[lvs-users] ldirectord fails to test HTTPS real servers.

Timur I. Bakeyev timur at com.bat.ru
Wed Dec 4 17:43:14 GMT 2013


To be precise, there is an SNI extension to the SSL protocol that allows
selection of the virtual host during negotiation, but it is still not(?)
widely used. At least, I wouldn't suspect LWP in that :)

http://en.wikipedia.org/wiki/Server_Name_Indication


On Wed, Dec 4, 2013 at 5:13 PM, Filipe Cifali <cifali.filipe at gmail.com> wrote:

> Yeah, the LWP is 6.0.5, but it's working now as intended, probably it's
> Crypt-SSLeay working then.
>
> But then again, my setup is working now, and I suspect the virtualhost
> clause helped, since for SSL I have the same subdomain (*.domain.ext) so
> the virtualhost is always valid on my domain.
>
>
> On Wed, Dec 4, 2013 at 12:43 PM, Timur I. Bakeyev <timur at com.bat.ru> wrote:
>
> > Not sure how all that mix of SSL modules would work together, but if
> > Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks effectively
> > were disabled:
> >
> > Net::HTTPS states in the code:
> >
> >         if ($cnf->{SSL_verifycn_scheme}) {
> >             $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
> >             return undef;
> >         }
> >
> > In any case, you should verify which version of LWP you are using, as
> > host check verification occurred there in 6.x only.
> >
> > With regards,
> > Timur.
> >
> >
> > On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe at gmail.com> wrote:
> >
> > > For me to make this work on my setup I had to install some Perl
> > > modules. If you use ldirectord -d to debug you will see an internal
> > > error in the messages checking SSL.
> > >
> > > My config that works now:
> > >
> > > virtual = <IP>:443
> > >         real = <IP>:443 gate 10
> > >         real = <IP>:443 gate 10
> > >         real = <IP>:443 gate 10
> > >         real = <IP>:443 gate 10
> > >         real = <IP>:443 gate 10
> > >         real = <IP>:443 gate 10
> > >         persistent = 3600
> > >         scheduler = wrr
> > >         service = https
> > > checktype = negotiate
> > > checkport = 443
> > > request = "server.php"
> > > receive = "ok"
> > > virtualhost = "<ssl-domain>"
> > >
> > >
> > > The modules I have installed (dunno which worked):
> > >
> > > Crypt-SSLeay-0.64-Pc0dMJ
> > > IO-Socket-SSL-1.953-c7ub4t
> > > Net-SSLeay-1.55-8NXQ3I
> > >
> > > Installed all via cpan.
> > >
> > > The thing is to always check the debug from ldirectord -d -c <config-file>
> > > cause it tells you what's failing.
> > >
> > >
> > > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull <malcolm at loadbalancer.org> wrote:
> > >
> > > > We use the same patch at Loadbalancer.org (or something very similar
> > > > anyway). Most of our customers specifically do not want to use a virtual
> > > > host (for a health check) OR care if the SSL cert is valid.
> > > >
> > > >
> > > >
> > > > On 4 December 2013 10:05, Timur I. Bakeyev <timur at com.bat.ru> wrote:
> > > > > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > > > > know how SSL is working?
> > > > >
> > > > > Regards,
> > > > > Timur.
> > > > >
> > > > >
> > > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <dennisml at conversis.de> wrote:
> > > > >
> > > > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > > > >> > Hi guys!
> > > > >> >
> > > > >> > I've posted a bug report regarding ldirectord, can you please review
> > > > >> > it and commit, if possible?
> > > > >> >
> > > > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > > > >> >
> > > > >> > Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS
> > > > >> > sites. Since LWP 6.0 by default it verifies the correspondence of the
> > > > >> > SSL certificate and the server hostname. In 99.9% of the cases this is
> > > > >> > the VIP hostname, and RIPs are identified by their internal hostnames
> > > > >> > or, most commonly, by their IP addresses.
> > > > >> >
> > > > >> > That breaks hostname verification and hence marks HTTPS backends as
> > > > >> > invalid and kicks them off the pool. This problem did hit me in
> > > > >> > production when we upgraded from Debian squeeze to Debian wheezy,
> > > > >> > which brought a newer version of LWP.
> > > > >> >
> > > > >> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > > > >> >
> > > > >> > Luckily, the fix to the problem is easy:
> > > > >> >
> > > > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > > > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > > > >> > @@ -2834,7 +2834,7 @@
> > > > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > > > >> >                  . "virtualhost=\"$virtualhost\"");
> > > > >> >
> > > > >> > -       my $ua = new LWP::UserAgent();
> > > > >> > +       my $ua = new LWP::UserAgent(ssl_opts => {
> verify_hostname
> > > => 0
> > > > >> });
> > > > >> >
> > > > >> >          my $h = undef;
> > > > >> >          if ($$v{service} eq "http_proxy") {
> > > > >> >
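Review bot: the replacement line `my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });` switches hostname verification off unconditionally for every HTTPS negotiate check, so a real server that presents a certificate for the wrong name is still reported healthy even on installations that do configure `virtualhost`; since `$virtualhost` is already known at this point (it is logged in the `ld_debug` call two lines above), consider keeping verification on when a `virtualhost` is set and verifying against that name, and relaxing it only through a per-service option, especially as operators who want the old behaviour can already get it by exporting `PERL_LWP_SSL_VERIFY_HOSTNAME=0` in ldirectord's environment, as the Net::HTTPS message quoted later in this thread shows. The remark under the hunk that older LWP versions should "just ignore unknown parameters to the constructor" is stated as unverified; it is worth checking before committing, because an unrecognised constructor option that croaks would take every HTTPS check down rather than only the verification step.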
> > > > >> > I haven't verified that with an older version of LWP, but I believe it
> > > > >> > should just ignore unknown parameters to the constructor.
> > > > >>
> > > > >> I don't think that's a bug but you have to specify the virtualhost
> > > > >> parameter to set the Host header for the realservers.
> > > > >>
> > > > >> Regards,
> > > > >>    Dennis
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Please read the documentation before posting - it's available at:
> > > > >> http://www.linuxvirtualserver.org/
> > > > >>
> > > > >> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> > > > >> Send requests to lvs-users-request at LinuxVirtualServer.org
> > > > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > > >>
> > > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Malcolm Turnbull.
> > > >
> > > > Loadbalancer.org Ltd.
> > > > Phone: +44 (0)870 443 8779
> > > > http://www.loadbalancer.org/
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > > [ ]'s
> > >
> > > Filipe Cifali Stangler
> > >
> >
>
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
>
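The thread offers two ways out of the LWP 6 hostname check: Timur's patch, which disables verification, and Dennis's point that `virtualhost` sets the Host header. The following is an added example, written for this page and not ldirectord's own code or Timur's patch, of a standalone negotiate-style HTTPS check that keeps certificate and hostname verification on while still connecting to the real server by IP: it passes the IO::Socket::SSL options `SSL_verifycn_name` and `SSL_hostname` through LWP's `ssl_opts` so the certificate is verified against the configured virtualhost name (and that name is sent as SNI) instead of the RIP. It assumes IO::Socket::SSL is the SSL backend rather than Crypt-SSLeay's Net::SSL, which the Net::HTTPS excerpt quoted above says cannot verify hostnames at all. The function name `check_https`, the address 192.0.2.10, the name www.example.com and the CA bundle path are placeholders chosen for the example.

```perl
#!/usr/bin/perl
# Added example (not ldirectord code): HTTPS negotiate check that verifies
# the backend certificate against the virtualhost name while connecting by IP.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Arguments (all placeholders in the usage below are assumptions):
#   rip     - real server address that the check connects to
#   port    - checkport
#   path    - the "request" value from ldirectord.cf
#   expect  - the "receive" value from ldirectord.cf
#   vhost   - the "virtualhost" value; also the name the certificate must match
#   ca_file - CA bundle that issued the backend certificates
# Returns (1, "ok") when the backend is healthy, (0, reason) otherwise.
sub check_https {
    my (%a) = @_;

    # Keep LWP 6 verification on; LWP::Protocol::https turns verify_hostname
    # into SSL_verify_mode plus SSL_verifycn_scheme => 'www' and hands the
    # remaining keys to the IO::Socket::SSL constructor unchanged.
    my %ssl = (
        verify_hostname => 1,
        SSL_ca_file     => $a{ca_file},
    );
    if (defined $a{vhost} && length $a{vhost}) {
        # Verify the certificate's name against the virtualhost, not the RIP,
        # and send the same name as SNI so name-based backends pick the
        # right certificate.
        $ssl{SSL_verifycn_name} = $a{vhost};
        $ssl{SSL_hostname}      = $a{vhost};
    }
    # Without a vhost, IO::Socket::SSL falls back to matching the PeerAddr,
    # i.e. the IP: a certificate issued for a hostname then fails the check,
    # which is exactly the failure mode reported in this thread. We let it
    # fail loudly rather than silently disabling verification.

    my $ua = LWP::UserAgent->new(timeout => 5, ssl_opts => \%ssl);

    my $url = "https://$a{rip}:$a{port}/$a{path}";
    my $req = HTTP::Request->new(GET => $url);
    # Same effect as ldirectord's virtualhost option: LWP only fills in Host
    # when the request does not already carry one.
    $req->header(Host => $a{vhost}) if defined $a{vhost} && length $a{vhost};

    my $res = $ua->request($req);
    if (!$res->is_success) {
        # LWP reports SSL setup failures as an internal 500 response whose
        # body carries the reason (e.g. a certificate verification error).
        return (0, $res->status_line . ': ' . $res->decoded_content);
    }
    return (1, 'ok') if $res->decoded_content =~ /\Q$a{expect}\E/;
    return (0, 'unexpected body: ' . $res->decoded_content);
}

# Usage with placeholder values (192.0.2.10 is a documentation address).
my ($up, $why) = check_https(
    rip     => '192.0.2.10',
    port    => 443,
    path    => 'server.php',
    expect  => 'ok',
    vhost   => 'www.example.com',
    ca_file => '/etc/ssl/certs/ca-certificates.crt',
);
printf "%s: %s\n", $up ? 'UP' : 'DOWN', $why;
```

Run it against a backend whose certificate is issued for the virtualhost name and it reports UP; point it at a backend whose certificate is for a different name and it reports DOWN with the verification error in the reason, which is the behaviour a health check should have when a real server is serving the wrong certificate, and which `verify_hostname => 0` would hide.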

