Re: https + lvs + ipchains redirect.

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: https + lvs + ipchains redirect.
From: tc lewis <tcl@xxxxxxxxx>
Date: Wed, 6 Dec 2000 15:01:36 -0500 (EST)
i'm not sure if this ever even made it to the list, but the problem was
that my ssl virtualhost line was _default_:5083, so apache didn't know
that dest ports of 443 were ssl-wrapped.  changing the virtualhost to
_default_:443 solves this.  note that "listen 5083" should still be in
there, however.  my bad.  silly mistake.

anyway, for the curious / in case anyone has similar problems...

-tcl.


On Tue, 21 Nov 2000, tc lewis wrote:

> 
> i'm having some issues with https and i'm not sure why.
> 
> i have lvs directing port 443 traffic for my VIP to my 2 real servers
> using direct routing:
> 
> TCP  64.211.224.165:443 lc persistent 360
>   -> 192.168.1.101:443           Route   1      0          0         
>   -> 192.168.1.102:443           Route   1      0          0         
> 
> on the real servers i'm using horms' ipchains redirect method to accept
> traffic for that ip, and also to redirect it to a non-privileged port:
> 
> REDIRECT   tcp  ------  0.0.0.0/0            64.211.224.165        * ->
> 443 => 5083
> 
> the real servers' gateways are set to the router in front of the lvs
> machine.  i use this same setup for port 80 traffic and it works as
> expected.  but something's wrong with this 443 https traffic.
> 
> the packets appear to be arriving to the real server, and the real server
> even processes them, but something is going awry in the process:
> 
> from CIP:
> [tcl@jam tcl]$ openssl s_client -connect 64.211.224.165:443
> CONNECTED(00000003)
> 9395:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:458:
> 
> apache even shows a strange request, but i didn't make one yet:
> ==> ./logs/access_log <==
> 64.211.151.249 - - [21/Nov/2000:18:59:07 -0800] "z" 200 11644
>                                                 ^^
>                                                 ^^
>                                 some funky character(s) in there.
> 
> 
> doing it from the real server to the unprivileged port works fine,
> however:
> 
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:5083
> CONNECTED(00000003)
> depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Server
> CA/Email=server-certs@xxxxxxxxxx
> ---
> [snip snip snip]
> 
> 
> i tried adding:
> REDIRECT   tcp  ------  0.0.0.0/0            0.0.0.0               * ->
> 443 => 5083
> 
> to test from localhost, but that doesn't fly:
> 
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:443
> connect: Connection refused
> connect:errno=111
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect sfo:443
> connect: Connection refused
> connect:errno=111
> 
> 
> from the CIP, netscape says
> "
> A network error occured while Netscape was receiving data.
> (Network Error: I/O error)
> 
> Try connecting again.
> "
> 
> 
> i'm wondering if anyone has ideas on what i might be missing.  does ssl
> have issues with a port redirect (i can't see why)?  could i be missing
> something in my apache/mod_ssl config?  hmm.
> 
> thanks.
> 
> -tcl.
> 
> 
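The fix described above, as an added Apache/mod_ssl config illustration that is not from the thread: with the ipchains REDIRECT in place, the accepted connection still reports its original destination port (443), so the SSL VirtualHost has to be named by that port while Apache binds the redirected-to port. Assumed: Apache 1.3 mod_ssl directive syntax; the certificate and document paths are placeholders.

```apache
# Added example, not the poster's configuration.
# Apache must bind the port the REDIRECT rule delivers to.
Listen 80
Listen 5083

# BROKEN: port 5083 never appears as the connection's destination port
# (the REDIRECT preserves the original 443), so this block never matches
# and the TLS ClientHello is answered by the plain-HTTP main server.
# That is the "unknown protocol" error and the junk "z" request in access_log.
#<VirtualHost _default_:5083>
#    SSLEngine on
#</VirtualHost>

# FIXED: name the port the client connected to, not the port Apache listens on.
<VirtualHost _default_:443>
    ServerName www.mybiz.com
    # placeholder paths
    DocumentRoot /path/to/htdocs
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
```

With this layout a connection made straight to the real server's port 5083 (bypassing the redirect) falls through to the non-SSL main server, so 5083 should only be reachable via the REDIRECT rule.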