Mailing List Archive

Problem with SSL
Yo,

I have a slight problem using backhand.

I'm using 2 webservers with the IPs
192.168.0.1 and 192.168.0.200 for the testing scenario.
Both run with mod_ssl.

Now when I try to access the Webserver (no matter which one),
it either presents its own webpage (i.e. like normal operation),
or it redirects to the second webserver, as backhand should
do.
But it only uses the https-port doing so, thus making the
request http://192.168.0.1/index.html being redirected to
the webserver 192.168.0.200 over the 443 https port
which of course makes that server reply that it is impossible
to speak with plain HTTP to an ssl-enabled server port.

I'm not using the HTTPRedirectTo directive since it won't work
through a reverse-proxy.

Also when I look at the backhand-status page, it only shows
my webservers on the ports 443 active. No hint about 80.

-- snip
0 tyke.bla.blubb 0 192.168.0.100:443 60 MB 39 MB 0/0 230 [6] 189960 1 0.210/2
0.980
1 spike.bla.blubb 0 192.168.0.1:443 311 MB 281 MB 0/0 0 [0] 667601 1 0.150/2
0.990
-- snap


Anyone out there got a hint for me what went wrong?


- Max
Problem with SSL [ In reply to ]
Yo,

Put

Listen 80
Listen 443

and set up 80 to be the same content available of normal HTTP in your
conf file.

This way, when the request is redirected to the other server in the
clear, there is no problem serving it up. It is a local area network
and if it is insecure, you shouldn't be doing this -- as it isn't worth
redirecting if you have to renegotiate SSL sessions.

I have this working at several locations...
As a note: if the hosts still show up as IP:443, then try changing the
conf file to be

Listen 443
Listen 80

Sometimes it reads them backwards... more and more mysteries :-D

Max Ataian wrote:

>Yo,
>
>I have a slight problem using backhand.
>
>I'm using 2 webservers with the IPs
>192.168.0.1 and 192.168.0.200 for the testing scenario.
>Both run with mod_ssl.
>
>Now when I try to access the Webserver (no matter which one),
>it either presents its own webpage (i.e. like normal operation),
>or it redirects to the second webserver, as backhand should
>do.
>But it only uses the https-port doing so, thus making the
>request http://192.168.0.1/index.html being redirected to
>the webserver 192.168.0.200 over the 443 https port
>which of course makes that server reply that it is impossible
>to speak with plain HTTP to an ssl-enabled server port.
>
>I'm not using the HTTPRedirectTo directive since it won't work
>through a reverse-proxy.
>
>Also when I look at the backhand-status page, it only shows
>my webservers on the ports 443 active. No hint about 80.
>
>-- snip
>0 tyke.bla.blubb 0 192.168.0.100:443 60 MB 39 MB 0/0 230 [6] 189960 1 0.210/2
>0.980
>1 spike.bla.blubb 0 192.168.0.1:443 311 MB 281 MB 0/0 0 [0] 667601 1 0.150/2
>0.990
>-- snap
>
>
>Anyone out there got a hint for me what went wrong?
>
>
>- Max
>


--
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone: +1 301 776 6376 Fax: +1 410 880 4879
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
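
An added example, not part of either post and not mod_backhand code: a small check for the symptom discussed above. It reads backhand-status rows, lists the peers advertised on the SSL port (which cleartext server-to-server proxying cannot use), and classifies a reply captured from a peer port. The row layout is inferred from the excerpt in the thread, the sample reply is constructed, and all function names are hypothetical.

```python
import re

# Rows taken from the backhand-status excerpt quoted in the thread; the wrapped
# trailing numbers are left out because only the host and IP:port are used.
STATUS_ROWS = """\
0 tyke.bla.blubb 0 192.168.0.100:443 60 MB 39 MB 0/0 230 [6] 189960 1
1 spike.bla.blubb 0 192.168.0.1:443 311 MB 281 MB 0/0 0 [0] 667601 1
"""

# Constructed sample: the kind of reply an SSL port gives to a cleartext request.
SAMPLE_REPLY = (b"HTTP/1.1 400 Bad Request\r\n\r\n"
                b"Reason: You're speaking plain HTTP to an SSL-enabled server port.")

ROW = re.compile(r"^\s*\d+\s+(?P<host>\S+)\s+\d+\s+"
                 r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b", re.M)
TLS_PORTS = {443}  # assumption: 443 is the only SSL listener, as in the thread


def advertised(status_text):
    """Map hostname -> (ip, port) for each status row that carries an IP:port."""
    return {m["host"]: (m["ip"], int(m["port"])) for m in ROW.finditer(status_text)}


def tls_only_peers(status_text):
    """Peers advertised on an SSL port, which cleartext proxying cannot use."""
    return sorted(f"{host} {ip}:{port}"
                  for host, (ip, port) in advertised(status_text).items()
                  if port in TLS_PORTS)


def classify_reply(data):
    """Classify the first bytes read back from a peer port."""
    if b"plain http to an ssl-enabled" in data.lower():
        return "ssl-port-hit-in-cleartext"
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"          # alert (0x15) or handshake (0x16) header
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


if __name__ == "__main__":
    for peer in tls_only_peers(STATUS_ROWS):
        print("advertised on SSL port:", peer)
    print(classify_reply(SAMPLE_REPLY))
```

An empty result from tls_only_peers after changing the Listen order means the peers are now advertised on the cleartext port.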
Problem with SSL [ In reply to ]
> and if it is insecure, you shouldn't be doing this -- as it isn't worth
> redirecting if you have to renegotiate SSL sessions.

Yes, I see the point. Must be the late hours work shutting down
my brain a bit ;-)


My problem is, that I need the balancing most for cgi served
via SSL.
A client should be directed to the less busy server on his first
request and then stay there forever in his session.

I was thinking about something like Round Robin but somehow it
does not convince me.


> As a note: if the hosts still show up as IP:443, then try changing the
> conf file to be
>
> Listen 443
> Listen 80
>
> Sometimes it reads them backwards... more and more mysteries :-D

Yap, exactly this mystery hit me it seems ;-) Thx.

- Max
Problem with SSL [ In reply to ]
Max Ataian wrote:

>>and if it is insecure, you shouldn't be doing this -- as it isn't worth
>>redirecting if you have to renegotiate SSL sessions.
>>
>>
>
>Yes, I see the point. Must be the late hours work shutting down
>my brain a bit ;-)
>
>
>My problem is, that I need the balancing most for cgi served
>via SSL.
>
So? I don't see the problem with that. All client connections are over
SSL just fine, it is just server<->server connections that are in the
clear, which should be a problem because if you are running secure
transactions, your local area network better be secure already.

>A client should be directed to the less busy server on his first
>request and then stay there forever in his session.
>
Okay. I would use something like:

Backhand byAge
Backhand bySession SESS=
Backhand byBusyChildren 5

Of course, your application would be responsible for filling out the
needed information for bySession to work. Otherwise, you need to write
your own session stickiness candidacy function -- which isn't too hard.

>I was thinking about something like Round Robin but somehow it
>does not convince me.
>
>


--
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone: +1 301 776 6376 Fax: +1 410 880 4879
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7