Re: [lvs-users] LVS and OCSP Stapling

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS and OCSP Stapling
From: Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx>
Date: Wed, 20 Apr 2016 16:34:27 +0100
Brian,

Are you sure you have anything working at all?
LVS never listens to any ports; it simply passes traffic to the real
servers, which listen on an IP/port, so they would be the ones responding
to a telnet command.
I assume your real servers have LVS as the default gateway and the
test clients are on an external subnet? (LVS NAT mode won't work with
internal clients.)

Straight after you try and connect, what does the connection table show?
ipvsadm -Lnc

On 14 April 2016 at 22:30, Brian Adams <brian@xxxxxxxxxxxxxxxx> wrote:
> I've been searching and trying things all day and can't seem to get OCSP
> stapling working on my web server farm.
>
> I don't believe it is a firewall issue, as I've taken it out of the
> equation and still encounter the same issue. I've also tested this on a
> machine not behind the load balancer and it seems to work (I get a response
> from openssl s_client, though the online ssl testers still show stapling as
> not working).
>
> I am using nginx on several web servers fronted with LVS NAT. LVS is
> listening on both 80 and 443 so that it can redirect the requests back to
> nginx.
>
> I have the appropriate settings/files on all of the web servers, but am
> getting a timeout when testing it (I've tried several variations of this
> command):
>
> openssl s_client -connect mydomain.com:443 -tls1  -tlsextdebug  -status
>
> and I get:
>
> Socket: Connection timed out
> connect:errno=110
>
> I also cannot telnet to mydomain on either 80 or 443. So I'm suspecting at
> this point that the LVS server is the culprit. Is there a way to either set
> up a cert on that machine or configure it to pass back to the web servers
> to handle the OCSP/openssl requests?
>
>
> Thanks,
> Brian
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users



-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/
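
Added example (not part of the original thread or of either poster's message): one way to read the `ipvsadm -Lnc` connection table asked for above, taken on the director straight after a failed connection attempt. The addresses, the function names and the interpretation given in the comments are assumptions made for illustration, and the sample tables are constructed.

```shell
#!/bin/sh
# Classify the IPVS connection table for one virtual service.
# Usage on a director: ipvsadm -Lnc | classify_ipvs_conns VIP:PORT
# Data rows have the columns: pro expire state source virtual destination
classify_ipvs_conns() {
    awk -v vip="$1" '
        $1 == "TCP" && $5 == vip {
            seen++
            if ($3 == "ESTABLISHED") est++
            else if ($3 == "SYN_RECV") syn++
        }
        END {
            # no-entry: the SYN never matched this virtual service on the
            #   director (check the VIP, routing and the service definition).
            # syn-only: the SYN was scheduled to a real server but the
            #   handshake never completed through the director; in NAT mode
            #   this is consistent with replies not returning via the
            #   director (real server default gateway).
            # established: the TCP path works, so a stapling failure lies in
            #   the TLS/nginx layer rather than in LVS.
            if (!seen)    print "no-entry"
            else if (est) print "established"
            else if (syn) print "syn-only"
            else          print "other"
        }'
}

# Constructed sample: two attempts stuck in SYN_RECV on port 443.
sample_syn_only() {
cat <<'EOF'
IPVS connection entries
pro expire state       source             virtual            destination
TCP 00:58  SYN_RECV    198.51.100.7:51514 203.0.113.10:443   10.0.0.11:443
TCP 00:59  SYN_RECV    198.51.100.7:51516 203.0.113.10:443   10.0.0.12:443
EOF
}

# Constructed sample: a completed handshake on 443, only TIME_WAIT on 80.
sample_mixed() {
cat <<'EOF'
IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:57  ESTABLISHED 198.51.100.7:51520 203.0.113.10:443   10.0.0.11:443
TCP 01:50  TIME_WAIT   198.51.100.7:51410 203.0.113.10:80    10.0.0.12:80
EOF
}

sample_syn_only | classify_ipvs_conns 203.0.113.10:443
```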
