This section contains information about the following topics:
Multi-homing is the ability to read from multiple origin Web servers over the same IP address and IP port.
Within a large company or corporation, IP addresses (for example, 10.1.1.1) are valued resources that are carefully managed. Opening additional ports can be time-consuming and political because of firewall and security issues.
For example, imagine using iChain to accelerate 100 back-end origin Web servers. Each of these Web servers has its own IP address. In order to grant access to these Web servers through iChain without multi-homing, a DNS server must map each Web server name to a separate IP address that iChain is listening on. A simple mapping would mean that 100 IP addresses would be needed by iChain to map to 100 backend Web servers.
With multi-homing, it is possible for iChain to provide access to all 100 back-end origin Web servers through one IP address and port. Most installations, however, will organize the origin Web servers into a handful of groups where each group is a group of multi-homing accelerators listening on one IP address.
There are four ways that iChain can multi-home origin Web servers on a single IP address and port. Before these features are explained, some terms must be defined:
Host name: In the URL http://www.novell.com/products/iChain, the host name is www.novell.com. The host name is used to name a Web server.
DNS name: A DNS name is a host name that has been mapped to an IP address using a DNS server or DNS mapping table. A browser may use the hosts file on the local drive as a DNS mapping table.
Cookie Domain: The cookie domain represents a group of host names that have in common two or more of the right-end pieces of the host name. For example, novell.com is a cookie domain for both www.novell.com and download.novell.com.
Origin Web Server: The origin Web server is a Web server that iChain accelerates through defining a Web Server Accelerator. A browser does not have direct access to an origin Web server and must obtain data from the Web server through iChain. The host name of an origin Web server might be different than the DNS name used by the browser. In fact, most iChain installations have a different DNS name than the host name of the origin Web server.
A multi-homing Web server is a Web server that listens on a single IP address and directs incoming requests to multiple logical Web servers running on the same machine. This is an easy way of having multiple alias names representing one host name. At the Web Server Accelerator page, you should select the Use Host Name Sent by Browser (Multi-homing Web Server) option. If a request is made on the accelerator IP address and port, the host name sent by the browser is not checked against the DNS name of the accelerator.
Host-based multi-homing is not one of the standard multi-homing options for an accelerator. Host-based multi-homing is a way to listen for requests to a number of different host names on a single IP address and port. For example, www.a.com, www.b.com, and www.c.com can have the same DNS table entry of 100.1.1.1. There would be three accelerators defined, where each of the accelerators reads from three origin Web servers. See the table below:
If either authentication is enabled or Secure Exchange is enabled for two or more of the above accelerators, you must specify a unique SSL listening port. When authentication or Secure Exchange is enabled, an SSL listening port is issued to the accelerator. Two or more accelerators cannot listen on the same SSL port unless multi-homing is enabled. This is because a certificate must be used to establish an SSL connection. The certificate has the host name or a wildcard host name (*.novell.com). A single certificate cannot be served to secure both www.a.com and www.b.com. Usually each accelerator has its own unique SSL listening port for an IP address. See the table below.
Domain-based multi-homing is selectable when Enable Multi-Homing is checked. To be more specific, this feature could be named Cookie-Domain-Based Multi-Homing because all of the DNS names for the accelerators in the multi-homing have the same cookie domain (see acme.com in the table below).
There must be a master accelerator already defined. A master accelerator is not part of a host-based multi-homing group and is not a child of a multi-homing group. The master defines the cookie domain, accelerator IP address, accelerator proxy port, SSL listening port, and certificate.
The same SSL port can be used for a group of domain-based accelerators if the SSL certificate supports wild card host names. In the table above, the SSL certificate would be *.acme.com.
NOTE:There are some browser versions that give a warning that the host name doesn't match the certificate name when a wildcard certificate is used. If the AUTO certificate is used, iChain creates a wildcard certificate using the cookie domain value.
Path-based multi-homing is available when you select Enable Multi-Homing. Path-based multi-homing could be considered the most secure option because an SSL certificate containing a host name is used. The belief exists that wildcard certificates are less secure than a certificate with just a host name. All accelerators that participate in a path-based group have the same DNS name. All children must have a unique starting path.
NOTE:JavaScript* might obscure the URL data that iChain needs to access and modify in order to direct requests to backend servers. Because an absolute path reference can occur anywhere in JavaScript, the iChain word parse does not know how to assemble or parse through JavaScript.
We recommend that you do not use JavaScript applications with the iChain path-based multi-homing services. All other types of iChain accelerators should function correctly.
The same rules apply as they do for a domain-based multi-homing master: There must be a master accelerator already defined. A master accelerator is not part of a host-based multi-homing group and is not a child or a multi-homing group. The master defines the cookie domain, accelerator IP address, accelerator proxy port, SSL listening port, and certificate.
There are two types of options for a path-based multi-homing child. The next two tables outline the URL requested from the browser and the URL that will be submitted to the origin Web server.
|
URL from browser |
URL to Web server |
|
http://a.acme.com/Bstuff/index.html |
http://b.internal.com/index.html |
This first example is the most common use of path-based multi-homing. A base path tells iChain that a specific accelerator is to be used to service the request. The base path is stripped when requesting the page from the Web server. Within the HTML pages that come from the Web server, all absolute and some relative references are rewritten by iChain so that the sub-path is present. For example, a reference in the HTML page might have href=/index.html. The rewriter rewrites this reference as href=/Bstuff/index.html so that the browser sets the correct GET request and iChain maps the request to the correct accelerator.
iChain can easily locate absolute path references because only the data coming from a path-based multi-homed accelerator is considered for this kind of rewriting. The word parser in iChain then locates all of the valid URL tags (href, src, action, etc.) and adds the subpath if the reference is an absolute-path reference. Absolute-path references that are outside of these tags are not considered for rewriting because there are too many variations of what the sub-path information could be.
|
URL from browser |
URL to web server |
|
http://a.acme.com/Bstuff/index.html |
http://b.internal.com/Bstuff/index.html |
This second example expects the sub-path match string to be present as a valid path on the origin Web server. The rewriter doesn't need to update the absolute references as it did in the previous table.
The information in the following example uses the Multi-homing Options dialog box.
The ZXY Company wants to accelerate its support and sales Web sites as a single external Web site.
The administrators sets up two accelerators for www.zxy.org on the same IP address and port number, and configures them with path-based multi-homing rules.
One accelerator has a rule for paths that start with /sales, the other has a rule for paths that start with /support.
Customers can now access the single www.zxy.org Web site and have all requests starting with www.zxy.org/sales be directed to the sales Web server farm, and all requests starting with xxx.zxy.org/support be directed to the support Web server farm.
The ZXY Company can decide whether a URL such as www.zxy.org/sales/newproducts.html gets sent to the Web server with sales included in the path (www.zxy.org/sales/newproducts.html) or without sales included in the path (www.zxy.org/newproducts.html) by using the check box Remove Sub-Path from URL option.