
Multilink multihoming: What is the best approach?

We're virtually hosting around 50 domains on our Mac Pro Server. Currently, we have a single machine with one public IP address. We're using DigiCert's UC (SAN) certificate. We need to implement another valid SSL UC certificate for one of our clients. In a nutshell, we need to host multiple IP addresses with multilink multihoming.


First things first, we need another public IP, recursion from our ISP and properly configured DNS. Our server has worked like a charm for over a year now, so I really don't like the idea that something can/will go wrong. I'd like to make a good plan and a prioritized to-do list to manage this task effectively.


I'll do my best to avoid making silly mistakes, so can someone please advise me on the best approach to implementing multihoming on Mac OS X Server?

Posted on Apr 22, 2011 5:14 AM

2 replies

Apr 22, 2011 8:13 AM in response to Ravenous Bugblatter

Why the second IP?


If you're looking to add a Subject Alternative Name (SAN) certificate that's not tied to your base SAN certificate, then generate and add a new SAN certificate for the base box host name and for the new domain, and select and use it just on that Apache virtual host (Site).


If you're also planning to use two IP addresses and two links for (for instance) uptime or bandwidth, then you'll probably want an external gateway box that supports multiple parallel IP links and failover, and to configure the public DNS servers for round-robin DNS for the IPs for each of the links, or configure a pair of gateway boxes that can cooperate if you're concerned about a gateway failure. DNS translations would have a moderate TTL setting, configured for whatever window you want to have for performing a DNS-based failover.
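The first option above (a separate certificate selected on just the client's Apache virtual host) has two practical pieces: a CSR that carries the client's names in the subjectAltName extension, which is what gets submitted to the CA, and the mod_ssl stanza that binds the issued certificate to that one site. The script below is an added example written for this thread; it is not from the original post, from Apple's documentation or from DigiCert. The host names, the second public IP (203.0.113.11, a TEST-NET address) and the /etc/certificates and DocumentRoot paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: provision a client's own certificate on a hosted site.
# 1) key + CSR with the client's names in subjectAltName (sent to the CA)
# 2) the Apache stanza that uses that certificate for one virtual host only
# All names, addresses and paths below are assumptions, not real systems.

CLIENT_HOST="www.example-client.com"   # assumed: client's primary name
CLIENT_ALT="example-client.com"        # assumed: bare domain also covered
CLIENT_IP="203.0.113.11"               # assumed: second public IP (TEST-NET-3)

# Write an OpenSSL request config that puts the client's names into the
# SAN extension of the CSR (CAs validate the SAN names, not just the CN).
write_req_config() {
  cfg="$1"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san

[dn]
CN = $CLIENT_HOST
O = Example Client Ltd

[san]
subjectAltName = DNS:$CLIENT_HOST, DNS:$CLIENT_ALT
EOF
}

# Generate the client's private key and CSR in the given directory and
# print the CSR path. The key never leaves this box; only the CSR goes out.
make_csr() {
  dir="$1"
  write_req_config "$dir/client.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" \
    -config "$dir/client.cnf" 2>/dev/null
  echo "$dir/client.csr"
}

# Print the DNS names the CSR requests, one per line, so they can be
# checked against the client's WHOIS-verified domains before submission.
csr_san_names() {
  openssl req -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

# Emit the mod_ssl stanza for the client: an IP-based SSL virtual host on
# the second address, pointing at the client's certificate rather than the
# server's base SAN certificate. Apache must also Listen on that IP:443.
client_vhost() {
  cat <<EOF
<VirtualHost $CLIENT_IP:443>
    ServerName $CLIENT_HOST
    ServerAlias $CLIENT_ALT
    DocumentRoot /Library/WebServer/Documents/$CLIENT_HOST
    SSLEngine on
    SSLCertificateFile      /etc/certificates/$CLIENT_HOST.crt
    SSLCertificateKeyFile   /etc/certificates/$CLIENT_HOST.key
    SSLCertificateChainFile /etc/certificates/$CLIENT_HOST.chain.pem
</VirtualHost>
EOF
}
```

Run `make_csr` into a scratch directory, confirm `csr_san_names` lists exactly the client's domains, send the CSR to the CA, install the issued certificate and chain at the paths in `client_vhost`, and run `apachectl configtest` before restarting. One caveat on the premise that a second IP is required: Apache 2.2.12 and later, built against an SNI-capable OpenSSL, can select a certificate per name-based virtual host on a single IP, so the stanza could be `<VirtualHost *:443>` on the existing address; the cost is that clients without SNI (for example Internet Explorer on Windows XP) would be shown the default virtual host's certificate instead, which is why a dedicated IP for the client's site remains the conservative choice.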

Apr 22, 2011 10:11 AM in response to MrHoffman

Thank you for your quick response.


We already have a working SAN certificate for our own domains. Indeed, I can easily add our virtual hosts (up to 150 DNS names) into the base certificate's Subject Alternative Name extension. But a certificate authority needs to verify that the entity or organization owns all the domains in the certificate. Basically, the WHOIS records for the domains in the SAN extensions must match the legal name or address of that entity/organization. Of course, the owner of those domains must be an existing entity or organization and the CA needs to verify the legal name and the address as well.


So, my company provides hosting services for our clients. If one of my clients needs a verified, valid certificate (for example for securing web traffic for e-commerce), I can't simply add that client's domain to my existing certificate's SAN extension, because that domain is owned by the client, not by my company. Therefore I need a separate IP address for every separate 'domain owner' who wants a verified certificate, because the SSL protocol is bound to static IP addresses, while a certificate is bound to domain names.


I'm sorry MrHoffman, I'm pretty sure you already know all this, I just want to explain a little about certificates for others. Anyway, back to the subject, what do you think about multihoming on Mac OS X Server? Especially from DNS and Apache perspective?
