Mailing List Archive: Linux Virtual Server: Users

[lvs-users] 443 traffic woes., but port 80 fine.

Index | Next | Previous | View Threaded

brentgclarklist at gmail

Sep 13, 2009, 2:43 PM

Post #1 of 7 (1136 views)
Permalink

[lvs-users] 443 traffic woes., but port 80 fine.

Hiya

Im hoping someone would be kind to help me with my load balancing or
least overlook my configs / setup, as im struggling to loadbalance all
SSL / HTTPS traffic.

I got port 80 load balanced and working. I know cause I use by using

watch ipvsadm -L -n and for i in `seq 100`; do lynx --dump
http://machine; done. (Which allows me to see what machine LVS is now
connecting too.)

,I see under the ActiveConn and / or InActConn, it increments etc.

I think, the SSL problem, is a routing issue.

My setup is, I have two machines that I have heartbeat for failover, and
Im using LVS for loadbalancing for HTTP(S). The each machine has 2 ip
aliases ( eth0:1 and eth0:2), for SSL Apache virtual hosting.

web01:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 41.203.4.4
netmask 255.255.255.224
gateway 41.203.4.3

# FOR HTTPS
auto eth0:1
iface eth0:1 inet static
address 41.203.4.21
netmask 255.255.255.224

auto eth0:2
iface eth0:2 inet static
address 41.203.4.25
netmask 255.255.255.224

# FOR LVS
auto lo:1
iface lo:1 inet static
address 41.203.4.5
netmask 255.255.255.255
pre-up sysctl -p > /dev/null

auto lo:2
iface lo:2 inet static
address 41.203.4.24
netmask 255.255.255.255
pre-up sysctl -p > /dev/null

web01:/etc/ha.d# cat ldirectord.cf
checktimeout=10
checkinterval=10
autoreload=no
logfile="/var/log/ldirectord.log"
quiescent=yes
virtual=41.203.4.5:80
real=41.203.4.4:80 gate
real=41.203.4.7:80 gate
fallback=127.0.0.1:80
service=http
request="ldirector.html"
receive="Test Page"
scheduler=rr
protocol=tcp
checktype=negotiate
virtual=41.203.4.24:443
real=41.203.4.21:443 gate
real=41.203.4.22:443 gate
fallback=127.0.0.1:443
service=https
request="ldirector.html"
receive="Test Page"
scheduler=rr
protocol=tcp
checktype=negotiate

And last but not least

web01:/etc/ha.d# cat haresources
web01.konsoleh.cpt2.host-h.net \
ldirectord::ldirectord.cf \
LVSSyncDaemonSwap::master \
IPaddr2::41.203.4.5/27/eth0/41.203.4.31 \
IPaddr2::41.203.4.24/27/eth0/41.203.4.31

And with all this, I get the following,

web01:/etc/ha.d# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 41.203.4.5:80 rr
-> 41.203.4.7:80 Route 1 0 0
-> 41.203.4.4:80 Local 1 0 0
TCP 41.203.4.24:443 rr
-> 41.203.4.22:443 Route 1 0 0
-> 41.203.4.21:443 Local 1 0 0

I can ping all the ips, but if I use my browser I get "unable to
connect", for any traffic destined to port 443.

If anyone could help, I would appreciate it.

Kind Regards
Brent Clark

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

jmack at wm7d

Sep 13, 2009, 4:29 PM

Post #2 of 7 (1087 views)
Permalink

Re: [lvs-users] 443 traffic woes., but port 80 fine. [In reply to]

On Sun, 13 Sep 2009, Brent Clark wrote:

> Hiya
>
> Im hoping someone would be kind to help me with my load balancing or
> least overlook my configs / setup, as im struggling to loadbalance all
> SSL / HTTPS traffic.

have you gone through all the standard things for setting up
https under LVS?

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.single-port.html#https

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

brentgclarklist at gmail

Sep 14, 2009, 10:52 AM

Post #3 of 7 (1082 views)
Permalink

Re: [lvs-users] 443 traffic woes., but port 80 fine. [In reply to]

Joseph Mack NA3T wrote:
> On Sun, 13 Sep 2009, Brent Clark wrote:
>
>> Hiya
>>
>> Im hoping someone would be kind to help me with my load balancing or
>> least overlook my configs / setup, as im struggling to loadbalance all
>> SSL / HTTPS traffic.
>
> have you gone through all the standard things for setting up
> https under LVS?
>
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.single-port.html#https
>
> Joe
>

Hiya

Thanks for this. I have re read this document a million times today to get a comprehensive understanding, and ... I think im still lost.

As said port 80 is working, and so if I understand this document correctly. I am to setup my LVS, and then bind apache's https vhost ip to that of my VIP.

If thats the case, then perfect, cause I see that working. But now for my next question, how do I get loadbalancing working. I.e. Send / forward https requests / connections to another machine.

Thanks in advance if someone can help me understand this more.

Kind Regards
Brent Clark

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

graeme at graemef

Sep 14, 2009, 11:28 AM

Post #4 of 7 (1078 views)
Permalink

Re: [lvs-users] 443 traffic woes., but port 80 fine. [In reply to]

On Mon, 2009-09-14 at 19:52 +0200, Brent Clark wrote:
> As said port 80 is working, and so if I understand this document correctly. I am to setup my LVS, and then bind apache's https vhost ip to that of my VIP.

For a -DR ("gate") setup, yes.

> If thats the case, then perfect, cause I see that working. But now for my next question, how do I get loadbalancing working. I.e. Send / forward https requests / connections to another machine.

Well... if you have port 80 working, then you also have a recipe for
port 443. At the TCP level there is nothing to distinguish the two -
they're simply a TCP service.

However, at the application level they are entirely different beasts.

The simplest approach (with one director; we can touch on failover/HA
later), which you can customise to your local variants:

Director has address 1.2.3.4/24 for "management" on eth0
Director has address 5.6.7.1/24 for the VIP on eth0

Realserver has address 1.2.3.10/24 for "management" on eth0
Realserver has address 5.6.7.1/32 for the VIP on lo
Realserver has Apache bound to 1.2.3.10 ports 80, 443 for healthchecks
Realserver has Apache bound to 5.6.7.1 port 80, 443 for client service
Realserver has appropriate sysctls to manage the ARP problem

Director is then configured to load balance (yes, in this example only
to one server!):

virtual=5.6.7.1:80
real=1.2.3.10:80 gate
service=http
virtualhost=your.host.name
request="index.html"
receive="OK"
scheduler=rr
protocol=tcp
checktype=negotiate

virtual=5.6.7.1:443
real=1.2.3.10:443 gate
service=https
virtualhost=your.host.name
request="index.html"
receive="OK"
scheduler=rr
protocol=tcp
checktype=negotiate

That's about as basic as I can make it (and should work). Note however
the use of the "virtualhost" directive to make sure you request
explicitly a test page from a specific vhost rather than the default
(which could change in some circumstances).

Also note, and I apologise if this is teaching you to suck eggs, but
without an expensive multi-domain("SAN", Subject Alternate Name)
certificate you may only have a single SSL vhost bound to a single IP.

Graeme

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

brentgclarklist at gmail

Sep 15, 2009, 2:31 AM

Post #5 of 7 (1071 views)
Permalink

Re: [lvs-users] 443 traffic woes., but port 80 fine. [In reply to]

Graeme Fowler wrote:
> That's about as basic as I can make it (and should work). Note however
> the use of the "virtualhost" directive to make sure you request
> explicitly a test page from a specific vhost rather than the default
> (which could change in some circumstances).

Graeme, THANK YOU.

What a relief. Its working.

Kindest Regards
Brent Clark

P.s If someone has a heart / time and can wiki and / or howtoforge.org loadbalancing for SSL, with LVS, for the community, please do. Im sure theres others out there, that would like to achieve the same. If you google, its just HTTP examples, little or no HTTPS.

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

jmack at wm7d

Sep 15, 2009, 5:28 AM

Post #6 of 7 (1066 views)
Permalink

Re: [lvs-users] 443 traffic woes., but port 80 fine. [In reply to]

On Tue, 15 Sep 2009, Brent Clark wrote:

> Graeme Fowler wrote:
>> That's about as basic as I can make it (and should work). Note however
>> the use of the "virtualhost" directive to make sure you request
>> explicitly a test page from a specific vhost rather than the default
>> (which could change in some circumstances).
>
>
> Graeme, THANK YOU.

I take it this was the solution.

> P.s If someone has a heart / time and can wiki and / or
> howtoforge.org loadbalancing for SSL, with LVS, for the
> community, please do. Im sure theres others out there,
> that would like to achieve the same. If you google, its
> just HTTP examples, little or no HTTPS.

I don't understand what needs to be done here. I'm happy to
update the HOWTO, I just need to know what's missing

Joe
>

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

brentgclarklist at gmail

Sep 15, 2009, 6:28 AM

Post #7 of 7 (1069 views)
Permalink

Re: [lvs-users] 443 traffic woes., but port 80 fine. [In reply to]

Joseph Mack NA3T wrote:
>
> I don't understand what needs to be done here. I'm happy to
> update the HOWTO, I just need to know what's missing
>

Hiya

I have no real answer to this, nor did I mean any disrespect. From my end, I struggled to get an understanding of how it all worked, and, other than austintek.com, and linuxvirtualserver.org, there was no other site I could find that could help (HTTPS Specific).
As said, I meant no disrepect, and I hope you will take my p.s. in the spirit to help others.

Kind Regards
Brent Clark

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads