
Earlier we had 1 VM where Apache httpd (load balancer) was running to load balance our UI application, which is deployed on WebLogic managed servers in a cluster with multiple instances. We are able to access the UI with the server A load balancer IP, and in the backend httpd calls the WebLogic managed servers.

Now we are trying to implement a VIP-based approach for high availability of the load balancer service (Apache httpd) running on server A and server B. Currently VIP C resolves to the corresponding VMs, i.e. server A or server B. However, if we hit the VM-related URLs in a browser, it navigates to SSO, i.e. the Siteminder authentication page, but the same is not achieved via the VIP URL, i.e. http://ip-of-c/ . We assume some extra parameter might be needed in the actual VMs' Apache httpd configuration so that the URL http://ip-of-c/ can navigate to the SSO page. Below is the error we get while hitting the VIP URL http://ip-of-c/.

Not Found The requested URL /test was not found on this server.

http://ip-of-c/ - VIP URL (Not working)
http://ip-of-a/ - 1st LB URL (Working)
http://ip-of-b/ - 2nd LB URL (Working)

Tried to change Listen section with VIP on actual vms but no luck.

Nic3500
  • This will work if you use domain name VirtualHost definitions. Show us your VirtualHost configurations (relevant parts). How is the VIP implemented? DNS, layer 4, proxy, ...? – Nic3500 Mar 28 '22 at 12:22
  • VIP -> underlying 2 vms running with keepalived to monitor eth0 network interface to maintain HA of httpd. – Mangesh Sarangi Mar 29 '22 at 09:55
  • DebugConfigInfo On SetHandler weblogic-handler WebLogicHost ip-of-server-a WeblogicPort 61001. However, I have tried with the FQDN of the VIP in one of the httpd configurations, but no luck. – Mangesh Sarangi Mar 29 '22 at 09:59

1 Answer


In /etc/hosts on all servers and clients, or in DNS:

1.1.1.1     ip-of-a             # Server A
2.2.2.2     ip-of-b             # Server B
3.3.3.3     ip-of-c             # VIP
3.3.3.3     www.exemple.com     # OR can be defined in DNS

On Server A:

<VirtualHost *:80>
    ServerName  www.exemple.com
    ServerAlias serverA.domain
    # Logs configuration
    # DocumentRoot
    # DirectoryIndex
    # ... other configurations ...
</VirtualHost>

On Server B:

<VirtualHost *:80>
    ServerName  www.exemple.com
    ServerAlias serverB.domain
    # Logs configuration
    # DocumentRoot
    # DirectoryIndex
    # ... other configurations ...
</VirtualHost>

To access the site via the VIP, use http://www.exemple.com
To access the site only on server A, use http://serverA.domain
To access the site only on server B, use http://serverB.domain

Avoid accessing directly via IP, it breaks the domain name mechanism that Apache uses to select VirtualHost.

This works with static sites. Your Weblogic servers must accept requests with all 3 names for it to respond correctly.

Nic3500
  • Thanks! We created 3 DNS (2 for actual VM IPs and 1 for VIP). It worked with the above approach. I still have more activity to complete, i.e. implementing SSL, i.e. all calls via https. I am able to achieve this: https DNS of VIP -> https DNS of VM1 (i.e. apache httpd with SSL) -> http weblogic managed server cluster. I want to achieve https DNS of VIP -> https DNS of VM1 (i.e. apache httpd with SSL) -> https weblogic managed server cluster. I have implemented https on top of the weblogic managed server and it is working as expected. How do I integrate SSL apache httpd with the SSL weblogic cluster? – Mangesh Sarangi Mar 30 '22 at 19:55
  • The difficulty here will be your certificates. You want to have 1 certificate that is valid for all 3 names. To do this you need to create your CSR with an alias section (Subject Alternative Name (SAN) field), which lists all 3 possible names. This way the single certificate will cover all 3 names. Look at https://4sysops.com/archives/create-a-certificate-request-file-with-alias-support-using-a-powershell-script/. The PowerShell section you might not need for Linux, but it does explain the SAN field correctly. – Nic3500 Mar 31 '22 at 17:12
  • I actually have 3 certificate for 3 DNS. VIP DNS' certificate is used at LB level and rest 2 are being used for corresponding weblogic managed servers running on 2 different servers. – Mangesh Sarangi Mar 31 '22 at 18:59
  • The primary factor to make this work is to ensure that your clients are always presented with a single certificate. If clients always talk to an apache httpd server, the certificates you use for the rest of your infrastructure is of no importance to them. The client's browser always negotiates certificates with Apache httpd. Your internal infra (i.e. communications between Apache and Weblogic for example) are secured via other certificates that the client will never see. – Nic3500 Apr 01 '22 at 02:53
  • https DNS (for VIP) -> https HTTPD (LB) -> https weblogic managed servers cluster for UI -> UI Landing Page -> https DNS (for VIP) -> https Loadbalancer -> https weblogic managed servers cluster for middleware rest services. I am a newbie to this, but if you look at this journey, at no point in time is the client communicating directly with the weblogic managed servers. – Mangesh Sarangi Apr 01 '22 at 07:04
  • If I break the above journey like this: 1. https DNS (for VIP) -> https HTTPD (LB) -> https weblogic managed servers cluster for UI --- Not working from https HTTPD (LB) to https weblogic managed servers but working as expected with https HTTPD (LB) to http weblogic managed servers 2. UI Landing Page -> https DNS (for VIP) -> https Loadbalancer (haproxy) -> https weblogic managed servers cluster for middleware rest services --- Successfully working as expected In addition to above points, at no point of time, client(browser) is any DNS except https DNS (for VIP). – Mangesh Sarangi Apr 01 '22 at 07:12
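
For the single-certificate SAN approach described in the comments above, on Linux: an added example (not code from the thread or from the linked article) that uses openssl to build one CSR covering the three names from the answer and then reports any expected name missing from it. The `NAMES` variable, the function names, the file names and the 2048-bit RSA key are assumptions.

```shell
# Added example: one key and one CSR whose SAN lists every name clients may use.
# Host names are the ones used in the answer; file names and key size are assumptions.
# usage: mkdir out && make_san_csr out && missing_san_names out/lb.csr
set -eu

NAMES="www.exemple.com serverA.domain serverB.domain"   # VIP name first (becomes the CN)

make_san_csr() {   # $1 = existing output directory; writes csr.cnf, lb.key, lb.csr
  dir=$1
  cn=${NAMES%% *}
  i=1
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
    for name in $NAMES; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$dir/csr.cnf"
  # Subshell so the restrictive umask (private key readable by owner only) does not leak out.
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/lb.key" -out "$dir/lb.csr" -config "$dir/csr.cnf" 2>/dev/null )
}

missing_san_names() {   # $1 = CSR file; prints each expected name absent from its SAN
  # Split the "DNS:a, DNS:b" line into exact names so a longer look-alike cannot match.
  sans=$(openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' ')
  for name in $NAMES; do
    case " $sans " in
      *" $name "*) ;;
      *) echo "$name" ;;
    esac
  done
}
```

Empty output from `missing_san_names` means the CSR requests all three names; run the same check against the issued certificate with `openssl x509 -in <cert> -noout -text`, since a CA can drop requested SAN entries.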