|
Have you tried it, Dennis? Did you look into the ldirectord code? You know,
how SSL is working?
Regards,
Timur.
On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <dennisml@xxxxxxxxxxxx
> wrote:
> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > Hi guys!
> >
> > I've posted bug report regarding ldirectord, can you please review it and
> > commit, if possible?
> >
> > https://github.com/ClusterLabs/resource-agents/issues/361
> >
> > Ldirectord is using LWP for it's negotiate checks for the HTTP/HTTPS
> sites.
> > Since LWP 6.0 by default it verifies the correspondence of the SSL
> > certificate and the server hostname. In 99.9% of the cases this is the
> VIP
> > hostname and RIP are identified by their internal hostnames or, most
> common
> > - by their IP addresses.
> >
> > That breaks hostname verification and hence - marks HTTPS backends as
> > invalid and kicks them off the pool. This problem did hit me in the
> > production when we've upgraded from Debian squeeze to Debian wheezy,
> which
> > brought newer version of LWP.
> >
> >
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> >
> > Luckily, the fix to the problem is easy:
> >
> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100
> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100
> > @@ -2834,7 +2834,7 @@
> > &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > . "virtualhost=\"$virtualhost\"");
> >
> > - my $ua = new LWP::UserAgent();
> > + my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0
> });
> >
> > my $h = undef;
> > if ($$v{service} eq "http_proxy") {
> >
> > I haven't verified that with older version of LWP, but I believe it
> should
> > just ignore unknown parameters to the constructor.
>
> I don't think that's a bug but you have to specify the virtualhost
> parameter to set the Host header for the realservers.
>
> Regards,
> Dennis
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
