Linode Forum
Linode Community Forums
PostPosted: Tue Dec 16, 2014 10:57 pm 
Senior Newbie

Joined: Thu Oct 23, 2014 11:02 pm
Posts: 6
I currently can only test the nodebalancer by modifying my 'hosts' file locally.

My nodebalancer works great with HTTP with the single linode I have behind it.

My websites work great ordinarily over HTTPS, but as soon as I try to use HTTPS through the nodebalancer (TCP protocol), I get the following error in Chrome and a similar one in Firefox:
Code:
Error code: ERR_SSL_PROTOCOL_ERROR


My nodebalancer configuration page:
Code:
Port 443    tcp    source    table    connection    1 up, 0 down
Port 80    http    source    http_cookie    http    1 up, 0 down


Both of the nodes on the nodebalancer are using the private IP of the linode with the correct port (192.168.1.1:443) and as you can see above they both say the server is "up".

Why am I getting this SSL protocol error message?

BTW I don't claim to know very much about SSL protocol...

Edit: What a doofus--this doesn't have anything to do with email/SMTP. If I could move it, I would.


Last edited by IntelligentDesign on Wed Dec 17, 2014 1:35 am, edited 1 time in total.

PostPosted: Tue Dec 16, 2014 11:03 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
The only way that port 80 in http mode is working on the NodeBalancer is if the backend server it's talking to is talking HTTP, not HTTPS. As such, if it's talking to port 443 on your backend, your backend is not talking HTTPS. If that's the case, and you route port 443 on the NodeBalancer to 443 on the backend via TCP mode, you'd need to talk to that via HTTP as well, not HTTPS.

Double check whether your backend server is actually using SSL on port 443. If it's not, you're gonna want to turn it on (and make sure it's serving HTTP on port 80, so you can route the NodeBalancer's port 80 traffic there).

- Les


PostPosted: Tue Dec 16, 2014 11:19 pm 
Senior Newbie

Joined: Thu Oct 23, 2014 11:02 pm
Posts: 6
Indeed it is serving SSL on port 443, at least when I'm not using the nodebalancer.

Do I need to check that it's using SSL on port 443 when it's accessed from its network? I might need a pointer on how to check that.


PostPosted: Tue Dec 16, 2014 11:25 pm 
Senior Newbie

Joined: Thu Oct 23, 2014 11:02 pm
Posts: 6
Oh, and your first comment...I see it's because I wasn't clear in my parenthesized note: (192.168.1.1:443) I only gave that for the one I was having trouble with, but the HTTP one is 192.168.1.1:80. I'm sorry about my poor question-asking skills.


PostPosted: Tue Dec 16, 2014 11:30 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
What is your NodeBalancer's actual IP, what is the backend's private IP, and what datacenter are they in?

If by chance you're actually using "192.168.1.1:80" and "192.168.1.1:443": that IP definitely isn't your Linode's private IP, and you should use your real private IP that you find on the Remote Access tab.

- Les


PostPosted: Wed Dec 17, 2014 1:22 am 
Senior Newbie

Joined: Thu Oct 23, 2014 11:02 pm
Posts: 6
NodeBalancer public: 23.92.23.30
Server private: 192.168.182.86
Newark

No, I was using the real private IP. I should have denoted the numbers with 192.168.x.x but now what difference can it make.

While we're at giving out specific info, here's the hostname as well that I've been working with: strictlyt.com

I tested it at https://www.ssllabs.com/ssltest/analyze ... com&latest and it pointed out incompatibility with some older browsers that aren't SNI compatible. I'm thinking this might have something to do with that. Perhaps giving this account its own IP would solve the issue because the nodebalancer doesn't support SNI?


PostPosted: Wed Dec 17, 2014 1:26 am 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
The NodeBalancer is never doing an HTTPS handshake with your backend server, so SNI and ciphers play no role.

Your backend server is throwing the error, not the NodeBalancer:

Code:
❯ curl -I https://192.168.182.86
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol


This is because your backend is responding with HTTP on port 443, not HTTPS:

Code:
❯ curl -I http://192.168.182.86:443
HTTP/1.1 302 Found
Date: Wed, 17 Dec 2014 05:25:24 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Location: http://192.168.182.86:443/cgi-sys/suspendedpage.cgi
Content-Type: text/html; charset=iso-8859-1


As I said, you're going to want to look into that.

- Les


PostPosted: Wed Dec 17, 2014 2:23 am 
Senior Newbie

Joined: Thu Oct 23, 2014 11:02 pm
Posts: 6
Thanks for your help. As it turns out, my vhosts templates did not specify which port to use for the private IP (which I inserted manually into the template), so it was grabbing the first virtualhost specified that happened to be the one without the SSLCertificateFile directives. I specified the ports and bingo: it works.
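
The two curl checks from the thread (TLS handshake fails, plain HTTP answers on port 443) combined into one probe, as an added example that is not part of the original posts. The names `probe_port` and `start_fake_backend` are hypothetical, and the fake backend is a constructed stand-in for the misconfigured vhost so the block runs offline.

```python
import socket
import ssl
import threading

def probe_port(host, port, timeout=3.0):
    """Classify what a TCP port speaks: 'tls', 'plaintext-http' or 'unknown'."""
    ctx = ssl.create_default_context()
    # Diagnostic only: the question is "is this TLS at all?", not "do I trust
    # the peer?". A backend reached by private IP will not match its cert name.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "tls"
    except OSError:
        pass  # handshake failed (ssl.SSLError is an OSError); try plaintext next
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            first = raw.recv(16)
    except OSError:
        return "unknown"
    # An HTTP status line where a ServerHello should be is the thread's symptom.
    return "plaintext-http" if first.startswith(b"HTTP/") else "unknown"

def start_fake_backend():
    """Constructed test server: answers plain HTTP to anything, like the bad vhost."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 302 Found\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_backend()
    print(port, probe_port("127.0.0.1", port))
```

Run against each backend address and port before pointing a TCP-mode balancer at it; a "plaintext-http" result on the HTTPS port means the TLS-enabled virtual host is not the one answering.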

