Serving multiple SSL Websites from a limited number of IPs using load balancers?

Ben asked:

We currently host multiple Sitecore sites on a Rackspace cloud server; we have 5 sites, with 5 IPs and 5 SSLs. Because Rackspace will only allow 4 additional IPv4 addresses on a box, we’re at the limit of what we can do. Also, with Sitecore licensing costs being somewhat astronomical, we’re trying to investigate how we can expand our solution without having to purchase another software licence.

Our setup is currently simple:

  • 1 Rackspace cloud Server
    • www.1site1.com x.x.x.1 SSL1
    • www.2site2.com x.x.x.2 SSL2
    • www.3site3.com x.x.x.3 SSL3
    • www.4site4.com x.x.x.4 SSL4
    • www.5site5.com x.x.x.5 SSL5

I’ve been reading this – http://digital.bigfish.co.uk/2012/04/ssl-in-the-rackspace-cloud/ – and I’m now confused over what a load balancer could and couldn’t enable us to achieve. In theory it sounds like a great solution to our problem, but I may not be understanding it all correctly.

If we were to use an SSL Terminating LB, would we be able to have all these sites on the one cloud server, with all their respective SSLs on the LB?

  • HTTPS
    to
  • Rackspace SSL Terminating Load Balancer [SSL1 SSL2 SSL3 SSL4 SSL5]
    to
  • Rackspace Cloud Server [ site1 site2 site3 site4 site5 ]

Or does the Load Balancer expect multiple cloud servers, each with their own SSL, as opposed to separate sites on one box?

Likewise, if we went the other way, having an LB for HTTP and an LB for HTTPS, would they all tie to one external IP and effectively listen on the same port 443 before directing internally?

  • 1.1.1.1 Port 80 HTTP (LB1)
  • 1.1.1.1 Port 443 HTTPS (LB2)
    • Cloud Server Port 443 – www.1site1.com
  • 1.1.1.1 Port 443 HTTPS (LB3)
    • Cloud Server Port 444 – www.2site2.com
  • 1.1.1.1 Port 443 HTTPS (LB4)
    • Cloud Server Port 445 – www.3site3.com
  • 1.1.1.1 Port 443 HTTPS (LB5)
    • Cloud Server Port 446 – www.4site4.com
  • 1.1.1.1 Port 443 HTTPS (LB6)
    • Cloud Server Port 447 – www.5site5.com

Or would we need separate IPs for each – therefore not changing the current (IP-limited) situation at all?

My answer:

Yes, you can use SNI if your load balancer supports it (and your traffic from Windows XP users is minimal), but you really should be accelerating your IPv6 deployment for a long-term solution.


View the full question and answer on Server Fault.
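As an added example (not part of the question or the answer above, and not Rackspace or Sitecore code), the script below shows the mechanism the answer relies on. An SSL-terminating load balancer picks the certificate for a connection by reading the Server Name Indication (SNI) extension, which the client sends in cleartext in its TLS ClientHello before any certificate is presented. That is what lets five certificates sit behind one IPv4 address. The script builds a constructed ClientHello for each of the hostnames from the question, parses the SNI out of it the way a terminating LB would, and selects the certificate; it also builds a ClientHello with no SNI extension, which is what a legacy client such as Internet Explorer on Windows XP sends, to show that such a client can only ever be handed the default certificate and will get a hostname mismatch on the other four sites. The `CERTS` mapping, the `DEFAULT_CERT` choice and the record layout of the constructed ClientHello are assumptions made for the example.

```python
import struct
from typing import Optional, Tuple

# Assumed LB configuration: hostname -> certificate bound on the load balancer.
# Names follow the question; the mapping itself is constructed for this example.
CERTS = {
    "www.1site1.com": "SSL1",
    "www.2site2.com": "SSL2",
    "www.3site3.com": "SSL3",
    "www.4site4.com": "SSL4",
    "www.5site5.com": "SSL5",
}
DEFAULT_CERT = "SSL1"  # assumed: the certificate served when no SNI is present


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input).

    server_name=None mimics a legacy client (e.g. IE on Windows XP) that omits
    the extensions block entirely, and therefore sends no SNI.
    """
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                  # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                          # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry               # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data     # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext                      # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def _need(buf: bytes, pos: int, n: int) -> None:
    """Raise instead of silently misparsing a truncated or malformed record."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello, or None if absent."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip client_version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                           # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all: legacy client

    _need(body, pos, 2)
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    _need(body, pos, ext_total)
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, ext_len)
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == 0:                     # 0 = host_name; other types are reserved
                return name.decode("idna")
    return None


def select_certificate(client_hello: bytes) -> Tuple[Optional[str], str]:
    """What a terminating LB does: map the SNI hostname to a certificate, with a default."""
    sni = extract_sni(client_hello)
    if sni is None:
        return None, DEFAULT_CERT                  # XP-era client: default cert regardless of site
    return sni, CERTS.get(sni.lower(), DEFAULT_CERT)


if __name__ == "__main__":
    for name in list(CERTS) + [None]:
        print(name, "->", select_certificate(build_client_hello(name)))
```

The `None` row is the case the answer's Windows XP caveat refers to: the LB has no hostname to go on, so a visitor to www.4site4.com without SNI is handed SSL1 and sees a certificate name mismatch. Any client that does send SNI is routed to the right certificate on the single shared IP.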

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.