DSLAM IPCop Pound Reverse-Proxy Environment
DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-06 18:47:03
I am stuck trying to configure Pound within my Small Portal Environment.
I have tried crafting a configuration from the example files but without
any luck so far.
HERE IS A DESCRIPTION OF MY ENVIRONMENT
- I have a single external IP Address (62.xx.xx.xx) for a Broadband
Service and THREE Web Hosting Platforms configured for an Orange Zone
(DMZ)
- I am trying to individually access my THREE Web Hosting Platforms from
my single 62.xx.xx.xx address using their HTTP Addresses (i.e.
www.universe.com,
webmail.universe.com and ftp.universe.com)
- I have IPCop with GREEN ZONE (192.168.a.x), ORANGE ZONE (192.168.b.x),
RED ZONE (192.168.c.x) and BLUE ZONE (192.168.d.x)
- My local DNS server is within the GREEN ZONE.
- All my addresses resolve to 62.xx.xx.xx, which is my single IP
address.
- I port forward from my external Alcatel address 62.xx.xx.xx to my
internal (RED ZONE) IPCop address.
- I then attempt to port forward from my IPCop Red address 192.168.c.x
to my Pound Server running on Mandrake 9.2 within the GREEN ZONE
(192.168.a.x)
[...]
Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-06 19:03:58
On Mon, 06 Jun 2005 17:47:03 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
[...]
So far - nothing to do with Pound. Assuming the requests get to
192.168.a.x (and show the real source address) you're OK.
You may want to check IPCop allows replies to go out somehow. Check also
that Pound can access 192.168.b.x port 80, or it will fail.
[...]
Short answer: you don't. This configuration will NOT work. There is no
virtual hosting with HTTPS - read the Pound web page (or README) for
details.
[...]
Pound does NOT proxy FTP.
[...]
Pound does NOT proxy SMTP.
[...]
Not a good idea, especially if your DSL is congested. A value of 15
would probably make a better choice.
[...]
Which Header? Pound will reject this directive outright.
[...]
Not with the config file you show - Pound wouldn't even start.
[...]
Fix your configuration as indicated and try again.
RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-07 13:53:56
Robert,
Thanks for your advice I am making progress now. I didn't have
my config file, so I tried to produce it from memory, which is why I
left out the "Host" from the HeadRequire statement.
UPDATE
I am trying reverse proxying with one machine (just to get it working).
I now have communication (i.e. the issuing of the login screens from the
backend machine). But then I get.
Pound error: flush buffers xxx.xxx.xxx.xxx
Looking at the other archives, you have indicated that this is caused by
Resource Allocation problems. So should I now extend my "Client 15" to a
longer timespan? Are there other statements that I should use, such as
"Server xxxx"?
Incidentally I am running
Mandrake 9.2 kernel 2.4.22-26
On an old HP 800CT portable PC (48 Mbytes RAM, 166 MHz Pentium, 1.4GB
Disk)
This machine only runs pound, it does nothing else. I shall upgrade it
(i.e. get a meatier machine) when I've got pound working.
OUTSTANDING QUESTION
As I described previously I have 3 Web Hosting Platforms that are all SSL
capable. You reminded me of the README, which gives reasons why
pound (or any other reverse-proxy) cannot proxy SSL.
So is the right way to support SSL on these platforms then to provide them
all with the same Certificate (I am just using self signed for testing
at the moment) and use
ListenHTTPS 192.168.a.x,81 /xxxxxx/xxxx/xx.pem
ListenHTTPS 192.168.a.x,443 /xxxxxx/xxxx/xx.pem
On my Web Hosting Platforms Admin HTTPS uses port 81, but Users HTTPS
use port 443
Thanks for your help
Courtney
Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-08 15:11:37
On Tue, 07 Jun 2005 12:53:56 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
[...]
No. A "flush" message just means some client closed the connection
before the reply could be fully transmitted. You can safely ignore it.
BTW, the specific message you show appeared in an older Pound version -
you may want to upgrade to the latest Pound.
[...]
As long as you run it as a server (no GUI) it should be enough for a
light traffic site. Check your usage.
[...]
Pound can very well proxy SSL - it just can't do virtual hosting over
SSL. These are two separate issues.
[...]
A certificate needs to be connected to the server - the server URL is
embedded in the certificate. Anything else will have the client browser
protesting.
[...]
You're welcome.
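Robert's point that "the server URL is embedded in the certificate" is the check a browser performs before it protests, and it decides whether Courtney's plan of one certificate on all three platforms can work. The following is an added example, not code from the Pound list or the Pound project: it models the hostname-to-certificate comparison (after RFC 6125) against constructed certificate identities. The universe.com names come from the thread; the certificates are dicts standing in for what a parsed X.509 certificate carries (subjectAltName dNSName entries and the legacy subject CN), and "openssl req" is mentioned only as the usual way such a single-name test certificate gets made.

```python
"""Hostname-to-certificate matching, the check a browser makes before it
"protests" about a certificate.

Added example, not code from the Pound project. The "certificates" below are
constructed dicts standing in for the identity a parsed X.509 certificate
carries: the subjectAltName dNSName entries and the legacy subject CN.
"""
from typing import List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` covers `hostname`.

    Rules modelled on RFC 6125 section 6.4.3: case-insensitive; a wildcard is
    honoured only as the entire left-most label ("*.universe.com"); it must
    leave at least two labels to its right (so "*.com" is refused); and it
    matches exactly one label, so "*.universe.com" covers "www.universe.com"
    but neither "universe.com" nor "a.b.universe.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial ("w*.example") or non-leading wildcards refused
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """Does the identity embedded in `cert` cover `hostname`?

    `cert["san"]` is the list of dNSName values; `cert["cn"]` the subject CN.
    Once any dNSName SAN is present the CN is ignored, as current clients do.
    """
    names = list(cert.get("san") or [])
    if not names and cert.get("cn"):
        names = [str(cert["cn"])]
    return any(hostname_matches(n, hostname) for n in names)


def uncovered_hosts(cert: dict, hostnames: List[str]) -> List[str]:
    """The hostnames for which a client would raise a certificate warning."""
    return [h for h in hostnames if not cert_covers(cert, h)]


# Constructed sample data: the three public names from the thread and three
# candidate certificates the Pound box could present on its single listener.
HOSTS = ["www.universe.com", "webmail.universe.com", "ftp.universe.com"]

# A self-signed test certificate made for one name only (what a quick
# "openssl req" with CN=www.universe.com and no SAN produces).
SINGLE_NAME_CERT = {"cn": "www.universe.com", "san": []}

# One certificate listing all three names as SANs: the "same certificate on
# all platforms" approach, done so that browsers accept it on every name.
SAN_CERT = {
    "cn": "www.universe.com",
    "san": ["www.universe.com", "webmail.universe.com", "ftp.universe.com"],
}

# A wildcard certificate covers the three hosts but not the bare domain.
WILDCARD_CERT = {"cn": "*.universe.com", "san": ["*.universe.com"]}


if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME_CERT),
                        ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)):
        bad = uncovered_hosts(cert, HOSTS + ["universe.com"])
        print(f"{label:12} browser complains for: {bad}")
```

The practical consequence for the thread: a single certificate can be shared by all three platforms, but only if every public host name is listed in it (or a wildcard covers them); a self-signed certificate with one CN will be rejected on the other two names no matter how Pound is configured.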
RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-09 19:36:58
Hi Robert,
Forgive me for being dense, but I want to determine definitively
whether or not I am able to support SSL on 3 different Web Hosting
Servers using one IP address. From our discussion it does not sound like
this is possible. Here are my questions.
Is there any way of using pound to support SSL on all three Web Hosting
platforms with one IP address (Yes/No)
If no to the above, can you think of a pound configuration using
multiple IP addresses that would support three Web Hosting platforms all
using SSL. As a reminder, my configuration has an Alcatel DSLAM/firewall
port forwarding to an IPCop Server, port forwarding to a single instance
of pound.
If yes, please assist by suggesting available options.
Is multiple SSL server support possible with multiple instances of pound
running on the same machine? (If yes please discuss how)
If it is not possible to support more than one SSL capable server for my
configuration, then please assist me by providing the configuration
lines for SSL support on one server, taking account of my configuration
(i.e. Alcatel DSLAM/FW --> IPCop--> pound).
Thanks for your help Robert, and my apologies for being so dense.
Courtney Oakley
Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Ed R Zahurak <ezahurak(at)atlanticbb.net>
2005-06-10 02:02:00
Oakley, Courtney (EXP) wrote: [...]
Using virtual hosting, as you would for straight http:// traffic? No.
There are ways to do it if you:
1. Have one *public* (internet-reachable) IP address for each web site
host name, and
2. Have a firewall/router capable of forwarding port 443 from each of
those to one *private* (internal) ip address, at different ports.
Let's say that you have an external range of 10.0.0.5-7 for your web
servers, and 192.168.4.12 as the internal address of your pound box.
You could configure things at the firewall so that:
external host/port      forwards to internal host/port
10.0.0.5:443       ->   192.168.4.12:10443
10.0.0.6:443       ->   192.168.4.12:11443
10.0.0.7:443       ->   192.168.4.12:12443
You would then configure pound (and I *think* you would need multiple
instances of pound, right folks?) to listen on 10443, 11443, 12443 and
forward them to the right backend servers.
You could *also* do this with just *one* external ip address, and using
the non-standard ports:
external host/port      forwards to internal host/port
10.0.0.5:10443     ->   192.168.4.12:10443
10.0.0.5:11443     ->   192.168.4.12:11443
10.0.0.5:12443     ->   192.168.4.12:12443
I do this all the time. The only caveat is that you pretty much have to
link to these sites from an insecure one to make it work. Just pointing
the browser at https://somesecurehostname.com/
wouldn't make it work --
you'd have to specify https://somesecurehostname.com:10443/
for example.
Best o' luck,
Ed
RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-10 10:56:56
Hi Ed,
And thanks Ed. I think I am getting somewhere now. I like your
number one option. Number 2 doesn't sound too great though. Sounds like
I now have to go get some IP addresses though.
I've found lots of talk about pound as an SSL Wrapper. Do you think this
is a solution?
I believe lots of users with Web Hosting platforms are using this. I
have still yet to work out all the details though, there is only one
chain on it with 17 messages of which only 5-6 are discernible for the
layman such as myself.
The pound man page has an SSL Wrapper example also, but I have not had
time to test it.
Thanks Ed
Courtney
Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-10 13:30:34
On Thu, 09 Jun 2005 18:36:58 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
[...]
As the lawyer asked "Have you stopped beating your wife? Just answer yes
or no!".
There is no one "right" answer here - you'll have to be much more
specific. In general you probably can, but how to do it depends very
much on what exactly you want to achieve.
[...]
1. Use three separate addresses (addr1:443, addr2:443, addr3:443) and
have three separate instances of Pound passing this to your servers.
stunnel is probably a better option for this, if the only thing you
want is SSL wrapping.
2. Use three separate ports on your address (addr1:443, addr1:10443,
addr1:11443). Make sure the servers are reachable via some links on
another page, or via redirects.
3. Have a single address (addr1:443) with separate paths
(https://addr1:443/srv1, https://addr1:443/srv2, https://addr1:443/srv3)
and have a single Pound split the requests to the servers as per path.
I'm quite sure that knowing your exact circumstances I could come up
with a few additional ideas.
[...]
Yes - just make sure they listen on separate addresses or ports.
[...]
No need to apologize, and I'm quite sure this is nothing about being
"dense". I would however suggest you try reading a bit on HTTP and/or
HTTPS so we can use the same terminology.
RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-10 16:13:54
Hi Robert,
Now you're cooking! I like suggestions 1) and 3). Ed Zahurak
also came up with 1) and 2). I am talking to my Broadband provider now
about getting some extra IP addresses to support 1) which is so simple
that I can instantly understand it, but it's going to cost me.
Time for my questions again? (no wife beating this time)
1a) Please can you describe option number 3 in more detail. Would the
user have to enter https://universal:443/server1 to get
HTTPS or is
there some way that a simple entry such as https://wapmail.universal:81
can be mapped to the above using pound. I believe you call this URL
rewriting.
So a realistic example might be
https://wapmail.universal:81 --->
https://universal:443/server1
https://www.universal:81 ---> https://universal:443/server2
https://securemail:81 ---> https://universal:443/server3
1b) Then I configure pound to split https://universal:443/server{1,2,3}
to the backend servers using the standard
UrlGroup ".*"
HeadRequire Host ".*universal:443/server1.*"
Backend 192.168.x.x,443,1
EndGroup
Have I got it right? (I think I'm getting the hang of this).
2) What about SSL Wrapper how does that work for my environment (the
documentation is sparse). I know that there is a single pound server
Certificate, but I need a bit more explanation and a couple more config
file examples.
MY CONFIGURATION REMINDER
ISP Broadband ---(external IP)--- DSLAM ---Portforward--- (RED internal IP) --- IPCop Server --->
    ---> Portforward --- (GREEN IP) --- Pound (SSL Wrapper :443 or :81)
            |------> Web Hosting Platform 1 (IP Address:444)
            |------> Web Hosting Platform 2 (IP Address:444)
            |------> Web Hosting Platform 3 (IP Address:444)
Thanks guys.
Courtney Oakley
Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-10 16:48:45
On Fri, 10 Jun 2005 15:13:54 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
[...]
Correct, that's why I offered 2 and 3...
[...]
Pound does not support URL rewriting. The URL would be
https://universal/path1, https://universal/path2, etc. This would be
split by Pound to go to http://backend1/path1, http://backend2/path2,
etc.
[...]
I have no idea why would you want HTTPS on port 81. What redirects you
do is your business. The accepted practice is to have a common entry
page http://www.you.com with links to https://www.you.com/path1 and so
on.
[...]
Not really. What you want is more like
ListenHTTPS 192.168.x.x,443 /path/cert.pem
UrlGroup "/server1/.*"
Backend 192.168.x.x,80,1
# Optional - not really needed in your case
HeadRequire Host ".*www\.universal\.com.*"
EndGroup
Don't forget that Pound will only talk HTTP to the back-ends.
[...]
If you mean stunnel you'll have to look up the docs on that. For Pound
have a look at the README, man page and/or web page - you'll find some
examples there.
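Robert's option 3 (one HTTPS listener, one certificate, requests split to the back-ends by path) and his "Not really" correction of the HeadRequire line come down to how Pound picks a group for a request. The following is an added example, not code from the Pound project or the list: it models the matching behaviour the thread describes (the UrlGroup regex is applied to the request path, an optional HeadRequire Host regex to the Host header, the first matching group wins, the path is passed through unchanged because Pound does no URL rewriting, and the back-end is always spoken to over plain HTTP). The back-end addresses, the /serverN paths and the sample requests are constructed; treating the regexes as whole-string matches is an assumption that mirrors the ".*...*" patterns used in the thread.

```python
"""A model of how Pound 1.x chooses a back-end for one request.

Added example, not code from the Pound project. Only the behaviour the
thread describes is modelled: UrlGroup regex on the path, optional
HeadRequire Host regex, first match wins, no URL rewriting, HTTP to the
back-ends. Addresses, paths and requests are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Group:
    """One UrlGroup ... EndGroup block."""
    url_re: str
    backend_host: str
    backend_port: int
    head_require: Optional[Tuple[str, str]] = None  # (header name, regex)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, path, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def pick_group(groups: List[Group], path: str,
               headers: Dict[str, str]) -> Optional[Group]:
    """First group whose UrlGroup regex matches the path and whose
    HeadRequire, if present, matches the named header (whole-string match,
    an assumption mirroring the ".*...*" patterns in the thread)."""
    for g in groups:
        if not re.fullmatch(g.url_re, path):
            continue
        if g.head_require is not None:
            name, rx = g.head_require
            if not re.fullmatch(rx, headers.get(name.lower(), "")):
                continue
        return g
    return None


def route(groups: List[Group], raw: bytes) -> Optional[str]:
    """URL Pound would fetch from the back-end, or None when no group
    matches (Pound then answers the client with an error instead).

    The scheme is always http: Pound terminates SSL on its ListenHTTPS
    listener and talks plain HTTP to the back-ends; the path is not rewritten.
    """
    _method, path, headers = parse_request(raw)
    g = pick_group(groups, path, headers)
    if g is None:
        return None
    return f"http://{g.backend_host}:{g.backend_port}{path}"


# Constructed configuration for option 3: three paths split to three
# back-ends, plus a catch-all that only accepts the www host name.
GROUPS = [
    Group(r"/server1/.*", "192.168.2.11", 80),
    Group(r"/server2/.*", "192.168.2.12", 80),
    Group(r"/server3/.*", "192.168.2.13", 80),
    Group(r".*", "192.168.2.11", 80, ("Host", r".*www\.universe\.com.*")),
]

# The pattern from the question: a path inside a HeadRequire Host regex. The
# Host header only ever carries host[:port], so this group can never match.
MISTAKEN_GROUPS = [
    Group(r".*", "192.168.2.11", 80, ("Host", r".*universe\.com:443/server1.*")),
]

# Constructed requests, as Pound sees them after SSL termination.
REQ_SERVER1 = b"GET /server1/ HTTP/1.1\r\nHost: universe.com\r\n\r\n"
REQ_SERVER2 = b"GET /server2/login HTTP/1.1\r\nHost: universe.com\r\n\r\n"
REQ_WWW = b"GET /index.html HTTP/1.1\r\nHost: www.universe.com\r\n\r\n"
REQ_FTP = b"GET /index.html HTTP/1.1\r\nHost: ftp.universe.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (REQ_SERVER1, REQ_SERVER2, REQ_WWW, REQ_FTP):
        print(raw.split(b"\r\n")[0].decode(), "->", route(GROUPS, raw))
    print("mistaken HeadRequire ->", route(MISTAKEN_GROUPS, REQ_SERVER1))
```

Two things the model makes visible: the Host header is only available to the group selection after SSL has already been terminated with whichever certificate the listener was given, which is why it can steer plain-HTTP virtual hosts but cannot pick a certificate per host name; and because the path reaches the back-end unchanged, each platform has to serve its content under its /serverN prefix rather than at /.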