[lvs-users] ldirectord fails to test HTTPS real servers.

Timur I. Bakeyev timur at com.bat.ru
Wed Dec 4 14:43:36 GMT 2013


Not sure, how all that mix of SSL modules would work together, but if
Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks effectively were
disabled:

NET::HTTPS states in the code:

        if ($cnf->{SSL_verifycn_scheme}) {
            $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either
install IO::Socket::SSL or turn off verification by setting the
PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
            return undef;
        }

In any case, you should verify which version of LWP you are using, as host
check verification occurred there in 6.x only.

With regards,
Timur.


On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe at gmail.com>wrote:

> For me to make this work on my setup I had to install some Perl Modules, if
> you use Ldirectord -d to debug you will see a internal error on messages
> checking SSL
>
> My config that works now:
>
> virtual = <IP>:443
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         real = <IP>:443 gate 10
>
>         persistent = 3600
>
>         scheduler = wrr
>
>         service = https
>
> checktype = negotiate
>
> checkport = 443
>
> request = "server.php"
>
> receive = "ok"
>
> virtualhost = "<ssl-domain>"
>
>
> The modules I have installed (dunno which worked)
>
>
> Crypt-SSLeay-0.64-Pc0dMJ
>
> IO-Socket-SSL-1.953-c7ub4t
>
> Net-SSLeay-1.55-8NXQ3I
>
>
> Installed all via cpan.
>
>
> The thing is to always check the debug from ldirectord -d -c <config-file>
> cause it tells you what's failing
>
>
> On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> <malcolm at loadbalancer.org>wrote:
>
> > We use the same patch at Loadbalancer.org (or something very similar
> > anyway). Most of our customers specifically do not want use a virtual
> > host (for a health check) OR care if the SSL cert is valid.
> >
> >
> >
> > On 4 December 2013 10:05, Timur I. Bakeyev <timur at com.bat.ru> wrote:
> > > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > know,
> > > how SSL is working?
> > >
> > > Regards,
> > > Timur.
> > >
> > >
> > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <
> > dennisml at conversis.de
> > >> wrote:
> > >
> > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > >> > Hi guys!
> > >> >
> > >> > I've posted bug report regarding ldirectord, can you please review
> it
> > and
> > >> > commit, if possible?
> > >> >
> > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > >> >
> > >> > Ldirectord is using LWP for it's negotiate checks for the HTTP/HTTPS
> > >> sites.
> > >> > Since LWP 6.0 by default it verifies the correspondence of the SSL
> > >> > certificate and the server hostname. In 99.9% of the cases this is
> the
> > >> VIP
> > >> > hostname and RIP are identified by their internal hostnames or, most
> > >> common
> > >> > - by their IP addresses.
> > >> >
> > >> > That breaks hostname verification and hence - marks HTTPS backends
> as
> > >> > invalid and kicks them off the pool. This problem did hit me in the
> > >> > production when we've upgraded from Debian squeeze to Debian wheezy,
> > >> which
> > >> > brought newer version of LWP.
> > >> >
> > >> >
> > >>
> >
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > >> >
> > >> > Luckily, the fix to the problem is easy:
> > >> >
> > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > >> > @@ -2834,7 +2834,7 @@
> > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > >> >                  . "virtualhost=\"$virtualhost\"");
> > >> >
> > >> > -       my $ua = new LWP::UserAgent();
> > >> > +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname
> => 0
> > >> });
> > >> >
> > >> >          my $h = undef;
> > >> >          if ($$v{service} eq "http_proxy") {
> > >> >
> > >> > I haven't verified that with older version of LWP, but I believe it
> > >> should
> > >> > just ignore unknown parameters to the constructor.
> > >>
> > >> I don't think that's a bug but you have to specify the virtualhost
> > >> parameter to set the Host header for the realservers.
> > >>
> > >> Regards,
> > >>    Dennis
> > >>
> > >>
> > >> _______________________________________________
> > >> Please read the documentation before posting - it's available at:
> > >> http://www.linuxvirtualserver.org/
> > >>
> > >> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > >> Send requests to lvs-users-request at LinuxVirtualServer.org
> > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >>
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > > Send requests to lvs-users-request at LinuxVirtualServer.org
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
> >
> >
> > --
> > Regards,
> >
> > Malcolm Turnbull.
> >
> > Loadbalancer.org Ltd.
> > Phone: +44 (0)870 443 8779
> > http://www.loadbalancer.org/
> >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > Send requests to lvs-users-request at LinuxVirtualServer.org
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
>
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>


More information about the lvs-users mailing list