
Re: [lvs-users] ldirectord fails to test HTTPS real servers.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] ldirectord fails to test HTTPS real servers.
From: Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx>
Date: Wed, 4 Dec 2013 10:33:18 +0000
We use the same patch at Loadbalancer.org (or something very similar
anyway). Most of our customers specifically do not want to use a virtual
host (for a health check) OR care if the SSL cert is valid.



On 4 December 2013 10:05, Timur I. Bakeyev <timur@xxxxxxxxxx> wrote:
> Have you tried it, Dennis? Did you look into the ldirectord code? Do you
> know how SSL works?
>
> Regards,
> Timur.
>
>
> On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <dennisml@xxxxxxxxxxxx> wrote:
>
>> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
>> > Hi guys!
>> >
>> > I've posted a bug report regarding ldirectord, can you please review it and
>> > commit, if possible?
>> >
>> > https://github.com/ClusterLabs/resource-agents/issues/361
>> >
>> > Ldirectord uses LWP for its negotiate checks for HTTP/HTTPS sites.
>> > Since LWP 6.0, by default it verifies that the SSL certificate matches
>> > the server hostname. In 99.9% of the cases this is the VIP hostname, and
>> > RIPs are identified by their internal hostnames or, most commonly, by
>> > their IP addresses.
>> >
>> > That breaks hostname verification and hence marks HTTPS backends as
>> > invalid and kicks them off the pool. This problem hit me in production
>> > when we upgraded from Debian squeeze to Debian wheezy, which brought a
>> > newer version of LWP.
>> >
>> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
>> >
>> > Luckily, the fix to the problem is easy:
>> >
>> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
>> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
>> > @@ -2834,7 +2834,7 @@
>> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
>> >                  . "virtualhost=\"$virtualhost\"");
>> >
>> > -       my $ua = new LWP::UserAgent();
>> > +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0
>> });
>> >
>> >          my $h = undef;
>> >          if ($$v{service} eq "http_proxy") {
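Review bot: the `+` line hard-codes `verify_hostname => 0` for every HTTPS negotiate check with no per-virtual override, so a real server that presents a certificate for some other name is still reported healthy (and in LWP 6 this option also switches off certificate verification as a whole, not only the name match). Since `$virtualhost` is already in scope here (see the `&ld_debug` context line), consider verifying the certificate against that name when it is set, and exposing the relaxed behaviour only through a configuration directive that defaults to verifying. The description itself says the change is unverified on older LWP; please confirm that `new LWP::UserAgent(ssl_opts => ...)` does not reject the option there, since a failure in the constructor would take every HTTP/HTTPS check down on such hosts.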
>> >
>> > I haven't verified that with older versions of LWP, but I believe it
>> > should just ignore unknown parameters to the constructor.
>>
>> I don't think that's a bug but you have to specify the virtualhost
>> parameter to set the Host header for the realservers.
>>
>> Regards,
>>    Dennis
>>
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
>> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>



-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/

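As an added example (not ldirectord's code and not posted by anyone in this thread), here is a standalone Perl check that talks to the real server by RIP address but, instead of disabling verification, validates the certificate against the virtual host name, placed beside the weak form from the quoted patch for comparison. The RIP, port, virtual host, path and CA bundle path are constructed sample values; passing `SSL_verifycn_name` and `SSL_hostname` through `ssl_opts` to IO::Socket::SSL is assumed to work for the LWP version in use.

```perl
#!/usr/bin/perl
# Added example, not ldirectord's own code: an HTTPS negotiate check that
# connects to the RIP but verifies the certificate against the virtual host.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Constructed sample values; replace with your own RIP, port and virtual host.
my $rip         = '192.0.2.10';      # real server address (documentation range)
my $port        = 443;
my $virtualhost = 'www.example.com'; # name the real server's certificate is issued for
my $path        = '/healthcheck';
my $ca_file     = '/etc/ssl/certs/ca-certificates.crt'; # assumed CA bundle path

# Weak form, as in the quoted patch: no hostname check (in LWP 6 this also
# turns certificate verification off entirely).
my $ua_weak = LWP::UserAgent->new(
    timeout  => 5,
    ssl_opts => { verify_hostname => 0 },
);

# Hardened form: keep verification on and tell IO::Socket::SSL which name the
# certificate must match, because the URL host is the RIP address, not the VIP.
my $ua_strict = LWP::UserAgent->new(
    timeout  => 5,
    ssl_opts => {
        verify_hostname   => 1,
        SSL_ca_file       => $ca_file,
        SSL_verifycn_name => $virtualhost, # assumed to pass through to IO::Socket::SSL
        SSL_hostname      => $virtualhost, # SNI, so a name-based vhost serves the right cert
    },
);

# Run one check and return a short status string.
sub check_https {
    my ($ua) = @_;
    my $req = HTTP::Request->new(GET => "https://$rip:$port$path");
    $req->header(Host => $virtualhost);   # same effect as ldirectord's virtualhost= setting
    my $res = $ua->request($req);
    return $res->is_success ? 'up' : 'down (' . $res->status_line . ')';
}

printf "weak:   %s\n", check_https($ua_weak);
printf "strict: %s\n", check_https($ua_strict);
```

With a certificate that matches the virtual host, both checks report `up`; with a certificate for the wrong name, only the weak form keeps the backend in the pool.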
