Some patches you might find useful
Frank Schmirler <frank.schmirler(at)linogate.com>
2005-03-09 17:13:06
Hi everybody,

here are a few patches against 1.8 you might (or might not) find
useful:

1. pound-1.8_minor_bugs.patch
- cosmetic: treat e414 like the other e??? strings by assigning NULL in
config.c (not really necessary as a default is assigned in pound.c
anyway)
- call BIO_flush in err_reply. Got SSL errors and browser didn't show
the error message otherwise.
- man page describes different CS* character sets than actually used

2. pound-1.8_check_url.patch
With OWA on Exchange 2003 I noticed some more characters which have
to be accepted by CheckURL to get things running. For CS_segment the
characters {}<>" need to be added and for CS_qval := are required.
I decided to extend the functionality of CheckURL instead of using
compile time switches to define the default character sets:
0: no check
1: strict check
2: old MSDAV with the extensions described above
3: old UNSAFE + MSDAV
The patch will not update the documentation.

3. pound-1.8_rewrite.patch
I encountered a problem with an application sending a mixture of the
backend's IP and pound's port in the location header. So I added a value
of 2 for RewriteRedirect which will perform a rewrite regardless of the
ports. The only thing which matters is that the hostnames found in the
host header and in the location header must be the same. As long as
the pound host does not run servers on different ports or you send
redirects to other hosts served by the same pound this should be fine.
Documentation will not be updated by this patch. And the code in is_be()
could be nicer ;-)

4. pound-1.8_auth.patch
This patch adds basic auth to pound. Some people asked for this feature
already and personally I like the idea of having an additional
authentication right before the bad guys in the Internet learn about
the software running on the backends. Please don't start throwing flames
at me if you do not agree. To keep things simple, I decided to spawn
a squid authenticator which does the actual authentication stuff. The
squid authenticators are well tested, quick and support different ways
to verify credentials. Check the man page for information on the new
config file directives.

Enjoy,[...]
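
The host comparison described in item 3 of the message above (rewrite regardless of ports when the hostnames in the Host and Location headers match), as an added example; it is not code from pound-1.8_rewrite.patch or from Pound. The names `rewrite_location` and `host_len`, the `scheme` parameter and the `example.test` headers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of the host in "host[:port]"; a bracketed IPv6 literal such as
 * "[::1]:8080" is counted up to and including the closing bracket. */
static size_t host_len(const char *auth, size_t n)
{
    const char *end;
    if (n > 0 && auth[0] == '[')
        return (end = memchr(auth, ']', n)) ? (size_t)(end - auth) + 1 : n;
    return (end = memchr(auth, ':', n)) ? (size_t)(end - auth) : n;
}

/* Hypothetical helper, not the patch's is_be(): rewrite an absolute Location
 * when its host equals the Host header's host, ignoring ports on both sides.
 * Returns 1 and fills out on rewrite, 0 to pass through, -1 if out is small. */
int rewrite_location(const char *host_hdr, const char *location,
                     const char *scheme, char *out, size_t outlen)
{
    const char *auth;
    if (strncasecmp(location, "http://", 7) == 0)
        auth = location + 7;
    else if (strncasecmp(location, "https://", 8) == 0)
        auth = location + 8;
    else
        return 0;                  /* relative redirect, or another scheme */

    size_t auth_len = strcspn(auth, "/?#");
    if (memchr(auth, '@', auth_len) != NULL)
        return 0;                  /* userinfo makes the host ambiguous */

    size_t lh = host_len(auth, auth_len);
    size_t hh = host_len(host_hdr, strlen(host_hdr));
    if (lh == 0 || lh != hh || strncasecmp(auth, host_hdr, lh) != 0)
        return 0;                  /* different host: leave untouched */

    /* Keep path, query and fragment; point scheme and authority at the proxy. */
    int n = snprintf(out, outlen, "%s://%s%s", scheme, host_hdr, auth + auth_len);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}

int main(void)
{
    char out[256];                 /* constructed sample headers below */
    if (rewrite_location("mail.example.test", "http://mail.example.test:8080/exchange/",
                         "https", out, sizeof out) == 1)
        printf("Location: %s\n", out);
    return 0;
}
```

The host is compared over its full length, so a Location host that merely begins with the Host header value, or that carries it as userinfo before an `@`, is passed through unchanged.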

Re: Some patches you might find useful
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2005-03-09 20:13:29
> 4. pound-1.8_auth.patch[...]

I like this one. Any chance something like this will go into the main
distribution?

Simon

Re: Some patches you might find useful
Robert Segall <roseg(at)apsis.ch>
2005-03-10 19:58:34
On Wednesday 09 March 2005 20:13, Simon Matter wrote:[...]

I haven't looked at it yet, but it's not very likely: if you run
authentication on Pound you lose the possibility of authenticating with a
back-end. I don't think that is an acceptable trade-off.

In any case I'm a bit swamped now - let me have a look at the various patches 
and I'll get back.[...]

Re: Some patches you might find useful
Frank Schmirler <frank.schmirler(at)linogate.com>
2005-03-11 10:00:14
On Thu, Mar 10, 2005 at 07:58:34PM +0100, Robert Segall wrote:[...]

If there is a reasonable amount of interest and you see no major
problems in its code, perhaps you could make the patch available
as a download (as attachments are not available in the mailing list
archive). The code impact is quite low, so even though I'm usually
quite busy, I would try to keep it up to date then.

Anyway, it's an option. My intention was not to make authentication on
the backend superfluous. And sure enough, client certs are superior,
but not always an option. I've talked to some administrators running
OWA on the backend (with forms-based authentication of course) and
they would feel better if there's an additional barrier in front. Of
course users have to accept double authentication (preferably with
different credentials).

To reduce conflicts with backends requiring an HTTP authorization
scheme themselves, an improved patch could make pound's authentication
configurable per group.
[...]
