Load Balancing an SSL site with Apache

This article is a continuation of Simple Load Balancing and uses extensions from Installing an SSL certificate. Ww will build a load balancer using the skeleton from the last article and encrypt all the traffic from the load balancer side. What this means is that all of your webheads have to do is serve content. They'll be passing unencrypted data across the backend network and all data will be encrypted by the load balancer for the customer. Make sure when using this type of setup that you are using a strong firewall via IPtables or some other software firewall.

As for the load balancer itself, I haven't actually put this into production so you may need to change the size from a standard 256M server to a larger configuration to allow for more processing cycles you may need.


So this is really going to be a short article, we are building off of a model that has completed 90% of the work for us already. You will need to have already created the load balancer from Simple Load Balancing and have a working SSL certificate from Installing an SSL certificate. I'll be running this from a 256M CentOS box for testing purposes.

The SSL addition

To pass SSL to your Proxy you only need to add the following lines to the config file. Keep in mind that you will need to change the path to were ever it is that you keep your ssl.crt and ssl.key files. Its almost a little anti-climatic, using this type of setup will keep the load of encrypting your traffic off of your webheads.

        SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key


Final Virtual Host

Here is the final Virtual Host:

        ProxyRequests off
        ServerName domain.com

        <Proxy balancer://mycluster>
                # WebHead1
                # WebHead2

                # Security "technically we aren't blocking
                # anyone but this the place to make those
                # chages
                Require all denied
                # In this example, all requests are denied.

                # Load Balancer Settings
                # We will be configuring a simple Round
                # Robin style load balancer.  This means
                # that all webheads take an equal share of
                # of the load.
                ProxySet lbmethod=byrequests


        # balancer-manager
        # This tool is built into the mod_proxy_balancer
        # module and will allow you to do some simple
        # modifications to the balanced group via a gui
        # web interface.
        <Location /balancer-manager>

                SetHandler balancer-manager

                # I recommend locking this one down to your
                # your office
                Require all granted
                # In this example, all hosts in the example.org domain 
                # are allowed access; all other hosts are denied access. 

        # Point of Balance
        # This setting will allow to explicitly name the
        # the location in the site that we want to be
        # balanced, in this example we will balance "/"
        # or everything in the site.
        ProxyPass /balancer-manager !
        ProxyPass / balancer://mycluster/

        # mod_ssl
        # Here is the information that will allow you to Encrypt your
        # traffic behind the load balancer.  Not a whole big change
        # but it will get you up and running.
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key


Note: The preceding example is formatted for Apache 2.4. If using 2.2, replace Require all denied with Order Deny, Allow | Deny from all and replace Require all granted with Order Deny, Allow | Allow from all.


© 2015 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

See license specifics and DISCLAIMER