Hello everyone. Recently I have made it a project to get hoststated running
on my OpenBSD firewalls. Before that I had a PHP script I wrote to accomplish
this task of L7 health checking, and let's just say it was less than
efficient.
Anyway, I was able to get the whole thing running correctly, but I noticed a
small bug and I was able to alleviate it with a small change to
/usr/src/usr.sbin/hoststated/relay.c.
I noticed that the https relay worked great in Firefox and even IE. However,
when I tried to go to the https domain in Opera or IE4 Mac, I got a nice fat
error screen about something screwed up with the security certificate. I
noticed that whenever I hit the page in Opera, hoststated -d would spit this
out:
relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL accept timeout
So naturally, I dove into /usr/src/usr.sbin/hoststated/relay.c and found
that error message around line 1978. I tried to figure out exactly what was
going on, but decided to just give this a try:
[Lines 1978 - 1981]
    if (event == EV_TIMEOUT) {
        //relay_close(con, "SSL accept timeout");
        //return;
    }
As you can see, all I did was comment out the two lines inside the if
statement. Well, I am happy to report that Opera, FF, IE (Win & Mac) all
work beautifully now and I haven't noticed any other problems. I guess my
question is: does anyone know what the long-term side effects of this code
change would be? I am guessing that I just completely short-circuited all
timeout ability for SSL.
Any feedback would be greatly appreciated.
Thanks,
Mike
Here is my /etc/hoststated.conf file for those that are interested:
# $OpenBSD: hoststated.conf,v 1.6 2007/02/26 20:43:32 reyk Exp $
#
# Macros
#
#ext_addr="192.168.1.1"
#webhost1="10.0.0.1"
#webhost2="10.0.0.2"

#
# Global Options
#
interval 5
# timeout 200
# prefork 5

#
# Each table will be mapped to a pf table.
#
##########################
table era_cluster {
    real port http
    check http "/" code 200
    host "192.168.2.212"
    host "192.168.2.213"
    host "192.168.2.214"
}
##########################
table acclogic_cluster {
    real port http
    check http "/" code 200
    host "192.168.2.215"
    host "192.168.2.216"
    host "192.168.2.217"
}
##########################
table trklogic_cluster {
    real port http
    check http "/" code 200
    host "192.168.2.218"
    host "192.168.2.219"
    host "192.168.2.220"
}
##########################
#table fallback {
#    real port http
#    check icmp
#    host 127.0.0.1
#}

#
# Services will be mapped to a rdr rule.
#
##########################
service era_www {
    virtual host 38.101.110.212 port http interface em0
    # tag every packet that goes thru the rdr rule with HOSTSTATED
    tag HOSTSTATED
    table era_cluster
    #backup table fallback
}
##########################
service trklogic_www {
    virtual host 38.101.110.214 port http interface em0
    # tag every packet that goes thru the rdr rule with HOSTSTATED
    tag HOSTSTATED
    table trklogic_cluster
    #backup table fallback
}
service acclogic_www {
    virtual host 38.101.110.213 port http interface em0
    # tag every packet that goes thru the rdr rule with HOSTSTATED
    tag HOSTSTATED
    table acclogic_cluster
    #backup table fallback
}
##########################

#
# Relays and protocols are used for Layer 7 loadbalancing
#
protocol httpssl {
    protocol http
    header append "$REMOTE_ADDR" to "X-Forwarded-For"
    header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
    header change "HTTPS" to "on"
    header change "Connection" to "close"
    header remove "Keep-Alive"
    # Various TCP performance options
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }
    #tcp { nodelay, socket buffer 65536 }
    #ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
    #ssl session cache disable
}
relay acclogic_www_secure {
    # Run as a SSL accelerator
    listen on accounts.logicads.com port 443 ssl
    protocol httpssl
    # Forward to hosts in the webhosts table using a src/dst hash
    table acclogic_cluster loadbalance
}
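With the two lines in relay.c commented out, a client whose SSL handshake never completes is no longer closed by the relay's own timer, so such sessions occupy a relay session slot until the peer or the kernel tears them down. The thing to keep an eye on in that situation is the "(N active)" counter and which sources keep producing "SSL accept timeout" in the debug output. The following script is an added example, not part of the post and not hoststated code: it parses lines in the format of the single hoststated -d line quoted above (the field names and the assumption that other lines share that layout are mine), tracks the peak active-session count per relay, and counts handshake timeouts per source address. Apart from the quoted line, the sample log lines, the "done" message text and the documentation-range addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Pattern modelled on the one hoststated -d line quoted in the post:
#   relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL accept timeout
# Field names are my own; applying it to other messages is an assumption.
LOG_RE = re.compile(
    r"^relay (?P<relay>\S+), session (?P<session>\d+) "
    r"\((?P<active>\d+) active\), "
    r"(?P<src>[0-9A-Fa-f.:]+) -> (?P<dst>[^,]*), (?P<msg>.+)$"
)

TIMEOUT_MSG = "SSL accept timeout"

# Constructed sample log: the first line is the one from the post; the rest
# are made up for this example (the "done" message and the 203.0.113.x /
# 198.51.100.x addresses are not real hoststated output).
SAMPLE_LOG = """\
relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL accept timeout
relay acclogic_www_secure, session 46 (2 active), 203.0.113.10 -> 192.168.2.215:80, done
relay acclogic_www_secure, session 47 (3 active), 208.106.57.200 -> :0, SSL accept timeout
relay acclogic_www_secure, session 48 (2 active), 198.51.100.7 -> 192.168.2.216:80, done
relay acclogic_www_secure, session 49 (3 active), 208.106.57.200 -> :0, SSL accept timeout
relay acclogic_www_secure, session 50 (4 active), 203.0.113.10 -> :0, SSL accept timeout
this line is not a relay session message and is skipped
"""


def parse_line(line):
    """Return the fields of one relay session line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["session"] = int(rec["session"])
    rec["active"] = int(rec["active"])
    return rec


def summarize(log_text):
    """Aggregate peak active sessions per relay and SSL accept timeouts per source."""
    peak_active = defaultdict(int)
    timeouts_by_src = Counter()
    sessions = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated debug output
        sessions += 1
        relay = rec["relay"]
        # The "(N active)" counter is what grows if stalled handshakes are never reaped.
        peak_active[relay] = max(peak_active[relay], rec["active"])
        if rec["msg"] == TIMEOUT_MSG:
            timeouts_by_src[rec["src"]] += 1
    return {
        "sessions": sessions,
        "peak_active": dict(peak_active),
        "timeouts_by_src": dict(timeouts_by_src),
    }


def noisy_sources(summary, threshold=3):
    """Sources whose handshake timeouts reach the threshold, sorted for stable output.

    A legitimate client with a handshake problem (as the post's Opera case) and a
    misbehaving peer both show up here; the count tells you which addresses to
    look at rather than which they are.
    """
    return sorted(src for src, n in summary["timeouts_by_src"].items() if n >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("sessions seen:", result["sessions"])
    print("peak active per relay:", result["peak_active"])
    print("SSL accept timeouts per source:", result["timeouts_by_src"])
    print("sources at threshold:", noisy_sources(result))
```

To use it on real output, save the debug log to a file and call summarize() on its contents; relay lines that do not fit the quoted format are skipped rather than misread, which also means the script should be re-checked against the actual relay.c message strings before trusting the counts.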