Mailing List Archive

SSL problems
Hi. It's me again.

I've created a two tier thingie (actually, I believe I have 3 tiers, but
that doesn't matter), but I have a serious problem with ssl.

My system is arranged something like this:
+---------------------------+
| coyotepoint load-balancer |
+---------------------------+
+----------+ +----------+
| server 1 | | server 2 | backhand + mod_ssl
+----------+ +----------+
+----+ +----+ +-----+
| M1 | | M2 | ... | M11 | backhand alone
+----+ +----+ +-----+


Now, when some https request arrives to my server 1, and it decides to
backhand it to another machine (M1-M3), it just fails. I can't deduce
anything from the content that the server gives back; it only shows the
broken image icon (the red X in explorer).

My initial thoughts are that perhaps I've misconfigured my
MulticastStats and AcceptStats directives. Can anybody explain these
things to me (in detail)? Is there anything wrong with this conf snippet?

Server 1 and 2 have this:

<IfModule mod_backhand.c>
BackhandConnectionPools off
UnixSocketDir /var/backhand/backhand
MulticastStats 192.168.10.31:4445,1 # The other machine is .32
AcceptStats 192.168.10.0/24
</IfModule>

Machines 1 to 11 have this:

<IfModule mod_backhand.c>
BackhandConnectionPools off
UnixSocketDir /var/backhand/backhand
MulticastStats 192.168.10.31:4445,1
MulticastStats 192.168.10.32:4445,1
AcceptStats 192.168.10.0/24
</IfModule>

The reason that I have two MulticastStats directives is because I don't
want my moderators to start passing requests to each other, just to the
"workhorses".

Anybody have any clues why my SSL stuff is not working? Please, PLEASE,
I'm in a hurry (we have this setup working for about two weeks, and just
today we realized that SSL is not working!)
--
Leonardo Herrera L.
mailto:leus@epublish.cl
SSL problems [ In reply to ]
On Tuesday, September 10, 2002, at 08:10 , Leonardo Herrera wrote:
> Server 1 and 2 have this:
>
> <IfModule mod_backhand.c>
> BackhandConnectionPools off
> UnixSocketDir /var/backhand/backhand
> MulticastStats 192.168.10.31:4445,1 # The other machine is .32

That's not a multicast address. If you don't know how to use multicast
addresses, I suggest using a broadcast address. This line should be the
same on all your servers.

> AcceptStats 192.168.10.0/24
> </IfModule>
>
> Machines 1 to 11 have this:
>
> <IfModule mod_backhand.c>
> BackhandConnectionPools off
> UnixSocketDir /var/backhand/backhand
> MulticastStats 192.168.10.31:4445,1
> MulticastStats 192.168.10.32:4445,1

See above. You shouldn't use more than one multicast stats line unless
you really know what you are doing. This topology definitely doesn't
require two lines... Just one correct one.

> AcceptStats 192.168.10.0/24
> </IfModule>
>
> The reason that I have two MulticastStats directives is because I don't
> want my moderators to start passing requests to each other, just to the
> "workhorses".

If you don't want the ssl servers to redirect to each other, then you
need to exclude them via a candidacy function. Read the ApacheCon
course notes off the website for reference.

> Anybody have any clues why my SSL stuff is not working? Please, PLEASE,
> I'm in a hurry (we have this setup working for about two weeks, and
> just today we realized that SSL is not working!)

--
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone: +1 301 776 6376 Fax: +1 410 880 4879
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
SSL problems [ In reply to ]
> >Server 1 and 2 have this:
> >
> ><IfModule mod_backhand.c>
> > BackhandConnectionPools off
> > UnixSocketDir /var/backhand/backhand
> > MulticastStats 192.168.10.31:4445,1 # The other machine is .32
>
> That's not a multicast address. If you don't know how to use multicast
> addresses, I suggest using a broadcast address. This line should be the
> same on all your servers.

If you're using broadcast, I believe you have to use
"192.168.10.255:4445,1". Try using the multicast addresses supplied,
I think you'll be surprised to find that "things just work."

I generally use: 225.220.221.20:4445

The following netblocks are reserved for multi-cast so you can pick
anything in those 15 /8's or class A's.

224-239/8 IANA - Multicast Sep 81

-sc

--
Sean Chittenden
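
The two replies above amount to a checkable rule: each server needs exactly one MulticastStats line, its address must be a multicast address (224-239/8) or the subnet broadcast address, and the line must be identical on every server. The following is an added example, not part of the original thread and not mod_backhand code; it assumes the "addr:port[,ttl]" syntax as it appears in the posts, and the host names and the "fixed" configuration are constructed for illustration.

```python
import ipaddress
import re

# Matches lines such as "MulticastStats 192.168.10.31:4445,1  # comment"
DIRECTIVE = re.compile(r"^\s*MulticastStats\s+(\d+\.\d+\.\d+\.\d+):(\d+)(?:,(\d+))?")

def classify(addr, net):
    """Return 'multicast', 'broadcast' or 'unicast' for addr on subnet net."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:                      # 224.0.0.0/4
        return "multicast"
    if ip == net.broadcast_address:          # e.g. 192.168.10.255 on a /24
        return "broadcast"
    return "unicast"

def lint(configs, subnet):
    """configs maps host name -> config text. Returns (host, message) findings."""
    net = ipaddress.ip_network(subnet)
    findings, targets = [], {}
    for host, text in configs.items():
        lines = [m.groups() for m in map(DIRECTIVE.match, text.splitlines()) if m]
        if len(lines) != 1:
            findings.append((host, f"{len(lines)} MulticastStats lines, expected 1"))
        for addr, port, _ttl in lines:
            if classify(addr, net) == "unicast":
                findings.append(
                    (host, f"{addr}:{port} is a host address, not multicast/broadcast"))
        targets[host] = tuple(sorted((a, p) for a, p, _ in lines))
    if len(set(targets.values())) > 1:
        findings.append(("*", "MulticastStats differs between servers"))
    return findings

# Constructed sample input: the two configurations quoted in the thread.
ORIGINAL = {
    "server1": "MulticastStats 192.168.10.31:4445,1 # The other machine is .32\n"
               "AcceptStats 192.168.10.0/24\n",
    "m1": "MulticastStats 192.168.10.31:4445,1\n"
          "MulticastStats 192.168.10.32:4445,1\n"
          "AcceptStats 192.168.10.0/24\n",
}
# Constructed "fixed" input: one identical multicast line on every host.
FIXED = {h: "MulticastStats 225.220.221.20:4445,1\nAcceptStats 192.168.10.0/24\n"
         for h in ORIGINAL}

if __name__ == "__main__":
    for host, msg in lint(ORIGINAL, "192.168.10.0/24"):
        print(f"{host}: {msg}")
```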
SSL problems [ In reply to ]
Theo Schlossnagle wrote:
[...]
> See above. You shouldn't use more than one multicast stats line unless
> you really know what you are doing. This topology definitely doesn't
> require two lines... Just one correct one.
>

That's the main problem, I don't really understand what "broadcast" and
"multicast" mean. To me, it's just a way to tell the server "hey, I'm
here", but that's all.

[...]
> If you don't want the ssl servers to redirect to each other, then you
> need to exclude them via a candidacy function. Read the ApacheCon
> course notes off the website for reference

I have no problems with candidacy functions, heck, I've even written my
own. My only "grey" area is related to server configuration
(everything networking-related, really).

Regards,
--
Leonardo Herrera L.
mailto:leus@epublish.cl
SSL problems [ In reply to ]
Leonardo Herrera wrote:
> Theo Schlossnagle wrote:
> [...]

Oh, sorry for replying to myself, but I forgot to point out that my main
problem right now is that SSL is broken; everything else is working fine.

Cheers,
--
Leonardo Herrera L.
mailto:leus@epublish.cl
SSL problems [ In reply to ]
Leonardo Herrera wrote:
> Leonardo Herrera wrote:
[...]

Sorry for replying to myself... again. I have more details of my problem.

My setup was working OK. I've tried some alternatives, changing
broadcast addresses (I think I now have a slightly more accurate idea
of what these things mean), and no, it didn't solve my problem.

The thing is, my CGI program is generating an image, and based on header
info, it's writing a file with data in some specific location. The
problem is, the client isn't getting the image right (it's a small,
42-byte GIF).

Now, I've discovered that my program is handling the request, even
writing the file without problems, but the answer is not being
received by the browser. Some browsers work, though; Mozilla seems to
get it fine.

I know my English is not very clear, so I'm going to summarize:

1) I have a two tier setup: two moderators, eleven "workhorses".
2) The two moderators have SSL working.
3) When a secure request is redirected, the answer is not arriving
to the client, but the request is processed OK.
4) When the moderator responds (without backhanding), the response is
OK.
5) Plain http requests are all processed OK.

Thanks in advance,
--
Leonardo Herrera L.
mailto:leus@epublish.cl