cool. thanks for the info. we're using windows
so i'll try to track down a version.

Looks like you've nailed the bug down pretty well.

hopefully, the orion lads will be nice enough to fix
it for the next build.

----- Original Message -----
From: "elephantwalker" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Friday, June 29, 2001 8:59 AM
Subject: RE: clustering + ssl together


> Greg,
>
> I found a tool that you can use to look at what's going on with ssl and the
> loadbalancer or orion. If you are using linux, you probably have this
> already, openssl. I am not sure if there is a windows build, though.
>
> at the command line:
>
> openssl s_client -connect loadbalancermachine:443 -state -debug
>
> The result is clear, ssl returns with an ssl handshake failure. If you do
> this on an instance of orion with ssl:
>
> openssl s_client -connect orionmachine:443 -state -debug
>
> There is no problem.
>
> So that nails the bug down, it's got to be the loadbalancer. I will post this
> in bug 525 for Karl.
>
> Regards,
>
> the elephantwalker
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
> Sent: Thursday, June 28, 2001 2:22 PM
> To: Orion-Interest
> Subject: RE: clustering + ssl together
>
>
> Greg,
>
> I just tried this...
>
> 1. I assumed that ssl was completely broken for the loadbalancer. So I
> stripped off the secure=true from my loadbalancer on port 443 and all of my
> secure-web-site.xml's backends.
>
> 2. I created a new orion instance with only the secure-web-site.xml in the
> server.xml.
>
> 3. I modified the global-web-application.xml so that the only servlet and
> mapping is this:
>
>   <servlet>
>    <servlet-name>tunnel</servlet-name>
>    <servlet-class>com.evermind.server.http.TunnelServlet</servlet-class>
>    <init-param>
>     <param-name>targetRoot</param-name>
>     <param-value>http://loadbalancermachine:443/</param-value>
>    </init-param>
>   </servlet>
>   <servlet-mapping>
>    <servlet-name>tunnel</servlet-name>
>    <url-pattern>/*</url-pattern>
>   </servlet-mapping>
>
> 4. I started the new "proxy" orion instance.
>
> With my browser, I put https://proxymachine/
>
> ...
>
> Voila! it worked!
>
> It's a little slow, so you could probably do this with a reverse-proxy, ssl
> apache to get faster response.
>
> This is only a workaround, since the loadbalancer ssl is broken now.
>
> Regards,
>
> the elephantwalker
>
> P.S. The only caveat here is the j2ee j_security_check won't work, but
> otherwise, everything works. I don't understand why, though.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
> Sent: Wednesday, June 27, 2001 12:00 AM
> To: Orion-Interest
> Subject: Re: clustering + ssl together
>
>
> ew,
>
> using your example, i have tried the equivalent of
> https://localhost/mysecuresite/login
> which should have gone to port 443.
>
> in the effort to "look under orion's covers".....
>
> i've seen a -Djavax.net.debug=all flag mentioned in a previous post by
> tomas anderson (27.6.01), and gave it a try but no extra output
> appeared in orion. do you know what this is supposed to show?
>
> do you know if there is a way to see where the request is getting up to?
> can we do a netstat or something to see where the request is falling over
> or what processes are listening on what ports?
>
> greg.
>
> ----- Original Message -----
> From: "elephantwalker" <[EMAIL PROTECTED]>
> To: "Orion-Interest" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 27, 2001 2:58 PM
> Subject: RE: clustering + ssl together
>
>
> > Greg,
> >
> > I just tried something which ALMOST worked. I tried the secure loadbalancer
> > instance like this in the browser:
> >
> > http://localhost:443/mysecuresite/login.
> >
> > The secure loadbalancer showed a session id, and forwarded the request to
> > the secure island! Of course the site didn't do anything, since it was
> > looking for a handshake. It looks like the loadbalancer is just not doing
> > its bit...it is refusing all connections which are secure.
> >
> > regards,
> >
> > the elephantwalker
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
> > Sent: Tuesday, June 26, 2001 3:00 PM
> > To: Orion-Interest
> > Subject: Re: clustering + ssl together
> >
> >
> >
> > ew,
> >
> > i was trying to run a single secure load balancer
> > with its own load-balancer.xml.
> >
> > loadbalancer did register the 2 orions i'd set up to appear
> > in the cluster, but after being able to see them appear on
> > the loadbalancer screen, i was still unable to access my
> > web app. the browser just sat there with the little IE
> > symbol spinning, but no joy.
> >
> > all orions and the loadbalancer had their own keystore
> > setup using a test certificate generated from thawte.com
> >
> > loadbalancer => secure and on port 443 (on box1)
> > orion1 => secure and on port 443 (on box2)
> > orion2 => secure and on port 8080 (on box1) !! but only in some experiments.
> >
> > i also tried various other configurations of the loadbalancer
> > and cluster machines having secure on/off, etc. and
> > swapping the port numbers around, e.g. when loadbalancer
> > and orion2 were both running, they were both secure="true"
> > but obviously only one can run on port 443 at one time, so
> > i made orion2 run on port 8080 while secure="true" was set.
> >
> > i also had a look at apache for how to setup SSL but it looks
> > like you've got to compile the mod in yourself for win32 so
> > i've given that a miss for the moment.
> >
> > greg.
> >
> > ----- Original Message -----
> > From: "elephantwalker" <[EMAIL PROTECTED]>
> > To: "Orion-Interest" <[EMAIL PROTECTED]>
> > Sent: Wednesday, June 27, 2001 2:48 AM
> > Subject: RE: clustering + ssl together
> >
> >
> > > Here are the <hiccups> in the plan so far...see below.
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
> > > Sent: Monday, June 25, 2001 1:29 AM
> > > To: Orion-Interest
> > > Subject: RE: clustering + ssl together
> > >
> > >
> > > Greg,
> > >
> > > I am doing this now, so I will get back to the list when I am finished.
> > > This is my working plan:
> > >
> > > 1. there are two loadbalancer instances, one for http and one for https.
> > > These can be on the same machine or separate machines.
> > >
> > > <hiccup>
> > >
> > > At one level this works, but you have to set the minimumIsland/maximumIsland
> > > so that each respective loadbalancer picks up either the https island or the
> > > http island. However, https connections do not work. It could be because of
> > > this blurb in the load-balancer.xml description:
> > >
> > > secure - Whether or not to use SSL. The default is false. SSL is only used
> > >    when using session (not IP) based balancing and the backend and the site
> > >    is using SSL. If you specify the balancer to use SSL then the backend
> > >    servers will not (the balancer converts to HTTP, ie contains the SSL
> > >    layer). Note that this puts the strain of decoding the SSL on the balancer.
> > >
> > > I'm sorry, but does this say that we have the option of NOT using SSL for
> > > the balancer, but using it for the backend? Or if we use SSL for the
> > > balancer, SSL isn't used on the backend (and thus we have to strip all of
> > > the SSL configuration from the backend)?
> > >
> > > </hiccup>
> > >
> > >
> > > 2. the ports for your web-sites can be different from your loadbalancer(s)
> > > port. This allows you to have the loadbalancer and an orion instance on the
> > > same machine, for example. Or the ports can be the same, in which case the
> > > loadbalancer(s) has to be on a different machine.
> > >
> > > <hiccup>
> > >
> > > Since web-sites are load-balanced (not applications), it's important that
> > > each *web-site.xml which you use have its own island. This is done by
> > > setting the cluster-island attribute in the web-site tag. See above for
> > > reference to min/max island ids for the loadbalancer. The port bit seems to
> > > work. That is, the http web-site had a port of 10180, and the http
> > > loadbalancer listened on port 80. This was no problem. So if you want to
> > > have the loadbalancer and web-site on the same ip address, you will need to
> > > set the website port to something else so they don't conflict.
> > >
> > > </hiccup>
> > > 3. the same rules apply for the loadbalancer as orion for unix machines. You
> > > need to use some port forwarding, like ipchains, if you want to run the
> > > loadbalancer on a user account which is not the superuser. This applies also
> > > for the ssl port. (skip 3 if you are using m$ or don't care)
> > > 4. the ssl setup in the load-balancer.xml (see the ssl-config tag in the
> > > load-balancer.xml documentation) is the same as the secure-web-site.xml, but
> > > you will have to set the secure flag in the load-balancer tag. Obviously,
> > > this means you will need a keystore for the loadbalancer, and a keystore for
> > > the backend for total secure communication. I believe that the communication
> > > to the backend is transparent to the user, so you can self certify that
> > > connection, regardless of what those guys at verisign say.
> > > 5. you can skip all of this and use apache for ssl (interesting, but slow).
> > > This is what oracle advises, because they can't figure out orion, or they
> > > have so much invested in the "apache/oracle" solution.
> > >
> > > <hiccup>
> > >
> > >  This option is looking better and better.
> > >
> > > </hiccup>
> > >
> > > I'm testing this now, as soon as I get through the hiccups, I will let the
> > > list know.
> > >
> > > regards,
> > >
> > > the elephantwalker
> > >
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Greg
Matthews
> > > Sent: Sunday, June 24, 2001 3:02 PM
> > > To: Orion-Interest
> > > Subject: clustering + ssl together
> > >
> > >
> > >
> > > dear all,
> > >
> > > there has been a recent post on this but no solution posted.
> > > i've got some more info on the problem.
> > >
> > > can the developers of orion or anyone else let me know
> > > if anyone has successfully set up an ssl orion cluster?
> > >
> > > i can:
> > > - set up clustering
> > > - set up ssl
> > >
> > > ...but not both together.
> > >
> > > some clues.
> > >
> > > 1. on orionserver.com there is doco for load-balancer.xml that
> > >     suggests loadbalancer.jar can be given SSL keystore information.
> > >     does this mean that a clustered SSL setup requires loadbalancer
> > >     to share the same keystore as each box in the cluster?
> > >
> > > 2. how do you set the web-site.xml for a clustered secure app.
> > >
> > >     you can't have both the loadbalancer + your secure app
> > >     both running on port 443 on the same box, so what do you
> > >     do?
> > >         i) run loadbalancer on another port?
> > >         ii) run your app on another port?
> > >             - the orion doco says that when your app needs to
> > >               be made secure you should add a secure="true"
> > >               attribute to the web-site element of the web-site.xml
> > >               plus remove the port attribute.
> > >
> > > if someone has made this work i'd be grateful for any information,
> > > or if you couldn't be bothered explaining how to do it, just maybe
> > > forward me your server.xml, loadbalancer.xml, web-site.xml and
> > > i'll work it out from that.
> > >
> > > thanks.
> > > greg.
> > >
> > >
> > >
>
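The diagnosis worked out in the thread above can be scripted: `openssl s_client -connect loadbalancermachine:443` fails the handshake while the same command against an orion instance succeeds, and a plain `http://localhost:443/...` request is answered by the "secure" loadbalancer, which tells you the port is speaking HTTP rather than SSL. The probe below is an added example, not code from this thread or from Orion; it opens a real TLS handshake against a host:port and, if that fails, asks the same port in plain HTTP, so it separates "speaks TLS", "speaks plaintext HTTP on the SSL port", "nothing listening" and "answered but not with TLS". The host names are assumptions, and the stand-in "fake balancer" that answers every connection with plain HTTP is constructed for the demo.

```python
"""Probe a port that should speak SSL/TLS and report what actually answers.

Added example (not from the Orion-Interest thread or Orion itself).
Mirrors the manual check done with `openssl s_client -connect host:443`.
"""
import socket
import ssl
import threading

TLS_OK = "tls-handshake-ok"                # port speaks TLS; this hop is fine
TLS_FAILED = "tls-handshake-failed"        # answered, but not with a usable TLS handshake
PLAINTEXT_HTTP = "plaintext-http-on-port"  # port speaks HTTP, not TLS: secure="true" is not taking effect
REFUSED = "connection-refused"             # nothing listening (wrong box/port, or process down)
NO_ANSWER = "no-answer"                    # connected, but the peer sent nothing back


def _sni_name(host):
    # Python only sends SNI for DNS names; skip it for IP literals.
    return None if host.replace(".", "").isdigit() else host


def probe(host, port, timeout=3.0):
    """Classify host:port as one of the constants above."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return REFUSED

    # Step 1: attempt a real TLS handshake, like `openssl s_client`.
    # Certificate checks are off on purpose: the thread uses a test cert,
    # and the question here is only whether the peer speaks TLS at all.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=_sni_name(host)) as tls:
            tls.version()  # handshake has completed if we get here
        return TLS_OK
    except (ssl.SSLError, OSError):
        pass
    finally:
        raw.close()

    # Step 2: the handshake failed, so ask the same port in plain HTTP
    # (this is the http://host:443/ experiment from the thread).
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
            first = plain.recv(16)
    except OSError:
        return NO_ANSWER
    if first.startswith(b"HTTP/"):
        return PLAINTEXT_HTTP
    return TLS_FAILED if first else NO_ANSWER


def start_fake_balancer():
    """Constructed stand-in for the broken balancer: listens on 127.0.0.1 and
    answers every connection, TLS ClientHello included, with plain HTTP.
    Returns (port, stop_function)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.settimeout(1.0)
                    conn.recv(4096)  # HEAD request or TLS ClientHello, either way
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def free_local_port():
    """A 127.0.0.1 port with nothing listening, for the REFUSED case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_fake_balancer()
    print("fake balancer on 127.0.0.1:%d ->" % port, probe("127.0.0.1", port))
    stop()
    print("unused port ->", probe("127.0.0.1", free_local_port()))
    # Against the real hosts from the thread (names assumed):
    # probe("loadbalancermachine", 443) and probe("orionmachine", 443)
```

Run it against the balancer and against one orion instance; a `plaintext-http-on-port` result on the balancer is the situation described above (the balancer forwards plain requests but never does the handshake), while `connection-refused` answers the netstat question in the thread: nothing is bound to that port on that box. The probe deliberately does not validate the certificate, so a `tls-handshake-ok` result says nothing about whether the test certificate is trusted, only that SSL is being spoken.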

