RE: LVS problem with SSLProxy

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS problem with SSLProxy
From: "Longhua Li" <zyllh@xxxxxxxxxxxx>
Date: Tue, 11 Oct 2005 16:27:16 -0600
No, no, no, this is not right. The request is not handled by the SSL proxy
at all but instead, it is forwarded to real servers. 

-----Original Message-----
From: lvs-users-bounces+zyllh=adelphia.net@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces+zyllh=adelphia.net@xxxxxxxxxxxxxxxxxxxxxx] On
Behalf Of Longhua Li
Sent: Tuesday, October 11, 2005 4:19 PM
To: 'LinuxVirtualServer.org users mailing list.'
Subject: RE: LVS problem with SSLProxy

Thanks.
As you suggested here is my setup

virtual=xxx.xxx.xxx.xxx:441
        service=http
        fallback=127.0.0.1:80
        request="index.html"
        receive="Test Page"
        scheduler=rr
        protocol=tcp
        real=192.168.0.233:80 masq 1
        real=192.168.0.234:80 masq 1

And ipvsadm -L -n
Shows
TCP  xxx.xxx.xxx.xxx:441 rr
  -> 192.168.0.234:80             Masq    1      0          1         
  -> 192.168.0.233:80             Masq    1      0          0         
  -> 192.168.0.233:441            Masq    0      0          0         
  -> 192.168.0.234:441            Masq    0      0          0

The request is http://xxx.xxx.xxx.xxx:441 instead of
https://xxx.xxx.xxx.xxx:441 and I saw the real server pages instead of the
fallback server.
The question is why I did not see the certificate pop-up window. Might it be my
sslproxy problem? 
Thank you very much and your suggestions are very helpful!

Longhua

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mark
Sent: Tuesday, October 11, 2005 3:51 PM
To: 'LinuxVirtualServer.org users mailing list.'
Subject: RE: LVS problem with SSLProxy

I think the problem is in your ldirector parameters.
Here are the parameters that work for me:
        service=http
        request="pooling_status.html"
        receive="html"
        scheduler=rr
        protocol=tcp

"request" and "receive" you have to adjust to your scenario.
I don't use checktype (not sure what the default is).
Service is definitely "http" for you, since the HTTPS envelope is already
stripped off when ldirector comes into play.
Even for me "service=https" didn't work - no idea why, since unlike you, I
actually DO have https traffic going through ldirectord.
Maybe it validates the certificate or something.

After I switched from "service=https" to "service=http" it worked fine. That
should do the trick for you as well...

MARK

> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx 
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf 
> Of Longhua Li
> Sent: Tuesday, October 11, 2005 2:13 PM
> To: 'LinuxVirtualServer.org users mailing list.'
> Subject: RE: LVS problem with SSLProxy
> 
> 
> Thanks for your information.
> The SSLProxy is a homemade stuff. My coworker wrote it. And I 
> don't know how he implements it. And I don't know the 
> internals of the ldirector mechanisms either. Hmm, big problem then. 
> Ideally, ldirector does not need to know SSLProxy.
> The request goes like this
> Client -> SSLProxy(443)->(80)->Load Balancer(80)->Real Servers (80)
> 
> After I run my SSLProxy, response always comes from the fall 
> back server instead of from any real servers. It looks like I 
> have to look into the source code. Any suggestions! Thanks again
> 
> Longhua
> 
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mark
> Sent: Tuesday, October 11, 2005 11:50 AM
> To: 'LinuxVirtualServer.org users mailing list.'
> Subject: RE: LVS problem with SSLProxy
> 
> Hm...
> I'm not sure about choosing option 2 over option 1. As far as 
> I know, the SSL stuff can be pretty processor heavy... But 
> anyway... I think what you want to do should be possible 
> (ldirector and SSLProxy on one machine) - although I haven't 
> done it myself...
> 
> The only problem I could think of is that the box figures out 
> that both pieces are its own IPs and then somehow uses the 
> local interface rather than the eth interfaces. If that 
> happens, I am not sure about whether the ldirector hooks are 
> still able to pick up and redirect the traffic, or if they 
> rely on it coming in through a real eth interface... I don't 
> know enough about the internals of the ldirector 
> mechanisms... If you really can't get that to work, try it 
> with option 1, maybe that will work. 
> 
> The most important thing is to make sure that you have the 
> input and output ports of each chain element set up properly, I think.
> 
> Which SSLProxy are you using?
> 
> I use a load balancer to forward HTTPS to a bunch of apache 
> servers, each of them has their own HTTPS proxy. I just use 
> mod_rewrite for that. You could use mod_proxy as well, but 
> mod_rewrite gives you better mapping options with regex-based 
> rules, etc...
> 
> MARK
> 
> 
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - 
> lvs-users@xxxxxxxxxxxxxxxxxxxxxx Send requests to 
> lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> 
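Added example, not part of the thread and not ldirectord's own code: a small Python approximation of the service=http request/receive check Mark describes, together with a parser for the ipvsadm -L -n table Longhua posted. With ldirectord's default quiescent=yes, a real server whose check fails is not removed from the table but set to weight 0, which is consistent with the two :441 entries at weight 0 above while the :80 entries at weight 1 keep receiving the plaintext requests that arrive on the virtual :441. The sample table, the local stand-in server and the placeholder virtual address 10.0.0.1 are constructed here; the real-server addresses are the ones quoted in the thread.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the "ipvsadm -L -n" table from the thread, with the
# masked virtual address replaced by a placeholder (10.0.0.1 is not from the page).
IPVSADM_OUTPUT = """\
TCP  10.0.0.1:441 rr
  -> 192.168.0.234:80             Masq    1      0          1
  -> 192.168.0.233:80             Masq    1      0          0
  -> 192.168.0.233:441            Masq    0      0          0
  -> 192.168.0.234:441            Masq    0      0          0
"""

# One real-server line: "-> ip:port  Forward  Weight  ActiveConn  InActConn"
REAL_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ipvsadm(text):
    """Return (ip, port, forward, weight, active, inactive) per real-server line."""
    rows = []
    for line in text.splitlines():
        m = REAL_RE.match(line)
        if m:
            ip, port, fwd, weight, active, inactive = m.groups()
            rows.append((ip, int(port), fwd, int(weight), int(active), int(inactive)))
    return rows


def quiesced(text):
    """Real servers at weight 0: with quiescent=yes (ldirectord's default) these are
    servers whose check failed, still in the table but getting no new connections."""
    return [(ip, port) for ip, port, _fwd, w, _a, _i in parse_ipvsadm(text) if w == 0]


def http_check(host, port, request="index.html", receive="Test Page", timeout=2.0):
    """Approximation of ldirectord's service=http check: GET /<request> on the real
    server and look for the <receive> regex in the body. Any socket or HTTP error
    counts as a failed check, the same as an unreachable server."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/" + request.lstrip("/"))
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
    except (OSError, http.client.HTTPException):
        return False
    return resp.status == 200 and re.search(receive, body) is not None


def new_weight(alive, configured_weight=1):
    """quiescent=yes: a failed server keeps its table entry but drops to weight 0."""
    return configured_weight if alive else 0


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for a real server: serves the page the check expects."""

    def do_GET(self):
        if self.path == "/index.html":
            status, body = 200, b"<html><body>Test Page</body></html>"
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the check against a local stand-in server and return
    (result with the matching receive string, result with a wrong one)."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        good = http_check("127.0.0.1", port, "index.html", "Test Page")
        bad = http_check("127.0.0.1", port, "index.html", "Some Other Page")
    finally:
        srv.shutdown()
        srv.server_close()
    return good, bad


if __name__ == "__main__":
    print("quiesced real servers:", quiesced(IPVSADM_OUTPUT))
    good, bad = demo()
    print("matching receive:", good, "-> weight", new_weight(good))
    print("wrong receive:", bad, "-> weight", new_weight(bad))
```

Running the script lists the two :441 entries as quiesced and shows the check passing only when the receive pattern is actually present in the served page, which is the same reason a mismatched request/receive pair in the ldirectord stanza drops every real server to weight 0 and sends traffic to the fallback.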