Mailing List Archive

Monitoring an SSL service
Hi,
I've got a problem with a piranha installation but it's sort of a generic
problem so maybe someone here can help...

The installation is a RedHat 6.2 "out of the box" LVS setup. No patches to
kernel etc. Everything is running fine and I can support virtual IPs for
both http and ftp. The problem is with https. The web servers are both
running secure servers and I'm happy that I've got https configured
correctly as I can connect to the servers directly if I run a browser on
one of the LVS routers. I can also connect to the servers using openssl.

As far as the cluster is concerned, if I run lvs by hand (lvs -n) nanny
reports that it gets no response from the server so the service is not made
available. From looking at the source for nanny, nanny sends an ICMP ECHO
REQUEST packet to the requested service port and expects a response. If it
gets a response then the service is available. That's fine, but what happens
for SSL services? Nanny does the ping to the port but nothing comes back as
the port is only "talking" SSL.

My question is, if you send an ICMP packet to an SSL listener, should you
get a response? If you should then I'll go back to investigating further.
However, if you do not then how can you monitor an SSL service?

I'm quite happy to drop piranha and go over to another way of setting up
the cluster. Or hack nanny and make it "talk" SSL. With the various setups
around, if one wants to monitor an SSL service, what would be the best way
of doing it?

Thanks in advance.

Mark Doutre
Ibidlive-Systems Ltd
Glenlister House
14-16 King Street, East Grinstead, West Sussex
RH19 3DJ
tel: 01342 311778

Re: Monitoring an SSL service
Hello,

On Wed, 24 Jan 2001, mark doutre wrote:

> As far as the cluster is concerned, if I run lvs by hand (lvs -n) nanny
> reports that it gets no response from the server so the service is not made
> available. From looking at the source for nanny, nanny sends an ICMP ECHO
> REQUEST packet to the requested service port and expects a response. If it
> gets a response then the service is available. That's fine, but what happens
> for SSL services? Nanny does the ping to the port but nothing comes back as
> the port is only "talking" SSL.

Hm, how can an ICMP packet be sent to a TCP port? Is this a
dirty ICMP trick? Also, an ICMP reply to an ICMP request is not returned.

> My question is, if you send an ICMP packet to an SSL listener, should you
> get a response? If you should then I'll go back to investigating further.
> However, if you do not then how can you monitor an SSL service?

SSL is on top of TCP. So, a connect() call to a normal or SSL-ed
TCP service will return the same result, but ICMP is returned when an
ipchains firewall or other kernel component returns such a response. The
TCP stack returns a TCP RST packet by default.

> Thanks in advance.
>
> Mark Doutre
> Ibidlive-Systems Ltd
> Glenlister House
> 14-16 King Street, East Grinstead, West Sussex
> RH19 3DJ
> tel: 01342 311778


Regards

--
Julian Anastasov <ja@ssi.bg>

Re: Monitoring an SSL service
mark doutre wrote:
>
> Hi,
> I've got a problem with a piranha installation but it's sort of a generic
> problem so maybe someone here can help...

have you tried the piranha list?

> The installation is a RedHat 6.2 "out of the box" LVS setup. No patches to
> kernel etc. Everything is running fine and I can support virtual IPs for
> both http and ftp. The problem is with https. The web servers are both
> running secure servers and I'm happy that I've got https configured
> correctly as I can connect to the servers directly if I run a browser on
> one of the LVS routers. I can also connect to the servers using openssl.

are you running VS-NAT or VS-DR? If the latter, is your https on the real-server
configured to listen on the VIP and not the RIP? (The VIP is what you need for
VS-DR; see the HOWTO for https.)

Joe


--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA

Re: RE: Monitoring an SSL service
On 2001-01-24T15:38:58,
mark doutre <mark@ibidlive-systems.com> said:

> -----Original Message-----
> From: Joseph Mack [SMTP:mack.joseph@epa.gov]
> Sent: 24 January 2001 14:23

Please, Mark, try to use a more standard way of quoting, as I do in this
message. It makes it easier to read your mails.

> yep, no response. Anyway, I thought this might be a bit more generic
> problem with SSL.

It is not.

ldirectord will monitor https just fine, as will a simple connect() check.

> If it's a piranha thing then I'll dump piranha and try something else. It's
> just irritating :(

Potentially it is. LVS has no concept of monitoring embedded into it, that is
handled by userspace tools.

Sincerely,
Lars Marowsky-Brée <lmb@suse.de>

--
Perfection is our goal, excellence will be tolerated. -- J. Yahl

RE: Monitoring an SSL service
-----Original Message-----
From: Joseph Mack [SMTP:mack.joseph@epa.gov]
Sent: 24 January 2001 14:23
To: mark@ibidlive-systems.com
Cc: lvs-users@LinuxVirtualServer.org
Subject: Re: Monitoring an SSL service

mark doutre wrote:
>
> Hi,
> I've got a problem with a piranha installation but it's sort of a generic
> problem so maybe someone here can help...

have you tried the piranha list?

yep, no response. Anyway, I thought this might be a bit more generic
problem with SSL.

> The installation is a RedHat 6.2 "out of the box" LVS setup. No patches to
> kernel etc. Everything is running fine and I can support virtual IPs for
> both http and ftp. The problem is with https. The web servers are both
> running secure servers and I'm happy that I've got https configured
> correctly as I can connect to the servers directly if I run a browser on
> one of the LVS routers. I can also connect to the servers using openssl.

are you running VS-NAT or VS-DR? If the latter, is your https on the real-server
configured to listen on the VIP and not the RIP? (The VIP is what you need for
VS-DR; see the HOWTO for https.)

I think the problem might be a bit lower down than this. However, to answer
the question, I've tried combinations of both VS-NAT and VS-DR and with the
web server listening on the RIP, the VIP... I think I've exhausted all the
permutations. I know I can talk to the secure server using openssl and nanny
uses the same IP...

If it's a piranha thing then I'll dump piranha and try something else. It's
just irritating :(

Joe


--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA

Re: Monitoring an SSL service
mark doutre wrote:

> If the latter, is your https on the real-server configured to listen on the
> VIP and not the RIP? (The VIP is what you need for VS-DR; see the HOWTO for
> https.)
>
> I think the problem might be a bit lower down than this. However, to answer
> the question I've tried combinations of both VS-NAT and VS-DR and with the
> web server listening on the RIP, the VIP... Think I've exhausted all the
> permutation. I know I can talk to the secure server using openssl and nanny
> uses the same IP......

yes, but can you connect to the https realserver via the director, i.e. is the
LVS working? (i.e. independently of nanny, which is just monitoring the LVS).

Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA