With the POODLE SSLv3 vulnerability which was found a couple of weeks ago basically everyone turned off SSLv3. So did we.
Unfortunately this caused a few other problems for us.
<im folgenden statt subdomain besser vhost, da das klarer verständlich ist finde ich...prüfs mal für dich, am ende musst dus nicht ändern, ist ja dein text. ich mach nur blöde anmerkungen :D>
We are running multiple Ruby on Rails applications on multiple servers which all listen on the same port but different vhosts.
<VirtualHost *:443> ServerName api.example.com ... </VirtualHost> <VirtualHost *:443> ServerName api-sandbox.example.com ... </VirtualHost>
The server uses the domain to select the correct vhost to then forward the request to the right application.
In front of those servers there is a load balancer which then tries to evenly distribute the requests between each all the servers running instances of the application.
This is a setup which works quite well for us. Multiple requests can come in and in case of too much load we can just deploy an application on another server and add it to the load balancing.
After a successful deployment we run a couple of smoke tests to make sure that the correct version was deployed and responds in the way we would expect it to. All of this is part of our general deployment process and has been automated as far as possible.
When deploying the application on multiple servers at the same time we have to make sure to check that each instance of the application got smoke tests running against it. For that reason we have to bypass the load balancer and make direct requests to each individual server.
For SSLv3 this actually was not much of an issue. We would just make a basic HTTP GET request to the server IP and set the Host header. This would allow the server to correctly pick the application and thus respond as expected.
Since we are doing almost all of our development in Ruby the deployment scripts are written in Ruby (Capistrano and a few custom scripts for the smoke tests). A request which does the trick looks like this:
require 'net/http' require 'uri' require 'openssl' url = "https://10.10.10.10/path" host = "example.com" uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE http.ssl_version = :SSLv3 request = Net::HTTP::Get.new(uri.request_uri) request['Host'] = host response = http.request(request)
While having SSLv3 active this works like a charm.
Unfortunately this does not work for TLSv1. So just replacing
:TLSv1 would not do the trick.
It actually took me quite a while to figure out the best way of making the smoke tests work again.
I could not find anything in the Ruby standard library which helped me accomplish calling a very specific application on a specific server (or maybe I just did not look hard enough).
The issue here was that TLSv1 and higher are using SNI which is a TLS extension that requires providing the domain name already during the handshake process.
At first I tried to find a similar approach of calling the IP and providing some kind of HTTP header.
This does not work because the information about which application should be called is not available at the handshake. Since the server cannot select the correct vhost it also does not know which SSL certificate to return.
In order to keep using TLS and avoid having to add a workaround (like a second host specific vhost) another approach was required.
I tried a couple of different Ruby HTTP clients but could not quite get it to work. After a while a colleague pointed out the
--resolve flag for
This actually solved the issue. just call
curl https://example.com/path --resolve "example.com:443:10.10.10.10"
and the request will skip using DNS and just assume that
example.com for requests on port
443 is located at
10.10.10.10. The server will know which virtualhost is called as it does on any normal request which was forwarded by the load balancer, since the domain is actually given in the request uri.
Well, now there is a solution. Running a console command directly from within the Ruby code is usually quite ugly (in my opinion). This is especially the case since I would have to manually parse all of the output and make sure that I get the correct response code, response body and content type.
Therefore I kept looking to find a solution which would integrate well into our existing code.
We are using the Ruby gem Typhoeus a lot and it is even based on libcurl. I figured there should be a way of passing the
resolve flag along and getting the same result as I did using curl. Unfortunately this is not the case or maybe I just did not look hard enough - again.
Either way, in the end I decided to take a look at Ethon. Ethon is the libcurl wrapper which is also used by Typhoeus. I figured, without the abstraction it should be easy to map any
curl request directly to a call with Ethon.
Turns out I was right. I had some issues of figuring out how exactly Ethon wanted the
resolve flag to be passed in though.
My first attempts at just passing a plain string failed miserably. I guess I expected too much abstraction at a wrapper gem which is the basis for another great gem (which usually adds the abstraction and ease of use I like)
e = Ethon::Easy.new(url: "https://example.com/foo", :resolve => "example.com:443:10.10.10")
Ethon::Errors::InvalidValue: The value: example.com:443:10.10.10.10 is invalid for option: resolve
Not being able to figure out how to pass it in right away and not being willing to invest enough time to eventually figure it out on my own, I decided to open up an issue on github and ask the developer directly.
Who better to give you precisely the information you need on how to use a library than the person who probably knows all of the ins and outs?
Well, as it turns out I was right. I got the information I needed to come up with a solution for our smoke tests very quickly.
The following snipped is what I ended up with to just fit right in where I took the
net/http part out.
require 'ethon' require 'ostruct' require 'uri' r = "example.com:443:10.10.10.10" uri = "https://example.com" resolve = Ethon::Curl.slist_append(nil, r) e = Ethon::Easy.new(url: uri, resolve: resolve, timeout: 4) e.perform e.response_headers =~ /^Content-Type: (.*)$/ content_type = $1 response = OpenStruct.new( :body => e.response_body, :code => e.response_code.to_s, :content_type => content_type )
and for POST requests:
require 'ethon' require 'ostruct' require 'uri' r = "example.com:443:10.10.10.10" uri = "https://example.com" resolve = Ethon::Curl.slist_append(nil, r) e = Ethon::Easy.new(timeout: 4, resolve: resolve) b = "" # your post body e.http_request(uri, :post, body: b) e.perform e.response_headers =~ /^Content-Type: (.*)$/ content_type = $1 response = OpenStruct.new( :body => e.response_body, :code => e.response_code.to_s, :content_type => content_type )
resolve flag is actually not just useful for issues with TLS and SNI but rather allows you to make any request on a server despite a specific domain not actually pointing to the server you are trying to call.
This will certainly come in handy for setting up a server and testing the vhosts before updating the DNS records.