[lvs-users] ldirectord fails to test HTTPS real servers.

Timur I. Bakeyev timur at com.bat.ru
Wed Dec 4 14:28:03 GMT 2013


Nice you also use it, Malcolm!

But for the inexperienced user it's kind of frustrating when a working
configuration stops working after an upgrade. That's why I'd like this fix
to be in the main source tree :)

I'm afraid that, with the real servers behind the VIP, the validity of the
certificate is almost impossible to verify. Well, unless you trick DNS at
least :)

With best regards,
Timur.



On Wed, Dec 4, 2013 at 11:33 AM, Malcolm Turnbull
<malcolm at loadbalancer.org> wrote:

> We use the same patch at Loadbalancer.org (or something very similar
> anyway). Most of our customers specifically do not want to use a virtual
> host (for a health check) OR care if the SSL cert is valid.
>
>
>
> On 4 December 2013 10:05, Timur I. Bakeyev <timur at com.bat.ru> wrote:
> > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > know how SSL works?
> >
> > Regards,
> > Timur.
> >
> >
> > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <dennisml at conversis.de>
> > wrote:
> >
> >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> >> > Hi guys!
> >> >
> >> > I've posted a bug report regarding ldirectord; can you please review it
> >> > and commit, if possible?
> >> >
> >> > https://github.com/ClusterLabs/resource-agents/issues/361
> >> >
> >> > Ldirectord is using LWP for its negotiate checks for HTTP/HTTPS
> >> > sites. Since LWP 6.0, by default it verifies that the SSL certificate
> >> > matches the server hostname. In 99.9% of cases this is the VIP
> >> > hostname, and the RIPs are identified by their internal hostnames or,
> >> > most commonly, by their IP addresses.
> >> >
> >> > That breaks hostname verification and hence marks HTTPS backends as
> >> > invalid and kicks them off the pool. This problem hit me in
> >> > production when we upgraded from Debian squeeze to Debian wheezy,
> >> > which brought a newer version of LWP.
> >> >
> >> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> >> >
> >> > Luckily, the fix to the problem is easy:
> >> >
> >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> >> > @@ -2834,7 +2834,7 @@
> >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> >> >                  . "virtualhost=\"$virtualhost\"");
> >> >
> >> > -       my $ua = new LWP::UserAgent();
> >> > +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0
> >> });
> >> >
> >> >          my $h = undef;
> >> >          if ($$v{service} eq "http_proxy") {
> >> >
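Review bot: the `ssl_opts => { verify_hostname => 0 }` added on the replaced `my $ua = new LWP::UserAgent(...)` line is a hard-coded constant, so it switches verification off for every HTTPS negotiate check that goes through check_http, including checks against real servers whose certificate does match the name ldirectord is given, and offers the operator no way to turn it back on. Per the LWP::Protocol::https documentation linked above, a false verify_hostname means no checks are made at all, not only the hostname comparison, so an expired, self-signed or untrusted certificate will also pass the health check. Suggest a per-virtual (or per-real-server) ldirectord option that defaults to the pre-LWP-6 behaviour so existing configurations keep working, while letting an operator who wants verification keep `verify_hostname => 1` and supply the expected certificate name (the virtualhost is the natural candidate) instead of relying on the RIP address. Minor: `new LWP::UserAgent(...)` is indirect-object syntax; `LWP::UserAgent->new(...)` is the documented form and avoids the ambiguity the indirect form carries in Perl.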
> >> > I haven't verified that with older versions of LWP, but I believe it
> >> > should just ignore unknown parameters to the constructor.
> >>
> >> I don't think that's a bug, but you have to specify the virtualhost
> >> parameter to set the Host header for the realservers.
> >>
> >> Regards,
> >>    Dennis
> >>
> >>
> >> _______________________________________________
> >> Please read the documentation before posting - it's available at:
> >> http://www.linuxvirtualserver.org/
> >>
> >> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> >> Send requests to lvs-users-request at LinuxVirtualServer.org
> >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >>
>
>
>
> --
> Regards,
>
> Malcolm Turnbull.
>
> Loadbalancer.org Ltd.
> Phone: +44 (0)870 443 8779
> http://www.loadbalancer.org/
>
>
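The script below is added here as an example; it is not ldirectord code and not code posted by anyone in the thread. It shows the two ways of building the LWP::UserAgent that the quoted patch touches: the patch's own setting, which turns certificate verification off, and a verifying setup that still connects to the real server by IP but checks the certificate against the VIP hostname (IO::Socket::SSL's SSL_verifycn_name, with SSL_hostname for SNI and an explicit CA bundle), so the RIP can be checked without DNS tricks. The addresses, names, URL path and CA bundle path are placeholders, and it assumes LWP::Protocol::https 6.x, which passes SSL_* keys given in ssl_opts through to IO::Socket::SSL as its documentation describes.

```perl
#!/usr/bin/perl
# Added example (not ldirectord code): HTTPS health check of a real server
# reached by IP, with the certificate verified against the VIP hostname.
use strict;
use warnings;
use Getopt::Long qw(GetOptions);
use LWP::UserAgent;

# Placeholder defaults (assumptions, not values taken from the thread).
my $rip      = '10.0.0.11';        # RIP: the real server's address
my $vip_name = 'www.example.com';  # name the certificate is issued for
my $path     = '/';                # URL path to fetch on the real server
my $ca_file  = '/etc/ssl/certs/ca-certificates.crt';  # CA bundle on Debian
my $insecure = 0;                  # --insecure reproduces the quoted patch

GetOptions(
    'rip=s'      => \$rip,
    'vip-name=s' => \$vip_name,
    'path=s'     => \$path,
    'ca-file=s'  => \$ca_file,
    'insecure'   => \$insecure,
) or die "usage: $0 [--rip IP] [--vip-name NAME] [--path P] [--ca-file F] [--insecure]\n";

# Build the ssl_opts hash for LWP::UserAgent. verify_hostname is LWP's own
# switch; the SSL_* keys are handed to IO::Socket::SSL unchanged.
sub ssl_opts_for {
    my ($insecure, $vip_name, $ca_file) = @_;
    if ($insecure) {
        # Same setting as the patch in the thread: no certificate checks.
        return { verify_hostname => 0 };
    }
    return {
        verify_hostname   => 1,         # keep chain and name verification on
        SSL_ca_file       => $ca_file,  # trust anchors for the chain
        SSL_verifycn_name => $vip_name, # compare the cert against the VIP
                                        # name, not the IP we connect to
        SSL_hostname      => $vip_name, # send SNI so the RIP picks that cert
    };
}

# Run one check: GET https://<rip><path> with "Host: <vip_name>", which is
# what ldirectord's virtualhost setting provides at the HTTP layer.
# Returns (success flag, status line); a TLS failure shows up as a 500
# response whose status line carries the IO::Socket::SSL error text.
sub check_real_server {
    my ($rip, $vip_name, $path, $ssl_opts) = @_;
    my $ua = LWP::UserAgent->new(
        timeout  => 5,
        ssl_opts => $ssl_opts,
    );
    my $res = $ua->get("https://$rip$path", Host => $vip_name);
    return ($res->is_success, $res->status_line);
}

my ($ok, $status) = check_real_server(
    $rip, $vip_name, $path, ssl_opts_for($insecure, $vip_name, $ca_file));
printf "%s %s%s: %s\n", ($ok ? 'UP  ' : 'DOWN'), $rip, $path, $status;
exit($ok ? 0 : 1);
```

Run it without `--insecure` and the check fails closed when the chain does not validate against the CA bundle or the certificate is not issued for the VIP name, which is the behaviour you want if a real server is ever replaced by something serving a different certificate; run it with `--insecure` to see what the quoted patch hard-codes. The Host header only selects the name-based virtual host on the real server, which is all that ldirectord's virtualhost parameter does; the certificate name check is a separate, TLS-level setting.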

