[lvs-users] ldirectord fails to test HTTPS real servers.

Darren Mansell darren.mansell at gmail.com
Wed Dec 4 13:21:14 GMT 2013


I just always use an external check for HTTP(S) these days anyway. Much
more flexibility that way.


On 4 December 2013 11:48, Filipe Cifali <cifali.filipe at gmail.com> wrote:

> For me to make this work on my setup I had to install some Perl Modules, if
> you use Ldirectord -d to debug you will see a internal error on messages
> checking SSL
>
> My config that works now:
>
> virtual = <IP>:443
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         persistent = 3600
>
>         scheduler = wrr
>
>         service = https
>
> checktype = negotiate
>
> checkport = 443
>
> request = "server.php"
>
> receive = "ok"
>
> virtualhost = "<ssl-domain>"
>
>
> The modules I have installed (dunno which worked)
>
>
> Crypt-SSLeay-0.64-Pc0dMJ
>
> IO-Socket-SSL-1.953-c7ub4t
>
> Net-SSLeay-1.55-8NXQ3I
>
>
> Installed all via cpan.
>
>
> The thing is to always check the debug from ldirectord -d -c <config-file>
> cause it tells you what's failing
>
>
> On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> <malcolm at loadbalancer.org>wrote:
>
> > We use the same patch at Loadbalancer.org (or something very similar
> > anyway). Most of our customers specifically do not want use a virtual
> > host (for a health check) OR care if the SSL cert is valid.
> >
> >
> >
> > On 4 December 2013 10:05, Timur I. Bakeyev <timur at com.bat.ru> wrote:
> > > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > know,
> > > how SSL is working?
> > >
> > > Regards,
> > > Timur.
> > >
> > >
> > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <
> > dennisml at conversis.de
> > >> wrote:
> > >
> > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > >> > Hi guys!
> > >> >
> > >> > I've posted bug report regarding ldirectord, can you please review
> it
> > and
> > >> > commit, if possible?
> > >> >
> > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > >> >
> > >> > Ldirectord is using LWP for it's negotiate checks for the HTTP/HTTPS
> > >> sites.
> > >> > Since LWP 6.0 by default it verifies the correspondence of the SSL
> > >> > certificate and the server hostname. In 99.9% of the cases this is
> the
> > >> VIP
> > >> > hostname and RIP are identified by their internal hostnames or, most
> > >> common
> > >> > - by their IP addresses.
> > >> >
> > >> > That breaks hostname verification and hence - marks HTTPS backends
> as
> > >> > invalid and kicks them off the pool. This problem did hit me in the
> > >> > production when we've upgraded from Debian squeeze to Debian wheezy,
> > >> which
> > >> > brought newer version of LWP.
> > >> >
> > >> >
> > >>
> >
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > >> >
> > >> > Luckily, the fix to the problem is easy:
> > >> >
> > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > >> > @@ -2834,7 +2834,7 @@
> > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > >> >                  . "virtualhost=\"$virtualhost\"");
> > >> >
> > >> > -       my $ua = new LWP::UserAgent();
> > >> > +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname
> => 0
> > >> });
> > >> >
> > >> >          my $h = undef;
> > >> >          if ($$v{service} eq "http_proxy") {
> > >> >
> > >> > I haven't verified that with older version of LWP, but I believe it
> > >> should
> > >> > just ignore unknown parameters to the constructor.
> > >>
> > >> I don't think that's a bug but you have to specify the virtualhost
> > >> parameter to set the Host header for the realservers.
> > >>
> > >> Regards,
> > >>    Dennis
> > >>
> > >>
> > >> _______________________________________________
> > >> Please read the documentation before posting - it's available at:
> > >> http://www.linuxvirtualserver.org/
> > >>
> > >> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > >> Send requests to lvs-users-request at LinuxVirtualServer.org
> > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >>
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > > Send requests to lvs-users-request at LinuxVirtualServer.org
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
> >
> >
> > --
> > Regards,
> >
> > Malcolm Turnbull.
> >
> > Loadbalancer.org Ltd.
> > Phone: +44 (0)870 443 8779
> > http://www.loadbalancer.org/
> >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > Send requests to lvs-users-request at LinuxVirtualServer.org
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
>
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>


More information about the lvs-users mailing list