How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-06 17:13:47
Hi,

We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy. The
first config named 'Web access' is working fine. Now I wanted to add
another server which should be accessible via the same host address from
the internet but on another port. Unfortunately it just doesn't work as I
expected. Pound listens on both ports (443 and 8443) but all requests are
passed to 10.1.6.1,80. See my current config below.
Did I miss something here?

Thanks for any help
Simon


/etc/pound/pound.cfg:
--------------------------------------------------------
User nobody
Group nobody
RootJail /usr/share/pound
ExtendedHTTP 1
LogLevel 2
# This is needed for the Squirrelmail bookmarks plugin
CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]

# Web Access
ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.1,80,1
EndGroup

# 5250 Access
ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.4,2016,1
EndGroup

Re: How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-06 17:25:48
> Simon,
>
> Unless something has changed in 1.5, I believe the proper
> way of doing this is to have two separate config files, and bring
> up two instances of Pound.... (I believe ListenHTTPS is only
> usable once in a config file)

Hm, I have several other ListenHTTPS with different IP addresses and they
all work fine. It seems to me that Pound separates them only by IP address
and not by port number.

Simon

>
> -jason
>
> On Thu, Nov 06, 2003 at 05:13:47PM +0100, Simon Matter wrote:
>> Hi,
>>
>> We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy. The
>> first config named 'Web access' is working fine. Now I wanted to add
>> another server which should be accessible via the same host address from
>> the internet but on another port. Unfortunately it just doesn't work as
>> I
>> expected. Pound listens on both ports (443 and 8443) but all requests
>> are
>> passed to 10.1.6.1,80. See my current config below.
>> Did I miss something here?
>>
>> Thanks for any help
>> Simon
>>
>>
>> /etc/pound/pound.cfg:
>> --------------------------------------------------------
>> User nobody
>> Group nobody
>> RootJail /usr/share/pound
>> ExtendedHTTP 1
>> LogLevel 2
>> # This is needed for the Squirrelmail bookmarks plugin
>> CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]
>>
>> # Web Access
>> ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem
>> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> UrlGroup ".*"
>> HeadRequire Host ".*server01.domain.xx.*"
>> BackEnd 10.1.6.1,80,1
>> EndGroup
>>
>> # 5250 Access
>> ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem
>> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> UrlGroup ".*"
>> HeadRequire Host ".*server01.domain.xx.*"
>> BackEnd 10.1.6.4,2016,1
>> EndGroup
>
> --
> -------------------------------------------------------------------
> |                              |                                  |
> | Jason Vasquez                | When their numbers dwindled from |
> | jason(at)obiwan.homelinux.org   | 50 to 8, the other dwarves began |
> | http://obiwan.homelinux.org  | to suspect Hungry.               |
> |                              |                                  |
> |------------------------------------------------------------------
> | Public Key: http://obiwan.homelinux.org/~jason/pubkey.txt       |
> -------------------------------------------------------------------
>


Re: How to separate hosts by listening port?
"Corey Sharrah" <corey(at)icgcorp.net>
2003-11-06 17:30:42
Simon,

ListenHTTP(s)? directives, from what I gather, work independently from
URLGroups. They are used strictly during the startup of pound for
determining what sockets to open. For this reason, your proxy listens on
both as it should, however when it parses the URLGroup/HeadRequire lines, it
will always match the first in the list. To do what you are looking to do,
you may need to run a second copy of pound with the other ListenHTTPS and
URLGroup directives on it.


Corey Sharrah
Chief Systems Specialist I
Internet Commerce Group, Inc.
corey(at)icgcorp.net



----- Original Message -----
From: "Simon Matter" <simon.matter(at)ch.sauter-bc.com>
To: <pound(at)apsis.ch>
Sent: Thursday, November 06, 2003 9:13 AM
Subject: How to separate hosts by listening port?


Hi,

We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy. The
first config named 'Web access' is working fine. Now I wanted to add
another server which should be accessible via the same host address from
the internet but on another port. Unfortunately it just doesn't work as I
expected. Pound listens on both ports (443 and 8443) but all requests are
passed to 10.1.6.1,80. See my current config below.
Did I miss something here?

Thanks for any help
Simon


/etc/pound/pound.cfg:
--------------------------------------------------------
User nobody
Group nobody
RootJail /usr/share/pound
ExtendedHTTP 1
LogLevel 2
# This is needed for the Squirrelmail bookmarks plugin
CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]

# Web Access
ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.1,80,1
EndGroup

# 5250 Access
ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.4,2016,1
EndGroup



Re: How to separate hosts by listening port?
Robert Segall <roseg(at)apsis.ch>
2003-11-06 17:40:14
On Thursday 06 November 2003 17:13, Simon Matter wrote:
> Hi,
>
> We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy. The
> first config named 'Web access' is working fine. Now I wanted to add
> another server which should be accessible via the same host address from
> the internet but on another port. Unfortunately it just doesn't work as I
> expected. Pound listens on both ports (443 and 8443) but all requests are
> passed to 10.1.6.1,80. See my current config below.
> Did I miss something here?
>
> Thanks for any help
> Simon

You seem to have a slight misunderstanding about how Pound works in these 
cases:

- you may define as many addresses/ports to listen as you wish
- all incoming requests are polled, regardless of where they come in
- the UrlGroups take effect afterwards, on ALL requests

Thus the order in which you define ListenHTTP, ListenHTTPS and UrlGroup has no
effect whatsoever (the only exception: the various UrlGroup directives are
matched in the order defined, the first one to match - inclusive of
HeadRequire/HeadDeny - wins).

If what you want is to send traffic on a certain listening address to a 
specific back-end you need to run separate instances of Pound for each 
end-point. You can combine end-points if you have some other means of 
separating requests, such as the Host header. In your case you could try:

User nobody
Group nobody
RootJail /usr/share/pound
ExtendedHTTP 1
LogLevel 2
# This is needed for the Squirrelmail bookmarks plugin
CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]

# Web Access
ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# 5250 Access
ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem

UrlGroup ".*"
HeadRequire Host ".*server01.domain.xx.*"
BackEnd 10.1.6.1,80,1
EndGroup

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
UrlGroup ".*"
HeadRequire Host ".*server02.domain.xx.*"
BackEnd 10.1.6.4,2016,1
EndGroup

If that doesn't work you'll need separate instances.

We plan on resolving this issue in 2.0 with the introduction of a new 
configuration file language.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904


Re: How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-06 18:21:14
> On Thursday 06 November 2003 17:13, Simon Matter wrote:
>> Hi,
>>
>> We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy. The
>> first config named 'Web access' is working fine. Now I wanted to add
>> another server which should be accessible via the same host address from
>> the internet but on another port. Unfortunately it just doesn't work as
>> I
>> expected. Pound listens on both ports (443 and 8443) but all requests
>> are
>> passed to 10.1.6.1,80. See my current config below.
>> Did I miss something here?
>>
>> Thanks for any help
>> Simon
>
> You seem to have a slight misunderstanding about how Pound works in these
> cases:
>
> - you may define as many addresses/ports to listen as you wish
> - all incoming requests are polled, regardless of where they come in
> - the UrlGroup take effect afterwards, on ALL requests
>
> Thus the order in which you define ListenHTTP, ListenHTTPS and UrlGroup
> has no
> effect whatsoever (the only exception: the various UrlGroup directives are
> matched in the order defined, the first one to match - inclusive of
> HeadRequire/HeadDeny - wins).
>
> If what you want is to send traffic on a certain listening address to a
> specific back-end you need to run separate instances of Pound for each
> end-point. You can combine end-points if you have some other means of
> separating requests, such as the Host header. In your case you could try:
>
> User nobody
> Group nobody
> RootJail /usr/share/pound
> ExtendedHTTP 1
> LogLevel 2
> # This is needed for the Squirrelmail bookmarks plugin
> CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]
>
> # Web Access
> ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> # 5250 Access
> ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem
>
> UrlGroup ".*"
> HeadRequire Host ".*server01.domain.xx.*"
> BackEnd 10.1.6.1,80,1
> EndGroup
>
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> UrlGroup ".*"
> HeadRequire Host ".*server02.domain.xx.*"
> BackEnd 10.1.6.4,2016,1
> EndGroup
>

Ah, I see I completely missed the point here. I always assumed that
running just one instance of pound should be enough for what I do. Looks
like I'll change my rpms to make it easy to start several instances, maybe
with a pound.d/ folder.
Another confusion came when I once tested 'HeadRequire' but now I realize
that what I wanted was 'UrlGroup'!
Am I right now that if all content on host 10.1.6.4 is in a subfolder, say
'/webapp/', I should be able to use a 'UrlGroup' directive to send those
requests to 10.1.6.4 and all others to 10.1.6.1?

Simon

Re: How to separate hosts by listening port?
Michael Dunstan <michael(at)elyt.com>
2003-11-06 20:49:16
On 7/11/2003, at 5:40 AM, Robert Segall wrote:

> On Thursday 06 November 2003 17:13, Simon Matter wrote:
>> Hi,
>>
>> We provide access to IBM iSeries Hosts (AS/400) via Pound-1.5 proxy.  
>> The
>> first config named 'Web access' is working fine. Now I wanted to add
>> another server which should be accessible via the same host address  
>> from
>> the internet but on another port. Unfortunately it just doesn't work  
>> as I
>> expected. Pound listens on both ports (443 and 8443) but all requests  
>> are
>> passed to 10.1.6.1,80. See my current config below.
>> Did I miss something here?
>>
>> Thanks for any help
>> Simon
>
> You seem to have a slight misunderstanding about how Pound works in  
> these
> cases:
>
> - you may define as many addresses/ports to listen as you wish
> - all incoming requests are polled, regardless of where they come in
> - the UrlGroup take effect afterwards, on ALL requests
>
> Thus the order in which you define ListenHTTP, ListenHTTPS and  
> UrlGroup has no
> effect whatsoever (the only exception: the various UrlGroup directives  
> are
> matched in the order defined, the first one to match - inclusive of
> HeadRequire/HeadDeny - wins).
>
> If what you want is to send traffic on a certain listening address to a
> specific back-end you need to run separate instances of Pound for each
> end-point. You can combine end-points if you have some other means of
> separating requests, such as the Host header. In your case you could  
> try:
>
> User nobody
> Group nobody
> RootJail /usr/share/pound
> ExtendedHTTP 1
> LogLevel 2
> # This is needed for the Squirrelmail bookmarks plugin
> CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_.!~*'()+,%-{}|\^[]
>
> # Web Access
> ListenHTTPS 10.11.22.33,443 /usr/share/ssl/certs/server01.pem
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> # 5250 Access
> ListenHTTPS 10.11.22.33,8443 /usr/share/ssl/certs/server01.pem
>
> UrlGroup ".*"
> HeadRequire Host ".*server01.domain.xx.*"
> BackEnd 10.1.6.1,80,1
> EndGroup
>
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> UrlGroup ".*"
> HeadRequire Host ".*server02.domain.xx.*"
> BackEnd 10.1.6.4,2016,1
> EndGroup
>
> If that doesn't work you'll need separate instances.

Yet another signature could be the presence of a port in the URL. 8443  
is not a default for browsers so it should be explicit in the URL. In  
that case you could use something like:

HeadRequire Host ".*:8443"

--
Michael


Re: How to separate hosts by listening port?
Robert Segall <roseg(at)apsis.ch>
2003-11-07 12:24:06
On Thursday 06 November 2003 18:21, Simon Matter wrote:
> Another confusion came when I once tested 'HeadRequire' but now I realize
> that what I wanted was 'UrlGroup'!
> Am I right now that if all content on host 10.1.6.4 is in a subfolder, say
> '/webapp/', I should be able to use an 'UrlGroup' directive to send those
> requests to 10.1.6.4 and all others to 10.1.6.1?
>
> Simon

These are two separate issues: Pound requires matches on both in order to 
select a group. If you match on the URL then UrlGroup ".*/webapp.*" would be 
enough. You can also look for a specific virtual host with HeadRequire (as in 
the previous example), exclude a virtual host via HeadDeny or all of them.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
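A small Python model of the group-selection rule this thread describes (Robert's first-match explanation, Michael's port-in-Host idea and the UrlGroup path match above), added here as an illustration; it is not Pound's code, and the group lists and requests in it are constructed from the thread's own examples.

```python
import re

# Added model of Pound 1.5 group selection as explained in the thread: the
# listeners only decide which sockets to open; every request, whichever port
# it came in on, is tested against the UrlGroups in definition order, and the
# first group whose URL regex matches and whose HeadRequire/HeadDeny rules
# hold wins.  Illustrative code, not Pound's own implementation.

def header_ok(pattern, value):
    """A HeadRequire/HeadDeny pattern is matched against the header value."""
    return re.match(pattern, value or "") is not None

def select_backend(groups, url, headers):
    """Return the (addr, port) backend of the first matching group, else None."""
    for g in groups:
        if not re.match(g["url"], url):
            continue
        if any(not header_ok(p, headers.get(h)) for h, p in g.get("require", [])):
            continue
        if any(header_ok(p, headers.get(h)) for h, p in g.get("deny", [])):
            continue
        return g["backend"]
    return None

# Simon's original config: both groups accept any URL and the same Host, so
# the first one always wins, no matter whether 443 or 8443 was hit.
ORIGINAL = [
    {"url": ".*", "require": [("Host", ".*server01.domain.xx.*")], "backend": ("10.1.6.1", 80)},
    {"url": ".*", "require": [("Host", ".*server01.domain.xx.*")], "backend": ("10.1.6.4", 2016)},
]

# Robert's suggestion: separate the two back-ends by virtual host name.
BY_HOST = [
    {"url": ".*", "require": [("Host", ".*server01.domain.xx.*")], "backend": ("10.1.6.1", 80)},
    {"url": ".*", "require": [("Host", ".*server02.domain.xx.*")], "backend": ("10.1.6.4", 2016)},
]

# Michael's suggestion: the non-default port shows up in the Host header.  The
# ":8443" group must come first, because the server01 group would also match
# "server01.domain.xx:8443" and first match wins.
BY_PORT = [
    {"url": ".*", "require": [("Host", ".*:8443")], "backend": ("10.1.6.4", 2016)},
    {"url": ".*", "require": [("Host", ".*server01.domain.xx.*")], "backend": ("10.1.6.1", 80)},
]

# Robert's later answer: match on the URL path, with a catch-all group after it.
BY_PATH = [
    {"url": ".*/webapp.*", "backend": ("10.1.6.4", 2016)},
    {"url": ".*", "backend": ("10.1.6.1", 80)},
]
```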


Re: How to separate hosts by listening port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-11-07 13:07:26
> On Thursday 06 November 2003 18:21, Simon Matter wrote:
>> Another confusion came when I once tested 'HeadRequire' but now I
>> realize
>> that what I wanted was 'UrlGroup'!
>> Am I right now that if all content on host 10.1.6.4 is in a subfolder,
>> say
>> '/webapp/', I should be able to use an 'UrlGroup' directive to send
>> those
>> requests to 10.1.6.4 and all others to 10.1.6.1?
>>
>> Simon
>
> These are two separate issues: Pound requires matches on both in order to
> select a group. If you match on the URL then UrlGroup ".*/webapp.*" would
> be
> enough. You can also look for a specific virtual host with HeadRequire (as
> in
> the previous example), exclude a virtual host via HeadDeny or all of them.

I have reconfigured all our pound configs today and it works perfectly now.

Thanks
Simon
