
RE: LVS problem with SSLProxy

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS problem with SSLProxy
From: "Mark" <msalists@xxxxxxx>
Date: Tue, 11 Oct 2005 10:49:57 -0700
Hm...
I'm not sure about choosing option 2 over option 1. As far as I know, the SSL 
stuff can be pretty processor heavy...
But anyway... I think what you want to do should be possible (ldirectord and 
SSLProxy on one machine) - although I haven't done it
myself...

The only problem I could think of is that the box figures out that both pieces 
are its own IPs and then somehow uses the local
interface rather than the eth interfaces. If that happens, I am not sure 
whether the ldirectord hooks are still able to pick up
and redirect the traffic, or if they rely on it coming in through a real eth 
interface... I don't know enough about the internals of
the ldirectord mechanisms...
If you really can't get that to work, try it with option 1, maybe that will 
work. 

The most important thing is to make sure that you have the input and output 
ports of each chain element set up properly, I think.

Which SSLProxy are you using?

I use a load balancer to forward HTTPS to a bunch of apache servers, each of 
them has its own HTTPS proxy. I just use mod_rewrite
for that. You could use mod_proxy as well, but mod_rewrite gives you better 
mapping options with regex-based rules, etc...

MARK


> -----Original Message-----
> From: 
> lvs-users-bounces+msalists=gmx.net@xxxxxxxxxxxxxxxxxxxxxx 
> [mailto:lvs-users-bounces+msalists=gmx.net@linuxvirtualserver.
> org] On Behalf Of Longhua Li
> Sent: Tuesday, October 11, 2005 10:29 AM
> To: 'LinuxVirtualServer.org users mailing list.'
> Subject: RE: LVS problem with SSLProxy
> 
> 
> Thanks for your reply. I know https is 443. 441 is only for 
> my test purpose. And I am using apache httpd as the web 
> server. SSLProxy is running on the load balancer as well, 
> which might be the problem. I want the sslproxy handle all 
> the handshakes, encryption/decryption stuff and switch the 
> port 443 to 80 and then Load Balancer can load balance them 
> to the real servers. Is that possible? (which is actually 
> your second option)
> 
> Many thanks!
> 
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mark
> Sent: Tuesday, October 11, 2005 11:13 AM
> To: 'LinuxVirtualServer.org users mailing list.'
> Subject: RE: LVS problem with SSLProxy
> 
> First of all: https is 443, not 441 (unless you intentionally 
> changed this). Or does your SSLProxy use 441 on the 
> downstream side? You can not forward HTTPS (443) to HTTP (80) 
> just like this, unless you configure your webserver to expect 
> https requests on port 80. HTTPS differs from HTTP in that 
> there are additional handshake- and 
> encryption/decryption steps, and your webserver needs to know 
> what to expect on each port (at least for the apache httpd 
> server - I don't know which webserver you are using). The 
> SSLProxy should be doing the HTTPS processing, including the 
> port switch from 443 to 80.
> 
> So in your case, you have two options for how to chain your 
> modules:
> 1. client -> loadbalancer (443) -> SSLProxy (443) -> Webserver (80)
> 2. client -> SSLProxy (443) -> loadbalancer (80) -> Webserver (80)
> 
> I would suggest the first solution, since this allows you to 
> loadbalance multiple SSLProxies as well, if you should run 
> into performance problems with that part...
> 
> Hope this helps.
> 
> MARK
> 
> 
> > -----Original Message-----
> > From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> > [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf 
> > Of Longhua Li
> > Sent: Tuesday, October 11, 2005 10:01 AM
> > To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Subject: LVS problem with SSLProxy
> > 
> > 
> > Here is my scenario.
> > 
> > My Load Balancer handles SSL requests, but my real servers
> > don't. I have an SSLProxy running on the Load Balancer. 
> > Question is: Can I actually load balance the requests 441 to 
> > real servers port 80? Many thanks!
> > 
> > I set the config like this:
> > 
> > virtual=xxx.xxx.xxx.xxx:441
> >         service=https
> >         fallback=127.0.0.1:441
> >         request="index.html"
> >         receive="Test Page"
> >         scheduler=rr
> >         protocol=tcp
> >         checktype=negotiate
> >         real=192.168.0.233:80 masq 1
> >         real=192.168.0.234:80 masq 1
> > 
> > But after running ldirectord
> > 
> > /sbin/ipvsadm -L -n
> > 
> > Gives the following:
> > 
> > TCP  xxx.xxx.xxx.xxx:441 rr
> >   -> 192.168.0.233:441            Masq    0      0          0
> >   -> 192.168.0.234:441            Masq    0      0          0
> >   -> 127.0.0.1:441                Local   1      0          0
> > 
> > _______________________________________________
> > LinuxVirtualServer.org mailing list -
> > lvs-users@xxxxxxxxxxxxxxxxxxxxxx Send requests to 
> > lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> > 
> 
> 
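The whole thread turns on whether the real-server port written in ldirectord.cf (80) actually reaches the kernel IPVS table, and the pasted ipvsadm listing shows it did not: both real servers appear on :441 with weight 0, so only the 127.0.0.1 fallback is serving. The script below is an added example, not code from this thread or from the ldirectord or ipvsadm projects. It parses a virtual= block in ldirectord.cf syntax and an `ipvsadm -L -n` listing and reports what a practitioner would want flagged before blaming the SSL proxy: a real server whose IPVS port differs from the configured one, a forwarding method that differs, a real server quiesced to weight 0 (ldirectord's default quiescent behaviour when its health check fails), a service=https negotiate check aimed at a plaintext port 80, and a service where only the fallback is live. The ldirectord.cf excerpt and ipvsadm output embedded in the script are constructed to mirror the post (203.0.113.10 stands in for the masked xxx.xxx.xxx.xxx VIP, and the three ipvsadm header lines are the ones the tool normally prints). One caveat for option 2 as drawn above: once SSLProxy terminates TLS on the director, the hop to the real servers on port 80 is plaintext, so that segment has to be trusted or otherwise protected.

```python
"""Cross-check an ldirectord virtual= block against `ipvsadm -L -n` output.

Added example; not from the lvs-users thread or the ldirectord/ipvsadm projects.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the thread. 203.0.113.10 stands in for
# the masked VIP; the cf asks for port 80 but the kernel table shows 441.
SAMPLE_CF = """\
virtual=203.0.113.10:441
        service=https
        fallback=127.0.0.1:441
        request="index.html"
        receive="Test Page"
        scheduler=rr
        protocol=tcp
        checktype=negotiate
        real=192.168.0.233:80 masq 1
        real=192.168.0.234:80 masq 1
"""
SAMPLE_IPVSADM = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  203.0.113.10:441 rr
  -> 192.168.0.233:441            Masq    0      0          0
  -> 192.168.0.234:441            Masq    0      0          0
  -> 127.0.0.1:441                Local   1      0          0
"""

@dataclass
class Real:
    ip: str
    port: int
    method: str   # cf keyword (masq/gate/ipip) or the lowercased ipvsadm Forward column
    weight: int

@dataclass
class Virtual:
    ip: str
    port: int
    protocol: str = "tcp"
    service: str = ""
    checktype: str = ""
    fallback: tuple = None
    reals: list = field(default_factory=list)

# ipvsadm names forwarding methods differently from ldirectord.cf.
FORWARD_TO_CF = {"masq": "masq", "route": "gate", "tunnel": "ipip", "local": "local"}

def parse_ldirectord_cf(text):
    """Parse virtual=, real=, fallback= and a few per-service keys."""
    virtuals, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^virtual\s*=\s*([\d.]+):(\d+)$", line)
        if m:
            cur = Virtual(m.group(1), int(m.group(2)))
            virtuals.append(cur)
            continue
        if cur is None:
            continue                         # global directives before the first virtual=
        m = re.match(r"^real\s*=\s*([\d.]+):(\d+)\s+(gate|masq|ipip)(?:\s+(\d+))?", line)
        if m:
            cur.reals.append(Real(m.group(1), int(m.group(2)), m.group(3), int(m.group(4) or 1)))
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip().strip('"')
        if key == "fallback":                # "ip:port [gate|masq|ipip]"
            ip, port = val.split()[0].split(":")
            cur.fallback = (ip, int(port))
        elif key in ("protocol", "service", "checktype"):
            setattr(cur, key, val.lower())
    return virtuals

def parse_ipvsadm(text):
    """Parse `ipvsadm -L -n` into {(proto, vip, vport): {real_ip: Real}}."""
    table, cur = {}, None
    for raw in text.splitlines():
        m = re.match(r"^(TCP|UDP)\s+([\d.]+):(\d+)\s+\S+", raw)
        if m:
            cur = (m.group(1).lower(), m.group(2), int(m.group(3)))
            table[cur] = {}
            continue
        m = re.match(r"^\s*->\s+([\d.]+):(\d+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\d+)", raw)
        if m and cur is not None:        # header line "RemoteAddress:Port" does not match
            table[cur][m.group(1)] = Real(m.group(1), int(m.group(2)), m.group(3).lower(), int(m.group(4)))
    return table

def audit(virtuals, table):
    """Return human-readable findings; an empty list means cf and kernel agree."""
    findings = []
    for v in virtuals:
        name = f"{v.protocol}/{v.ip}:{v.port}"
        kernel = table.get((v.protocol, v.ip, v.port))
        if kernel is None:
            findings.append(f"{name}: virtual service not present in the IPVS table")
            continue
        for r in v.reals:
            if v.service == "https" and v.checktype == "negotiate" and r.port == 80:
                findings.append(f"{name} real {r.ip}:{r.port}: https negotiate check speaks TLS to a plaintext port and fails")
            k = kernel.get(r.ip)
            if k is None:
                findings.append(f"{name} real {r.ip}: missing from the IPVS table")
                continue
            if k.port != r.port:
                findings.append(f"{name} real {r.ip}: cf asks for port {r.port}, IPVS forwards to port {k.port}")
            if FORWARD_TO_CF.get(k.method) != r.method:
                findings.append(f"{name} real {r.ip}: cf asks for {r.method}, IPVS uses {k.method}")
            if r.weight > 0 and k.weight == 0:
                findings.append(f"{name} real {r.ip}: weight 0 in IPVS, quiesced because its health check fails")
        live = [kernel[r.ip] for r in v.reals if r.ip in kernel]
        fb = kernel.get(v.fallback[0]) if v.fallback else None
        if live and all(k.weight == 0 for k in live) and fb is not None and fb.weight > 0:
            findings.append(f"{name}: every real server is quiesced; only the fallback {fb.ip}:{fb.port} is serving")
    return findings

def audit_sample():
    return audit(parse_ldirectord_cf(SAMPLE_CF), parse_ipvsadm(SAMPLE_IPVSADM))

if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run it against your own files with `audit(parse_ldirectord_cf(open("/etc/ha.d/ldirectord.cf").read()), parse_ipvsadm(subprocess.check_output(["ipvsadm", "-L", "-n"], text=True)))`; the parser deliberately skips anything it does not recognise, so extra directives or extra ipvsadm columns do not break it.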
