We use the same patch at Loadbalancer.org (or something very similar anyway). Most of our customers specifically do not want to use a virtual host (for a health check) OR care if the SSL cert is valid.

On 4 December 2013 10:05, Timur I. Bakeyev <ti...@com.bat.ru> wrote:
> Have you tried it, Dennis? Did you look into the ldirectord code? You know, how SSL is working?
>
> Regards,
> Timur.
>
> On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <denni...@conversis.de> wrote:
>
>> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
>> > Hi guys!
>> >
>> > I've posted a bug report regarding ldirectord, can you please review it and commit, if possible?
>> >
>> > https://github.com/ClusterLabs/resource-agents/issues/361
>> >
>> > Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS sites. Since LWP 6.0 by default it verifies the correspondence of the SSL certificate and the server hostname. In 99.9% of the cases this is the VIP hostname and RIP are identified by their internal hostnames or, most common - by their IP addresses.
>> >
>> > That breaks hostname verification and hence - marks HTTPS backends as invalid and kicks them off the pool. This problem did hit me in the production when we've upgraded from Debian squeeze to Debian wheezy, which brought newer version of LWP.
>> >
>> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
>> >
>> > Luckily, the fix to the problem is easy:
>> >
>> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100 >> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100 
>> > @@ -2834,7 +2834,7 @@ >> > &ld_debug(2, "check_http: url=\"$$r{url}\" " >> > . "virtualhost=\"$virtualhost\""); >> > >> > - my $ua = new LWP::UserAgent(); >> > + my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 >> }); >> > >> > my $h = undef; >> > if ($$v{service} eq "http_proxy") {
>> >
>> > I haven't verified that with older version of LWP, but I believe it should just ignore unknown parameters to the constructor.
>>
>> I don't think that's a bug but you have to specify the virtualhost parameter to set the Host header for the realservers.
>>
>> Regards,
>> Dennis
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
>> Send requests to lvs-users-requ...@linuxvirtualserver.org
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
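
Review bot: on the `+` line, `verify_hostname => 0` is hard-coded into the `LWP::UserAgent` constructor in `check_http`, so hostname verification is switched off for every HTTPS negotiate check, including setups where a `virtualhost` matching the certificate is configured. Consider driving it from a configuration option that leaves verification on by default, and add a comment on that line saying why it is disabled. The accompanying message says the behaviour with older LWP versions was not verified, so that case should be tested before this is committed.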
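
An added example, not part of the thread or of ldirectord: a health check that connects to a real server by IP while still validating its certificate against the virtual service name, written in Python rather than ldirectord's Perl. The function names, the `ca_file` parameter and the sample address and hostname are assumptions.

```python
import socket
import ssl


def make_context(ca_file=None, verify=True):
    """Build the TLS context for an HTTPS health check.

    verify=False turns verification off, as the patch in the thread does
    for hostname checks. ca_file (assumed parameter) trusts an internal CA.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_real_server(rip, port, vip_name, ctx, timeout=3.0):
    """Connect to the real server address, validate against the VIP name.

    Returns (healthy, reason).
    """
    try:
        with socket.create_connection((rip, port), timeout=timeout) as raw:
            # server_hostname sets SNI and the name the certificate must match,
            # independent of the address the TCP connection goes to.
            with ctx.wrap_socket(raw, server_hostname=vip_name) as tls:
                request = (f"HEAD / HTTP/1.1\r\nHost: {vip_name}\r\n"
                           "Connection: close\r\n\r\n")
                tls.sendall(request.encode("ascii"))
                status = tls.recv(128).split(b"\r\n", 1)[0].decode("ascii", "replace")
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {type(exc).__name__}"
    fields = status.split()
    healthy = len(fields) >= 2 and fields[1][:1] in ("2", "3")
    return healthy, status


if __name__ == "__main__":
    # Constructed sample values: 192.0.2.10 is a documentation address.
    print(check_real_server("192.0.2.10", 443, "www.example.com",
                            make_context(), timeout=2.0))
```

A certificate mismatch is reported separately from a connection failure, so a backend removed from the pool for a certificate problem can be told apart from one that is down.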