Have you tried it, Dennis? Did you look into the ldirectord code? You know, how SSL is working?

Regards,
Timur.

On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <[email protected]> wrote:

> On 03.12.2013 12:19, Timur I. Bakeyev wrote:
> > Hi guys!
> >
> > I've posted bug report regarding ldirectord, can you please review it and
> > commit, if possible?
> >
> > https://github.com/ClusterLabs/resource-agents/issues/361
> >
> > Ldirectord is using LWP for its negotiate checks for the HTTP/HTTPS sites.
> > Since LWP 6.0 by default it verifies the correspondence of the SSL
> > certificate and the server hostname. In 99.9% of the cases this is the VIP
> > hostname and RIP are identified by their internal hostnames or, most common
> > - by their IP addresses.
> >
> > That breaks hostname verification and hence - marks HTTPS backends as
> > invalid and kicks them off the pool. This problem did hit me in the
> > production when we've upgraded from Debian squeeze to Debian wheezy, which
> > brought newer version of LWP.
> >
> > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> >
> > Luckily, the fix to the problem is easy:
> >
> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100
> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100
> > @@ -2834,7 +2834,7 @@
> > &ld_debug(2, "check_http: url=\"$$r{url}\" "
> > . "virtualhost=\"$virtualhost\"");
> >
> > - my $ua = new LWP::UserAgent();
> > + my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0
> });
> >
> > my $h = undef;
> > if ($$v{service} eq "http_proxy") {
> >
> > I haven't verified that with older version of LWP, but I believe it should
> > just ignore unknown parameters to the constructor.
>
> I don't think that's a bug but you have to specify the virtualhost
> parameter to set the Host header for the realservers.
>
> Regards,
> Dennis
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
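
Review bot: the replacement constructor line in check_http passes `ssl_opts => { verify_hostname => 0 }` unconditionally, so every HTTPS negotiate check stops validating which host it is talking to, including setups where a virtualhost is configured and would match the certificate. Make this a per-service setting that defaults to verification on, or check the certificate against the `$virtualhost` value that the debug line just above the change already has. The message also says the option was not tried against older LWP versions, so that case needs a test before this is committed.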
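
The alternative to switching verification off, as an added example that is not part of the original thread or of ldirectord: connect to the real server's address but validate the certificate against the virtual service name. `check_https_backend` and the sample values are hypothetical; it assumes LWP 6 with IO::Socket::SSL as the TLS backend, to which LWP hands the `SSL_*` entries of `ssl_opts`.

```perl
#!/usr/bin/perl
# Added example: hypothetical helper, not ldirectord code.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# check_https_backend($rip, $port, $virtualhost, $path [, $ca_file])
# Connects to the real server (RIP) but verifies the certificate against
# the virtual service name. Returns (ok, detail).
sub check_https_backend {
    my ($rip, $port, $virtualhost, $path, $ca_file) = @_;

    my %ssl = (
        verify_hostname   => 1,             # keep chain and name verification on
        SSL_verifycn_name => $virtualhost,  # name the certificate must match
        SSL_hostname      => $virtualhost,  # SNI, so the backend selects that cert
    );
    # Optional CA bundle, e.g. for certificates issued by an internal CA.
    $ssl{SSL_ca_file} = $ca_file if defined $ca_file;

    my $ua = LWP::UserAgent->new(ssl_opts => \%ssl, timeout => 5);
    $ua->max_redirect(0);    # judge this backend only, do not follow redirects

    # URL addresses the real server; Host header names the virtual service.
    my $req = HTTP::Request->new(GET => "https://$rip:$port$path");
    $req->header(Host => $virtualhost);

    my $res = $ua->request($req);
    # On a TLS failure LWP returns an internal 500 response whose status
    # line carries the IO::Socket::SSL error text.
    return ($res->is_success ? 1 : 0, $res->status_line);
}

# Constructed sample values: documentation address range and example domain.
my ($ok, $detail) =
    check_https_backend('192.0.2.10', 443, 'www.example.com', '/health');
print $ok ? "UP   $detail\n" : "DOWN $detail\n";
```

With these options a backend that serves the wrong certificate, or one from an untrusted issuer, is reported DOWN instead of passing the check.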
