Here is our current infrastructure:
这是我们目前的基础设施:
- 2 web servers behind a shared load balancer
- dns is pointing to the load balancer
- web app is done in asp.net, with wcf services
共享负载均衡器后面的2个Web服务器
dns指向负载均衡器
web应用程序在asp.net中完成,带有wcf服务
My question is how to set up the SSL certificate to support https connection.
我的问题是如何设置SSL证书以支持https连接。
Here are 2 ideas that I have:
以下是我的两个想法:
- SSL certificate terminates at the load balancer. secure/unsecure communication behind the load balancer will be forwarded to 2 different ports.
pro: only need 1 certificate as I scale horizontally
cons: I have to check secure or not secure by checking which port the request is coming from. doesn't quite feel right to me
WCF by design will not work when IIS is binded 2 different ports
(according to this)
- SSL certificate terminates on each of the server?
cons: need to add more certificates to scale horizontally
SSL证书终止于负载均衡器。负载均衡器后面的安全/不安全通信将转发到2个不同的端口。亲:只需要1个证书,因为我横向缩放:我必须通过检查请求来自哪个端口来检查安全性或不安全性。对我来说不太合适当IIS绑定2个不同的端口时,WCF的设计将不起作用(根据这个)
SSL证书终止于每台服务器上?缺点:需要添加更多证书才能水平扩展
thanks
4 个解决方案
#1
4
Definitely terminate SSL at the load balancer!!! Anything behind that should NOT be visible outside. Why wouldn't two ports for secure/insecure work just fine?
绝对在负载均衡器上终止SSL!外面的任何东西都不应该在外面可见。为什么安全/不安全的两个端口不能正常工作?
#2
3
You don't actually need more certificates at all. Because the externally seen FQDN is the same you use the same certificate on each machine.
您根本不需要更多证书。由于外部看到的FQDN相同,因此您在每台计算机上使用相同的证书。
This means that WCF (if you're using it) will work. WCF with the SSL terminating on the external load balancer is painful if you're signing/encrypting at a message level rather than a transport level.
这意味着WCF(如果您正在使用它)将起作用。如果您在消息级别而不是传输级别进行签名/加密,那么在外部负载均衡器上终止SSL的WCF会很痛苦。
#3
1
You don't need two ports, most likely. Just have the SSL virtual server on the load balancer add an HTTP header to the request and check for that. It's what we do with our Zeus ZXTM 5.1.
您最不可能需要两个端口。只需在负载均衡器上安装SSL虚拟服务器,就可以在请求中添加HTTP标头并进行检查。这就是我们用Zeus ZXTM 5.1做的事情。
#4
0
You don't have to get a cert for every site there are such things as wildcard certs. But it would have to be installed on every server. (assuming you are using subdomains, if not then you can reuse the same cert across machines)
您不必为每个站点获取证书,例如通配符证书。但它必须安装在每台服务器上。 (假设您正在使用子域,如果没有,那么您可以跨机器重用相同的证书)
But I would probably put the cert on the load balancer if not just for the sake of easy configuration.
但我可能会将证书放在负载均衡器上,如果不仅仅是为了方便配置。
#1
4
Definitely terminate SSL at the load balancer!!! Anything behind that should NOT be visible outside. Why wouldn't two ports for secure/insecure work just fine?
绝对在负载均衡器上终止SSL!外面的任何东西都不应该在外面可见。为什么安全/不安全的两个端口不能正常工作?
#2
3
You don't actually need more certificates at all. Because the externally seen FQDN is the same you use the same certificate on each machine.
您根本不需要更多证书。由于外部看到的FQDN相同,因此您在每台计算机上使用相同的证书。
This means that WCF (if you're using it) will work. WCF with the SSL terminating on the external load balancer is painful if you're signing/encrypting at a message level rather than a transport level.
这意味着WCF(如果您正在使用它)将起作用。如果您在消息级别而不是传输级别进行签名/加密,那么在外部负载均衡器上终止SSL的WCF会很痛苦。
#3
1
You don't need two ports, most likely. Just have the SSL virtual server on the load balancer add an HTTP header to the request and check for that. It's what we do with our Zeus ZXTM 5.1.
您最不可能需要两个端口。只需在负载均衡器上安装SSL虚拟服务器,就可以在请求中添加HTTP标头并进行检查。这就是我们用Zeus ZXTM 5.1做的事情。
#4
0
You don't have to get a cert for every site there are such things as wildcard certs. But it would have to be installed on every server. (assuming you are using subdomains, if not then you can reuse the same cert across machines)
您不必为每个站点获取证书,例如通配符证书。但它必须安装在每台服务器上。 (假设您正在使用子域,如果没有,那么您可以跨机器重用相同的证书)
But I would probably put the cert on the load balancer if not just for the sake of easy configuration.
但我可能会将证书放在负载均衡器上,如果不仅仅是为了方便配置。