LVS
lvs-users
Google
 
Web LinuxVirtualServer.org

Re: [lvs-users] ldirectord fails to test HTTPS real servers.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] ldirectord fails to test HTTPS real servers.
From: Filipe Cifali <cifali.filipe@xxxxxxxxx>
Date: Wed, 4 Dec 2013 14:13:16 -0200
Yeah the LWP is 6.0.5, but it's working now as intended, probably is
Crypt-SSLeay working then.

But then again, my setup is working now, and I suspect the virtualhost
clause helped, since the SSL I have the same subdomain (*.domain.ext) so
the virtualhost is always valid on my domain.


On Wed, Dec 4, 2013 at 12:43 PM, Timur I. Bakeyev <timur@xxxxxxxxxx> wrote:

> Not sure, how all that mix of SSL modules would work together, but if
> Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks effectively were
> disabled:
>
> NET::HTTPS states in the code:
>
>         if ($cnf->{SSL_verifycn_scheme}) {
>             $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either
> install IO::Socket::SSL or turn off verification by setting the
> PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
>             return undef;
>         }
>
> In any case, you should verify which version of LWP you are using, as host
> check verification occurred there in 6.x only.
>
> With regards,
> Timur.
>
>
> On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe@xxxxxxxxx
> >wrote:
>
> > For me to make this work on my setup I had to install some Perl Modules,
> if
> > you use Ldirectord -d to debug you will see a internal error on messages
> > checking SSL
> >
> > My config that works now:
> >
> > virtual = <IP>:443
> >
> >         real = <IP>:443 gate 10
> >
> >         real = <IP>:443 gate 10
> >
> >         real = <IP>:443 gate 10
> >
> >         real = <IP>:443 gate 10
> >
> >         real = <IP>:443 gate 10
> >
> >         real = <IP>:443 gate 10
> >
> >         persistent = 3600
> >
> >         scheduler = wrr
> >
> >         service = https
> >
> > checktype = negotiate
> >
> > checkport = 443
> >
> > request = "server.php"
> >
> > receive = "ok"
> >
> > virtualhost = "<ssl-domain>"
> >
> >
> > The modules I have installed (dunno which worked)
> >
> >
> > Crypt-SSLeay-0.64-Pc0dMJ
> >
> > IO-Socket-SSL-1.953-c7ub4t
> >
> > Net-SSLeay-1.55-8NXQ3I
> >
> >
> > Installed all via cpan.
> >
> >
> > The thing is to always check the debug from ldirectord -d -c
> <config-file>
> > cause it tells you what's failing
> >
> >
> > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> > <malcolm@xxxxxxxxxxxxxxxx>wrote:
> >
> > > We use the same patch at Loadbalancer.org (or something very similar
> > > anyway). Most of our customers specifically do not want use a virtual
> > > host (for a health check) OR care if the SSL cert is valid.
> > >
> > >
> > >
> > > On 4 December 2013 10:05, Timur I. Bakeyev <timur@xxxxxxxxxx> wrote:
> > > > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > > know,
> > > > how SSL is working?
> > > >
> > > > Regards,
> > > > Timur.
> > > >
> > > >
> > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <
> > > dennisml@xxxxxxxxxxxx
> > > >> wrote:
> > > >
> > > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > > >> > Hi guys!
> > > >> >
> > > >> > I've posted bug report regarding ldirectord, can you please review
> > it
> > > and
> > > >> > commit, if possible?
> > > >> >
> > > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > > >> >
> > > >> > Ldirectord is using LWP for it's negotiate checks for the
> HTTP/HTTPS
> > > >> sites.
> > > >> > Since LWP 6.0 by default it verifies the correspondence of the SSL
> > > >> > certificate and the server hostname. In 99.9% of the cases this is
> > the
> > > >> VIP
> > > >> > hostname and RIP are identified by their internal hostnames or,
> most
> > > >> common
> > > >> > - by their IP addresses.
> > > >> >
> > > >> > That breaks hostname verification and hence - marks HTTPS backends
> > as
> > > >> > invalid and kicks them off the pool. This problem did hit me in
> the
> > > >> > production when we've upgraded from Debian squeeze to Debian
> wheezy,
> > > >> which
> > > >> > brought newer version of LWP.
> > > >> >
> > > >> >
> > > >>
> > >
> >
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > > >> >
> > > >> > Luckily, the fix to the problem is easy:
> > > >> >
> > > >> > --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> > > >> > +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> > > >> > @@ -2834,7 +2834,7 @@
> > > >> >          &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > > >> >                  . "virtualhost=\"$virtualhost\"");
> > > >> >
> > > >> > -       my $ua = new LWP::UserAgent();
> > > >> > +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname
> > => 0
> > > >> });
> > > >> >
> > > >> >          my $h = undef;
> > > >> >          if ($$v{service} eq "http_proxy") {
> > > >> >
> > > >> > I haven't verified that with older version of LWP, but I believe
> it
> > > >> should
> > > >> > just ignore unknown parameters to the constructor.
> > > >>
> > > >> I don't think that's a bug but you have to specify the virtualhost
> > > >> parameter to set the Host header for the realservers.
> > > >>
> > > >> Regards,
> > > >>    Dennis
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> Please read the documentation before posting - it's available at:
> > > >> http://www.linuxvirtualserver.org/
> > > >>
> > > >> LinuxVirtualServer.org mailing list -
> lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > >> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > > >>
> > > > _______________________________________________
> > > > Please read the documentation before posting - it's available at:
> > > > http://www.linuxvirtualserver.org/
> > > >
> > > > LinuxVirtualServer.org mailing list -
> lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Malcolm Turnbull.
> > >
> > > Loadbalancer.org Ltd.
> > > Phone: +44 (0)870 443 8779
> > > http://www.loadbalancer.org/
> > >
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> > >
> >
> >
> >
> > --
> > [ ]'s
> >
> > Filipe Cifali Stangler
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> >
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>



-- 
[ ]'s

Filipe Cifali Stangler
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

<Prev in Thread] Current Thread [Next in Thread>