HA SSL Setup

[bc2946088]

I have 2 ISPconfig servers that are setup for redundancy behind my firewall.

I've setup my public IPs on the firewall and then specify internal IP's on each server.

Public - NAT
1.1.1.10 - 192.168.10.100 - Server 1
1.1.1.11 - 192.168.10.200 - Server 2

It works great, however when I add an SSL site, it breaks the system.

For instance, I will create a new ssl site on the master. I then assign an internal IP on the master server then setup a public IP to NAT to it.

1.1.1.12 - 192.168.10.101 - Server 1

This works fine but then breaks apache on Server 2. The apache entry is created for 192.168.10.101, which isnt on that server. If I can create 192.168.10.201 on server 2, and edit the apache site, will the site get overwritten? The SSL certificate is a wildcard and it used on both servers, so that shouldn't be a problem.

I will then create a failover group on my firewall to determine which server the user will get sent to.

I just want to make sure that the vhost directive isn't going to get overwritten when I adjust anything on the master. I suppose it's fine, if I edit that particular site, I will just know I need to do manual editing on server 2. If I create a new site entirely, I don't want to have to edit every other site on server 2.

Thanks!

[till]

Sites are only updated when you edit that particular site, not when you create a new one. SSL sites with SNI should work asyou can use * instead of the IP address, but SNI is most likel not what you want.

It is planned to add a IP address translation table in one of the next ispconfig releases to resolve this problem on mirrored setups.

[bc2946088]

That is excellent news. I don't mind adding the site then editing it on the second server. Then any future modifications, I'll edit the virtual hosts directly.

Thanks!