|
For me to make this work on my setup I had to install some Perl Modules, if
you use Ldirectord -d to debug you will see a internal error on messages
checking SSL
My config that works now:
virtual = <IP>:443
real = <IP>:443 gate 10
real = <IP>:443 gate 10
real = <IP>:443 gate 10
real = <IP>:443 gate 10
real = <IP>:443 gate 10
real = <IP>:443 gate 10
persistent = 3600
scheduler = wrr
service = https
checktype = negotiate
checkport = 443
request = "server.php"
receive = "ok"
virtualhost = "<ssl-domain>"
The modules I have installed (dunno which worked)
Crypt-SSLeay-0.64-Pc0dMJ
IO-Socket-SSL-1.953-c7ub4t
Net-SSLeay-1.55-8NXQ3I
Installed all via cpan.
The thing is to always check the debug from ldirectord -d -c <config-file>
cause it tells you what's failing
On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
<malcolm@xxxxxxxxxxxxxxxx>wrote:
> We use the same patch at Loadbalancer.org (or something very similar
> anyway). Most of our customers specifically do not want use a virtual
> host (for a health check) OR care if the SSL cert is valid.
>
>
>
> On 4 December 2013 10:05, Timur I. Bakeyev <timur@xxxxxxxxxx> wrote:
> > Have you tried it, Dennis? Did you look into the ldirectord code? You
> know,
> > how SSL is working?
> >
> > Regards,
> > Timur.
> >
> >
> > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <
> dennisml@xxxxxxxxxxxx
> >> wrote:
> >
> >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> >> > Hi guys!
> >> >
> >> > I've posted bug report regarding ldirectord, can you please review it
> and
> >> > commit, if possible?
> >> >
> >> > https://github.com/ClusterLabs/resource-agents/issues/361
> >> >
> >> > Ldirectord is using LWP for it's negotiate checks for the HTTP/HTTPS
> >> sites.
> >> > Since LWP 6.0 by default it verifies the correspondence of the SSL
> >> > certificate and the server hostname. In 99.9% of the cases this is the
> >> VIP
> >> > hostname and RIP are identified by their internal hostnames or, most
> >> common
> >> > - by their IP addresses.
> >> >
> >> > That breaks hostname verification and hence - marks HTTPS backends as
> >> > invalid and kicks them off the pool. This problem did hit me in the
> >> > production when we've upgraded from Debian squeeze to Debian wheezy,
> >> which
> >> > brought newer version of LWP.
> >> >
> >> >
> >>
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> >> >
> >> > Luckily, the fix to the problem is easy:
> >> >
> >> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100
> >> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100
> >> > @@ -2834,7 +2834,7 @@
> >> > &ld_debug(2, "check_http: url=\"$$r{url}\" "
> >> > . "virtualhost=\"$virtualhost\"");
> >> >
> >> > - my $ua = new LWP::UserAgent();
> >> > + my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0
> >> });
> >> >
> >> > my $h = undef;
> >> > if ($$v{service} eq "http_proxy") {
> >> >
> >> > I haven't verified that with older version of LWP, but I believe it
> >> should
> >> > just ignore unknown parameters to the constructor.
> >>
> >> I don't think that's a bug but you have to specify the virtualhost
> >> parameter to set the Host header for the realservers.
> >>
> >> Regards,
> >> Dennis
> >>
> >>
> >> _______________________________________________
> >> Please read the documentation before posting - it's available at:
> >> http://www.linuxvirtualserver.org/
> >>
> >> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> >> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >>
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
>
>
> --
> Regards,
>
> Malcolm Turnbull.
>
> Loadbalancer.org Ltd.
> Phone: +44 (0)870 443 8779
> http://www.loadbalancer.org/
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
--
[ ]'s
Filipe Cifali Stangler
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
