[lvs-users] ldirectord fails to test HTTPS real servers.

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] ldirectord fails to test HTTPS real servers.
From: "Timur I. Bakeyev" <timur@xxxxxxxxxx>
Date: Tue, 3 Dec 2013 12:19:40 +0100
Hi guys!

I've posted a bug report regarding ldirectord, can you please review it and
commit, if possible?

https://github.com/ClusterLabs/resource-agents/issues/361

Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS sites.
Since LWP 6.0 by default it verifies the correspondence of the SSL
certificate and the server hostname. In 99.9% of the cases this is the VIP
hostname and RIPs are identified by their internal hostnames or, most commonly,
by their IP addresses.

That breaks hostname verification and hence marks HTTPS backends as
invalid and kicks them off the pool. This problem hit me in
production when we upgraded from Debian squeeze to Debian wheezy, which
brought a newer version of LWP.

http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm

Luckily, the fix to the problem is easy:

--- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
+++ ldirectord  2013-12-03 11:59:34.703026282 +0100
@@ -2834,7 +2834,7 @@
        &ld_debug(2, "check_http: url=\"$$r{url}\" "
                . "virtualhost=\"$virtualhost\"");

-       my $ua = new LWP::UserAgent();
+       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });

        my $h = undef;
        if ($$v{service} eq "http_proxy") {
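
Review bot: the replacement `new LWP::UserAgent(ssl_opts => { verify_hostname => 0 })` line turns hostname verification off unconditionally for every check_http call, so a real server presenting a certificate issued for some other name would still pass the check. Consider making this a per-virtual-service configuration option instead of hard-coding it, or keeping verification on and checking the certificate against `$virtualhost`, which is already in scope in the debug line above. The behaviour with LWP releases older than 6.0 should also be tested before this is committed, since the change applies to them as well.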

I haven't verified that with an older version of LWP, but I believe it should
just ignore unknown parameters to the constructor.

With best regards,
Timur Bakeyev.
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
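
An alternative to switching verification off, as an added example that is not part of the original post or of ldirectord: keep `verify_hostname` on and tell the TLS layer which name the certificate must match through IO::Socket::SSL's `SSL_verifycn_name` option, which LWP passes through from `ssl_opts`. The helper names, hostname and address below are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not ldirectord code. Helper names and sample values are
# constructed; requires LWP::UserAgent >= 6 and LWP::Protocol::https.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Build a user agent that still validates the certificate, but checks it
# against the virtual service name instead of the real server's address.
sub build_check_ua {
    my ($expected_name, $ca_file) = @_;
    my %ssl_opts = (
        verify_hostname   => 1,               # keep LWP 6 verification on
        SSL_verifycn_name => $expected_name,  # name the certificate must match
        SSL_hostname      => $expected_name,  # SNI sent to the real server
    );
    # Optional: trust an internal CA instead of the default bundle.
    $ssl_opts{SSL_ca_file} = $ca_file if defined $ca_file;
    return LWP::UserAgent->new(ssl_opts => \%ssl_opts, timeout => 5);
}

# Request the check URL on one real server by address, sending the VIP's
# Host header so name-based virtual hosting on the backend still works.
sub check_real_server {
    my ($ua, $rip, $port, $vhost, $path) = @_;
    my $req = HTTP::Request->new(GET => "https://$rip:$port$path");
    $req->header(Host => $vhost);
    my $res = $ua->request($req);
    return ($res->is_success, $res->status_line);
}

# Constructed sample values: documentation hostname and TEST-NET address.
my ($vhost, $rip) = ('www.example.com', '192.0.2.11');
my $ua = build_check_ua($vhost);
my ($ok, $status) = check_real_server($ua, $rip, 443, $vhost, '/');
print "$rip ", ($ok ? 'up' : 'down'), " ($status)\n";
```

With this setup a backend is marked down when its certificate does not cover the virtual host name or does not chain to a trusted CA, which is the condition the health check would otherwise stop detecting.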
