloc
ignoresuffixmap
proxyretryinterval
connecttimeout
recvtimeout
sendtimeout
sslcalist
Options flagged with an asterisk can only be configured at
the Apache server level. All other options can be configured at the
server level and/or the virtual host level. The usage of these
options is in the JRun documentation, and the JRun module source
code is included in wsconfig.jar. Keep in mind that versions of the
JRun module shipped prior to ColdFusion 8 were coded to assign the
connecttimeout and sendtimeout options to the socket connection
timeout. Whichever option appeared last in your configuration ended
up as the final value. This has been fixed in ColdFusion 8 and
presumably the next release of the JRun updater.
I think that's a good start. If you need more information or
can't find what you need in the JRun or ColdFusion documentation,
let me know.
If you're looking for resiliency, I highly recommend
expanding your configuration to include a second web server and a
hardware load-balancer (preferably one that supports redudancy via
multiple paths and devices, e.g. devices from Cisco, F5, or Foundry
Networks). Often, however, running Apache on the ColdFusion
server(s) provides adequate performance, and round-robin DNS
records coupled with the ability to update DNS quickly in the event
of a failure may be all you need for load-balancing and
failover.

Load balancing ssl that terminates on servers

Similar Messages

Maybe you are looking for