hi!

On Thu, Aug 16, 2007 at 03:15:47PM -0700, Michael Taggart wrote:
> Hello everyone. Recently I have made it a project to get hoststated running
> on my OpenBSD firewalls. Before I had a php script I wrote to accomplish
> this task of L7 health checking and let's just say it was less than
> efficient.
> 
> Anyway I was able to get the whole thing running correctly, but I noticed a
> small bug and I was able to alleviate it with a small change to
> /usr/src/usr.sbin/hoststated/relay.c
> 
> I noticed that the https relay worked great in Firefox and even IE. However,
> when I tried to go to the https domain in Opera or IE4 Mac. I got a nice fat
> error screen about something screwed up with the security certificate. I
> noticed that whenever I hit the page in Opera hoststated -d would spit this
> out:
> 
> relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL
> accept timeout
> 

this is not a bug, it is just a stupid behaviour of opera... (btw. WHY
do you use IE4 Mac???). but you can tweak it, see below...

> So naturally, I dove into /usr/src/usr.sbin/hoststated/relay.c and found
> that error message around line 1978. I tried to figure out exactly what was
> going on, but decided to just give this a try:
> 
> [Lines 1978 - 1981]
>  if (event == EV_TIMEOUT) {
>                 //relay_close(con, "SSL accept timeout");
>                 //return;
>         }
> 
> As you can see, all I did was comment out the two lines inside the if
> statement. Well, I am happy to report that Opera, FF, IE (Win & Mac) all
> work beautifully now and I haven't noticed any other problems. I guess my
> question is does anyone know what the long term side effects of this code
> change would be? I am guessing that I just completely short circuited all
> timeout ability for SSL.
> 

please don't do this, this is just wrong. you cannot ignore the
timeout condition, it will either have some strange side effects or
eat all your resources... you cannot just disable a timeout handler!

> Any feedback would be greatly appreciated.
> 

i admit that the timeout configuration is a little bit confusing.
we're probably going to split the timeout options in different
dedicated values after 4.2.

see comments in your configuration below

> Thanks,
> Mike
> 

thanks for your feedback!
reyk

> 
> Here is my /etc/hoststated.conf file for those that are interested:
> 
> # $OpenBSD: hoststated.conf,v 1.6 2007/02/26 20:43:32 reyk Exp $
> #
> # Macros
> #
> #ext_addr="192.168.1.1"
> #webhost1="10.0.0.1"
> #webhost2="10.0.0.2"
> 
> #
> # Global Options
> #
> interval 5
> # timeout 200

the accept timeout is inherited from the global timeout option, and
the default is a little bit low for crappy ssl implementations (see
above) or slow connections, try to set it to

timeout 4000

(it has to be a little bit less than the interval)

> # prefork 5
> 
> #
> # Each table will be mapped to a pf table.
> #
> ##########################
> table era_cluster {
>     real port http
>     check http "/" code 200
>     host "192.168.2.212"
>     host "192.168.2.213"
>     host "192.168.2.214"
> }
> 
> ##########################
> table acclogic_cluster {
>     real port http
>     check http "/" code 200
>     host "192.168.2.215"
>     host "192.168.2.216"
>     host "192.168.2.217"
> }
> 
> ##########################
> table trklogic_cluster {
>     real port http
>     check http "/" code 200
>     host "192.168.2.218"
>     host "192.168.2.219"
>     host "192.168.2.220"
> }
> 
> ##########################
> 
> #table fallback {
> #    real port http
> #    check icmp
> #    host 127.0.0.1
> #}
> 
> #
> # Services will be mapped to a rdr rule.
> #
> ##########################
> service era_www {
>         virtual host 38.101.110.212 port http interface em0
> 
>     # tag every packet that goes thru the rdr rule with HOSTSTATED
>     tag HOSTSTATED
> 
>     table era_cluster
>     #backup table fallback
> }
> 
> ##########################
> service trklogic_www {
>         virtual host 38.101.110.214 port http interface em0
> 
>     # tag every packet that goes thru the rdr rule with HOSTSTATED
>     tag HOSTSTATED
> 
>     table trklogic_cluster
>     #backup table fallback
> }
> 
> service acclogic_www {
>         virtual host 38.101.110.213 port http interface em0
> 
>     # tag every packet that goes thru the rdr rule with HOSTSTATED
>     tag HOSTSTATED
> 
>     table acclogic_cluster
>     #backup table fallback
> }
> 
> 
> ##########################
> #
> # Relays and protocols are used for Layer 7 loadbalancing
> #
> protocol httpssl {
>     protocol http
>     header append "$REMOTE_ADDR" to "X-Forwarded-For"
>     header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
>     header change "HTTPS" to "on"
>     header change "Connection" to "close"
>     header remove "Keep-Alive"
> 

i figured out that it sometimes is a good idea to allow keep-alives
(hoststated does support keep-alive sessions with multiple requests),
because it reduces the internal load on the webservers. but you can
decrease the timeout to keep the number of concurrent sessions on the
loadbalancer low:

      header change "Keep-Alive" to "$TIMEOUT"

$TIMEOUT is the value in seconds as defined below. the typical
keep-alive timeout as used by the browsers is around 300-600 seconds,
which is way too high for busy loadbalancers (you will run out of
sockets/file descriptors).

>     # Various TCP performance options
>     tcp { nodelay, sack, socket buffer 65536, backlog 128 }
>     #tcp { nodelay, socket buffer 65536 }
> 
>     #ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
>     #ssl session cache disable
> }
> 
> relay acclogic_www_secure {
>     # Run as a SSL accelerator
>     listen on accounts.logicads.com port 443 ssl
>     protocol httpssl
> 

      timeout 10

10 seconds seems to be a good choice, but you have to figure out the
best value which works in your environment.

>     # Forward to hosts in the webhosts table using a src/dst hash
>     table acclogic_cluster loadbalance
> }

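An added example, not code from this thread or from hoststated: a small Python parser for the "SSL accept timeout" debug lines quoted above, counting them per relay and per source address and tracking the peak active-session count, so the global timeout can be tuned from evidence rather than switched off in relay.c. Only the one quoted line is known; the field layout of other session messages and all sample addresses are assumptions.

```python
import re
from collections import Counter

# Pattern for the "SSL accept timeout" debug line quoted in the thread:
#   relay <name>, session <id> (<n> active), <src> -> <dst>, <message>
# Only the one quoted line is known; the layout of other messages is assumed.
LINE_RE = re.compile(
    r"^relay (?P<relay>\S+), session (?P<session>\d+) \((?P<active>\d+) active\), "
    r"(?P<src>\S+) -> (?P<dst>\S*), (?P<msg>.+)$"
)

def parse_line(line):
    """Parse one hoststated -d session line; None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["session"] = int(rec["session"])
    rec["active"] = int(rec["active"])
    return rec

def timeout_report(lines):
    """Count SSL accept timeouts per relay and per source address.

    Returns (per_relay, per_src, max_active).  Many distinct sources with a
    low active count points at a timeout that is too short for slow clients;
    a high active count means sessions are piling up and raising the timeout
    will cost sockets/file descriptors.
    """
    per_relay, per_src, max_active = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated debug output
        max_active = max(max_active, rec["active"])
        if rec["msg"] == "SSL accept timeout":
            per_relay[rec["relay"]] += 1
            per_src[rec["src"]] += 1
    return per_relay, per_src, max_active

# Constructed sample output modelled on the one line quoted in the thread;
# the "session done" line and the extra addresses are made up for the example.
SAMPLE_LOG = """\
relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL accept timeout
relay acclogic_www_secure, session 46 (2 active), 192.0.2.10 -> :0, session done
relay acclogic_www_secure, session 47 (2 active), 208.106.57.200 -> :0, SSL accept timeout
not a session line at all
relay era_www_secure, session 3 (1 active), 198.51.100.7 -> :0, SSL accept timeout
"""
```

Feed the output of `hoststated -d` to `timeout_report(...)`, for example `timeout_report(SAMPLE_LOG.splitlines())`, and raise the global `timeout` in steps while the per-source counts drop and the peak active count stays manageable.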