Re: [lvs-users] Redirects http to https

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] Redirects http to https
From: Anders Henke <anders.henke@xxxxxxxx>
Date: Wed, 24 Jul 2013 11:06:50 +0200
Hi Brian,

I'm not sure what you mean, and probably some other folks as well :-)

IPVS/LVS works on OSI layers 2-4, depending on what you're exactly looking at:

-Direct Routing: LVS receives a packet from the ethernet, rewrites the 
 destination MAC address to the address of some realserver and sends the 
 packet back onto the ethernet.
-Masquerading: LVS receives a packet from the ethernet, rewrites the 
 destination MAC address and IP address to the address of some realserver
 and sends the packet back onto the ethernet.
 Using masquerading, any replies need to pass the LVS host, where the 
 replies are rewritten to match the original incoming request.
-Optional for Masquerading: the udp/tcp port is rewritten as well,
 so incoming traffic on port 80 may be dispatched to e.g. port 8080 on
 some realserver.

Software like ldirectord or keepalived checks the availability of
realservers and does dynamically reconfigure the current in-kernel
IPVS configuration.

So, that's my short wrapup of IPVS/LVS's capabilities.

From the current thread, I'm not sure what you're up to.

-According to the subject, you're trying to use IPVS/LVS to redirect
 from http to https. While in Masquerading mode, IPVS may send incoming 
 traffic on port 80 to port 443, this won't help you very much, as both
 ports do run different protocols and IPVS doesn't translate protocols.

-According to your config files, you're loadbalancing http traffic to 
 nginx, who does redirect all incoming requests to a different website 
 (the SSL-enabled version, in this case).

 You're using ldirectord for checking the realserver availability, so 
 ldirectord simply needs to accept a "301 Redirect" via http 
 as "server is available". If it wouldn't do so, your realserver would
 drop out of the running configuration and receive no requests at all.

 According to ldirectord's source code, http requests are started 
 as LWP::UserAgent using this call around code line 2868:

                $res = $ua->request($req);

 The "request"-call does follow any redirects, so ldirectord in turn
 does not only check if your http-redirect works, but checks the
 availability of the SSL website as well.

 Probably you're expecting ldirectord only to check the http return
 code (301) and not to follow the redirect. One of the easier ways 
 to achieve this is patching ldirectord from the sequence above to

                $res = $ua->simple_request($req);

-You're trying to proxy from SSL to a Non-SSL-Website (SSL Offloading)
 or vice versa (forcing SSL-use for users who can't do SSL).

There are various other possible things as well.

Please do describe what your expectations are
(not, what you've done, but what you're expecting it to do).


1&1 Internet AG              Expert Systems Architect (IT Operations)
Brauerstrasse 50             v://49.721.91374.0
D-76135 Karlsruhe            f://49.721.91374.225

Amtsgericht Montabaur HRB 6484
Vorstand: Ralph Dommermuth, Frank Einhellinger, Robert Hoffmann, 
Andreas Hofmann, Markus Huhn, Hans-Henning Kettler, Uwe Lamnek, 
Jan Oetjen, Christian Würst
Aufsichtsratsvorsitzender: Michael Scheeren
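
The difference between the two LWP::UserAgent calls discussed in the message above, as an added example that is not part of the original post or of ldirectord's code. The local HTTP::Daemon server, its /secure path and the 503 answer are constructed stand-ins for the nginx realserver and an unavailable SSL site.

```perl
#!/usr/bin/perl
# Added example, not ldirectord's own code.
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Request;
use HTTP::Response;
use LWP::UserAgent;

# Constructed stand-in for the realserver: "/" answers 301 to /secure,
# and /secure (playing the SSL site) answers 503 as if it were down.
my $d = HTTP::Daemon->new(LocalAddr => '127.0.0.1') or die "listen: $!";
my $base = 'http://127.0.0.1:' . $d->sockport . '/';

my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {
    # Child: serve one request per connection until the parent kills us.
    while (my $c = $d->accept) {
        if (my $r = $c->get_request) {
            my $res = $r->uri->path eq '/secure'
                ? HTTP::Response->new(503, 'Service Unavailable', undef, "down\n")
                : HTTP::Response->new(301, 'Moved Permanently',
                      [ Location => $base . 'secure' ], "moved\n");
            $c->send_response($res);
        }
        $c->close;
    }
    exit 0;
}

my $ua = LWP::UserAgent->new(timeout => 5);

# request() follows the 301, so the result is that of the redirect target.
my $followed = $ua->request(HTTP::Request->new(GET => $base));
# simple_request() returns the first response without following it.
my $direct   = $ua->simple_request(HTTP::Request->new(GET => $base));

printf "request():        %s (final URL %s)\n",
    $followed->status_line, $followed->request->uri;
printf "simple_request(): %s (Location %s)\n",
    $direct->status_line, $direct->header('Location');

kill 'TERM', $pid;
waitpid $pid, 0;
```

With request(), the check result depends on the redirect target; with simple_request(), it reflects only the realserver's own 301 answer.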
