
https + lvs + ipchains redirect.

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: https + lvs + ipchains redirect.
From: tc lewis <tcl@xxxxxxxxx>
Date: Tue, 21 Nov 2000 22:10:41 -0500 (EST)
i'm having some issues with https and i'm not sure why.

i have lvs directing port 443 traffic for my VIP to my 2 real servers
using direct routing:

TCP  64.211.224.165:443 lc persistent 360
  -> 192.168.1.101:443           Route   1      0          0         
  -> 192.168.1.102:443           Route   1      0          0         

on the real servers i'm using horms' ipchains redirect method to accept
traffic for that ip, and also to redirect it to a non-privileged port:

REDIRECT   tcp  ------  0.0.0.0/0            64.211.224.165        * ->   443 => 5083

the real servers' gateways are set to the router in front of the lvs
machine.  i use this same setup for port 80 traffic and it works as
expected.  but something's wrong with this 443 https traffic.

the packets appear to be arriving to the real server, and the real server
even processes them, but something is going awry in the process:

from CIP:
[tcl@jam tcl]$ openssl s_client -connect 64.211.224.165:443
CONNECTED(00000003)
9395:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:458:

apache even shows a strange request, but i didn't make one yet:
==> ./logs/access_log <==
64.211.151.249 - - [21/Nov/2000:18:59:07 -0800] "z" 200 11644
                                                ^^
                                                ^^
                                some funky character(s) in there.


doing it from the real server to the unprivileged port works fine,
however:

[mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:5083
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
Inc./CN=www.mybiz.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
Inc./CN=www.mybiz.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
Inc./CN=www.mybiz.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
Inc./CN=www.mybiz.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
CA/Email=server-certs@xxxxxxxxxx
---
[snip snip snip]


i tried adding:
REDIRECT   tcp  ------  0.0.0.0/0            0.0.0.0               * ->   443 => 5083

to test from localhost, but that doesn't fly:

[mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:443
connect: Connection refused
connect:errno=111
[mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect sfo:443
connect: Connection refused
connect:errno=111


from the CIP, netscape says
"
A network error occured while Netscape was receiving data.
(Network Error: I/O error)

Try connecting again.
"


i'm wondering if anyone has ideas on what i might be missing.  does ssl
have issues with a port redirect (i can't see why)?  could i be missing
something in my apache/mod_ssl config?  hmm.

thanks.

-tcl.
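An added diagnostic aid, not part of the post above: an s_client "unknown protocol" error means the bytes that came back were not an SSL/TLS handshake, so a useful first check at each hop (VIP, RIP:443, RIP:5083) is to classify the first bytes sent and the first bytes received. The function names and the sample byte strings below are constructed for this example.

```python
import re

# Constructed samples: the first bytes each side of a redirected port might see.
SSLV2_COMPAT_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"  # old s_client default
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01"
HTTP_200_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>"

HTTP_REQUEST_LINE = rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n"

def classify_stream_start(data: bytes) -> str:
    """Name the protocol that the first bytes on a socket belong to."""
    if len(data) < 3:
        return "too-short"
    # TLS record header: content type 0x16 (handshake), version 3.x, then handshake type.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        if len(data) >= 6 and data[5] == 0x01:
            return "tls-client-hello"
        if len(data) >= 6 and data[5] == 0x02:
            return "tls-server-hello"
        return "tls-handshake"
    # SSLv2-compatible ClientHello: 2-byte length with high bit set, then message type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    if re.match(HTTP_REQUEST_LINE, data):
        return "http-request"
    if data.startswith(b"HTTP/1."):
        return "http-response"
    return "unknown"

def diagnose(sent: bytes, received: bytes) -> str:
    """Explain an s_client 'unknown protocol' error from what was sent and what came back."""
    if not received:
        return "no-reply"  # refused, dropped, or replies leaving by a path that never reaches us
    sent_kind = classify_stream_start(sent)
    got_kind = classify_stream_start(received)
    hello = ("tls-client-hello", "sslv2-client-hello")
    if sent_kind in hello and got_kind in ("tls-server-hello", "tls-handshake"):
        return "tls-ok"
    if sent_kind in hello and got_kind == "http-response":
        # The listener behind the redirect spoke plain HTTP: it parsed the hello as a
        # garbage request line and answered with a page. That is consistent with a
        # one-character "200" entry in access_log beside a client-side 'unknown protocol'.
        return "plaintext-http-listener"
    return f"mismatch:{sent_kind}->{got_kind}"

if __name__ == "__main__":
    print(diagnose(SSLV2_COMPAT_HELLO, HTTP_200_REPLY))  # plaintext-http-listener
    print(diagnose(TLS_CLIENT_HELLO, TLS_SERVER_HELLO))  # tls-ok
```

Feed it the first bytes captured on the wire at each hop (for instance from a packet capture on the real server's 443 and 5083) to see at which hop the hello stops being answered with TLS.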


