RE: Please Help for my https problem~!

["Mark" <msalists@xxxxxxx>]

I had problems with https as well. I got it to work with "service=http". Also, 
I'm using masquerade rather than gateway mode, but
that should not make a difference. The rest of your configuration is similar to 
mine. Service=http may not be the perfect solution
but at least a fix that worked for me...

Since there seems to be a lot of problems with configuring https, can somebody 
comment on what the LVS engine does differently for
http and https mode?

Thanks,

MARK


> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx 
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf 
> Of Louis Lam
> Sent: Tuesday, October 25, 2005 2:49 AM
> To: LinuxVirtualServer.org users mailing list.
> Cc: Anthony Cheung; Alex Ho
> Subject: Please Help for my https problem~!
> 
> 
> Dear All:
> 
> I have try to setup a LVS https service for a month. However, 
> i'm fail to config it successfully, 
> 
> The situation is All https connection have been stopped at 
> Director. But it can run smoothly with http service. I have 
> solved the ARP problem,  The https and http service can 
> access directly through the Real Server IP,  but fail to 
> connect the https service through VIP
> 
> this is the detail of my web farm:
> VIP           10.0.58.136
> Director      10.0.58.231
> Real Server1  10.0.58.232
> Real Server2  10.0.58.230
> 
> ========================================
> The Specification of Director:
> 
> OS Red Hat ES3.0      kernel 2.4.21-27.0.2.EL.um.1
> 
> UltraMonkey 2.01 
>   heartbeat-1.0.4-2.rh.el.um.1.i386.rpm 
>   heartbeat-ldirectord-1.0.4-2.rh.el.um.1.i386.rpm 
>   heartbeat-pils-1.0.4-2.rh.el.um.1.i386.rpm 
>   heartbeat-stonith-1.0.4-2.rh.el.um.1.i386.rpm 
>   ipvsadm-1.21-1.rh.el.1.i386.rpm 
>   libnet-1.1.0-1.rh.el.1.i386.rpm 
>   perl-Authen-SASL-2.03-1.rh.el.um.1.noarch.rpm 
>   perl-Convert-ASN1-0.16-2.rh.el.um.1.noarch.rpm 
>   perl-IO-Socket-SSL-0.92-1.rh.el.um.1.noarch.rpm 
>   perl-Mail-IMAPClient-2.2.7-1.rh.el.um.1.noarch.rpm 
>   perl-Net-SSLeay-1.23-1.rh.el.um.1.i386.rpm 
>   perl-Parse-RecDescent-1.80-1.rh.el.um.1.noarch.rpm 
>   perl-XML-NamespaceSupport-1.08-1.rh.el.um.1.noarch.rpm 
>   perl-XML-SAX-0.12-1.rh.el.um.1.noarch.rpm 
>   perl-ldap-0.2701-1.rh.el.um.1.noarch.rpm 
> 
> Extra package
> perl-Crypt-SSLeay-0.51-alt2.i586.rpm
> perl-Crypt-OpenSSL-DSA-0.12-1.1.el3.rf.i386.rpm
> ===========================================
> The Specification of the Two Real Server:
> 
> OS:  Red Hat 8.0              kernel 2.4.20-31.9.um.3 
> 
> Web Server package:
> 2. Jdk 1.4.2_09
> 3. Apache 1.3.14
> 4. Openssl 0.9.6g
> 5. ApacheJServ-1.1.2
> 6. Gnujsp-1.0.1
> 7. mod_ssl-2.7.1-1.3.14 ===========================================
> The configuration step:
> 
> On Director:
> ifconfig eth0:0 10.0.58.136 netmask 255.255.255.0 broadcast 
> 10.0.58.255 echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> ipvsadm -A -t 10.0.58.136:80 -s rr
> ipvsadm -a -t 10.0.58.136:80 -r 10.0.58.230 -g
> ipvsadm -a -t 10.0.58.136:80 -r 10.0.58.232 -g
> 
> ipvsadm -A -t 10.0.58.136:443 -s rr
> ipvsadm -a -t 10.0.58.136:443 -r 10.0.58.230 -g
> ipvsadm -a -t 10.0.58.136:443 -r 10.0.58.232 -g
> 
> /usr/sbin/ldirectord start
> -------------------------------------
> Ldirectord.cf
> #
> # Sample ldirectord configuration file to configure various 
> virtual services. # # Ldirectord will connect to each real 
> server once per second and request # /index.html. If the data 
> returned by the server does not contain the # string "Test 
> Message" then the test fails and the real server will be # 
> taken out of the available pool. The real server will be 
> added back into # the pool once the test succeeds. If all 
> real servers are removed from the # pool then localhost:80 is 
> added to the pool as a fallback measure.
> 
> # Global Directives
> checktimeout=500
> checkinterval=1
> fallback=127.0.0.1:80
> autoreload=yes
> logfile="/var/log/ldirectord.log"
> #logfile="local0"
> quiescent=yes
> 
> # A sample virual with a fallback that will override the 
> gobal setting virtual=10.0.58.136:80
>       real=10.0.58.230:80 gate
>       real=10.0.58.232:80 gate
>       real=192.168.6.6:80 gate
>       fallback=127.0.0.1:80 gate
>       service=http
>       request="index.htm"
>       receive="abc"
>       scheduler=rr
>       #persistent=600
>       netmask=255.255.255.255
>       protocol=tcp
> 
> #Sample configuration for an https virtual service.
> #Fallback setting overides global
> virtual=10.0.58.136:443
>       real=10.0.58.230:443 gate
>       real=10.0.58.232:443 gate
>       fallback=127.0.0.1:443
>       service=https
>       scheduler=rr
>       request="test.htm"
>       receive="abc"
>       scheduler=rr
>       #persistent=600
>       netmask=255.255.255.255
>       protocol=tcp
> -------------------------------------
> **No setting on Iptable
> **No firewall
> 
> ===========================================
> The configuration step on Real Server
> 
> ifconfig lo:0 10.0.58.136 netmask 255.255.255.255 broadcast 
> 10.0.58.136 echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > 
> /proc/sys/net/ipv4/conf/all/hidden
> echo 1 > /proc/sys/net/ipv4/conf/lo/hidden 
> /usr/local/apache/bin/apachectl start
> 
> **No setting on Iptable
> **No firewall
> ===========================================
> The Log files
> ------------------------------------------------------
> ipvsadm 
> 
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  10.0.58.136:https rr persistent 600
>           -> 10.0.58.232:https            Route   1      0          0
>           -> 10.0.58.230:https            Route   1      0          0
>   ->  localhost.localdomain:https  Local   0      0          0
> 
> TCP  10.0.58.136:http rr
>   -> 10.0.58.232:http             Route   1      0          0
>   -> 10.0.58.230:http             Route   1      0          0
> ------------------------------------------------------
> 
> ipvsadm -L -c -n
> TCP 00:01  CLOSE       10.0.58.93:1828    10.0.58.136:443    
> 10.0.58.230:443
> TCP 00:05  CLOSE       10.0.58.93:1840    10.0.58.136:443    
> 10.0.58.230:443
> TCP 00:04  CLOSE       10.0.58.93:1833    10.0.58.136:443    
> 10.0.58.232:443
> TCP 00:05  CLOSE       10.0.58.93:1838    10.0.58.136:443    
> 10.0.58.230:443
> TCP 00:03  CLOSE       10.0.58.93:1829    10.0.58.136:443    
> 10.0.58.232:443
> TCP 00:04  CLOSE       10.0.58.93:1834    10.0.58.136:443    
> 10.0.58.230:443
> TCP 00:05  CLOSE       10.0.58.93:1837    10.0.58.136:443    
> 10.0.58.232:443
> TCP 00:04  CLOSE       10.0.58.93:1835    10.0.58.136:443    
> 10.0.58.232:443
> TCP 00:04  CLOSE       10.0.58.93:1832    10.0.58.136:443    
> 10.0.58.230:443
> TCP 01:20  FIN_WAIT    10.0.58.93:1822    10.0.58.136:80     
> 10.0.58.232:80
> TCP 00:04  CLOSE       10.0.58.93:1831    10.0.58.136:443    
> 10.0.58.232:443
> TCP 00:03  CLOSE       10.0.58.93:1830    10.0.58.136:443    
> 10.0.58.230:443
> TCP 00:05  CLOSE       10.0.58.93:1836    10.0.58.136:443    
> 10.0.58.230:443
> TCP 00:05  CLOSE       10.0.58.93:1839    10.0.58.136:443    
> 10.0.58.232:443
> -------------------------------------------------------
> 
> tcpdump -n -i any port 443 on Director 
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any
> 17:29:17.345139 10.0.58.231.41440 > 10.0.58.230.https: S 
> 3329915465:3329915465(0) win 5840 <mss 1460,sackOK,timestamp 
> 866633 0,nop,wscale 0> (DF) 17:29:17.345609 10.0.58.230.https 
> > 10.0.58.231.41440: S 1855908101:1855908101(0) ack 
> 3329915466 win 5792 <mss 1460,sackOK,timestamp 43791285 
> 866633,nop,wscale 0> (DF) 17:29:17.345622 10.0.58.231.41440 > 
> 10.0.58.230.https: . ack 1 win 5840 <nop,nop,timestamp 866633 
> 43791285> (DF) 17:29:17.346450 10.0.58.231.41440 > 
> 10.0.58.230.https: P 1:127(126) ack 1 win 5840 
> <nop,nop,timestamp 866633 43791285> (DF) 17:29:17.347008 
> 10.0.58.230.https > 10.0.58.231.41440: . ack 127 win 5792 
> <nop,nop,timestamp 43791285 866633> (DF) 17:29:17.361403 
> 10.0.58.230.https > 10.0.58.231.41440: . 1:1449(1448) ack 127 
> win 5792 <nop,nop,timestamp 43791286 866633> (DF) 
> 17:29:17.361410 10.0.58.231.41440 > 10.0.58.230.https: . ack 
> 1449 win 8688 <nop,nop,timestamp 866634 43791286> (DF) 
> 17:29:17.361803 10.0.58.230.https > 10.0.58.231.41440: P 
> 1449:1844(395) ack 127 win 5792 <nop,nop,timestamp 43791286 
> 866633> (DF) 17:29:17.361810 10.0.58.231.41440 > 
> 10.0.58.230.https: . ack 1844 win 8688 <nop,nop,timestamp 
> 866634 43791286> (DF)
> ------------------------------------------------------
> tcpdump -n -i any port 443 on Real Server
> tcpdump: listening on any
> 17:30:23.288379 10.0.58.231.41577 > 10.0.58.232.https: S 
> 3414509979:3414509979(0) win 5840 <mss 1460,sackOK,timestamp 
> 874194 0,nop,wscale 0> (DF)
> 17:30:23.288397 10.0.58.232.https > 10.0.58.231.41577: S 
> 3321698202:3321698202(0) ack 3414509980 win 5792 <mss 
> 1460,sackOK,timestamp 69371828 874194,nop,wscale              
>                                 0> (DF)
> 17:30:23.289377 10.0.58.231.41577 > 10.0.58.232.https: . ack 
> 1 win 5840 <nop,nop,timestamp 874194 69371828> (DF) 
> 17:30:23.289627 10.0.58.231.41577 > 10.0.58.232.https: P 
> 1:127(126) ack 1 win 5840 <nop,nop,timestamp 874194 69371828> 
> (DF) 17:30:23.289635 10.0.58.232.https > 10.0.58.231.41577: . 
> ack 127 win 5792 <nop,nop,timestamp 69371828 874194> (DF)
> ------------------------------------------------------
> 
> 
> Do anyone have experience on this issue below?
> 
> Please help me to find out the Problem or How can I narrow  
> the source of problem?
> 
> MANY MANY THANKS
> 
> 
> Louis
> 
> 
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - 
> lvs-users@xxxxxxxxxxxxxxxxxxxxxx Send requests to 
> lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>