[lvs-users] ldirectord fails to test HTTPS real servers.

Timur I. Bakeyev timur at com.bat.ru
Wed Dec 4 17:39:34 GMT 2013


Well, "virtualhost" wouldn't help anything, as it's part of HTTP protocol
and SSL check happens one(half:)) layer below - during the TCP connection
negotiation. At that point only DNS name of the real server does matter and
it's match to the SSL certificate.

With wildcard certificate if you real servers have their host names from
the same domain.ext - the check will succeed, but for that they have to be
refered by hostname in the ldirectord.conf as well. I believe that SSL
negotiation doesn't do back resolve of the IP addresses.

With regards,
Timur.


On Wed, Dec 4, 2013 at 5:13 PM, Filipe Cifali <cifali.filipe at gmail.com>wrote:

> Yeah the LWP is 6.0.5, but it's working now as intended, probably is
> Crypt-SSLeay working then.
>
> But then again, my setup is working now, and I suspect the virtualhost
> clause helped, since the SSL I have the same subdomain (*.domain.ext) so
> the virtualhost is always valid on my domain.
>
>
> On Wed, Dec 4, 2013 at 12:43 PM, Timur I. Bakeyev <timur at com.bat.ru>
> wrote:
>
> > Not sure, how all that mix of SSL modules would work together, but if
> > Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks effectively
> were
> > disabled:
> >
> > NET::HTTPS states in the code:
> >
> >         if ($cnf->{SSL_verifycn_scheme}) {
> >             $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames;
> either
> > install IO::Socket::SSL or turn off verification by setting the
> > PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
> >             return undef;
> >         }
> >
> > In any case, you should verify which version of LWP you are using, as
> host
> > check verification occurred there in 6.x only.
> >
> > With regards,
> > Timur.
> >
> >
> > On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe at gmail.com
> > >wrote:
> >
> > > For me to make this work on my setup I had to install some Perl
> Modules,
> > if
> > > you use Ldirectord -d to debug you will see a internal error on
> messages
> > > checking SSL
> > >
> > > My config that works now:
> > >
> > > virtual = <IP>:443
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         persistent = 3600
> > >
> > >         scheduler = wrr
> > >
> > >         service = https
> > >
> > > checktype = negotiate
> > >
> > > checkport = 443
> > >
> > > request = "server.php"
> > >
> > > receive = "ok"
> > >
> > > virtualhost = "<ssl-domain>"
> > >
> > >
> > > The modules I have installed (dunno which worked)
> > >
> > >
> > > Crypt-SSLeay-0.64-Pc0dMJ
> > >
> > > IO-Socket-SSL-1.953-c7ub4t
> > >
> > > Net-SSLeay-1.55-8NXQ3I
> > >
> > >
> > > Installed all via cpan.
> > >
> > >
> > > The thing is to always check the debug from ldirectord -d -c
> > <config-file>
> > > cause it tells you what's failing
> > >
> > >
> > > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> > > <malcolm at loadbalancer.org>wrote:
> > >
> > > > We use the same patch at Loadbalancer.org (or something very similar
> > > > anyway). Most of our customers specifically do not want use a virtual
> > > > host (for a health check) OR care if the SSL cert is valid.
> > > >
> > > >
> > > >
> > > > On 4 December 2013 10:05, Timur I. Bakeyev <timur at com.bat.ru> wrote:
> > > > > Have you tried it, Dennis? Did you look into the ldirectord code?
> You
> > > > know,
> > > > > how SSL is working?
> > > > >
> > > > > Regards,
> > > > > Timur.
> > > > >
> > > > >
> > > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <
> > > > dennisml at conversis.de
> > > > >> wrote:
> > > > >
> > > > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > > > >> > Hi guys!
> > > > >> >
> > > > >> > I've posted bug report regarding ldirectord, can you please
> review
> > > it
> > > > and
> > > > >> > commit, if possible?
> > > > >> >
> > > > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > > > >> >
> > > > >> > Ldirectord is using LWP for it's negotiate checks for the
> > HTTP/HTTPS
> > > > >> sites.
> > > > >> > Since LWP 6.0 by default it verifies the correspondence of the
> SSL
> > > > >> > certificate and the server hostname. In 99.9% of the cases this
> is
> > > the
> > > > >> VIP
> > > > >> > hostname and RIP are identified by their internal hostnames or,
> > most
> > > > >> common
> > > > >> > - by their IP addresses.
> > > > >> >
> > > > >> > That breaks hostname verification and hence - marks HTTPS
> backends
> > > as
> > > > >> > invalid and kicks them off the pool. This problem did hit me in
> > the
> > > > >> > production when we've upgraded from Debian squeeze to Debian
> > wheezy,
> > > > >> which
> > > > >> > brought newer version of LWP.
> > > > >> >
> > > > >> >
> > > > >>
> > > >
> > >
> >
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > > > >> >
> > > > >> > Luckily, the fix to the problem is easy:
> > > > >> >
> > > > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > > > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > > > >> > @@ -2834,7 +2834,7 @@
> > > > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > > > >> >                  . "virtualhost=\"$virtualhost\"");
> > > > >> >
> > > > >> > -       my $ua = new LWP::UserAgent();
> > > > >> > +       my $ua = new LWP::UserAgent(ssl_opts => {
> verify_hostname
> > > => 0
> > > > >> });
> > > > >> >
> > > > >> >          my $h = undef;
> > > > >> >          if ($$v{service} eq "http_proxy") {
> > > > >> >
> > > > >> > I haven't verified that with older version of LWP, but I believe
> > it
> > > > >> should
> > > > >> > just ignore unknown parameters to the constructor.
> > > > >>
> > > > >> I don't think that's a bug but you have to specify the virtualhost
> > > > >> parameter to set the Host header for the realservers.
> > > > >>
> > > > >> Regards,
> > > > >>    Dennis
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Please read the documentation before posting - it's available at:
> > > > >> http://www.linuxvirtualserver.org/
> > > > >>
> > > > >> LinuxVirtualServer.org mailing list -
> > lvs-users at LinuxVirtualServer.org
> > > > >> Send requests to lvs-users-request at LinuxVirtualServer.org
> > > > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > > >>
> > > > > _______________________________________________
> > > > > Please read the documentation before posting - it's available at:
> > > > > http://www.linuxvirtualserver.org/
> > > > >
> > > > > LinuxVirtualServer.org mailing list -
> > lvs-users at LinuxVirtualServer.org
> > > > > Send requests to lvs-users-request at LinuxVirtualServer.org
> > > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Malcolm Turnbull.
> > > >
> > > > Loadbalancer.org Ltd.
> > > > Phone: +44 (0)870 443 8779
> > > > http://www.loadbalancer.org/
> > > >
> > > > _______________________________________________
> > > > Please read the documentation before posting - it's available at:
> > > > http://www.linuxvirtualserver.org/
> > > >
> > > > LinuxVirtualServer.org mailing list -
> lvs-users at LinuxVirtualServer.org
> > > > Send requests to lvs-users-request at LinuxVirtualServer.org
> > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > >
> > >
> > >
> > >
> > > --
> > > [ ]'s
> > >
> > > Filipe Cifali Stangler
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > > Send requests to lvs-users-request at LinuxVirtualServer.org
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > Send requests to lvs-users-request at LinuxVirtualServer.org
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
>
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>


More information about the lvs-users mailing list