I just always use an external check for HTTP(S) these days anyway. Much more flexibility that way.
On 4 December 2013 11:48, Filipe Cifali <cifali.fil...@gmail.com> wrote: > For me to make this work on my setup I had to install some Perl Modules, if > you use Ldirectord -d to debug you will see a internal error on messages > checking SSL > > My config that works now: > > virtual = <IP>:443 > > real = <IP>:443 gate 10 > > real = <IP>:443 gate 10 > > real = <IP>:443 gate 10 > > real = <IP>:443 gate 10 > > real = <IP>:443 gate 10 > > real = <IP>:443 gate 10 > > persistent = 3600 > > scheduler = wrr > > service = https > > checktype = negotiate > > checkport = 443 > > request = "server.php" > > receive = "ok" > > virtualhost = "<ssl-domain>" > > > The modules I have installed (dunno which worked) > > > Crypt-SSLeay-0.64-Pc0dMJ > > IO-Socket-SSL-1.953-c7ub4t > > Net-SSLeay-1.55-8NXQ3I > > > Installed all via cpan. > > > The thing is to always check the debug from ldirectord -d -c <config-file> > cause it tells you what's failing > > > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull > <malc...@loadbalancer.org>wrote: > > > We use the same patch at Loadbalancer.org (or something very similar > > anyway). Most of our customers specifically do not want use a virtual > > host (for a health check) OR care if the SSL cert is valid. > > > > > > > > On 4 December 2013 10:05, Timur I. Bakeyev <ti...@com.bat.ru> wrote: > > > Have you tried it, Dennis? Did you look into the ldirectord code? You > > know, > > > how SSL is working? > > > > > > Regards, > > > Timur. > > > > > > > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn < > > denni...@conversis.de > > >> wrote: > > > > > >> On 03.12.2013 12:19, Timur I. Bakeyev wrote: > > >> > Hi guys! > > >> > > > >> > I've posted bug report regarding ldirectord, can you please review > it > > and > > >> > commit, if possible? > > >> > > > >> > https://github.com/ClusterLabs/resource-agents/issues/361 > > >> > > > >> > Ldirectord is using LWP for it's negotiate checks for the HTTP/HTTPS > > >> sites. > > >> > Since LWP 6.0 by default it verifies the correspondence of the SSL > > >> > certificate and the server hostname. In 99.9% of the cases this is > the > > >> VIP > > >> > hostname and RIP are identified by their internal hostnames or, most > > >> common > > >> > - by their IP addresses. > > >> > > > >> > That breaks hostname verification and hence - marks HTTPS backends > as > > >> > invalid and kicks them off the pool. This problem did hit me in the > > >> > production when we've upgraded from Debian squeeze to Debian wheezy, > > >> which > > >> > brought newer version of LWP. > > >> > > > >> > > > >> > > > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm > > >> > > > >> > Luckily, the fix to the problem is easy: > > >> > > > >> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100 > > >> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100 > > >> > @@ -2834,7 +2834,7 @@ > > >> > &ld_debug(2, "check_http: url=\"$$r{url}\" " > > >> > . "virtualhost=\"$virtualhost\""); > > >> > > > >> > - my $ua = new LWP::UserAgent(); > > >> > + my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname > => 0 > > >> }); > > >> > > > >> > my $h = undef; > > >> > if ($$v{service} eq "http_proxy") { > > >> > > > >> > I haven't verified that with older version of LWP, but I believe it > > >> should > > >> > just ignore unknown parameters to the constructor. > > >> > > >> I don't think that's a bug but you have to specify the virtualhost > > >> parameter to set the Host header for the realservers. > > >> > > >> Regards, > > >> Dennis > > >> > > >> > > >> _______________________________________________ > > >> Please read the documentation before posting - it's available at: > > >> http://www.linuxvirtualserver.org/ > > >> > > >> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org > > >> Send requests to lvs-users-requ...@linuxvirtualserver.org > > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users > > >> > > > _______________________________________________ > > > Please read the documentation before posting - it's available at: > > > http://www.linuxvirtualserver.org/ > > > > > > LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org > > > Send requests to lvs-users-requ...@linuxvirtualserver.org > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users > > > > > > > > -- > > Regards, > > > > Malcolm Turnbull. > > > > Loadbalancer.org Ltd. > > Phone: +44 (0)870 443 8779 > > http://www.loadbalancer.org/ > > > > _______________________________________________ > > Please read the documentation before posting - it's available at: > > http://www.linuxvirtualserver.org/ > > > > LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org > > Send requests to lvs-users-requ...@linuxvirtualserver.org > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users > > > > > > -- > [ ]'s > > Filipe Cifali Stangler > _______________________________________________ > Please read the documentation before posting - it's available at: > http://www.linuxvirtualserver.org/ > > LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org > Send requests to lvs-users-requ...@linuxvirtualserver.org > or go to http://lists.graemef.net/mailman/listinfo/lvs-users > _______________________________________________ Please read the documentation before posting - it's available at: http://www.linuxvirtualserver.org/ LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org Send requests to lvs-users-requ...@linuxvirtualserver.org or go to http://lists.graemef.net/mailman/listinfo/lvs-users
