[lvs-users] ldirectord fails to test HTTPS real servers.

Dennis Jacobfeuerborn dennisml at conversis.de
Wed Dec 4 05:09:25 GMT 2013


On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> Hi guys!
>
> I've posted a bug report regarding ldirectord, can you please review it and
> commit, if possible?
>
> https://github.com/ClusterLabs/resource-agents/issues/361
>
> Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS sites.
> Since LWP 6.0 by default it verifies the correspondence of the SSL
> certificate and the server hostname. In 99.9% of the cases this is the VIP
> hostname and RIP are identified by their internal hostnames or, most common
> - by their IP addresses.
>
> That breaks hostname verification and hence - marks HTTPS backends as
> invalid and kicks them off the pool. This problem did hit me in the
> production when we've upgraded from Debian squeeze to Debian wheezy, which
> brought newer version of LWP.
>
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
>
> Luckily, the fix to the problem is easy:
>
> --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> @@ -2834,7 +2834,7 @@
>          &ld_debug(2, "check_http: url=\"$$r{url}\" "
>                  . "virtualhost=\"$virtualhost\"");
>
> -       my $ua = new LWP::UserAgent();
> +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
>
>          my $h = undef;
>          if ($$v{service} eq "http_proxy") {
>
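
Review bot: the changed `new LWP::UserAgent(...)` line hardcodes `verify_hostname => 0`, so hostname verification is switched off for every HTTPS negotiate check with no way to keep it on. Suggest making this a per-service configuration setting that defaults to verifying, or checking the certificate against the expected name (`$virtualhost` is already in scope in the debug line above) so the health check still confirms the real server presents the intended certificate. The option should also be documented, and since the behaviour with older LWP versions is stated as untested, that case needs a test or a version guard before this is committed.
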
> I haven't verified that with an older version of LWP, but I believe it should
> just ignore unknown parameters to the constructor.

I don't think that's a bug but you have to specify the virtualhost 
parameter to set the Host header for the realservers.

Regards,
   Dennis



