LVS
lvs-users
[Top] [All Lists]
Google
 
Web LinuxVirtualServer.org
<prev [Date] next> <prev [Thread] next>

Re: [lvs-users] ldirectord fails to test HTTPS real servers.

from [Timur I. Bakeyev] [Permanent Link]
To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] ldirectord fails to test HTTPS real servers.
From: "Timur I. Bakeyev" <timur@xxxxxxxxxx>
Date: Wed, 4 Dec 2013 18:39:34 +0100 
Well, "virtualhost" wouldn't help anything, as it's part of HTTP protocol
and SSL check happens one(half:)) layer below - during the TCP connection
negotiation. At that point only DNS name of the real server does matter and
it's match to the SSL certificate.

With wildcard certificate if you real servers have their host names from
the same domain.ext - the check will succeed, but for that they have to be
refered by hostname in the ldirectord.conf as well. I believe that SSL
negotiation doesn't do back resolve of the IP addresses.

With regards,
Timur.


On Wed, Dec 4, 2013 at 5:13 PM, Filipe Cifali <cifali.filipe@xxxxxxxxx>wrote:

> Yeah the LWP is 6.0.5, but it's working now as intended, probably is
> Crypt-SSLeay working then.
>
> But then again, my setup is working now, and I suspect the virtualhost
> clause helped, since the SSL I have the same subdomain (*.domain.ext) so
> the virtualhost is always valid on my domain.
>
>
> On Wed, Dec 4, 2013 at 12:43 PM, Timur I. Bakeyev <timur@xxxxxxxxxx>
> wrote:
>
> > Not sure, how all that mix of SSL modules would work together, but if
> > Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks effectively
> were
> > disabled:
> >
> > NET::HTTPS states in the code:
> >
> >         if ($cnf->{SSL_verifycn_scheme}) {
> >             $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames;
> either
> > install IO::Socket::SSL or turn off verification by setting the
> > PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
> >             return undef;
> >         }
> >
> > In any case, you should verify which version of LWP you are using, as
> host
> > check verification occurred there in 6.x only.
> >
> > With regards,
> > Timur.
> >
> >
> > On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe@xxxxxxxxx
> > >wrote:
> >
> > > For me to make this work on my setup I had to install some Perl
> Modules,
> > if
> > > you use Ldirectord -d to debug you will see a internal error on
> messages
> > > checking SSL
> > >
> > > My config that works now:
> > >
> > > virtual = <IP>:443
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         real = <IP>:443 gate 10
> > >
> > >         persistent = 3600
> > >
> > >         scheduler = wrr
> > >
> > >         service = https
> > >
> > > checktype = negotiate
> > >
> > > checkport = 443
> > >
> > > request = "server.php"
> > >
> > > receive = "ok"
> > >
> > > virtualhost = "<ssl-domain>"
> > >
> > >
> > > The modules I have installed (dunno which worked)
> > >
> > >
> > > Crypt-SSLeay-0.64-Pc0dMJ
> > >
> > > IO-Socket-SSL-1.953-c7ub4t
> > >
> > > Net-SSLeay-1.55-8NXQ3I
> > >
> > >
> > > Installed all via cpan.
> > >
> > >
> > > The thing is to always check the debug from ldirectord -d -c
> > <config-file>
> > > cause it tells you what's failing
> > >
> > >
> > > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> > > <malcolm@xxxxxxxxxxxxxxxx>wrote:
> > >
> > > > We use the same patch at Loadbalancer.org (or something very similar
> > > > anyway). Most of our customers specifically do not want use a virtual
> > > > host (for a health check) OR care if the SSL cert is valid.
> > > >
> > > >
> > > >
> > > > On 4 December 2013 10:05, Timur I. Bakeyev <timur@xxxxxxxxxx> wrote:
> > > > > Have you tried it, Dennis? Did you look into the ldirectord code?
> You
> > > > know,
> > > > > how SSL is working?
> > > > >
> > > > > Regards,
> > > > > Timur.
> > > > >
> > > > >
> > > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <
> > > > dennisml@xxxxxxxxxxxx
> > > > >> wrote:
> > > > >
> > > > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > > > >> > Hi guys!
> > > > >> >
> > > > >> > I've posted bug report regarding ldirectord, can you please
> review
> > > it
> > > > and
> > > > >> > commit, if possible?
> > > > >> >
> > > > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > > > >> >
> > > > >> > Ldirectord is using LWP for it's negotiate checks for the
> > HTTP/HTTPS
> > > > >> sites.
> > > > >> > Since LWP 6.0 by default it verifies the correspondence of the
> SSL
> > > > >> > certificate and the server hostname. In 99.9% of the cases this
> is
> > > the
> > > > >> VIP
> > > > >> > hostname and RIP are identified by their internal hostnames or,
> > most
> > > > >> common
> > > > >> > - by their IP addresses.
> > > > >> >
> > > > >> > That breaks hostname verification and hence - marks HTTPS
> backends
> > > as
> > > > >> > invalid and kicks them off the pool. This problem did hit me in
> > the
> > > > >> > production when we've upgraded from Debian squeeze to Debian
> > wheezy,
> > > > >> which
> > > > >> > brought newer version of LWP.
> > > > >> >
> > > > >> >
> > > > >>
> > > >
> > >
> >
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > > > >> >
> > > > >> > Luckily, the fix to the problem is easy:
> > > > >> >
> > > > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > > > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > > > >> > @@ -2834,7 +2834,7 @@
> > > > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > > > >> >                  . "virtualhost=\"$virtualhost\"");
> > > > >> >
> > > > >> > -       my $ua = new LWP::UserAgent();
> > > > >> > +       my $ua = new LWP::UserAgent(ssl_opts => {
> verify_hostname
> > > => 0
> > > > >> });
> > > > >> >
> > > > >> >          my $h = undef;
> > > > >> >          if ($$v{service} eq "http_proxy") {
> > > > >> >
> > > > >> > I haven't verified that with older version of LWP, but I believe
> > it
> > > > >> should
> > > > >> > just ignore unknown parameters to the constructor.
> > > > >>
> > > > >> I don't think that's a bug but you have to specify the virtualhost
> > > > >> parameter to set the Host header for the realservers.
> > > > >>
> > > > >> Regards,
> > > > >>    Dennis
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Please read the documentation before posting - it's available at:
> > > > >> http://www.linuxvirtualserver.org/
> > > > >>
> > > > >> LinuxVirtualServer.org mailing list -
> > lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > > >> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > > >>
> > > > > _______________________________________________
> > > > > Please read the documentation before posting - it's available at:
> > > > > http://www.linuxvirtualserver.org/
> > > > >
> > > > > LinuxVirtualServer.org mailing list -
> > lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > > > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Malcolm Turnbull.
> > > >
> > > > Loadbalancer.org Ltd.
> > > > Phone: +44 (0)870 443 8779
> > > > http://www.loadbalancer.org/
> > > >
> > > > _______________________________________________
> > > > Please read the documentation before posting - it's available at:
> > > > http://www.linuxvirtualserver.org/
> > > >
> > > > LinuxVirtualServer.org mailing list -
> lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > >
> > >
> > >
> > >
> > > --
> > > [ ]'s
> > >
> > > Filipe Cifali Stangler
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
>
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [lvs-users] ldirectord fails to test HTTPS real servers., Filipe Cifali
Next by Date:  Re: [lvs-users] ldirectord fails to test HTTPS real servers., Timur I. Bakeyev
Previous by Thread:  Re: [lvs-users] ldirectord fails to test HTTPS real servers., Filipe Cifali
Next by Thread:  Re: [lvs-users] ldirectord fails to test HTTPS real servers., Timur I. Bakeyev
Indexes:  [Date] [Thread] [Top] [All Lists]