Multi-Proxy Setup - SNI SSL

Ask questions about your setup or get help installing ZCS server (ZD section below).
User avatar
arkitoure
Posts: 10
Joined: Fri Feb 10, 2017 9:16 am

Multi-Proxy Setup - SNI SSL

Postby arkitoure » Thu Feb 23, 2017 11:10 am

Hi All!

When deploying a multiple proxy setup are all domain level certificates required to be on each proxy server?

So for example if you are to secure via SNI (https://wiki.zimbra.com/wiki/Multiple_S ... ation_(SNI)_for_HTTPS):

    email-00.com
    email-01.com
    email-03.com


Would those SSL certificates and their corresponding private/secondary IP's need be installed separately on each Proxy?


User avatar
arkitoure
Posts: 10
Joined: Fri Feb 10, 2017 9:16 am

Re: Multi-Proxy Setup - SNI SSL

Postby arkitoure » Fri Feb 24, 2017 3:14 pm

I've managed to answer my own question....
Hopefully it holds up in an HA environment. With assistance from Ansible it very well should. Any correction/improvement to this model from the Zimbra world is very much welcomed!


    - Each Proxy (2 proxies are running in my use case) has been configured with all virtual hosts and all related SSL's have been RSYNC'd from the master proxy.
    - An HAproxy loadbalancer is running in front of all Zimbra proxies.
    - Heartbeat detects health of proxy and directs traffic to healthy nodes.
    - On proxy node failure, Ansible (automation is important, choose a good platform!) is alerted and a script/playbook spins up a duplicate configuration as a new slave proxy.
    - The failed node is automatically disabled and the new, automatically provisioned proxy takes its place
    - *The master proxy holds all Virtual/Secondary IP information and replicates to the replacement proxy if the master proxy is the failed node.



Cant wait for version 9 to come out as these SNI issues regarding virtual/secondary IP are supposed to go away. Again Ansible really helps in this situation. You could of course do everything manually but with a tool like Ansible or Salt thats simply being lazy and stupid.

Return to “Installation and Upgrade”

Who is online

Users browsing this forum: No registered users and 6 guests