Re: [lvs-users] ldirectord fails to test HTTPS real servers.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] ldirectord fails to test HTTPS real servers.
From: "Timur I. Bakeyev" <timur@xxxxxxxxxx>
Date: Wed, 4 Dec 2013 15:43:36 +0100
Not sure how all that mix of SSL modules would work together, but if
Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks were effectively
disabled:

Net::HTTPS states in the code:

        if ($cnf->{SSL_verifycn_scheme}) {
            $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either
install IO::Socket::SSL or turn off verification by setting the
PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
            return undef;
        }

In any case, you should verify which version of LWP you are using, as hostname
verification only happens there in 6.x.

With regards,
Timur.


On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe@xxxxxxxxx> wrote:

> For me to make this work on my setup I had to install some Perl modules; if
> you use ldirectord -d to debug you will see an internal error on messages
> checking SSL.
>
> My config that works now:
>
> virtual = <IP>:443
>         real = <IP>:443 gate 10
>         real = <IP>:443 gate 10
>         real = <IP>:443 gate 10
>         real = <IP>:443 gate 10
>         real = <IP>:443 gate 10
>         real = <IP>:443 gate 10
>         persistent = 3600
>         scheduler = wrr
>         service = https
> checktype = negotiate
> checkport = 443
> request = "server.php"
> receive = "ok"
> virtualhost = "<ssl-domain>"
>
>
> The modules I have installed (dunno which worked)
>
> Crypt-SSLeay-0.64-Pc0dMJ
> IO-Socket-SSL-1.953-c7ub4t
> Net-SSLeay-1.55-8NXQ3I
>
> Installed all via cpan.
>
>
> The thing is to always check the debug from ldirectord -d -c <config-file>
> because it tells you what's failing.
>
>
> On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx> wrote:
>
> > We use the same patch at Loadbalancer.org (or something very similar
> > anyway). Most of our customers specifically do not want to use a virtual
> > host (for a health check) OR care if the SSL cert is valid.
> >
> >
> >
> > On 4 December 2013 10:05, Timur I. Bakeyev <timur@xxxxxxxxxx> wrote:
> > > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > > know how SSL works?
> > >
> > > Regards,
> > > Timur.
> > >
> > >
> > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <dennisml@xxxxxxxxxxxx> wrote:
> > >
> > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > >> > Hi guys!
> > >> >
> > >> > I've posted a bug report regarding ldirectord, can you please review
> > >> > it and commit, if possible?
> > >> >
> > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > >> >
> > >> > Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS
> > >> > sites. Since LWP 6.0 by default it verifies the correspondence of the
> > >> > SSL certificate and the server hostname. In 99.9% of the cases this is
> > >> > the VIP hostname, and RIPs are identified by their internal hostnames
> > >> > or, most commonly, by their IP addresses.
> > >> >
> > >> > That breaks hostname verification and hence marks HTTPS backends as
> > >> > invalid and kicks them off the pool. This problem did hit me in
> > >> > production when we upgraded from Debian squeeze to Debian wheezy,
> > >> > which brought a newer version of LWP.
> > >> >
> > >> >
> > >> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > >> >
> > >> > Luckily, the fix to the problem is easy:
> > >> >
> > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > >> > @@ -2834,7 +2834,7 @@
> > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > >> >                  . "virtualhost=\"$virtualhost\"");
> > >> >
> > >> > -       my $ua = new LWP::UserAgent();
> > >> > +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname
> => 0
> > >> });
> > >> >
> > >> >          my $h = undef;
> > >> >          if ($$v{service} eq "http_proxy") {
> > >> >
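Review bot: the `+` line turns verification off for every HTTPS negotiate check with no way to keep it on, and in LWP 6 `verify_hostname => 0` also sets the socket's SSL_verify_mode to none (see the LWP::Protocol::https page linked above), so the check will accept any certificate presented on the RIP, not only one whose name does not match. A narrower fix is to leave verification enabled and pass the configured `$virtualhost` as the name the certificate must match (IO::Socket::SSL's `SSL_verifycn_name`), or at least to gate `verify_hostname => 0` behind a new per-virtual config option so the secure default survives; while touching the line, `LWP::UserAgent->new(...)` is preferable to the indirect-object `new LWP::UserAgent(...)` form.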
> > >> > I haven't verified that with an older version of LWP, but I believe it
> > >> > should just ignore unknown parameters to the constructor.
> > >>
> > >> I don't think that's a bug but you have to specify the virtualhost
> > >> parameter to set the Host header for the realservers.
> > >>
> > >> Regards,
> > >>    Dennis
> > >>
> > >>
> > >> _______________________________________________
> > >> Please read the documentation before posting - it's available at:
> > >> http://www.linuxvirtualserver.org/
> > >>
> > >> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > >> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >>
> >
> >
> >
> > --
> > Regards,
> >
> > Malcolm Turnbull.
> >
> > Loadbalancer.org Ltd.
> > Phone: +44 (0)870 443 8779
> > http://www.loadbalancer.org/
> >
> >
>
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
>

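An added example, not code from ldirectord or from anyone in this thread: a small Perl check in the spirit of ldirectord's check_http that connects to a real server by address but keeps LWP 6 certificate verification on, telling IO::Socket::SSL to match the certificate against the virtualhost name rather than the RIP. It assumes IO::Socket::SSL is the SSL backend (as noted above, the Crypt::SSLeay/Net::SSL backend cannot verify hostnames at all) and that `SSL_verifycn_name` passed through `ssl_opts` reaches IO::Socket::SSL; the script name, its arguments and the optional CA file are made up for the example.

```perl
#!/usr/bin/perl
# Added example (not ldirectord code): HTTPS negotiate-style health check that
# connects to a real server by IP but verifies the certificate against the
# virtualhost name, instead of disabling verification as the quoted patch does.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Hypothetical usage: check_https.pl RIP PORT VIRTUALHOST PATH EXPECTED [CA_FILE]
my ($rip, $port, $virtualhost, $path, $expect, $ca_file) = @ARGV;
die "usage: $0 RIP PORT VIRTUALHOST PATH EXPECTED [CA_FILE]\n"
    unless defined $expect;

# Weak setting (what the quoted patch does): any certificate is accepted, so a
# host on the RIP network can answer the check with a forged backend.
#   my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });

# Corrected setting: keep verification on, but name the host the certificate
# must match. The TCP connection still goes to the RIP address.
my %ssl_opts = (
    verify_hostname   => 1,
    SSL_verifycn_name => $virtualhost,   # assumed to be passed to IO::Socket::SSL
);
# Optional: pin the CA that issued the backend certificates (assumed path).
$ssl_opts{SSL_ca_file} = $ca_file if defined $ca_file;

my $ua = LWP::UserAgent->new(
    timeout  => 5,
    ssl_opts => \%ssl_opts,
);
$ua->requests_redirectable([]);   # a redirect is not a healthy "ok" answer

$path = "/$path" unless $path =~ m{^/};
my $req = HTTP::Request->new(GET => "https://$rip:$port$path");
$req->header(Host => $virtualhost);   # same role as ldirectord's virtualhost=

my $res = $ua->request($req);

if (!$res->is_success) {
    # Certificate and hostname failures come back as an LWP-generated error
    # response whose status line carries the SSL error text.
    print "FAIL $rip:$port -> ", $res->status_line, "\n";
    exit 1;
}
if (index($res->decoded_content, $expect) < 0) {
    print "FAIL $rip:$port -> body does not contain '$expect'\n";
    exit 1;
}
print "OK $rip:$port answered and its certificate matches $virtualhost\n";
exit 0;
```

Run against one RIP with the same virtualhost, request and receive values as the ldirectord stanza; a backend presenting a certificate for a different name, or one not signed by the expected CA, is reported as FAIL while an IP-addressed RIP with a valid certificate for the VIP name passes, which is the behaviour the quoted patch gives up.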