[lug] IP aliasing, https and iptables

Sean Reifschneider jafo at tummy.com
Tue Jun 17 16:22:14 MDT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

karl horlen wrote:
>Is this the way ssl is implemented on servers with multiple vhosts or is
>there some other technique?

This is the typical approach.  You can run one SSL instance on the same IP
you are using for non-SSL, since the SSL usually runs on port 443, so it
can share the IP with the non-SSL sites running on port 80.

you *COULD* run multiple SSL instances on the same IP, if you put them on
different ports.  However, that would lead to needing to use the URL
"https://hostname:444/" and so on, where you explicitly specify the port.
If the site is only referenced from internal URLs that might be fine, but
if you ever expect users to directly access it, using a different IP is
what you want to do.

> My current iptables rules are based on the single ip address presently bound

You probably want to use a rule like:

   iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT

to signal that you will accept SSL on any local IP, rather than listing it
out for every individual IP.

iptables rules are processed linearly for every packet, so every rule you
add adds processing time, in general.  Unless you do particularly clever
things.  But worse, the longer the rule-sets are, the harder it is to
maintain and review them.  We've worked with clients who have had thousands
of rules set up to protect a dozen hosts.  These rules took forever to
change because they were so complex, and it was very time-intensive to
review them for correctness.

For comparison, we have a router handling 50 VLANs and well over 100
machines, running fairly tight rule-sets, which is only 235 lines of output
from "iptables-save".  Most of the systems that our hosting branch manages
have around 20 rules, and they run REALLY tight firewalls.

> Does anybody have an idea of how much overhead if any multiple ips on a

Very little overhead for the aliases, we have some machines running
hundreds of IP aliases (massive web serving machines).  The firewalls are
probably the bigger issue if you let the rule sets get too long.  But even
then, if we're talking SSL, the overhead of crypto is probably higher than
either of these.

Sean
- --
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIWDkWxUhyMYEjVX0RAnoDAJ9I2vwdqur+xLGTyAJera/ifRRCoQCffUEL
HoGnlDoTZzAl3MLz2M9zoL0=
=hSQP
-----END PGP SIGNATURE-----

More information about the LUG mailing list