SSL way
Stefano Mason <stefano.mason(at)t-systems.it>
2003-10-03 16:39:40
Is it possible with Pound v1.4 on Linux RedHat 9 to reverse proxy an SSL
client to an SSL server?
Before this issue, I tried the SSL wrapper feature, but unfortunately the
server is a bad "Lotus Domino"; this server with "iNotes" responds with a
redirect URL to the http protocol. I found on "notes.net" that this is a Domino
problem and the only solution is to convert the server to listen on the
https protocol.
Obviously the "SSL wrapper feature" with a different web server works very
well.
My config file:
ListenHTTPS XXX.XXX.X.X,443 /usr/local/etc/pound/webmail1.pem
User apache
Group apache
LogLevel 2
UrlGroup ".*"
BackEnd 172.24.4.3,443,1
Session IP 300
EndGroup
Error messages log:
Oct 3 15:57:58 reverse pound: error read from XXX.XXX.X.XXX: Success
Oct 3 15:59:06 reverse pound: response error read from 172.24.4.3:443: Success
Many thanks in advance.
Stefano Mason
Re: SSL way
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-10-03 17:17:17
> Is it possible with Pound v1.4 on Linux RedHat 9 to reverse proxy an SSL
> client to an SSL server?
>
> Before this issue, I tried the SSL wrapper feature, but unfortunately the
> server is a bad "Lotus Domino"; this server with "iNotes" responds with a
> redirect URL to the http protocol. I found on "notes.net" that this is a Domino
> problem and the only solution is to convert the server to listen on the
> https protocol.
Hm, I had a similar problem with Squirrelmail. The only solution I found
was to patch Squirrelmail.
Simon
>
> Obviously the "SSL wrapper feature" with a different web server works very
> well.
>
> My config file:
>
> ListenHTTPS XXX.XXX.X.X,443 /usr/local/etc/pound/webmail1.pem
> User apache
> Group apache
> LogLevel 2
>
> UrlGroup ".*"
> BackEnd 172.24.4.3,443,1
> Session IP 300
> EndGroup
>
>
>
> Error messages log:
>
> Oct 3 15:57:58 reverse pound: error read from XXX.XXX.X.XXX: Success
> Oct 3 15:59:06 reverse pound: response error read from 172.24.4.3:443:
> Success
>
>
> Many thanks in advance.
> Stefano Mason
>
>
Re: SSL way
Robert Segall <roseg(at)apsis.ch>
2003-10-03 18:41:12
On Friday 03 October 2003 16:39, Stefano Mason wrote:
> Is it possible with Pound v1.4 on Linux RedHat 9 to reverse proxy an SSL
> client to an SSL server?
No, and there are good reasons for it: you would lose a lot of the features,
such as session tracking and HTTP validation, or you would lose security.
> Before this issue, I tried the SSL wrapper feature, but unfortunately the
> server is a bad "Lotus Domino"; this server with "iNotes" responds with a
> redirect URL to the http protocol. I found on "notes.net" that this is a Domino
> problem and the only solution is to convert the server to listen on the
> https protocol.
Try the Pound-current - it has exactly the Location rewriting feature you
require: if a response from the server is a redirect, Pound changes the
content of the Location header to be the correct protocol/host.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
Re: SSL way
Stefano Mason <stefano.mason(at)t-systems.it>
2003-10-07 12:00:44
Robert Segall wrote:
>
> On Friday 03 October 2003 16:39, Stefano Mason wrote:
>
>> Is it possible with Pound v1.4 on Linux RedHat 9 to reverse proxy an SSL
>> client to an SSL server?
>
> No, and there are good reasons for it: you would lose a lot of the features,
> such as session tracking and HTTP validation, or you would lose security.
>
OK
>
>> Before this issue, I tried the SSL wrapper feature, but unfortunately the
>> server is a bad "Lotus Domino"; this server with "iNotes" responds with a
>> redirect URL to the http protocol. I found on "notes.net" that this is a Domino
>> problem and the only solution is to convert the server to listen on the
>> https protocol.
>
> Try the Pound-current - it has exactly the Location rewriting feature you
> require: if a response from the server is a redirect, Pound changes the
> content of the Location header to be the correct protocol/host.
> --
Unfortunately the latest Pound-current.tgz doesn't resolve the
redirect problem of the Domino server with the iNotes configuration on e-mail db
files.
Environment: Domino server ver. 5 + iNotes
After the authentication popup the URL changes to http://. If you manually
change it to https:// it works fine.
Is there something I can do to help the development of a patch?
Is it only a Domino problem?
Many thanks in advance.
Cheers.
Stefano Mason
Re: SSL way
Robert Segall <roseg(at)apsis.ch>
2003-10-07 12:26:10
On Tuesday 07 October 2003 12:00, Stefano Mason wrote:
> Unfortunately the latest Pound-current.tgz doesn't resolve the
> redirect problem of the Domino server with the iNotes configuration on e-mail db
> files.
>
> Environment: Domino server ver. 5 + iNotes
>
> After the authentication popup the URL changes to http://. If you manually
> change it to https:// it works fine.
>
> Is there something I can do to help the development of a patch?
> Is it only a Domino problem?
>
> Many thanks in advance.
>
> Cheers.
>
> Stefano Mason
Please try tcpwatch between Pound and Notes (to see what is happening there:
the most important part is the Redirect response) and perhaps LiveHeaders on
Mozilla to see what Pound actually returns. With that information, plus your
Pound config file, we should be able to fix it.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
Re: SSL way
Stefano Mason <stefano.mason(at)t-systems.it>
2003-10-08 12:52:42
HTTPS wrapper feature:
After further analysis carried out with my colleague, we have replicated the
behaviour of Domino Notes in a Tomcat server.
We have created a redirect call to the host contained in the "Host:" header:
response.sendRedirect(request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+"/xxx");
This behaviour is common, because if I send Tomcat a request for a
directory that contains index.html, the response constructed by Tomcat is
equal to the behaviour of Domino Notes.
The problem is:
Pound changes the URL of the request but keeps the "Host:" header unchanged.
If this behaviour is correct, how can we make the https wrapper?
Many thanks!
Robert:
Let me know if you need any other information.
Cheers.
Stefano Mason
Re: SSL way
Robert Segall <roseg(at)apsis.ch>
2003-10-08 15:45:09
On Wednesday 08 October 2003 12:52, Stefano Mason wrote:
> HTTPS wrapper feature:
>
> After further analysis carried out with my colleague, we have replicated the
> behaviour of Domino Notes in a Tomcat server.
> We have created a redirect call to the host contained in the "Host:"
> header:
>
> response.sendRedirect(request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+"/xxx");
And the values of those are?
> This behaviour is common, because if I send Tomcat a request for a
> directory that contains index.html, the response constructed by Tomcat is
> equal to the behaviour of Domino Notes.
>
> The problem is:
> Pound changes the URL of the request but keeps the "Host:" header unchanged.
That is untrue - Pound NEVER changes the request URL, no matter what the Host
may be (actually nothing changes in the request; the Location header may be
changed in the response).
> If this behaviour is correct, how can we make https wrapper?
I'm not sure how the two questions are connected.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
Re: SSL way
Stefano Mason <stefano.mason(at)t-systems.it>
2003-10-08 16:47:12
Robert Segall wrote:
>
> On Wednesday 08 October 2003 12:52, Stefano Mason wrote:
>
>> HTTPS wrapper feature:
>>
>> After further analysis carried out with my colleague, we have replicated the
>> behaviour of Domino Notes in a Tomcat server.
>> We have created a redirect call to the host contained in the "Host:"
>> header:
>>
>> response.sendRedirect(request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+"/xxx");
>
> And the values of those are?
request.getScheme() = "http"
request.getServerName() = "webmail1.t-systems.it"
request.getServerPort() = "80"
>
>> If this behaviour is correct, how can we make the https wrapper?
>
> I'm not sure how the two questions are connected.
My application constructs a redirected location based on the Host header,
which is that of the original request; but the port is different,
because Pound listens (only, for security reasons) on 443 and redirects
requests to 80. Therefore the location constructed by the application is
http://webmail1.t-systems.it, and Pound doesn't change it, because this
URL is not recognized as one to be managed.
Many thanks in advance for your support.
Cheers.
Stefano Mason
Re: SSL way
Robert Segall <roseg(at)apsis.ch>
2003-10-08 17:13:01
On Wednesday 08 October 2003 16:47, Stefano Mason wrote:
> My application constructs a redirected location based on the Host header,
> which is that of the original request; but the port is different,
> because Pound listens (only, for security reasons) on 443 and redirects
> requests to 80. Therefore the location constructed by the application is
> http://webmail1.t-systems.it, and Pound doesn't change it, because this
> URL is not recognized as one to be managed.
Are you sure this is correct? I believe most servers build their responses
based upon the request Host contents. Thus if you request

    https://xyz.com:443/abc

Pound passes a request to the backend (via HTTP!)

    GET abc HTTP/1.1
    Host: xyz.com:443

and the back-end should reply with

    HTTP/1.1 302 FOUND
    Location: http://xyz.com:443/new
    Host: xyz.com:443

which would be rewritten by Pound as

    HTTP/1.1 302 FOUND
    Location: https://xyz.com:443/new
    Host: xyz.com:443

thus completing the cycle correctly.

The process you described is different because you do not specify the port.
If you use default values (no port) the original request becomes

    https://xyz.com/abc

Pound passes a request to the backend (via HTTP!)

    GET abc HTTP/1.1
    Host: xyz.com

and the back-end would reply with

    HTTP/1.1 302 FOUND
    Location: http://xyz.com/new
    Host: xyz.com

which would not be rewritten by Pound, resulting in

    HTTP/1.1 302 FOUND
    Location: http://xyz.com/new
    Host: xyz.com

thus failing.
In order to test this all you would need to do is to issue your original
request WITH THE EXPLICIT PORT INCLUDED. If it works (which I assume it
would) we could build a work-around for it by appending the explicit port
number in the request and stripping it on the reply.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
Re: SSL way
Roland <list-pound(at)openrbl.org>
2003-10-08 17:25:32
On Wednesday, 8 October 2003 16:47 +0200 Stefano Mason
<stefano.mason(at)t-systems.it> wrote:
> My application constructs a redirected location based on Host header which
> is that of the original request; but the port is different, because Pound
> listens (only, for security reason) on 443 and redirects requests to 80.
> Therefore the location constructed by the application is
> http://webmail1.t-systems.it, and Pound doesn't change it, because this URL
> is not recognized to be managed.
Pound does a gethostbyname() on webmail1.t-systems.it and only
rewrites the location if the ip matches (one of) the backend.
You could change the redirect to https://webmail1.t-systems.it/
or use a hostname which resolves to the same ip as the backend.
Roland
Re: SSL way
Stefano Mason <stefano.mason(at)t-systems.it>
2003-10-08 17:39:26
Robert Segall wrote:
> In order to test this all you would need to do is to issue your original
> request WITH THE EXPLICIT PORT INCLUDED. If it works (which I assume it
> would) we could build a work-around for it by appending the explicit port
> number in the request and stripping it on the reply.
EUREKA!!! It works with the explicit port number in the request:
https://webmail1.t-systems.it:443/
afterwards, in the response, the location URL changes to:
https://webmail1.t-systems.it/etc.
Many thanks, I hope for a work-around when you can make it.
Sorry for our persistence.
Cheers.
Stefano Mason
Re: SSL way
Robert Segall <roseg(at)apsis.ch>
2003-10-08 18:50:14
On Wednesday 08 October 2003 17:39, Stefano Mason wrote:
> EUREKA!!! It works with explicit port number on request:
Good. Try to download the new -current (just finished uploading it) and let
me know how it works.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
Re: SSL way
Stefano Mason <stefano.mason(at)t-systems.it>
2003-10-08 19:37:58
Robert Segall wrote:
>
> On Wednesday 08 October 2003 17:39, Stefano Mason wrote:
>
>>EUREKA!!! It works with explicit port number on request:
>
>
> Good. Try to download the new -current (just finished uploading it) and let
> me know how it works.
> --
GOOD news for Tomcat users:
Everything works in our test server (Tomcat web application) built to
replicate the redirect behaviour of Domino Notes.
Thanks a lot.
BAD news:
When we try the production Domino Notes web server we fail with the same
error.
We don't know how the application under Domino builds the location for
the redirect.
We debugged the dialogue between Pound and the back-end server using tcpwatch
and the results are attached in the debug.txt.gz file.
It seems that Domino is cutting the port number from the Host header.
I think this isn't a Pound problem, but if you have some ideas they are
very welcome.
Many, many, many thanks.
Cheers.
Stefano Mason
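To make the rewrite rule discussed in this thread concrete (Robert's two explicit-port exchanges, Roland's gethostbyname() note, the proposed Host-port work-around, and the Domino port-stripping behaviour Stefano reports above), here is an added simulation; it is not Pound's own code, and it assumes a fixed hostname-to-IP table in place of DNS plus the backend IP and listener port taken from Stefano's config.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed simulation of the Location-rewrite rule as Robert and Roland describe
# it in this thread; this is NOT Pound's source code. The hostname->IP table stands
# in for gethostbyname(); backend IP and port 443 come from Stefano's config.
LISTEN_PORT = 443
BACKEND_IPS = {"172.24.4.3"}
DNS = {"xyz.com": "172.24.4.3", "webmail1.t-systems.it": "172.24.4.3"}


def rewrite_location(location: str, listen_port: int = LISTEN_PORT) -> str:
    """Location value the HTTPS client sees after Pound's response pass.

    An http:// redirect is turned into https:// only when its hostname
    resolves to a backend IP (Roland) AND its effective port equals the port
    Pound listens on (Robert's explicit-port explanation); otherwise untouched.
    """
    p = urlsplit(location)
    if p.scheme != "http" or p.hostname is None:
        return location
    port = p.port if p.port is not None else 80        # http default if omitted
    if DNS.get(p.hostname) not in BACKEND_IPS or port != listen_port:
        return location                                # "not recognised as ours"
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def app_redirect(host_header: str, path: str, strips_port: bool = False) -> str:
    """Redirect built from the request Host header, as the Tomcat servlet in
    the thread does (scheme://serverName:serverPort/path over plain HTTP).
    strips_port=True models Domino dropping ':port' from Host (Stefano's trace)."""
    if strips_port:
        host_header = host_header.partition(":")[0]
    return "http://" + host_header + path


def https_wrap(host_header: str, path: str, strips_port: bool = False) -> str:
    """Robert's proposed work-around end to end: send the explicit listener
    port to the backend in Host, rewrite the reply, then strip ':443' again."""
    host, _, port = host_header.partition(":")
    explicit = f"{host}:{port or LISTEN_PORT}"
    loc = rewrite_location(app_redirect(explicit, path, strips_port))
    p = urlsplit(loc)
    if p.scheme == "https" and p.port == LISTEN_PORT:     # strip the default port
        loc = urlunsplit(("https", p.hostname, p.path, p.query, p.fragment))
    return loc
```

With strips_port=False the work-around yields exactly the https://webmail1.t-systems.it/etc. result Stefano reported; with strips_port=True the redirect stays on http://, reproducing the Domino failure.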