Mailing List Archive

[lvs-users] Redirects http to https
I'm trying to redirect all http traffic to https. I am using nginx and LVS
with http now without any issues.

Using a standard nginx 301 redirect results in LVS setting my real server's
weight to 0. Here is the configuration:

nginx.conf:
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443;
    ssl on;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    server_name example.com;

    # more here

}

ldirectord.cf:
virtual=VIP:80
        fallback=127.0.0.1:80
        real=10.0.0.7:80 masq 5
        real=10.0.0.8:80 masq 5
        service=http
        request="lvs.htm"
        receive="lvs"
        virtualhost=example.com
        scheduler=wlc
        protocol=tcp
        checktype=negotiate

virtual=VIP:443
        fallback=127.0.0.1:443
        real=10.0.0.7:443 masq 5
        real=10.0.0.8:443 masq 5
        service=https
        request="lvs.htm"
        receive="lvs"
        virtualhost=example.com
        scheduler=wlc
        protocol=tcp
        checktype=negotiate


I next tried pointing VIP:80 traffic to RIP:443 which does work to get the
RIP servers enabled by LVS, but I then get a 400 "The plain HTTP request
was sent to HTTPS port" error from nginx when hitting the site.

ldirectord.cf:
virtual=VIP:80
        fallback=127.0.0.1:443
        real=10.0.0.7:443 masq 5
        real=10.0.0.8:443 masq 5
        service=http
        request="lvs.htm"
        receive="lvs"
        virtualhost=example.com
        scheduler=wlc
        protocol=tcp
        checktype=negotiate


Does LVS not follow 301 redirects? How can I get my http traffic on 80
always routed to https on 443 with LVS?


Thanks,
Brian
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] Redirects http to https
Brian,

Don't know the finer details, but I reckon LVS would not take the time to follow redirects, and maybe it doesn't even make sense to do so.

I think you should just alter your ldirectord check to make sure it returns HTTP 200 when your web server is up, not 301.

Kind regards,
Samy Ascha


On Jul 20, 2013, at 5:03 PM, Brian <ba221400@gmail.com> wrote:

> I'm trying to redirect all http traffic to https. I am using nginx and LVS
> with http now without any issues.


Re: [lvs-users] Redirects http to https
Thanks Samy. I am not sure what you mean though--I'm not doing anything
specific to ldirectord with the 301. I'm simply doing a redirect with my
web server to send http to https.

I'm still stuck on this one. Does anyone have experience routing their http
traffic to https with lvs?


On Mon, Jul 22, 2013 at 4:18 AM, Samy Ascha <samy@xel.nl> wrote:

> Brian,
>
> Don't know the finer details, but I reckon LVS would not take the time to
> follow redirects, and maybe it doesn't even make sense to do so.
>
> I think you should just alter your ldirectord check to make sure it
> returns HTTP 200 when your web server is up, not 301.
>
> Kind regards,
> Samy Ascha
Re: [lvs-users] Redirects http to https
Brian,

LVS operates at Layer 4 and therefore has no capability to do Layer 7
re-directs.
You would need to use HAProxy (or preferably your application cluster to do it.)




On 24 July 2013 04:36, Brian <ba221400@gmail.com> wrote:
> Thanks Samy. I am not sure what you mean though--I'm not doing anything
> specific to ldirectord with the 301. I'm simply doing a redirect with my
> web server to send http to https.
>
> I'm still stuck on this one. Does anyone have experience routing their http
> traffic to https with lvs?
>




--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/

Re: [lvs-users] Redirects http to https
Brian,

The simplest solution, and the one I would implement, is to reserve a special URL for the ldirectord HTTP(80) check. This URL should not be matched by your 301 redirect configuration, but rather just return an HTTP 200 response. This would make sure the check knows whether your HTTP-server is online. Then, like you already did, you make a check for HTTPS in the same way.

Now, when director checks your servers, it won't encounter the 301.

> How can I get my http traffic on 80 always routed to https on 443 with LVS?


You should not be doing that. You should let the web server decide where invalid/unwanted requests should be redirected. If you are going to route 80 to 443, you're in a whole new world of trouble. You don't want to use https://example.com:80/ for your encrypted traffic, right? That makes no sense.

Kind regards,
Samy Ascha
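
The dedicated check URL described in the message above, sketched as an nginx configuration. This is an added example, not part of the original post: the /var/www/health directory and the director address 10.0.0.1 are assumptions, while lvs.htm, example.com and the certificate file names come from Brian's configuration.

```nginx
# Port 80: answer the ldirectord negotiate check directly, redirect everything else.
server {
    listen 80;
    server_name example.com;

    # Exact match only: request="lvs.htm" gets a 200 whose body contains
    # receive="lvs". No other path is ever served over plain HTTP.
    location = /lvs.htm {
        root /var/www/health;   # assumed directory holding lvs.htm
        allow 10.0.0.1;         # assumed director address on the real-server network
        deny all;               # any other client gets 403, not the check page
        access_log off;
    }

    location / {
        return 301 https://example.com$request_uri;
    }
}

# Port 443: serves the same check file for the service=https check.
server {
    listen 443 ssl;             # equivalent to the original "listen 443; ssl on;"
    ssl_certificate     server.crt;
    ssl_certificate_key server.key;
    server_name example.com;

    location = /lvs.htm {
        root /var/www/health;   # assumed, same file as above
        access_log off;
    }

    # more here
}
```

With this in place the port-80 check never sees the 301, so the two virtual= blocks from the original ldirectord.cf can stay as they were.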


Re: [lvs-users] Redirects http to https
Hi Brian,

I'm not sure what you mean, and probably some other folks as well :-)

IPVS/LVS works on OSI layers 2-4, depending on what you're exactly looking at:

-Direct Routing: LVS receives a packet from the ethernet, rewrites the
destination MAC address to the address of some realserver and sends the
packet back onto the ethernet.
-Masquerading: LVS receives a packet from the ethernet, rewrites the
destination MAC address and IP address to the address of some realserver
and sends the packet back onto the ethernet.
Using masquerading, any replies need to pass the LVS host, where the
replies are rewritten to match the original incoming request.
-Optional for Masquerading: the udp/tcp port is rewritten as well,
so incoming traffic on port 80 may be dispatched to e.g. port 8080 on
some realserver.

Software like ldirectord or keepalived checks the availability of
realservers and does dynamically reconfigure the current in-kernel
IPVS configuration.

So, that's my short wrapup of IPVS/LVS's capabilities.

From the current thread, I'm not sure what you're up to.


-According to the subject, you're trying to use IPVS/LVS to redirect
from http to https. While in Masquerading mode, IPVS may send incoming
traffic on port 80 to port 443, this won't help you very much, as both
ports do run different protocols and IPVS doesn't translate protocols.

-According to your config files, you're loadbalancing http traffic to
nginx, who does redirect all incoming requests to a different website
(the SSL-enabled version, in this case).

You're using ldirectord for checking the realserver availability, so
ldirectord simply needs to accept a "301 Redirect" via http
as "server is available". If it wouldn't do so, your realserver would
drop out of the running configuration and receive no requests at all.

According to ldirectord's source code, http requests are started
as LWP::UserAgent using this call around code line 2868:

$res = $ua->request($req);

The "request"-call does follow any redirects, so ldirectord in turn
does not only check if your http-redirect works, but checks the
availability of the SSL website as well.

Probably you're expecting ldirectord only to check the http return
code (301) and not to follow the redirect. One of the easier ways
to achieve this is patching ldirectord from the sequence above to

$res = $ua->simple_request($req);

-You're trying to proxy from SSL to a Non-SSL-Website (SSL Offloading)
or vice versa (forcing SSL-use for users who can't do SSL).

There are various other possible things as well.

Please do describe what your expectations are
(not, what you've done, but what you're expecting it to do).

Best,

Anders
--
1&1 Internet AG Expert Systems Architect (IT Operations)
Brauerstrasse 50 v://49.721.91374.0
D-76135 Karlsruhe f://49.721.91374.225


Re: [lvs-users] Redirects http to https
Have you checked that when you enable the redirect that "lvs.htm" can
still be reached from the director's system using both port 80 and 443?
It looks like your real servers get disabled because the health check
stops working properly due to the redirect.

Regards,
Dennis

On 20.07.2013 17:03, Brian wrote:
> I'm trying to redirect all http traffic to https. I am using nginx and LVS
> with http now without any issues.


Re: [lvs-users] Redirects http to https
Thanks for all of the replies. I continued to play around with this and I
was definitely over-thinking it and now have it working. I've updated my
question on Server Fault with more information:

http://serverfault.com/questions/525624/redirect-http-to-https-with-ldirectord-lvs/527476#527476


Brian


On Wed, Jul 24, 2013 at 7:00 AM, Dennis Jacobfeuerborn <
dennisml@conversis.de> wrote:

> Have you checked that when you enable the redirect that "lvs.htm" can
> still be reached from the director's system using both port 80 and 443?
> It looks like your real servers get disabled because the health check
> stops working properly due to the redirect.
>
> Regards,
> Dennis