<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div><div>In the previous proposal, you would have your DNS refer to the IP address of the virtual server on the load balancer, such that DNS reflects the proper hostname of the SSL certificate in question.</div><div><br></div><div>Your Load Balancer would be configured with a Virtual Server that terminates SSL for you, and passes traffic to your backend varnish cluster, and varnish passes the traffic to your back end web servers.</div><div><br></div><div>To take it a step further I might recommend:</div><div><br></div><div>client -> DNS -> Public IP for the hostname on the Load Balancer (Virtual Server) -> Varnish Cluster -> An internal IP (RFC 1918) on the Load Balancer (Virtual Server) -> Web Server Cluster </div><div><br></div><div>That will ensure:</div><div><br></div><div>1. Valid termination of your SSL traffic and none of the client errors you are concerned about.</div><div><br></div><div>2. n+1 management for your varnish cluster</div><div><br></div><div>3. n+1 management for your web server cluster</div><div><br></div><div>Your IP will not need to change, you just want it to move to the load balancer, and you can then use whatever you want (preferably internal IPs) for the rest of the hosts.</div><div><br></div><div>Joshua </div><div><br></div><br><div><div>On May 4, 2013, at 12:59 PM, Your Friend wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: verdana, helvetica, sans-serif; font-size: 10pt; position: static; z-index: auto; "><div>
<div><span>Hi,<br></span></div><div style="color: rgb(0, 0, 0); font-size: 13.33px; font-family: 'Verdana'; background-color: transparent; font-style: normal"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 13.33px; background-color: transparent; font-style: normal; font-family: 'Verdana'"><span>Please correct me if I'm wrong, but I think that your ssl certificate is issued for a specific ip && domain. Pointing your domain to the loadbalancer (new, different ip) may cause problems for you and demand that you reissue your ssl certificate to make it work.<br></span></div><div style="color: rgb(0, 0, 0); font-size: 13.33px; background-color: transparent; font-style: normal; font-family: 'Verdana'"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 13.33px; background-color: transparent; font-style: normal; font-family: 'Verdana'"><span>Thanks, Ali</span></div><br></div> <div style="font-size: 10pt; font-family: 'verdana', 'helvetica', sans-serif"> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', 'times', serif"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> Ashish <<a href="mailto:aashisn@hotmail.com">aashisn@hotmail.com</a>><br> <b><span style="font-weight: bold;">To:</span></b> <a href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a> <br> <b><span style="font-weight: bold;">Sent:</span></b> Sunday, 14 April 2013 12:46<br> <b><span style="font-weight: bold;">Subject:</span></b> varnish ssl<br> </font> </div> <div class="y_msg_container"><br>I am setting up varnish as caching+entry point for public traffic.<br><br>Public => varnish(x2) => loadbalancer => Web servers (x4)<br><br>We have around 15 domains with ssl support on login/payment pages.<br><br>I am not quite getting done here.<br><br>1) I could point all domains to varnish IP
and it could route <br>accordingly, but don't think I can make ssl work out to be sent st. to <br>loadbalancer and then webserver<br> Question: Does ssl request get untouched and sent directly to end <br>server?<br>2) Can I somehow configure varnish to be stand alone, but point dns to <br>loadbalancer IPs and somehow still manage to get varnish to serve cached <br>objects?<br><br>Please guide me<br><br>_______________________________________________<br>varnish-misc mailing list<br><a ymailto="mailto:varnish-misc@varnish-cache.org" href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a><br><a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a><br><br><br></div> </div> </div> </div></div></blockquote></div><br></body></html>