RE: LVS problem with SSLProxy

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS problem with SSLProxy
From: "Longhua Li" <zyllh@xxxxxxxxxxxx>
Date: Tue, 11 Oct 2005 11:29:28 -0600
Thanks for your reply. I know https is 443. 441 is only for my test purposes.
And I am using apache httpd as the web server. SSLProxy is running on the
load balancer as well, which might be the problem. I want the sslproxy to
handle all the handshakes and encryption/decryption stuff and switch the port
from 443 to 80, and then the Load Balancer can load balance them to the real
servers. Is that possible? (which is actually your second option)

Many thanks!

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mark
Sent: Tuesday, October 11, 2005 11:13 AM
To: 'LinuxVirtualServer.org users mailing list.'
Subject: RE: LVS problem with SSLProxy

First of all: https is 443, not 441 (unless you intentionally changed this).
Or does your SSLProxy use 441 on the downstream side?
You cannot forward HTTPS (443) to HTTP (80) just like this, unless you
configure your webserver to expect https requests on port 80.
Https is different from http in that there are additional handshake and
encryption/decryption steps, and your webserver needs to know what to expect
on each port (at least for the apache httpd server - I don't know which
webserver you are using).
The SSLProxy should be doing the HTTPS processing, including the port switch
from 443 to 80.

So in your case, you have two options for how to chain your modules:
1. client -> loadbalancer (443) -> SSLProxy (443) -> Webserver (80)
Or
2. client -> SSLProxy (443) -> loadbalancer (80) -> Webserver (80)

I would suggest the first solution, since this allows you to loadbalance
multiple SSLProxies as well, if you should run into performance problems
with that part...

Hope this helps.

MARK


> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx 
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf 
> Of Longhua Li
> Sent: Tuesday, October 11, 2005 10:01 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: LVS problem with SSLProxy
> 
> 
> Here is my scenario.
> 
> My Load Balancer handles SSL requests, but my real servers 
> don't. I have an SSLProxy running on the Load Balancer. 
> Question is: Can I actually load balance the requests 441 to 
> real servers port 80? Many thanks!
> 
> I set the config like this:
> 
> virtual=xxx.xxx.xxx.xxx:441
>         service=https
>         fallback=127.0.0.1:441
>         request="index.html"
>         receive="Test Page"
>         scheduler=rr
>         protocol=tcp
>         checktype=negotiate
>         real=192.168.0.233:80 masq 1
>         real=192.168.0.234:80 masq 1
> 
> But after running ldirectord
> 
> /sbin/ipvsadm -L -n 
> 
> Gives the following:
> 
> TCP  xxx.xxx.xxx.xxx:441 rr
>   -> 192.168.0.233:441            Masq    0      0          0
>   -> 192.168.0.234:441            Masq    0      0          0
>   -> 127.0.0.1:441                Local   1      0          0
> 
> 
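
Added example (not part of the original thread, and not ldirectord's own code): a small Python check that compares the real= ports in the quoted ldirectord config with the ports shown in the quoted ipvsadm -L -n output, and reports where they disagree. The sample strings are copied from the thread; the function names are hypothetical and a single virtual= block is assumed.

```python
import re

# Sample input copied from the config and ipvsadm output quoted in the thread.
LDIRECTORD_CF = """\
virtual=xxx.xxx.xxx.xxx:441
        service=https
        fallback=127.0.0.1:441
        request="index.html"
        receive="Test Page"
        scheduler=rr
        protocol=tcp
        checktype=negotiate
        real=192.168.0.233:80 masq 1
        real=192.168.0.234:80 masq 1
"""

IPVSADM_OUT = """\
TCP  xxx.xxx.xxx.xxx:441 rr
  -> 192.168.0.233:441            Masq    0      0          0
  -> 192.168.0.234:441            Masq    0      0          0
  -> 127.0.0.1:441                Local   1      0          0
"""

def configured_reals(cf_text):
    """Map server IP -> port from ldirectord 'real=' and 'fallback=' lines."""
    reals = {}
    for line in cf_text.splitlines():
        m = re.match(r"\s*(?:real|fallback)=([\d.]+):(\d+)", line)
        if m:
            reals[m.group(1)] = int(m.group(2))
    return reals

def kernel_reals(ipvsadm_text):
    """Map server IP -> (port, weight) from the '->' lines of 'ipvsadm -L -n'."""
    table = {}
    for line in ipvsadm_text.splitlines():
        # Columns: -> RemoteAddress:Port  Forward  Weight  ActiveConn  InActConn
        m = re.match(r"\s*->\s+([\d.]+):(\d+)\s+\S+\s+(\d+)", line)
        if m:
            table[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return table

def port_mismatches(cf_text, ipvsadm_text):
    """Return sorted (ip, configured_port, table_port) where the two disagree."""
    want, have = configured_reals(cf_text), kernel_reals(ipvsadm_text)
    return sorted((ip, port, have[ip][0]) for ip, port in want.items()
                  if ip in have and have[ip][0] != port)

if __name__ == "__main__":
    for ip, want, have in port_mismatches(LDIRECTORD_CF, IPVSADM_OUT):
        print(f"{ip}: configured port {want}, IPVS table has port {have}")
```

With either chaining option from the thread, the hop from the SSL proxy to port 80 on the real servers carries decrypted traffic, so that network segment needs to be one you trust.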



