Startup Problems
"Joel Johnston" <j.johnston(at)FinancialAid.com>
2003-11-21 01:14:48
I'm running FreeBSD 4.7.x
I'm also running IPFilter, Namedb, Postfix, IPNAT.. This is a firewall
box with HEAVY rules in IPFilter (which I didn't write.)
I just updated the ports via CVSUP and installed Pound-1.5
I wrote a pound.cfg and placed it in the /usr/local/etc/ directory where
BSD is looking for it.
I configured it like so.....
ListenHTTP xx.xx.xx.xx,80
ListenHTTPS xx.xx.xx.xx,443 /usr/src/crypto/openssl/apps/server.pem
Alive 10
UrlGroup ".*"
#BackEnd 10.4.0.50,80,1
BackEnd 10.4.0.60,80,5
EndGroup
My expected result here is that Pound would route ALL traffic to
10.4.0.60, just to see if it's actually working. Nonetheless there were
no results.
I checked TOP and Pound is running two threads. No matter what address I
listen on, be it public or private, I get no change in results... If
you can, please suggest some things for me to try.
Thank You Much
Joel Johnston
Joel Johnston - Network Engineer / Web Developer
402 W. Broadway, Suite 770
San Diego, CA 92101
Phone: 888-868-1391 Ext.8024
E-mail: j.johnston(at)financialaid.com

Re: Startup Problems
Ian Harding <iharding(at)tpchd.org>
2003-11-21 07:51:57
What does /var/log/messages tell you? I don't know if pound logs much
by default, but I set a debug level in the config file that dumps a
bunch of interesting stuff. If pound is picking up the phone, something
will be there. If it's not, you should see startup messages and nothing
else, so you will know to look at your inbound rules.
Joel Johnston wrote:
[...]

Re: Startup Problems
Robert Segall <roseg(at)apsis.ch>
2003-11-21 16:02:01
On Friday 21 November 2003 01:14, Joel Johnston wrote:[...]
BSD does not care about it.
[...]
Looks OK.
[...]
1. run netstat and find out if 80 and 443 are really listening on the correct
address (which also is your real address)
2. lynx 10.4.0.60 to make sure your back-end is accessible
3. look in the back-end log - is it being accessed by Pound?
4. check the ipfilter rules to make sure the ports are not firewalled/rdr
5. add LogLevel 3 and look in the log file to see what Pound did
Finally - what does "there were no results" mean? What happens when you try to
connect with a browser from the outside world? What do you see?[...]

RE: Startup Problems
"Joel Johnston" <j.johnston(at)FinancialAid.com>
2003-11-21 20:58:50
Thanks for the input. I ran through the suggested troubleshooting
processes including Ian's suggestion.
1. netstat shows that I'm listening on the correct IP
2. I didn't do lynx because I'm not really interested in configuring it
on this box. But I can ping .60 and I've independently verified from
other LAN resources that this box is serving up the websites in the same
manner as its parent.
3. The back-end log on .60 doesn't show any traffic from the firewall at
all.
4. IPFilter seems to be the source of the headache as practically every
rule there has a quick statement. While I'm new to IPFilter I know that
these rules are likely directing the traffic away from the firewall
machine before the packets have any chance to be analyzed by pound. This
(so far,) seems to be the hottest point of attention.
5. I HAVE however enabled LogLevel 3 and am not seeing ANY information
other than the service starting in the message log. Pound itself is not
telling me anything other than that it is started. In TOP I see it
running but it's low in priority and using 0.00% at all times. So it's
practically invisible.
Aside: (Is there a way to point this information to a different log? I'm
running IPMon and it's just filling up that log and making it increasingly
difficult to see anything else happening.)
What I'm trying to achieve is load balancing between two webservers in
the end and it has become a critical issue due to our SSL needs on the
outside. I REALLY appreciate the attention you all have afforded me on
this issue.
If you have any other suggestions or details as to how I might approach
this situation, I'm all ears.
Thanks Again,
Joel

RE: Startup Problems
"Joel Johnston" <j.johnston(at)FinancialAid.com>
2003-11-21 23:48:19
Here are my thoughts at the moment, the IPF rules point all of our web
requests directly from the outside (after it has been resolved by DNS
via a rdr in IPNAT,) to our local webserver internally. If I re-direct
my DNS to point directly at the internal NIC on my firewall, then
wouldn't POUND be able to accept the requests and forward the
connectivity to the webserverS?
Is this the intended usage?
Thanks Again
-----Original Message-----
From: Ian Harding [mailto:iharding(at)tpchd.org]
Sent: Friday, November 21, 2003 1:55 PM
To: Joel Johnston
Subject: Re: Startup Problems
IPFilter kind of requires a QUICK for rules that will reject, because it
keeps looking and if it finds one later that matches, and the prior rule
wasn't QUICK, it will match and let the traffic through.
That's not clear, of course, but the basic rule is, IPFilter will honor
the LAST rule that matches, and it won't stop looking until it reaches
the end, unless you tell it QUICK.
It's confusing. Since pound is not even picking up the phone, IPFilter
must be the problem.
Try turning it off. Seriously, just for a minute to see what's up.
something like /etc/rc.d/ipfilter stop
Then check the logs.
Joel Johnston wrote:
[...]

Re: Startup Problems
Robert Segall <roseg(at)apsis.ch>
2003-11-22 00:24:02
On Friday 21 November 2003 23:48, Joel Johnston wrote:[...]
I suspect you confuse DNS resolution with NAT/rdr - the two are VERY different
things.
What you need to do:
- make sure www.yourhost.com resolves to the address Pound runs on.
- make sure the "firewall" does not redirect these requests anywhere else
- make sure the "firewall" allows incoming packets to port 80
If the three conditions are met a request to http://www.yourhost.com would be
handled by Pound, which in turn would call the back-end servers to do the
actual processing.[...]

Re: Startup Problems
Robert Segall <roseg(at)apsis.ch>
2003-11-22 00:34:03
On Friday 21 November 2003 20:58, Joel Johnston wrote:[...]
Good
[...]
Ping is meaningless - it may very well be that you have a rdr rule to send
traffic to that host/port 80 somewhere else. Run the test.
[...]
Means Pound does not send any request there.
[...]
What they are likely to do is one thing, what actually happens something else.
Learn IPFilter and check the ruleset. In particular pay attention to rdr
rules. Quick or not matters little - rdr is another beast (and remember -
redirection is applied before filtering).
[...]
Use ps if top doesn't show you the process.
If the Pound log shows no activity it means no requests reach it. Possible
reasons: DNS resolution (use numeric IP address to test) or rdr rules (try
accessing the server with a browser from the outside and see who responds).
Try using a local client on the machine running Pound (such as lynx) and see
if you can access it, and if the access is recorded in the log.
[...]
Pound allows full configuration of the log destination - any syslog facility
or stdout/stderr (for daemontools usage). See the README/web page for
installation instructions.
[...]
Sure - answer the original question:
[...]
This might be the most important clue in solving your problem.[...]

RE: Startup Problems
"Joel Johnston" <j.johnston(at)FinancialAid.com>
2003-11-24 21:08:47
I took a long look into the rules in place on this server and (since I'm
new here,) discovered a number of things that were affecting Pound and
its ability to run. So, it turns out that the IPNAT configuration was
redirecting traffic on 80 to an internal IP (duh!) Hindsight is always
20/20 huh?
So I got it to "work." In answer to earlier questions, the "not
working" portion was that I was telling pound to re-direct all port 80
traffic to the backup server (.60) and it wouldn't do so..
So on to my next problem. After I got pound to re-direct the traffic, I
realized that the HTTPS line pointing to a sample SSL certificate wasn't
going to cut the mustard and as a result all of our HTTPS traffic was
being denied when it went through pound.
So, I opened a whole new can of worms that I'm unfamiliar with and that
would be how the heck to get our existing certificates over to this
machine and properly configured so that Pound can use them correctly
with the end clients. I've found plenty of reference material on how to
do this for Apache (which seems easy enough.) But I can't seem to get
Pound to execute with my PEM file. As I'm POSITIVE other dolts like me
have tried to do this and failed at first, are there any threads or
tutorials that someone could refer me to on how to properly configure
pre-existing Certificates for OPENSSL? I've looked for something
specific to my task but have come up with little to show for it other
than all my keys .crs .crt and private key information are here on my
server now..
Again THANK YOU for your help and patience with the newb (me). I'll
certainly pass on any knowledge I can to other newbs in the future.
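A check that goes with Robert's point that rdr is applied before filtering and with Joel's finding that IPNAT was redirecting port 80 to an internal address. This is an added Python example, not code from the thread or from Pound; the ruleset text and the 192.0.2.10 public address are constructed stand-ins for the poster's xx.xx.xx.xx and real rules, and the parser handles only the single-port rdr form.

```python
import re

# Constructed /etc/ipnat.rules sample (not the poster's real ruleset), modelled
# on the thread: 192.0.2.10 stands in for the public "xx.xx.xx.xx" Pound listens
# on, and port 80 on it is rdr'd to an internal web server behind the firewall.
SAMPLE_IPNAT_RULES = """\
map fxp0 10.4.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.4.0.0/16 -> 0/32
# this rule hands port 80 to 10.4.0.50 before Pound's socket is ever consulted
rdr fxp0 192.0.2.10/32 port 80 -> 10.4.0.50 port 80 tcp
rdr fxp0 192.0.2.10/32 port 25 -> 10.4.0.20 port 25 tcp
"""

# Single-port rdr form: rdr <if> <ext>[/mask] port <p> -> <int> port <p> [proto]
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>[\d.]+)(?:/\d+)?\s+port\s+(?P<port>\d+)"
    r"\s+->\s+(?P<int>[\d.]+)\s+port\s+(?P<iport>\d+)(?:\s+(?P<proto>\S+))?"
)

def parse_rdr_rules(text):
    """One dict per rdr rule; comments, blank lines and map rules are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RDR_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def find_shadowing_rdr(text, listen_addr, listen_port):
    """rdr rules that capture traffic meant for a Pound ListenHTTP/ListenHTTPS
    address. NAT redirection runs before filtering and before any local socket
    is looked at, so a hit means requests go to the rdr target and never reach
    Pound, whatever the ipf rules say and however quiet Pound's log is."""
    hits = []
    for r in parse_rdr_rules(text):
        any_addr = r["ext"] in ("0.0.0.0", "0")
        if (r["ext"] == listen_addr or any_addr) and int(r["port"]) == int(listen_port):
            hits.append(r)
    return hits

if __name__ == "__main__":
    for r in find_shadowing_rdr(SAMPLE_IPNAT_RULES, "192.0.2.10", 80):
        print("port %s on %s is rdr'd to %s:%s before Pound sees it"
              % (r["port"], r["ext"], r["int"], r["iport"]))
```

Run it against the real /etc/ipnat.rules (or the output of ipnat -l, after trimming its headings) with the address and port from the ListenHTTP/ListenHTTPS lines.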

RE: Startup Problems
"Joel Johnston" <j.johnston(at)FinancialAid.com>
2003-11-24 21:54:56
My problem seems to be my Private Key.
I'm getting the "SSL_CTX_use_PrivateKey_file failed - aborted" message
every time I try to start pound.
I've tried using the server.key file that the company has in its
certificates directory AND I've generated my own. All end up with the
same result.. In my PEM I have the contents of my csr, 3 crt's, and the
Key file.
I've only read bits and pieces that suggest that my chain certificates,
my certificate, my key and my csr need to be concatenated into a single
PEM file. Once that's done though I have no clue what to do.
-----Original Message-----
From: Ian Harding [mailto:iharding(at)tpchd.org]
Sent: Monday, November 24, 2003 4:45 AM
To: Joel Johnston
Subject: Re: Startup Problems
The thing that bit me with ssl certs is that I had to take off the
passphrase for mine to work with AOLServer. I am not using ssl with
pound though. It was not very intuitive that this was the problem.
Good luck!
Joel Johnston wrote:
[...]

Re: Startup Problems
Robert Segall <roseg(at)apsis.ch>
2003-11-25 09:06:13
On Monday 24 November 2003 21:54, Joel Johnston wrote:[...]
At a minimum you need the file to contain:
- a PEM-formatted server certificate
- a PEM-formatted private key for the above, NOT password protected
Optionally additional PEM-encoded certificates establishing the links between
a "known" Certificate Authority and your certificate may also be there (this
is usually not necessary if you got the certificate from a known CA).
This means the file looks something like
-----BEGIN RSA PRIVATE KEY-----
Axyoidcdsclkdlcmsdlcmslkdc mlkccmsdcmlkdsclkdsmclksmclkdmlüdkopqdeoijoij
dsckjsdcciwefijwckewoiövnhm$KFEKFWÜÄOEKFOPW==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Axyoidcdsclkdlcmsdlcmslkdc mlkccmsdcmlkdsclkdsmclksmclkdmlüdkopqdeoijoij
dsckjsdcciwefijwckewoiövnhm$KFEKFWÜÄOEKFOPW==
-----END CERTIFICATE-----
except you'll (normally) have more lines of gobbledygook.
Following the Apache installation recipe is good - just make sure you generate
the private key WITHOUT a password (option -nodes on openssl).[...]
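An added Python check (not from the thread or from Pound) for the file layout Robert describes: it parses the PEM blocks and reports a missing certificate or key, a passphrase-protected key (the cause Ian's and Robert's replies point at for the SSL_CTX_use_PrivateKey_file failure Joel saw) and a stray CSR block. The two sample files are constructed placeholders, not real key material.

```python
import re

# Constructed sample files with placeholder bodies; only the BEGIN/END
# boundary lines and the Proc-Type header are inspected, never the base64.
BAD_PEM = """\
-----BEGIN CERTIFICATE REQUEST-----
cG9zdGVkQ1NSUGxhY2Vob2xkZXI=
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
c2VydmVyQ2VydFBsYWNlaG9sZGVy
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
ZW5jcnlwdGVkS2V5UGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""
GOOD_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
cGxhaW5LZXlQbGFjZWhvbGRlcg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
c2VydmVyQ2VydFBsYWNlaG9sZGVy
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlQ0FQbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""

# One PEM block: the label from the BEGIN line and the body up to its END line.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

def check_pound_pem(text):
    """Problems that would stop Pound loading this file or show it was put
    together wrongly. An empty list means it meets the minimum Robert gives:
    a server certificate plus a private key that is not password protected."""
    blocks = BLOCK_RE.findall(text)
    labels = [label for label, _ in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no server certificate block")
    keys = [body for label, body in blocks if label in KEY_LABELS]
    if not keys and "ENCRYPTED PRIVATE KEY" not in labels:
        problems.append("no private key block")
    # Legacy OpenSSL encryption shows as a Proc-Type header inside the block;
    # PKCS#8 encryption uses its own ENCRYPTED PRIVATE KEY label instead.
    if any("Proc-Type: 4,ENCRYPTED" in body for body in keys) \
            or "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is passphrase protected")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("a CSR block is present; only the certificate and key are needed")
    return problems
```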