Mailing List Archive

[lvs-users] ldirectord fails to test HTTPS real servers.
Hi guys!

I've posted a bug report regarding ldirectord, can you please review it and
commit, if possible?

https://github.com/ClusterLabs/resource-agents/issues/361

Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS sites.
Since LWP 6.0, by default it verifies the correspondence of the SSL
certificate and the server hostname. In 99.9% of the cases this is the VIP
hostname, and RIPs are identified by their internal hostnames or, most
commonly, by their IP addresses.

That breaks hostname verification and hence marks HTTPS backends as
invalid and kicks them off the pool. This problem hit me in
production when we upgraded from Debian squeeze to Debian wheezy, which
brought a newer version of LWP.

http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm

Luckily, the fix to the problem is easy:

--- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100
+++ ldirectord 2013-12-03 11:59:34.703026282 +0100
@@ -2834,7 +2834,7 @@
&ld_debug(2, "check_http: url=\"$$r{url}\" "
. "virtualhost=\"$virtualhost\"");

- my $ua = new LWP::UserAgent();
+ my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });

my $h = undef;
if ($$v{service} eq "http_proxy") {
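
Review bot: the replacement hard-codes verify_hostname => 0 into every user agent built in check_http, so the negotiate check can no longer tell a real server presenting a wrong, expired or untrusted certificate from a healthy one; per the LWP::UserAgent documentation, with verify_hostname false no checks are made at all, not only the hostname match. Suggest making this a per-virtual configuration option that defaults to verification on, and, since $virtualhost is already in scope two lines above, offering to verify the certificate against that name rather than turning verification off for real servers addressed by IP. Minor: the line keeps the indirect-object form `new LWP::UserAgent(...)`; `LWP::UserAgent->new(...)` is the usual spelling.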

I haven't verified that with older version of LWP, but I believe it should
just ignore unknown parameters to the constructor.

With best regards,
Timur Bakeyev.
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

Re: [lvs-users] ldirectord fails to test HTTPS real servers.
On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> [...]

I don't think that's a bug but you have to specify the virtualhost
parameter to set the Host header for the realservers.

Regards,
Dennis



Re: [lvs-users] ldirectord fails to test HTTPS real servers.
Have you tried it, Dennis? Did you look into the ldirectord code? Do you
know how SSL works?

Regards,
Timur.


On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <dennisml@conversis.de> wrote:

> [...]

Re: [lvs-users] ldirectord fails to test HTTPS real servers.
We use the same patch at Loadbalancer.org (or something very similar
anyway). Most of our customers specifically do not want to use a virtual
host (for a health check) OR care if the SSL cert is valid.



On 4 December 2013 10:05, Timur I. Bakeyev <timur@com.bat.ru> wrote:
> [...]



--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/


Re: [lvs-users] ldirectord fails to test HTTPS real servers.
For me to make this work on my setup I had to install some Perl modules; if
you use ldirectord -d to debug you will see an internal error in the messages
when checking SSL.

My config that works now:

virtual = <IP>:443
    real = <IP>:443 gate 10
    real = <IP>:443 gate 10
    real = <IP>:443 gate 10
    real = <IP>:443 gate 10
    real = <IP>:443 gate 10
    real = <IP>:443 gate 10
    persistent = 3600
    scheduler = wrr
    service = https
    checktype = negotiate
    checkport = 443
    request = "server.php"
    receive = "ok"
    virtualhost = "<ssl-domain>"


The modules I have installed (dunno which worked):

Crypt-SSLeay-0.64-Pc0dMJ
IO-Socket-SSL-1.953-c7ub4t
Net-SSLeay-1.55-8NXQ3I

Installed all via cpan.


The thing is to always check the debug output from ldirectord -d -c <config-file>
because it tells you what's failing.


On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull <malcolm@loadbalancer.org> wrote:

> [...]



--
[ ]'s

Filipe Cifali Stangler

Re: [lvs-users] ldirectord fails to test HTTPS real servers.
I just always use an external check for HTTP(S) these days anyway. Much
more flexibility that way.


On 4 December 2013 11:48, Filipe Cifali <cifali.filipe@gmail.com> wrote:

> [...]

Re: [lvs-users] ldirectord fails to test HTTPS real servers.
Nice you also use it, Malcolm!

But for the inexperienced user it's kind of frustrating when a working
configuration stops working after an upgrade. That's why I'd like this fix
to be in the main source tree :)

I'm afraid that with the real servers behind a VIP, the validity of the
certificate is almost impossible to verify. Well, unless you trick DNS at
least :)

With best regards,
Timur.



On Wed, Dec 4, 2013 at 11:33 AM, Malcolm Turnbull <malcolm@loadbalancer.org> wrote:

> [...]

Re: [lvs-users] ldirectord fails to test HTTPS real servers.
Not sure how all that mix of SSL modules would work together, but if
Crypt-SSLeay-0.64-Pc0dMJ took preference, then host checks were effectively
disabled:

Net::HTTPS states in the code:

    if ($cnf->{SSL_verifycn_scheme}) {
        $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either "
           . "install IO::Socket::SSL or turn off verification by setting the "
           . "PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
        return undef;
    }

In any case, you should verify which version of LWP you are using, as
hostname verification only appeared there in 6.x.

With regards,
Timur.


On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.filipe@gmail.com> wrote:

> [...]

Re: [lvs-users] ldirectord fails to test HTTPS real servers.
That's where I ended up, but mostly due to the use of IPv6. And, using curl for
checks, I still need to specify -g to omit host verification for SSL.

With regards,
Timur.


On Wed, Dec 4, 2013 at 2:21 PM, Darren Mansell <darren.mansell@gmail.com> wrote:

> I just always use an external check for HTTP(S) these days anyway. Much
> more flexibility that way.
>
>
> On 4 December 2013 11:48, Filipe Cifali <cifali.filipe@gmail.com> wrote:
>
> > For me to make this work on my setup I had to install some Perl Modules;
> > if you use Ldirectord -d to debug you will see an internal error on
> > messages checking SSL.
> >
> > My config that works now:
> >
> > virtual = <IP>:443
> >     real = <IP>:443 gate 10
> >     real = <IP>:443 gate 10
> >     real = <IP>:443 gate 10
> >     real = <IP>:443 gate 10
> >     real = <IP>:443 gate 10
> >     real = <IP>:443 gate 10
> >     persistent = 3600
> >     scheduler = wrr
> >     service = https
> >     checktype = negotiate
> >     checkport = 443
> >     request = "server.php"
> >     receive = "ok"
> >     virtualhost = "<ssl-domain>"
> >
> > The modules I have installed (dunno which worked):
> >
> > Crypt-SSLeay-0.64-Pc0dMJ
> > IO-Socket-SSL-1.953-c7ub4t
> > Net-SSLeay-1.55-8NXQ3I
> >
> > Installed all via cpan.
> >
> > The thing is to always check the debug from ldirectord -d -c
> > <config-file> cause it tells you what's failing.
> >
> >
> > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> > <malcolm@loadbalancer.org> wrote:
> >
> > > We use the same patch at Loadbalancer.org (or something very similar
> > > anyway). Most of our customers specifically do not want to use a virtual
> > > host (for a health check) OR care if the SSL cert is valid.
> > >
> > >
> > > On 4 December 2013 10:05, Timur I. Bakeyev <timur@com.bat.ru> wrote:
> > > > Have you tried it, Dennis? Did you look into the ldirectord code? You
> > > > know how SSL is working?
> > > >
> > > > Regards,
> > > > Timur.
> > > >
> > > >
> > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn
> > > > <dennisml@conversis.de> wrote:
> > > >
> > > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > > >> > Hi guys!
> > > >> >
> > > >> > I've posted a bug report regarding ldirectord, can you please review
> > > >> > it and commit, if possible?
> > > >> >
> > > >> > https://github.com/ClusterLabs/resource-agents/issues/361
> > > >> >
> > > >> > Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS
> > > >> > sites. Since LWP 6.0 by default it verifies the correspondence of the
> > > >> > SSL certificate and the server hostname. In 99.9% of the cases this
> > > >> > is the VIP hostname, and RIPs are identified by their internal
> > > >> > hostnames or, most commonly, by their IP addresses.
> > > >> >
> > > >> > That breaks hostname verification and hence marks HTTPS backends as
> > > >> > invalid and kicks them off the pool. This problem did hit me in
> > > >> > production when we upgraded from Debian squeeze to Debian wheezy,
> > > >> > which brought a newer version of LWP.
> > > >> >
> > > >> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> > > >> >
> > > >> > Luckily, the fix to the problem is easy:
> > > >> >
> > > >> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100
> > > >> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100
> > > >> > @@ -2834,7 +2834,7 @@
> > > >> > &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > > >> > . "virtualhost=\"$virtualhost\"");
> > > >> >
> > > >> > - my $ua = new LWP::UserAgent();
> > > >> > + my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname
> > => 0
> > > >> });
> > > >> >
> > > >> > my $h = undef;
> > > >> > if ($$v{service} eq "http_proxy") {
> > > >> >
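Review bot: the `+` line turns off more than the hostname comparison. In LWP::Protocol::https a false `verify_hostname` in `ssl_opts` causes `SSL_verify_mode` to be set to 0 (SSL_VERIFY_NONE), so after this change every HTTPS negotiate check accepts any certificate at all, self-signed or expired included, on every virtual service, and nothing in ldirectord.conf can turn verification back on. Since check_http already has `$virtualhost` in scope (see the ld_debug line at the top of the hunk), a narrower fix for the case in the report (RIP reached by address, certificate issued for the VIP name) is to keep verification enabled and tell IO::Socket::SSL which name to expect, e.g. `ssl_opts => { verify_hostname => 1, SSL_verifycn_name => $virtualhost, SSL_hostname => $virtualhost }` when a virtualhost is configured, and to make the no-verification behaviour an explicit per-virtual-service option rather than the hard-coded default for all checks.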
> > > >> > I haven't verified that with older versions of LWP, but I believe
> > > >> > it should just ignore unknown parameters to the constructor.
> > > >>
> > > >> I don't think that's a bug but you have to specify the virtualhost
> > > >> parameter to set the Host header for the realservers.
> > > >>
> > > >> Regards,
> > > >> Dennis
Re: [lvs-users] ldirectord fails to test HTTPS real servers. [ In reply to ]
Yeah, the LWP is 6.0.5, but it's working now as intended; probably it's
Crypt-SSLeay working then.

But then again, my setup is working now, and I suspect the virtualhost
clause helped, since the SSL cert I have is for the same subdomain
(*.domain.ext), so the virtualhost is always valid on my domain.


On Wed, Dec 4, 2013 at 12:43 PM, Timur I. Bakeyev <timur@com.bat.ru> wrote:

> Not sure how all that mix of SSL modules would work together, but if
> Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks were effectively
> disabled:
>
> Net::HTTPS states in the code:
>
> if ($cnf->{SSL_verifycn_scheme}) {
>     $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either
>           install IO::Socket::SSL or turn off verification by setting the
>           PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
>     return undef;
> }
>
> In any case, you should verify which version of LWP you are using, as host
> check verification appeared there in 6.x only.
>
> With regards,
> Timur.



--
[ ]'s

Filipe Cifali Stangler
Re: [lvs-users] ldirectord fails to test HTTPS real servers. [ In reply to ]
Well, "virtualhost" wouldn't help anything, as it's part of the HTTP protocol
and the SSL check happens one (and a half :)) layer below, during the TCP
connection negotiation. At that point only the DNS name of the real server
matters, and its match to the SSL certificate.

With a wildcard certificate, if your real servers have their host names from
the same domain.ext, the check will succeed, but for that they have to be
referred to by hostname in the ldirectord.conf as well. I believe that SSL
negotiation doesn't do a reverse resolve of the IP addresses.

With regards,
Timur.


On Wed, Dec 4, 2013 at 5:13 PM, Filipe Cifali <cifali.filipe@gmail.com> wrote:

> Yeah, the LWP is 6.0.5, but it's working now as intended; probably it's
> Crypt-SSLeay working then.
>
> But then again, my setup is working now, and I suspect the virtualhost
> clause helped, since the SSL cert I have is for the same subdomain
> (*.domain.ext), so the virtualhost is always valid on my domain.
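As an added illustration of the point made in this message (example code written for this thread, not part of ldirectord or of any post here): the name-matching rule a TLS client applies to the server certificate, run over constructed subjectAltName lists. It shows why a pool of real servers written as IP addresses cannot pass against a wildcard certificate while the same servers written as web1.domain.ext can, that an IP literal is never reverse-resolved but only compared with iPAddress entries, and that a wildcard covers exactly one label. All hostnames, addresses and certificate contents are made up.

```python
"""
Added example (not from the thread or from ldirectord): the hostname
matching a TLS client performs against the server certificate, the step
that the HTTP-level "virtualhost" setting cannot influence.

Certificate contents and server names below are constructed.
"""
import ipaddress


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label: "*.domain.ext" covers "web1.domain.ext" but neither
    "domain.ext" nor "a.b.domain.ext". Patterns such as "*.ext" are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches(san_entries, target: str) -> bool:
    """True if `target`, written exactly as in the health-check configuration
    (a DNS name or an IP literal), is covered by the certificate's
    subjectAltName list of (type, value) pairs using the type names
    "DNS" and "IP Address" as ssl.getpeercert() reports them.

    An IP literal is compared only with iPAddress entries: the client does
    not reverse-resolve it, so a real server configured as 10.0.0.11 fails
    against a certificate that only names *.domain.ext.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for san_type, value in san_entries:
        if ip is not None:
            if san_type == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif san_type == "DNS" and _match_dns_pattern(value, target):
            return True
    return False


# Constructed SAN list for the wildcard scenario described in the thread.
WILDCARD_CERT_SANS = [("DNS", "*.domain.ext"), ("DNS", "domain.ext")]

# Constructed SAN list for a certificate that explicitly lists a RIP address.
IP_CERT_SANS = [("DNS", "vip.domain.ext"), ("IP Address", "10.0.0.11")]


def check_pool(san_entries, real_servers):
    """Evaluate each configured real server the way the TLS layer would.
    Returns {configured_target: matches}."""
    return {rs: certificate_matches(san_entries, rs) for rs in real_servers}


if __name__ == "__main__":
    pool = ["web1.domain.ext", "10.0.0.11", "a.b.domain.ext", "domain.ext"]
    for target, ok in check_pool(WILDCARD_CERT_SANS, pool).items():
        print(f"{target:>18}: {'accepted' if ok else 'hostname mismatch'}")
```

The same rule explains Filipe's working setup: his real servers only pass the check if the name ldirectord connects to is one the wildcard covers, and the virtualhost value plays no part in that decision.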
Re: [lvs-users] ldirectord fails to test HTTPS real servers. [ In reply to ]
To be precise, there is an SNI extension to the SSL protocol that allows
selection of the virtual host during negotiation, but it is still not(?)
widely used. At least, I wouldn't suspect LWP of that :)

http://en.wikipedia.org/wiki/Server_Name_Indication


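An added example, written for this thread rather than taken from ldirectord or from any of the posts: an HTTPS negotiate-style probe in Python's ssl module that does what the original report's `verify_hostname => 0` patch avoids doing, namely keeps certificate verification on while connecting to a real server by IP address. The name to verify the certificate against is passed as server_hostname, which is also what the client sends as the SNI value mentioned in this message, so it is decoupled from the connect address; the Host header (ldirectord's virtualhost) is set separately at the HTTP layer. The insecure=True branch reproduces what the patch does in LWP 6, which is to turn peer certificate verification off entirely, so the two settings can be compared side by side. It assumes Python 3.7 or later; all addresses, names, the request path and the ca_file value are placeholders, not values from the thread.

```python
"""
Added example, not code from the thread or from ldirectord: an HTTPS
health probe that verifies the real server's certificate against the
configured service name while connecting to the real server's address.

Names, addresses and paths are placeholders.
"""
import socket
import ssl


def build_check_context(ca_file=None, insecure=False):
    """TLS context for the probe.

    The default verifies the peer certificate chain and checks the name.
    insecure=True mirrors `verify_hostname => 0` in LWP 6: not only the
    name check but peer certificate verification is switched off, so any
    certificate is accepted. Kept only for comparison.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if insecure:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(path, virtualhost):
    """HTTP/1.0 request with a Host header, like ldirectord's negotiate
    check. `virtualhost` affects only this header, never TLS verification."""
    return (f"GET /{path.lstrip('/')} HTTP/1.0\r\n"
            f"Host: {virtualhost}\r\n"
            "User-Agent: https-probe-example\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def response_is_healthy(raw, expect):
    """Same rule as ldirectord's `receive`: a 2xx status whose body
    contains the expected string."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].startswith(b"2"):
        return False
    return expect.encode() in body


def probe(rip, port, expected_name, path, expect, ctx, timeout=5.0):
    """Connect to the real server at `rip`, verify its certificate against
    `expected_name` (also sent as SNI), then run the HTTP check.
    Returns (healthy, reason)."""
    try:
        with socket.create_connection((rip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_name) as tls:
                tls.sendall(build_request(path, expected_name))
                raw = b""
                while True:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except ssl.SSLCertVerificationError as e:
        # Name mismatch, unknown CA, expiry: the backend is reported as
        # failed with the reason, rather than silently accepted.
        return False, f"certificate rejected: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return False, f"connection failed: {e}"
    if response_is_healthy(raw, expect):
        return True, "ok"
    return False, "unexpected response"


if __name__ == "__main__":
    # Placeholder values: the RIP address, the VIP name the certificate is
    # issued for, and the CA file that issued it (None = system store).
    ctx = build_check_context(ca_file=None)
    print(probe("10.0.0.11", 443, "vip.domain.ext", "server.php", "ok", ctx))
```

With this layout a certificate issued for the VIP name passes even though the connection goes to the RIP address, which is the situation the bug report describes, and a backend presenting an untrusted or mismatching certificate is reported as failed with the verification reason instead of being accepted.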