How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-06 17:13:47
Hi,

We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy. The
first config named 'Web access' is working fine. Now I wanted to add
another server which should be accessible via the same host address from
the internet but on another port. Unfortunately it just doesn't work as I
expected. Pound listens on both ports (443 and 8443) but all requests are
passed to 10.1.6.1,80. See my current config below.
Did I miss something here?

Thanks for any help
Simon


/etc/pound/pound.cfg:
--------------------------------------------------------
User nobody
Group nobody
RootJail /usr/share/pound
ExtendedHTTP 1
LogLevel 2
# This is needed for the Squirrelmail bookmarks plugin
CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]

# Web Access
ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.1,80,1
EndGroup

# 5250 Access
ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.4,2016,1
EndGroup

Re: How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-06 17:25:48
> Simon,[...]

Hm, I have several other ListenHTTPS with different IP addresses and they
all work fine. It seems to me that Pound separates them only by IP address
and not by port number.

Simon

Re: How to separate hosts by listening port?
"Corey Sharrah" <corey(at)icgcorp.net>
2003-11-06 17:30:42
Simon,

    ListenHTTP(s)? directives, from what I gather, work independently from
URLGroups. They are used strictly during the startup of pound for
determining what sockets to open. For this reason, your proxy listens on
both as it should, however when it parses the URLGroup/HeadRequire lines, it
will always match the first in the list. To do what you are looking to do,
you may need to run a second copy of pound with the other ListenHTTPS and
URLGroup directives on it.


Corey Sharrah
Chief Systems Specialist I
Internet Commerce Group, Inc.
corey(at)icgcorp.net




Re: How to separate hosts by listening port?
Robert Segall <roseg(at)apsis.ch>
2003-11-06 17:40:14
On Thursday 06 November 2003 17:13, Simon Matter wrote:[...]

You seem to have a slight misunderstanding about how Pound works in these 
cases:

- you may define as many addresses/ports to listen as you wish
- all incoming requests are polled, regardless of where they come in
- the UrlGroup directives take effect afterwards, on ALL requests

Thus the order in which you define ListenHTTP, ListenHTTPS and UrlGroup has no 
effect whatsoever (the only exception: the various UrlGroup directives are 
matched in the order defined, the first one to match - inclusive of 
HeadRequire/HeadDeny - wins).

If what you want is to send traffic on a certain listening address to a 
specific back-end you need to run separate instances of Pound for each 
end-point. You can combine end-points if you have some other means of 
separating requests, such as the Host header. In your case you could try:

User nobody
Group nobody
RootJail /usr/share/pound
ExtendedHTTP 1
LogLevel 2
# This is needed for the Squirrelmail bookmarks plugin
CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]

# Web Access
ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# 5250 Access
ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.1,80,1
EndGroup

UrlGroup ".*"
HeadRequire Host ".*server02.domain.xx.*"
BackEnd 10.1.6.4,2016,1
EndGroup

If that doesn't work you'll need separate instances.

We plan on resolving this issue in 2.0 with the introduction of a new 
configuration file language.[...]

Re: How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-06 18:21:14
> On Thursday 06 November 2003 17:13, Simon Matter wrote:[...][...]
Ah, I see I completely missed the point here. I always assumed that
running just one instance of pound should be enough for what I do. Looks
like I'll change my rpms to make it easy to start several instances, maybe
with a pound.d/ folder.
Another confusion came when I once tested 'HeadRequire' but now I realize
that what I wanted was 'UrlGroup'!
Am I right now that if all content on host 10.1.6.4 is in a subfolder, say
'/webapp/', I should be able to use an 'UrlGroup' directive to send those
requests to 10.1.6.4 and all others to 10.1.6.1?

Simon

Re: How to separate hosts by listening port?
Michael Dunstan <michael(at)elyt.com>
2003-11-06 20:49:16
On 7/11/2003, at 5:40 AM, Robert Segall wrote:
[...][...][...]

Yet another signature could be the presence of a port in the URL. 8443  
is not a default for browsers so it should be explicit in the URL. In  
that case you could use something like:

HeadRequire Host ".*:8443"

--
Michael

Re: How to separate hosts by listening port?
Robert Segall <roseg(at)apsis.ch>
2003-11-07 12:24:06
On Thursday 06 November 2003 18:21, Simon Matter wrote:[...]

These are two separate issues: Pound requires matches on both in order to 
select a group. If you match on the URL then UrlGroup ".*/webapp.*" would be 
enough. You can also look for a specific virtual host with HeadRequire (as in 
the previous example), exclude a virtual host via HeadDeny or all of them.[...]
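
The selection rule described in this thread (groups tried in definition order, a group chosen only when its UrlGroup pattern and its HeadRequire patterns both match, the listening socket never consulted), as an added example that is not part of any post and is not Pound's code. The tuple layout, `select_backend`, `route` and the sample requests are constructed for illustration, and full-match, case-insensitive regex semantics are an assumption.

```python
import re

# Simplified model of the rule in this thread, not Pound's source.
# A group is (UrlGroup regex, {header: HeadRequire regex}, backend).
# Assumption: patterns are full-match; header values are case-insensitive.

def select_backend(groups, url, headers):
    """First group whose URL pattern and all HeadRequire patterns match."""
    for url_re, require, backend in groups:
        if not re.fullmatch(url_re, url):
            continue
        if all(re.fullmatch(pat, headers.get(name, ""), re.I)
               for name, pat in require.items()):
            return backend
    return None  # no group matched

def route(groups, listen_port, url, host):
    """listen_port is accepted but never used: listeners do not take
    part in group selection, which is the point of the thread."""
    return select_backend(groups, url, {"Host": host})

# Simon's original config: two identical groups, so the first always wins.
ORIGINAL = [
    (r".*", {"Host": r".*server01.domain.xx.*"}, "10.1.6.1,80"),
    (r".*", {"Host": r".*server01.domain.xx.*"}, "10.1.6.4,2016"),
]

# Michael's Host-port pattern, placed first so it is tried first.
BY_HOST_PORT = [
    (r".*", {"Host": r".*:8443"}, "10.1.6.4,2016"),
    (r".*", {"Host": r".*server01.domain.xx.*"}, "10.1.6.1,80"),
]

# Robert's URL split for content under /webapp/.
BY_URL = [
    (r".*/webapp.*", {}, "10.1.6.4,2016"),
    (r".*", {}, "10.1.6.1,80"),
]

if __name__ == "__main__":
    # Constructed requests: (listening port, Host header), URL "/".
    for name, groups in [("original", ORIGINAL), ("host-port", BY_HOST_PORT)]:
        for port, host in [(443, "server01.domain.xx"),
                           (8443, "server01.domain.xx:8443"),
                           (443, "server01.domain.xx:8443")]:
            print(name, port, host, "->", route(groups, port, "/", host))
```

The last constructed request arrives on 443 but carries `:8443` in its Host header and is still sent to 10.1.6.4, because the Host value is supplied by the client. Where the port has to act as a boundary (for example a firewall rule on 8443), separate instances as Robert describes are the configuration that enforces it.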

Re: How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-07 13:07:26
> On Thursday 06 November 2003 18:21, Simon Matter wrote:[...][...]

I have reconfigured all our pound configs today and it works perfectly now.

Thanks
Simon
