Score:1

Google Cloud Load Balancer + Instance Group + SSL Certificates


My project consists of a main website where users can register an account. After registering, they each get a website (a subdomain of my own domain) where they have an e-commerce shop managed by a platform hosted on my main site (the one they registered with), like this:

example1.com -> main website (login, register etc)
example1.com/platform -> management platform
store1.example1.com -> User 1's store
store2.example1.com -> User 2's store

And in terms of hardware, right now my setup is this: 1 VM instance in GCP with Apache and a couple of virtual hosts set up with some wildcards that can map the requested domain to the appropriate folder.
I also generated a wildcard certificate on my main domain, protecting all my customers' stores with SSL.

Now, I wanted to prevent server overload over time, so I thought having a load balancer connected to an instance group of machines replicated from the one explained above would solve my problem. In theory it works, but I have a problem:

Each user has the power to buy a domain name of their own and point it at my IP (LB or VM) so that their store would look something like this:

store1.com -> User 1's store
store2.com -> User 2's store

And, if they wanted, they could "buy" an SSL certificate on my platform to protect their domain name. I can easily handle creation of SSL certificates on the fly through APIs, certbot and Let's Encrypt, but since my VMs would be running in an instance group, any certificate file that I save on the currently working VM would not be replicated to the others (if any) and could even be lost when the instance group decided it no longer needed that VM. How could I arrange everything (LB, instance group, VM and/or Apache) so that the load balancer would send traffic to multiple VMs in my instance group but they could "share" in some way the certificates folder or even the whole disk?

BTW, persistent disks on VMs can only be mounted to multiple VMs in read-only mode (not gonna work), and I also tried Filestore but it costs 200 per month and that's a bit much just for this.

John Hanley
Setting up the SSL certificate on each VM will not help you. The SSL certificate and custom domain must be set up at the load balancer. You will need to write code to create a custom domain and also request a quota increase for SSL certificates, as the default is around 10 certificates.
Score:1

As @JohnHanley pointed out:

Manage the certificates in the LB setup and remove certbot from the web server. There will be some overhead with Google domain verification, but it is definitely worth a try.

Regarding LB configuration and certificates:

  • you can't change a configured certificate on an LB
  • but you can add a new certificate (e.g. with an additional hostname) to an existing LB and later remove the older certificate setup

There are some Terraform modules around that could support you, but of course this would create some learning and management effort as well.
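The add-then-remove rotation described in the two bullets above, written out as an added example (not part of the original answer, and not a Terraform module): a Google-managed certificate is created for a customer's hostname, attached to the target HTTPS proxy alongside the certificates already serving, and only after it reports ACTIVE is the retired certificate detached and deleted. The proxy name, certificate names and domain are placeholders; `GCLOUD` can be overridden (for example `GCLOUD=echo`) to print the commands instead of running them. A managed certificate only finishes provisioning once the customer's DNS already points the hostname at the load balancer's IP, which is the domain-verification overhead the answer mentions.

```shell
#!/usr/bin/env sh
# Added example: rotate certificates on an external HTTPS load balancer by
# adding the new certificate first and removing the old one afterwards.
# All resource names below are placeholders, not values from the question.
GCLOUD="${GCLOUD:-gcloud}"

# Build the comma-separated --ssl-certificates value: every certificate the
# proxy already serves plus the new one, with duplicates removed.
merge_certs() {
  # $1 = current list "a,b"   $2 = certificate name to add
  printf '%s\n%s\n' "$(printf '%s' "$1" | tr ',' '\n')" "$2" \
    | awk 'NF && !seen[$0]++' | paste -sd, -
}

# Remove one certificate name from a comma-separated list.
drop_cert() {
  # $1 = current list "a,b,c"   $2 = certificate name to drop
  printf '%s' "$1" | tr ',' '\n' | awk -v x="$2" 'NF && $0 != x' | paste -sd, -
}

# Create a Google-managed certificate for one customer hostname.
create_managed_cert() {
  name="$1"; domain="$2"
  $GCLOUD compute ssl-certificates create "$name" --domains="$domain" --global
}

# Attach a new certificate next to the existing ones; the configured set is
# replaced as a whole, so the current list must be passed in, never just the
# new name, or the other hostnames stop being served.
attach_cert() {
  proxy="$1"; current="$2"; new="$3"
  $GCLOUD compute target-https-proxies update "$proxy" \
    --ssl-certificates="$(merge_certs "$current" "$new")" --global
}

# Poll until the managed certificate reports ACTIVE. Provisioning stalls in
# PROVISIONING/FAILED_NOT_VISIBLE while the customer's DNS still points elsewhere.
wait_active() {
  name="$1"
  while [ "$($GCLOUD compute ssl-certificates describe "$name" --global \
             --format='value(managed.status)')" != "ACTIVE" ]; do
    sleep 30
  done
}

# Detach and delete a retired certificate once its replacement is ACTIVE.
retire_cert() {
  proxy="$1"; current="$2"; old="$3"
  $GCLOUD compute target-https-proxies update "$proxy" \
    --ssl-certificates="$(drop_cert "$current" "$old")" --global
  $GCLOUD compute ssl-certificates delete "$old" --global --quiet
}

# Full onboarding of one custom domain (placeholder names throughout).
onboard_custom_domain() {
  proxy="$1"; current="$2"; cert="$3"; domain="$4"
  create_managed_cert "$cert" "$domain"
  attach_cert "$proxy" "$current" "$cert"   # attach first: provisioning needs the LB
  wait_active "$cert"
}

# Example run against placeholder resources (use GCLOUD=echo to dry-run):
#   onboard_custom_domain shop-https-proxy "wildcard-example1-com" "store1-com" "store1.com"
#   retire_cert shop-https-proxy "wildcard-example1-com,store1-com" "wildcard-example1-com"
```

The per-proxy certificate limit is the reason the comment above advises a quota increase: each custom domain consumes one entry in the proxy's certificate list, so `merge_certs` output length is worth checking before the update call in production.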
