Mailing List Archive

[lvs-users] LVS and OCSP Stapling
I've been searching and trying things all day and can't seem to get OCSP
stapling working on my web server farm.

I don't believe it is a firewall issue, as I've taken it out of the
equation and still encounter the same issue. I've also tested this on a
machine not behind the load balancer and it seems to work (I get a response
from openssl s_client, though the online ssl testers still show stapling as
not working).

I am using nginx on several web servers fronted with LVS NAT. LVS is
listening on both 80 and 443 so that it can redirect the requests back to
nginx.

I have the appropriate settings/files on all of the web servers, but am
getting a timeout when testing it (I've tried several variations of this
command):

openssl s_client -connect mydomain.com:443 -tls1 -tlsextdebug -status

and I get:

Socket: Connection timed out
connect:errno=110

I also cannot telnet to mydomain on either 80 or 443. So I'm suspecting at
this point that the LVS server is the culprit. Is there a way to either set
up a cert on that machine or configure it to pass back to the web servers
to handle the OCSP/openssl requests?


Thanks,
Brian
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] LVS and OCSP Stapling
Brian,

Are you sure you have anything working at all?
LVS never listens on any ports; it simply passes traffic to the real
servers, which listen on an IP/port, so they would be the ones responding
to a telnet command.
I assume your real servers have LVS as the default gateway and the
test clients are on an external subnet? (LVS NAT mode won't work with
internal clients.)

Straight after you try and connect what does the connection table show?
ipvsadm -Lnc

On 14 April 2016 at 22:30, Brian Adams <brian@songmeanings.com> wrote:
> I've been searching and trying things all day and can't seem to get OCSP
> stapling working on my web server farm.
>
> I don't believe it is a firewall issue, as I've taken it out of the
> equation and still encounter the same issue. I've also tested this on a
> machine not behind the load balancer and it seems to work (I get a response
> from openssl s_client, though the online ssl testers still show stapling as
> not working).
>
> I am using nginx on several web servers fronted with LVS NAT. LVS is
> listening on both 80 and 443 so that it can redirect the requests back to
> nginx.
>
> I have the appropriate settings/files on all of the web servers, but am
> getting a timeout when testing it (I've tried several variations of this
> command):
>
> openssl s_client -connect mydomain.com:443 -tls1 -tlsextdebug -status
>
> and I get:
>
> Socket: Connection timed out
> connect:errno=110
>
> I also cannot telnet to mydomain on either 80 or 443. So I'm suspected at
> this point that the LVS server is the culprit. Is there a way to either set
> up a cert on that machine or configure it to pass back to the web servers
> to handle the OCSP/openssl requests?
>
>
> Thanks,
> Brian

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/
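Malcolm's suggestion is to read the director's connection table right after a failed connect. The script below is an added example (not from either poster) of how to interpret that table offline: it parses a constructed `ipvsadm -Lnc` sample and flags entries stuck in SYN_RECV. In NAT mode such an entry means the director saw the client's SYN but never saw the real server's SYN-ACK come back through it, which is exactly what happens when the real servers do not route their replies via the director. The VIP 198.51.100.5, the real servers 10.0.0.11/10.0.0.12 and the client addresses are assumed documentation-range values, not anything from the thread.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -Lnc` output (documentation-range addresses,
# not taken from the thread). Column 6 is the real server the director chose.
SAMPLE_IPVS_CONN='IPVS connection entries
pro expire state       source             virtual            destination
TCP 00:58  SYN_RECV    203.0.113.10:51234 198.51.100.5:443   10.0.0.11:443
TCP 00:57  SYN_RECV    203.0.113.10:51235 198.51.100.5:443   10.0.0.12:443
TCP 14:59  ESTABLISHED 203.0.113.20:40001 198.51.100.5:80    10.0.0.12:80
TCP 00:55  SYN_RECV    203.0.113.30:33000 198.51.100.5:80    10.0.0.11:80'

# count_state STATE TABLE: number of connection entries in the given state.
# The first two lines of the table are a banner and a header, so skip them.
count_state() {
    printf '%s\n' "$2" | awk -v s="$1" 'NR > 2 && $3 == s { n++ } END { print n + 0 }'
}

# syn_recv_hosts TABLE: real servers (destination column, port stripped) that
# have connections sitting in SYN_RECV, one per line, sorted and de-duplicated.
syn_recv_hosts() {
    printf '%s\n' "$1" | awk 'NR > 2 && $3 == "SYN_RECV" { split($6, a, ":"); print a[1] }' | sort -u
}

# diagnose TABLE: print a one-line verdict. Returns 1 when every connection is
# stuck in SYN_RECV (reply path almost certainly bypasses the director),
# 0 otherwise. Real-world tables with live traffic will show a mix.
diagnose() {
    total=$(printf '%s\n' "$1" | awk 'NR > 2 && NF { n++ } END { print n + 0 }')
    stuck=$(count_state SYN_RECV "$1")
    if [ "$total" -gt 0 ] && [ "$stuck" -eq "$total" ]; then
        echo "all $total connections stuck in SYN_RECV: check the real servers' default gateway and ip_forward on the director"
        return 1
    fi
    echo "$stuck of $total connections in SYN_RECV"
    return 0
}

# Stand-alone run against the constructed sample.
diagnose "$SAMPLE_IPVS_CONN"
echo "real servers with SYN_RECV entries:"
syn_recv_hosts "$SAMPLE_IPVS_CONN"
```

On a live director you would feed `ipvsadm -Lnc` straight into the same functions (for example `diagnose "$(ipvsadm -Lnc)"`). A table where the SYN_RECV entries expire without ever reaching ESTABLISHED, while the real servers themselves answer when contacted directly, points at the return path rather than at nginx or the OCSP configuration.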