Hi all,

I'm setting up an OpenBSD box as a firewall also handling load balancing,
failover, and SSL relaying to a group of application servers. Configuring
hoststated for the HTTP load balancing and failover has been straightforward,
but I've run into problems with failover for HTTPS. The SSL relay works but
won't fail over to a backup table (a static web page served by Apache bound
to localhost). Running 'hoststatectl show summary' gives me output saying
the backup table is in effect, but there's no response from the localhost
server (which is also the backup server for the HTTP service, and works fine
on failover). Running 'hoststated -d' to see output, I get the messages:

    relay_from_table: no active hosts
    relay sslaccel, session 1 (1 active), 192.168.1.108 -> :0, session failed

whenever an HTTPS request is sent.

I've tried adding a backup table in the "relay" section of
hoststated.conf, but backup table syntax is not allowed there. I've created a
service called wwwssl and added that to the "relay" section, but the backup
table in the service is ignored. I've swapped addresses and ports and run
Apache on different addresses and ports and all other sorts of combinations,
but to no avail. Does anyone have any experience or insight to share on this?
hoststated.conf follows.

Otherwise, many thanks to pyr@ and reyk@ for the work on hoststated; it's
made for another OpenBSD entry into a corporate environment (and my job
happier :) ).

Thanks!

-Steve

hoststated.conf:
# macros for the backend addresses
www1=172.16.1.10
www2=172.16.1.11
wwwbackup=127.0.0.1

# poll the hosts every second
interval 1

# primary application servers
table wwwhosts {
   real port 80
   check icmp
   host $www1
   host $www2
}

# static "sorry" page served by apache on localhost
table wwwhostsbackup {
   real port 80
   check icmp
   host $wwwbackup
}

# plain http: load balancing with failover to the backup table works
service www {
   virtual host 192.168.1.6 port 80 interface bge0
   tag HOSTSTATED
   table wwwhosts
   backup table wwwhostsbackup
}

# service referenced from the ssl relay below
service wwwssl {
   virtual host 192.168.1.7 port 80   # this host ip could be 127.0.0.1 and the same effect happens
   tag HOSTSTATED
   table wwwhosts
   backup table wwwhostsbackup
}

protocol http_ssl {
   protocol http
   header append "$REMOTE_ADDR" to "X-Forwarded-For"
   header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
   header change "Keep-Alive" to "10"
   # sslv2 and ciphers "ALL" also admit weak and export ciphers; a
   # restrictive list such as "MEDIUM:HIGH" is safer
   ssl { sslv3, sslv2, ciphers "ALL" }
}

# ssl acceleration: terminate https here and relay to the backends
relay sslaccel {
   listen on 192.168.1.6 port 443 ssl
   protocol http_ssl
   service wwwssl
}
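
The two debug lines quoted in the post are the only evidence that the relay
never picks a backend: the target appears as ":0" and the session fails. The
following is an added example (not from the post or from hoststated itself)
that parses such 'hoststated -d' output and reports, per relay, how many
sessions failed without a target being selected. The field layout is inferred
from the quoted line; the sample log is constructed, and the "done" status and
resolved target in its last line are assumptions included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of `hoststated -d` output.  The first two lines mirror
# the ones quoted in the post; the rest are assumed for contrast (the "done"
# status and the resolved target are assumptions, not from the post).
SAMPLE_LOG = """\
relay_from_table: no active hosts
relay sslaccel, session 1 (1 active), 192.168.1.108 -> :0, session failed
relay_from_table: no active hosts
relay sslaccel, session 2 (1 active), 192.168.1.108 -> :0, session failed
relay sslaccel, session 3 (1 active), 192.168.1.108 -> 172.16.1.10:80, done
"""

# Field layout inferred from the quoted line (an assumption):
#   relay <name>, session <id> (<n> active), <client> -> <target>:<port>, <status>
# An empty target with port 0 (":0") means no backend host was selected.
SESSION_RE = re.compile(
    r"^relay (?P<relay>\S+), session (?P<sid>\d+) \((?P<active>\d+) active\), "
    r"(?P<client>\S+) -> (?P<target>[^\s:]*):(?P<port>\d+), (?P<status>.+)$"
)
NO_HOSTS_MSG = "relay_from_table: no active hosts"


def parse_session(line):
    """Parse one per-session line; return a dict, or None for other lines."""
    m = SESSION_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["active"] = int(rec["active"])
    rec["port"] = int(rec["port"])
    # The symptom in the post: the session failed before any target was chosen.
    rec["no_target"] = rec["target"] == "" and rec["port"] == 0
    return rec


def summarize(log_text):
    """Count 'no active hosts' events and per-relay session outcomes."""
    result = {
        "no_active_hosts": 0,
        "relays": defaultdict(lambda: {"failed_no_target": 0, "failed": 0, "ok": 0}),
    }
    for line in log_text.splitlines():
        if line.strip() == NO_HOSTS_MSG:
            result["no_active_hosts"] += 1
            continue
        rec = parse_session(line)
        if rec is None:
            continue  # unrelated debug output
        stats = result["relays"][rec["relay"]]
        if rec["status"] == "session failed":
            stats["failed"] += 1
            if rec["no_target"]:
                stats["failed_no_target"] += 1
        else:
            stats["ok"] += 1
    result["relays"] = dict(result["relays"])
    return result


def relays_with_no_backend(log_text):
    """Names of relays that failed sessions without ever selecting a backend."""
    return sorted(
        name
        for name, s in summarize(log_text)["relays"].items()
        if s["failed_no_target"] > 0
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"'no active hosts' events: {summary['no_active_hosts']}")
    for name, s in summary["relays"].items():
        print(f"{name}: {s['failed_no_target']} failed with no backend, "
              f"{s['failed']} failed total, {s['ok']} ok")
```

Feed it the saved output of 'hoststated -d' (e.g. via a pipe into
`summarize(sys.stdin.read())`); a relay listed by `relays_with_no_backend`
is one whose table lookup is returning nothing, which matches the symptom
above regardless of what 'hoststatectl show summary' reports for the backup
table.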
