Enable SSL

[kidkl]

Would it be possible to enable ssl (even with a self signed cert) on the forum? So that when we login we aren't transmitting user names/password in plain text?

[J]

Short answer: Maybe. Let me think about it.

Long answer: There are some considerations to take with the load balancing setup, and how SSL sessions are to failover gracefully. There are additional considerations with ip address allocation in the rack. Finally, if we do set it up and don't go to a full signed SSL, it will be a manual process for you to navigate to https. We don't want to scare away novice Internet users with the scary browser warning messages.

I'll get back to you shortly, after I can plan and discuss with foxtrot.

[J]

Ok, we have some tentative plans here. But there are some things we want to get done as prerequisites.

We have been wanting/planning an upgrade to the newest version of vBulletin. The way things are setup in the mirrored pair, we need to make a few modifications to the vBulletin software to make it run exactly how we want with SSL. Upgrading before the SSL implementation will eliminate the need to do the work twice.

We are also going to do a UCC certificate such that we do not have the IP address constraints.

Of course, both of these things take time and cost money. So they will come along when we have the time and the funds to get them in (or when the donation system is setup by foxtrot and donations can cover some of the cost). But yes, your suggestion is on the list of things to be done.

[cfortune]

What type of load balancing setup is this site on? In my experience terminating the certificate at the load balancer should cover all the hosts in that load balance group. If it's load balanced between locations, just simply install the cert in both location's load balancer.

[J]

What type of load balancing setup is this site on? In my experience terminating the certificate at the load balancer should cover all the hosts in that load balance group. If it's load balanced between locations, just simply install the cert in both location's load balancer.

ATM its DNS RR. I have a load-balancer at the location that I donate... but not at the location foxtrot donates. So we cant do loadbalancers at both locations, so we are just DNS RR.

vBulletin, in some simple testing, keeps session info very difficult to replicate when the phpsessid is secure. Just won't replicate. So OK while you stay on same server, not so much if you roam. Additionally, it doesn't like switching the cookie back and forth secure to non. So we have to deal with the additional load of all requests/posts/gets being SSL or get a unified session.

Like I said before... maybe someday we can have the cash to do a pair of F5 load balancers at multiple locations, until then, we are stuck with what we got.

[ray1970]

I have a really big hammer if that helps any.


(seriously, you guys might as well be speaking Greek.)

[cstone]

I have a really big hammer if that helps any.


(seriously, you guys might as well be speaking Greek.)

I heard they don't have any money to do anything either.

[kidkl]

It's my understanding that you can install memcached and configure vbulletin to store session information in that. I am also assuming that you are running a master-slave mysql configuration and not master-master. So you can also setup replication for memcache to transfer the cache over to your backup memcache instance on your mysql server. I personally have very little experience with memcache but I believe you can also create a pool configuration that is active-active.

As far as the load-balancer is concerned, I assume that you would be using SNAT on the F5 to load-balance between the servers at the different locations? If that's the case you can use a pound/haproxy configuration to terminate the ssl connection and then talk to the real servers via http. This configuration could be done on the same server as the webserver if need be.

If you don't want to install extra software, you can also use apaches mod_proxy balancer to load-balancing, or hot standbys. It will do the x-forwarded-for header as well as cookie injection for persistence.

[J]

I imagine you can use mencached. I've used it heavily on very large Magento ecommerce stores in tandem with APC. Haven't looked at integrating it with vbulletin.

We won't have a pair of F5s any time soon, so discussing layout there is kind of pointless. One of the servers is leased, so we can't just throw hardware into the rack like we can the second.

MySQL is setup master-master. Has to be for load balancing. Master-slave would only work for failover, and then carries a slower recovery time back to primary (no hot sync). PHP sessions are stored in the DB and cookie, so not much problem there. The only
Potential concern is the SSL session. F5s have the ability to replicate SSL sessions as well, but currently we can't. With newer browsers, it shouldn't be a large concern. They should renegotiate the SSL session on their own, though there will be some slight delay (timeout wait) after a failover occurs for users. Old browsers will error, an the refresh button will have to be pushed.

[brutal]

I like persistent cookie injections, but I'm already 25lbs over my fighting weight.