Re: https + lvs + ipchains redirect.

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: https + lvs + ipchains redirect.
From: Chris <chris@xxxxxx>
Date: Thu, 23 Nov 2000 13:02:41 +0100
Hi,

we are also using https on a different port, but on our setup we have the virtual IP on a loopback device and use only the port redirection.

/sbin/ipchains -p tcp -A input -d 0/0 443 -j REDIRECT 9443

This works fine for many systems.

tc lewis wrote:
> 
> i'm having some issues with https and i'm not sure why.
> 
> i have lvs directing port 443 traffic for my VIP to my 2 real servers
> using direct routing:
> 
> TCP  64.211.224.165:443 lc persistent 360
>   -> 192.168.1.101:443           Route   1      0          0
>   -> 192.168.1.102:443           Route   1      0          0
> 
> on the real servers i'm using horms' ipchains redirect method to accept
> traffic for that ip, and also to redirect it to a non-privileged port:
> 
> REDIRECT   tcp  ------  0.0.0.0/0            64.211.224.165        * ->
> 443 => 5083
> 
> the real servers' gateways are set to the router in front of the lvs
> machine.  i use this same setup for port 80 traffic and it works as
> expected.  but something's wrong with this 443 https traffic.
> 
> the packets appear to be arriving to the real server, and the real server
> even processes them, but something is going awry in the process:
> 
> from CIP:
> [tcl@jam tcl]$ openssl s_client -connect 64.211.224.165:443
> CONNECTED(00000003)
> 9395:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:458:
> 
> apache even shows a strange request, but i didn't make one yet:
> ==> ./logs/access_log <==
> 64.211.151.249 - - [21/Nov/2000:18:59:07 -0800] "z" 200 11644
>                                                 ^^
>                                                 ^^
>                                 some funky character(s) in there.
Perhaps Apache/SSL has a problem with answering requests for an IP which isn't on the system.

> ---
> [snip snip snip]
> 
> i tried adding:
> REDIRECT   tcp  ------  0.0.0.0/0            0.0.0.0               * ->
> 443 => 5083
> 
> to test from localhost, but that doesn't fly:
> 

Ehm, did you delete the old chain? Was Apache running?

> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:443
> connect: Connection refused
> connect:errno=111
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect sfo:443
> connect: Connection refused
> connect:errno=111
> 
> from the CIP, netscape says
> "
> A network error occured while Netscape was receiving data.
> (Network Error: I/O error)
> 
> Try connecting again.
> "
> 
That is ok, because the realserver doesn't know to answer the request. Try adding the VIP on a loopback device and turn off the ARP before :-)

echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/lo/hidden

> i'm wondering if anyone has ideas on what i might be missing.  does ssl
> have issues with a port redirect (i can't see why)?  could i be missing
> something in my apache/mod_ssl config?  hmm.
Sorry, I don't know much about Apache, because we are using another webserver.


bye,


Chris
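As an added example, not code from the thread, here is the real-server side of Chris's advice (hide ARP first, VIP on lo, then the ipchains redirect) as a small POSIX shell script. It assumes the 2.2-era kernel "hidden" patch and ipchains that the thread uses; the VIP and ports are the thread's values and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the thread): LVS-DR real-server setup in the order
# Chris describes. Assumes the 2.2 "hidden" sysctl and ipchains as on the page.
VIP="${VIP:-64.211.224.165}"      # the thread's VIP
SSL_PORT="${SSL_PORT:-443}"       # port the director forwards
LOCAL_PORT="${LOCAL_PORT:-9443}"  # unprivileged port the daemon listens on

# Mark an interface "hidden" so the real server never answers ARP for the
# VIP; only the director may own the VIP on the wire.
hidden_cmd() {
    printf 'echo 1 > /proc/sys/net/ipv4/conf/%s/hidden\n' "$1"
}

# Bring the VIP up on a loopback alias with a host (/32) netmask.
vip_cmd() {
    printf 'ifconfig lo:0 %s netmask 255.255.255.255 up\n' "$VIP"
}

# Redirect packets for VIP:SSL_PORT to the local port. Matching the VIP
# (rather than 0/0 as in Chris's rule) leaves the host's other addresses alone.
redirect_cmd() {
    printf '/sbin/ipchains -A input -p tcp -d %s %s -j REDIRECT %s\n' \
        "$VIP" "$SSL_PORT" "$LOCAL_PORT"
}

# Emit the steps in the order that matters: hide before the VIP comes up,
# otherwise the real server can briefly answer ARP and steal the VIP.
realserver_plan() {
    hidden_cmd all
    hidden_cmd lo
    vip_cmd
    redirect_cmd
}

# Execute the plan as root; stops at the first failing step.
apply_plan() {
    realserver_plan | sh -e
}

# Usage: ./lvs-rs.sh        (print the plan)
#        ./lvs-rs.sh apply  (run it)
case "${1:-plan}" in
    apply) apply_plan ;;
    *)     realserver_plan ;;
esac
```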

