Apsis / Pound Mailing List / Archive / 2005 / 2005-06
DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-06 18:47:03
I am stuck trying to configure Pound within my Small Portal Environment.
I have tried crafting a configuration from the example files but without
any luck so far.
HERE IS A DESCRIPTION OF MY ENVIRONMENT
- I have a single external IP Address (62.xx.xx.xx) for a Broadband
Service and THREE Web Hosting Platforms configured for an Orange Zone
(DMZ)
- I am trying to individually access my THREE Web Hosting Platforms from
my single 62.xx.xx.xx address using their HTTP Addresses (i.e.
www.universe.com, webmail.universe.com and ftp.universe.com)
- I have IPCop with GREEN ZONE (192.168.a.x), ORANGE ZONE (192.168.b.x),
RED ZONE (192.168.c.x) and BLUE ZONE (192.168.d.x)
- My local DNS server is within the GREEN ZONE.
- All my addresses resolve to 62.xx.xx.xx, which is my single IP
address.
- I port forward from my external Alcatel address 62.xx.xx.xx to my
internal (RED ZONE) IPCop address.
- I then attempt to port forward from my IPCop Red address 192.168.c.x
to my Pound Server running on Mandrake 9.2 within the GREEN ZONE
(192.168.a.x)
________________________________________________________________________
HERE IS MY OLD CONFIGURATION FILE
ListenHTTP 192.168.a.x, 80
ListenHTTPS 192.168.a.x, 444 /etc/pound/server1.pem
ListenHTTPS 192.168.a.x, 444 /etc/pound/server2.pem
/**** I have two SSL capable Web Hosting platforms using port 444. How
do I cater for them both ??? ***/
ListenHTTP 192.168.a.x, 21
ListenHTTP 192.168.a.x, 25 /*** 192.168.a.x is the IP Address of my
Pound Proxy Server ***/
User pound
Group pound
LogLevel 3 /*** Extreme Logging ***/
Client 1 /*** MS Browser support ****/
UrlGroup ".*"
HeadRequire ".*www.universe.com.*"
BackEnd 192.168.b.x, 80, 1
Session BASIC 300
EndGroup
UrlGroup ".*"
HeadRequire ".*webmail.universe.com.*"
BackEnd 192.168.b.x, 80, 1
Session BASIC 300
EndGroup
UrlGroup ".*"
HeadRequire ".*ftp.universe.com.*"
BackEnd 192.168.b.x, 80,1
Session BASIC 300
EndGroup
________________________________________________________________________
I keep getting (No Backend) which implies that the HeadRequire statement
does not match.
So I get the following:
www.universe.com 503 1178 [153.56.7.89] (microsoft Browser details) /*** Originating IP address ***/
HTTP1.1 / no backend
Please help me before I do something I'll regret
Thanks
C.I.R. Oakley

Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-06 19:03:58

On Mon, 06 Jun 2005 17:47:03 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
>
> I am stuck trying to configure Pound within my Small Portal Environment.
> I have tried crafting a configuration from the example files but without
> any luck so far.
>
> HERE IS A DESCRIPTION OF MY ENVIRONMENT
> - I have a single external IP Address (62.xx.xx.xx) for a Broadband
> Service and THREE Web Hosting Platforms configured for an Orange Zone
> (DMZ)
> - I am trying to individually access my THREE Web Hosting Platforms from
> my single 62.xx.xx.xx address using their HTTP Addresses (i.e.
> www.universe.com, webmail.universe.com and ftp.universe.com)
> - I have IPCop with GREEN ZONE (192.168.a.x), ORANGE ZONE (192.168.b.x),
> RED ZONE (192.168.c.x) and BLUE ZONE (192.168.d.x)
> - My local DNS server is within the GREEN ZONE.
> - All my addresses resolve to 62.xx.xx.xx, which is my single IP
> address.
> - I port forward from my external Alcatel address 62.xx.xx.xx to my
> internal (RED ZONE) IPCop address.
> - I then attempt to port forward from my IPCop Red address 192.168.c.x
> to my Pound Server running on Mandrake 9.2 within the GREEN ZONE
> (192.168.a.x)
So far - nothing to do with Pound. Assuming the requests get to
192.168.a.x (and show the real source address) you're OK.
You may want to check IPCop allows replies to go out somehow. Check also
that Pound can access 192.168.b.x port 80, or it will fail.
> ________________________________________________________________________
> HERE IS MY OLD CONFIGURATION FILE
>
> ListenHTTP 192.168.a.x, 80
> ListenHTTPS 192.168.a.x, 444 /etc/pound/server1.pem
> ListenHTTPS 192.168.a.x, 444 /etc/pound/server2.pem
>
> /**** I have two SSL capable Web Hosting platforms using port 444. How
> do I cater for them both ??? ***/
Short answer: you don't. This configuration will NOT work. There is no
virtual hosting with HTTPS - read the Pound web page (or README) for
details.
> ListenHTTP 192.168.a.x, 21
Pound does NOT proxy FTP.
> ListenHTTP 192.168.a.x, 25 /*** 192.168.a.x is the IP Address of my
> Pound Proxy Server ***/
Pound does NOT proxy SMTP.
> User pound
> Group pound
>
>
> LogLevel 3 /*** Extreme Logging ***/
>
> Client 1 /*** MS Browser support ****/
Not a good idea, especially if your DSL is congested. A value of 15
would probably make a better choice.
> UrlGroup ".*"
> HeadRequire ".*www.universe.com.*"
Which Header? Pound will reject this directive outright.
> BackEnd 192.168.b.x, 80, 1
> Session BASIC 300
> EndGroup
>
> UrlGroup ".*"
> HeadRequire ".*webmail.universe.com.*"
> BackEnd 192.168.b.x, 80, 1
> Session BASIC 300
> EndGroup
>
> UrlGroup ".*"
> HeadRequire ".*ftp.universe.com.*"
> BackEnd 192.168.b.x, 80,1
> Session BASIC 300
> EndGroup
>
> ________________________________________________________________________
>
> I keep getting (No Backend) which implies that the HeadRequire statement
> does not match.
Not with the config file you show - Pound wouldn't even start.
> So I get the following www.universe.com 503 1178 [153.56.7.89]
> (microsoft Browser details) /*** Originating IP address
> ***/
> HTTP1.1 / no backend
>
> Please help me before I do something I'll regret
> Thanks
>
> C.I.R. Oakley
>
Fix your configuration as indicated and try again.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-07 13:53:56

Robert,
Thanks for your advice I am making progress now. I didn't have
my config file, so I tried to produce it from memory, which is why I
left out the "Host" from the HeadRequire statement.
UPDATE
I am trying reverse proxying with one machine (just to get it working).
I now have communication (i.e. the issuing of the login screens from the
backend machine). But then I get:
Pound error: flush buffers xxx.xxx.xxx.xxx
Looking at the other archives, you have indicated that this is caused by
Resource Allocation problems. So should I now extend my "Client 15" to a
longer timespan? Are there other statements that I should use, such as
"Server xxxx"?
Incidentally I am running
Mandrake 9.2 kernel 2.4.22-26
On an old HP 800CT portable PC (48 Mbytes RAM, 166 MHz Pentium, 1.4GB
Disk)
This machine only runs pound, it does nothing else. I shall upgrade it
(i.e. get a meatier machine) when I've got pound working.
OUTSTANDING QUESTION
As I described previously I have 3 Web Hosting Platforms that are all SSL
capable. You reminded me of the README which gives reasons why
pound (or any other reverse-proxy) cannot proxy SSL.
So is the right way to support SSL on these platforms then to provide them
all with the same Certificate (I am just using self signed for testing
at the moment) and use
ListenHTTPS 192.168.a.x,81 /xxxxxx/xxxx/xx.pem
ListenHTTPS 192.168.a.x,443 /xxxxxx/xxxx/xx.pem
On my Web Hosting Platforms Admin HTTPS uses port 81, but Users HTTPS
use port 443
Thanks for your help
Courtney
-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch]
Sent: 06 June 2005 18:04
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy
Environment
On Mon, 06 Jun 2005 17:47:03 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
>
> I am stuck trying to configure Pound within my Small Portal Environment.
> I have tried crafting a configuration from the example files but without
> any luck so far.
>
> HERE IS A DESCRIPTION OF MY ENVIRONMENT
> - I have a single external IP Address (62.xx.xx.xx) for a Broadband
> Service and THREE Web Hosting Platforms configured for an Orange Zone
> (DMZ)
> - I am trying to individually access my THREE Web Hosting Platforms from
> my single 62.xx.xx.xx address using their HTTP Addresses (i.e.
> www.universe.com, webmail.universe.com and ftp.universe.com)
> - I have IPCop with GREEN ZONE (192.168.a.x), ORANGE ZONE (192.168.b.x),
> RED ZONE (192.168.c.x) and BLUE ZONE (192.168.d.x)
> - My local DNS server is within the GREEN ZONE.
> - All my addresses resolve to 62.xx.xx.xx, which is my single IP
> address.
> - I port forward from my external Alcatel address 62.xx.xx.xx to my
> internal (RED ZONE) IPCop address.
> - I then attempt to port forward from my IPCop Red address 192.168.c.x
> to my Pound Server running on Mandrake 9.2 within the GREEN ZONE
> (192.168.a.x)
So far - nothing to do with Pound. Assuming the requests get to
192.168.a.x (and show the real source address) you're OK.
You may want to check IPCop allows replies to go out somehow. Check also
that Pound can access 192.168.b.x port 80, or it will fail.
> ________________________________________________________________________
> HERE IS MY OLD CONFIGURATION FILE
>
> ListenHTTP 192.168.a.x, 80
> ListenHTTPS 192.168.a.x, 444 /etc/pound/server1.pem
> ListenHTTPS 192.168.a.x, 444 /etc/pound/server2.pem
>
> /**** I have two SSL capable Web Hosting platforms using port 444. How
> do I cater for them both ??? ***/
Short answer: you don't. This configuration will NOT work. There is no
virtual hosting with HTTPS - read the Pound web page (or README) for
details.
> ListenHTTP 192.168.a.x, 21
Pound does NOT proxy FTP.
> ListenHTTP 192.168.a.x, 25 /*** 192.168.a.x is the IP Address of my
> Pound Proxy Server ***/
Pound does NOT proxy SMTP.
> User pound
> Group pound
>
>
> LogLevel 3 /*** Extreme Logging ***/
>
> Client 1 /*** MS Browser support ****/
Not a good idea, especially if your DSL is congested. A value of 15
would probably make a better choice.
> UrlGroup ".*"
> HeadRequire ".*www.universe.com.*"
Which Header? Pound will reject this directive outright.
> BackEnd 192.168.b.x, 80, 1
> Session BASIC 300
> EndGroup
>
> UrlGroup ".*"
> HeadRequire ".*webmail.universe.com.*"
> BackEnd 192.168.b.x, 80, 1
> Session BASIC 300
> EndGroup
>
> UrlGroup ".*"
> HeadRequire ".*ftp.universe.com.*"
> BackEnd 192.168.b.x, 80,1
> Session BASIC 300
> EndGroup
>
> ________________________________________________________________________
>
> I keep getting (No Backend) which implies that the HeadRequire statement
> does not match.
Not with the config file you show - Pound wouldn't even start.
> So I get the following www.universe.com 503 1178 [153.56.7.89]
> (microsoft Browser details) /*** Originating IP address
> ***/
> HTTP1.1 / no backend
>
> Please help me before I do something I'll regret Thanks
>
> C.I.R. Oakley
>
Fix your configuration as indicated and try again.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
--
To unsubscribe send an email with subject 'unsubscribe' to
pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
http://192.168.1.2:8080/Apsis/pound/pound_list/archive/2005/2005-06/1118076423000/1118077438000

Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-08 15:11:37

On Tue, 07 Jun 2005 12:53:56 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
> Robert,
> Thanks for your advice I am making progress now. I didn't have
> my config file, so I tried to produce it from memory, which is why I
> left out the "Host" from the HeadRequire statement.
>
>
> UPDATE
> I am trying reverse proxying with one machine (just to get it working).
> I now have communication (i.e. the issuing of the login screens from the
> backend machine). But then I get:
>
> Pound error: flush buffers xxx.xxx.xxx.xxx
>
> Looking at the other archives, you have indicated that this is caused by
> Resource Allocation problems. So should I now extend my "Client 15" to a
> longer timespan? Are there other statements that I should use, such as
> "Server xxxx"?
No. A "flush" message just means some client closed the connection
before the reply could be fully transmitted. You can safely ignore it.
BTW, the specific message you show appeared in an older Pound version -
you may want to upgrade to the latest Pound.
> Incidentally I am running
> Mandrake 9.2 kernel 2.4.22-26
> On an old HP 800CT portable PC (48 Mbytes RAM, 166 MHz Pentium, 1.4GB
> Disk)
> This machine only runs pound, it does nothing else. I shall upgrade it
> (i.e. get a meatier machine) when I've got pound working.
As long as you run it as a server (no GUI) it should be enough for a
light traffic site. Check your usage.
> OUTSTANDING QUESTION
> As I described previously I have 3 Web Hosting Platforms that are all SSL
> capable. You reminded me of the README which gives reasons why
> pound (or any other reverse-proxy) cannot proxy SSL.
Pound can very well proxy SSL - it just can't do virtual hosting over
SSL. These are two separate issues.
> So is the right way to support SSL on these platforms then to provide them
> all with the same Certificate (I am just using self signed for testing
> at the moment) and use
>
> ListenHTTPS 192.168.a.x,81 /xxxxxx/xxxx/xx.pem
> ListenHTTPS 192.168.a.x,443 /xxxxxx/xxxx/xx.pem
>
> On my Web Hosting Platforms Admin HTTPS uses port 81, but Users HTTPS
> use port 443
A certificate needs to be connected to the server - the server URL is
embedded in the certificate. Anything else will have the client browser
protesting.
> Thanks for your help
> Courtney
You're welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-09 19:36:58

Hi Robert,
Forgive me for being dense, but I want to determine definitively
whether or not I am able to support SSL on 3 different Web Hosting
Servers using one IP address. From our discussion it does not sound like
this is possible. Here are my questions.
Is there any way of using pound to support SSL on all three Web Hosting
platforms with one IP address (Yes/No)
If no to the above, can you think of a pound configuration using
multiple IP addresses that would support three Web Hosting platforms all
using SSL. As a reminder, my configuration has an alcatel DSLAM/firewall
port forwarding to an IPCop Server, port forwarding to a single instance
of pound.
If yes, please assist by suggesting available options.
Is multiple SSL server support possible with multiple instances of pound
running on the same machine? (If yes please discuss how)
If it is not possible to support more than one SSL capable server for my
configuration, then please assist me by providing the configuration
lines for SSL support on one server, taking account of my configuration
(i.e. Alcatel DSLAM/FW --> IPCop--> pound).
Thanks for your help Robert, and my apologies for being so dense.
Courtney Oakley
-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch]
Sent: 08 June 2005 14:12
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy
Environment
On Tue, 07 Jun 2005 12:53:56 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
> Robert,
> Thanks for your advice I am making progress now. I didn't have my
> config file, so I tried to produce it from memory, which is why I left
> out the "Host" from the HeadRequire statement.
>
>
> UPDATE
> I am trying reverse proxying with one machine (just to get it working).
> I now have communication (i.e. the issuing of the login screens from the
> backend machine). But then I get:
>
> Pound error: flush buffers xxx.xxx.xxx.xxx
>
> Looking at the other archives, you have indicated that this is caused by
> Resource Allocation problems. So should I now extend my "Client 15" to a
> longer timespan? Are there other statements that I should use, such as
> "Server xxxx"?
No. A "flush" message just means some client closed the connection
before the reply could be fully transmitted. You can safely ignore it.
BTW, the specific message you show appeared in an older Pound version -
you may want to upgrade to the latest Pound.
> Incidentally I am running
> Mandrake 9.2 kernel 2.4.22-26
> On an old HP 800CT portable PC (48 Mbytes RAM, 166 MHz Pentium, 1.4GB
> Disk)
> This machine only runs pound, it does nothing else. I shall upgrade it
> (i.e. get a meatier machine) when I've got pound working.
As long as you run it as a server (no GUI) it should be enough for a
light traffic site. Check your usage.
> OUTSTANDING QUESTION
> As I described previously I have 3 Web Hosting Platforms that are all SSL
> capable. You reminded me of the README which gives reasons why
> pound (or any other reverse-proxy) cannot proxy SSL.
Pound can very well proxy SSL - it just can't do virtual hosting over
SSL. These are two separate issues.
> So is the right way to support SSL on these platforms then to provide them
> all with the same Certificate (I am just using self signed for testing
> at the moment) and use
>
> ListenHTTPS 192.168.a.x,81 /xxxxxx/xxxx/xx.pem
> ListenHTTPS 192.168.a.x,443 /xxxxxx/xxxx/xx.pem
>
> On my Web Hosting Platforms Admin HTTPS uses port 81, but Users HTTPS
> use port 443
A certificate needs to be connected to the server - the server URL is
embedded in the certificate. Anything else will have the client browser
protesting.
> Thanks for your help
> Courtney
You're welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Ed R Zahurak <ezahurak(at)atlanticbb.net>
2005-06-10 02:02:00

Oakley, Courtney (EXP) wrote:
> Hi Robert,
> Forgive me for being dense, but I want to determine definitively
> whether or not I am able to support SSL on 3 different Web Hosting
> Servers using one IP address. From our discussion it does not sound like
> this is possible. Here are my questions.
>
> Is there any way of using pound to support SSL on all three Web Hosting
> platforms with one IP address (Yes/No)
Using virtual hosting, as you would for straight http:// traffic? No.
There are ways to do it if you:
1. Have one *public* (internet-reachable) IP address for each web site
host name, and
2. Have a firewall/router capable of forwarding port 443 from each of
those to one *private* (internal) ip address, at different ports.
Let's say that you have an external range of 10.0.0.5-7 for your web
servers, and 192.168.4.12 as the internal address of your pound box.
You could configure things at the firewall so that:
external_host/port:   forwards_to_internal_host/port:
10.0.0.5:443          192.168.4.12:10443
10.0.0.6:443          192.168.4.12:11443
10.0.0.7:443          192.168.4.12:12443
You would then configure pound (and I *think* you would need multiple
instances of pound, right folks?) to listen on 10443, 11443, 12443 and
forward them to the right backend servers.
You could *also* do this with just *one* external ip address, and using
the non-standard ports:
external_host/port:   forwards_to_internal_host/port:
10.0.0.5:10443        192.168.4.12:10443
10.0.0.5:11443        192.168.4.12:11443
10.0.0.5:12443        192.168.4.12:12443
I do this all the time. The only caveat is that you pretty much have to
link to these sites from an insecure one to make it work. Just pointing
the browser at https://somesecurehostname.com/ wouldn't make it work --
you'd have to specify https://somesecurehostname.com:10443/ for example.
Best o' luck,
Ed
> If no to the above, can you think of a pound configuration using
> multiple IP addresses that would support three Web Hosting platforms all
> using SSL. As a reminder, my configuration has an alcatel DSLAM/firewall
> port forwarding to an IPCop Server, port forwarding to a single instance
> of pound.
>
> If yes, please assist by suggesting available options.
>
> Is multiple SSL server support possible with multiple instances of pound
> running on the same machine? (If yes please discuss how)
>
> If it is not possible to support more than one SSL capable server for my
> configuration, then please assist me by providing the configuration
> lines for SSL support on one server, taking account of my configuration
> (i.e. Alcatel DSLAM/FW --> IPCop--> pound).
>
> Thanks for your help Robert, and my apologies for being so dense.
>
> Courtney Oakley
>
> -----Original Message-----
> From: Robert Segall [mailto:roseg(at)apsis.ch]
> Sent: 08 June 2005 14:12
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy
> Environment
>
> On Tue, 07 Jun 2005 12:53:56 +0100 "Oakley, Courtney (EXP)"
> <courtney.oakley(at)lmco.com> wrote:
>
>> Robert,
>> Thanks for your advice I am making progress now. I didn't have my
>> config file, so I tried to produce it from memory, which is why I left
>> out the "Host" from the HeadRequire statement.
>>
>> UPDATE
>> I am trying reverse proxying with one machine (just to get it working).
>> I now have communication (i.e. the issuing of the login screens from the
>> backend machine). But then I get:
>>
>> Pound error: flush buffers xxx.xxx.xxx.xxx
>>
>> Looking at the other archives, you have indicated that this is caused by
>> Resource Allocation problems. So should I now extend my "Client 15" to a
>> longer timespan? Are there other statements that I should use, such as
>> "Server xxxx"?
>
> No. A "flush" message just means some client closed the connection
> before the reply could be fully transmitted. You can safely ignore it.
> BTW, the specific message you show appeared in an older Pound version -
> you may want to upgrade to the latest Pound.
>
>> Incidentally I am running
>> Mandrake 9.2 kernel 2.4.22-26
>> On an old HP 800CT portable PC (48 Mbytes RAM, 166 MHz Pentium, 1.4GB
>> Disk)
>> This machine only runs pound, it does nothing else. I shall upgrade it
>> (i.e. get a meatier machine) when I've got pound working.
>
> As long as you run it as a server (no GUI) it should be enough for a
> light traffic site. Check your usage.
>
>> OUTSTANDING QUESTION
>> As I described previously I have 3 Web Hosting Platforms that are all SSL
>> capable. You reminded me of the README which gives reasons why
>> pound (or any other reverse-proxy) cannot proxy SSL.
>
> Pound can very well proxy SSL - it just can't do virtual hosting over
> SSL. These are two separate issues.
>
>> So is the right way to support SSL on these platforms then to provide them
>> all with the same Certificate (I am just using self signed for testing
>> at the moment) and use
>>
>> ListenHTTPS 192.168.a.x,81 /xxxxxx/xxxx/xx.pem
>> ListenHTTPS 192.168.a.x,443 /xxxxxx/xxxx/xx.pem
>>
>> On my Web Hosting Platforms Admin HTTPS uses port 81, but Users HTTPS
>> use port 443
>
> A certificate needs to be connected to the server - the server URL is
> embedded in the certificate. Anything else will have the client browser
> protesting.
>
>> Thanks for your help
>> Courtney
>
> You're welcome.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-44-920 4904

RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com>
2005-06-10 10:56:56

Hi Ed,
And thanks Ed. I think I am getting somewhere now. I like your
number one option. Number 2 doesn't sound too great though. Sounds like
I now have to go get some IP addresses though.
I've found lots of talk about pound as an SSL Wrapper. Do you think this
is a solution?
I believe lots of users with Web Hosting platforms are using this. I
have still yet to work out all the details though, there is only one
chain on it with 17 messages of which only 5-6 are discernible for the
layman such as myself.
The pound man page has an SSL Wrapper example also, but I have not had
time to test it.
Thanks Ed
Courtney
-----Original Message-----
From: Ed R Zahurak [mailto:ezahurak(at)atlanticbb.net]
Sent: 10 June 2005 01:02
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy
Environment
Oakley, Courtney (EXP) wrote:
> Hi Robert,
> Forgive me for being dense, but I want to determine definitively
> whether or not I am able to support SSL on 3 different Web Hosting
> Servers using one IP address. From our discussion it does not sound
> like this is possible. Here are my questions.
>
> Is there any way of using pound to support SSL on all three Web
> Hosting platforms with one IP address (Yes/No)
Using virtual hosting, as you would for straight http:// traffic? No.
There are ways to do it if you:
1. Have one *public* (internet-reachable) IP address for each web site
host name, and
2. Have a firewall/router capable of forwarding port 443 from each of
those to one *private* (internal) ip address, at different ports.
Let's say that you have an external range of 10.0.0.5-7 for your web
servers, and 192.168.4.12 as the internal address of your pound box.
You could configure things at the firewall so that:
external_host/port:   forwards_to_internal_host/port:
10.0.0.5:443          192.168.4.12:10443
10.0.0.6:443          192.168.4.12:11443
10.0.0.7:443          192.168.4.12:12443
You would then configure pound (and I *think* you would need multiple
instances of pound, right folks?) to listen on 10443, 11443, 12443 and
forward them to the right backend servers.
You could *also* do this with just *one* external ip address, and using
the non-standard ports:
external_host/port:   forwards_to_internal_host/port:
10.0.0.5:10443        192.168.4.12:10443
10.0.0.5:11443        192.168.4.12:11443
10.0.0.5:12443        192.168.4.12:12443
I do this all the time. The only caveat is that you pretty much have to
link to these sites from an insecure one to make it work. Just pointing
the browser at https://somesecurehostname.com/ wouldn't make it work --
you'd have to specify https://somesecurehostname.com:10443/ for example.
Best o' luck,
Ed
> If no to the above, can you think of a pound configuration using
> multiple IP addresses that would support three Web Hosting platforms
> all using SSL. As a reminder, my configuration has an alcatel
> DSLAM/firewall port forwarding to an IPCop Server, port forwarding to a
> single instance of pound.
>
> If yes, please assist by suggesting available options.
>
> Is multiple SSL server support possible with multiple instances of
> pound running on the same machine? (If yes please discuss how)
>
> If it is not possible to support more than one SSL capable server for
> my configuration, then please assist me by providing the configuration
> lines for SSL support on one server, taking account of my
> configuration (i.e. Alcatel DSLAM/FW --> IPCop--> pound).
>
> Thanks for your help Robert, and my apologies for being so dense.
>
> Courtney Oakley
>
> -----Original Message-----
> From: Robert Segall [mailto:roseg(at)apsis.ch]
> Sent: 08 June 2005 14:12
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy
> Environment
>
> On Tue, 07 Jun 2005 12:53:56 +0100 "Oakley, Courtney (EXP)"
> <courtney.oakley(at)lmco.com> wrote:
>
>> Robert,
>> Thanks for your advice I am making progress now. I didn't have my
>> config file, so I tried to produce it from memory, which is why I left
>> out the "Host" from the HeadRequire statement.
>>
>> UPDATE
>> I am trying reverse proxying with one machine (just to get it working).
>> I now have communication (i.e. the issuing of the login screens from the
>> backend machine). But then I get:
>>
>> Pound error: flush buffers xxx.xxx.xxx.xxx
>>
>> Looking at the other archives, you have indicated that this is caused by
>> Resource Allocation problems. So should I now extend my "Client 15" to a
>> longer timespan? Are there other statements that I should use, such as
>> "Server xxxx"?
>
> No. A "flush" message just means some client closed the connection
> before the reply could be fully transmitted. You can safely ignore it.
> BTW, the specific message you show appeared in an older Pound version -
> you may want to upgrade to the latest Pound.
>
>> Incidentally I am running
>> Mandrake 9.2 kernel 2.4.22-26
>> On an old HP 800CT portable PC (48 Mbytes RAM, 166 MHz Pentium, 1.4GB
>> Disk)
>> This machine only runs pound, it does nothing else. I shall upgrade it
>> (i.e. get a meatier machine) when I've got pound working.
>
> As long as you run it as a server (no GUI) it should be enough for a
> light traffic site. Check your usage.
>
>> OUTSTANDING QUESTION
>> As I described previously I have 3 Web Hosting Platforms that are all SSL
>> capable. You reminded me of the README which gives reasons why
>> pound (or any other reverse-proxy) cannot proxy SSL.
>
> Pound can very well proxy SSL - it just can't do virtual hosting over
> SSL. These are two separate issues.
>
>> So is the right way to support SSL on these platforms then to provide them
>> all with the same Certificate (I am just using self signed for testing
>> at the moment) and use
>>
>> ListenHTTPS 192.168.a.x,81 /xxxxxx/xxxx/xx.pem
>> ListenHTTPS 192.168.a.x,443 /xxxxxx/xxxx/xx.pem
>>
>> On my Web Hosting Platforms Admin HTTPS uses port 81, but Users HTTPS
>> use port 443
>
> A certificate needs to be connected to the server - the server URL is
> embedded in the certificate. Anything else will have the client browser
> protesting.
>
>> Thanks for your help
>> Courtney
>
> You're welcome.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-44-920 4904

Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch>
2005-06-10 13:30:34

On Thu, 09 Jun 2005 18:36:58 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
> Hi Robert,
> Forgive me for being dense, but I want to determine definitively
> whether or not I am able to support SSL on 3 different Web Hosting
> Servers using one IP address. From our discussion it does not sound like
> this is possible. Here are my questions.
>
> Is there any way of using pound to support SSL on all three Web Hosting
> platforms with one IP address (Yes/No)
As the lawyer asked "Have you stopped beating your wife? Just answer yes
or no!".
There is no one "right" answer here - you'll have to be much more
specific. In general you probably can, but how to do it depends very
much on what exactly you want to achieve.
> If no to the above, can you think of a pound configuration using
> multiple IP addresses that would support three Web Hosting platforms all
> using SSL. As a reminder, my configuration has an alcatel DSLAM/firewall
> port forwarding to an IPCop Server, port forwarding to a single instance
> of pound.
>
> If yes, please assist by suggesting available options.
1. Use three separate addresses (addr1:443, addr2:443, addr3:443) and
have three separate instances of Pound passing this to your servers.
stunnel is probably a better option for this, if the only thing you
want is SSL wrapping.
2. Use three separate ports on your address (addr1:443, addr1:10443,
addr1:11443). Make sure the servers are reachable via some links on
another page, or via redirects.
3. Have a single address (addr1:443) with separate paths
(https://addr1:443/srv1, https://addr1:443/srv2, https://addr1:443/srv3)
and have a single Pound split the requests to the servers as per path.
I'm quite sure that knowing your exact circumstances I could come up
with a few additional ideas.
> Is multiple SSL server support possible with multiple instances of pound
> running on the same machine? (If yes please discuss how)
Yes - just make sure they listen on separate addresses or ports.
> If it is not possible to support more than one SSL capable server for my
> configuration, then please assist me by providing the configuration
> lines for SSL support on one server, taking account of my configuration
> (i.e. Alcatel DSLAM/FW --> IPCop--> pound).
>
> Thanks for your help Robert, and my apologies for being so dense.
No need to apologize, and I'm quite sure this is nothing about being
"dense". I would however suggest you try reading a bit on HTTP and/or
HTTPS so we can use the same terminology.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
RE: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
"Oakley, Courtney (EXP)" <courtney.oakley(at)lmco.com> | 2005-06-10 16:13:54
Hi Robert,
Now you're cooking! I like suggestions 1) and 3). Ed Zahurak
also came up with 1) and 2). I am talking to my Broadband provider now
about getting some extra IP addresses to support 1) which is so simple
that I can instantly understand it, but it's going to cost me.
Time for my questions again? (no wife beating this time)
1a) Please can you describe option number 3 in more detail. Would the
user have to enter https://universal:443/server1 to get HTTPS or is
there some way that a simple entry such as https://wapmail.universal:81
can be mapped to the above using pound. I believe you call this URL
rewriting.
So a realistic example might be
https://wapmail.universal:81 ---> https://universal:443/server1
https://www.universal:81 ---> https://universal:443/server2
https://securemail:81 ---> https://universal:443/server3
1b) Then I configure pound to split https://universal:443/server{1,2,3}
to the backend servers using the standard
UrlGroup ".*"
HeadRequire Host ".*universal:443/server1.*"
Backend 192.168.x.x,443,1
EndGroup
Have I got it right? (I think I'm getting the hang of this).
2) What about SSL Wrapper how does that work for my environment (the
documentation is sparse). I know that there is a single pound server
Certificate, but I need a bit more explanation and a couple more config
file examples.
MY CONFIGURATION REMINDER
ISP Broadband----(external IP)---DSLAM---Portforward---(RED internal IP)--IPCOP Server--->
--->Portforward---(GREEN IP)---Pound (SSL Wrapper :443 or :81)------> Web Hosting Platform 1 (IP Address:444)
                                                                 |
                                                                 ------> Web Hosting Platform 2 (IP Address:444)
                                                                 |
                                                                 ------> Web Hosting Platform 3 (IP Address:444)
Thanks guys.
Courtney Oakley
Re: [Pound Mailing List] DSLAM IPCop Pound Reverse-Proxy Environment
Robert Segall <roseg(at)apsis.ch> | 2005-06-10 16:48:45
On Fri, 10 Jun 2005 15:13:54 +0100 "Oakley, Courtney (EXP)"
<courtney.oakley(at)lmco.com> wrote:
> Hi Robert,
> Now you're cooking! I like suggestions 1) and 3). Ed Zahurak
> also came up with 1) and 2). I am talking to my Broadband provider now
> about getting some extra IP addresses to support 1) which is so simple
> that I can instantly understand it, but it's going to cost me.
Correct, that's why I offered 2 and 3...
> Time for my questions again? (no wife beating this time)
>
> 1a) Please can you describe option number 3 in more detail. Would the
> user have to enter https://universal:443/server1 to get HTTPS or is
> there some way that a simple entry such as https://wapmail.universal:81
> can be mapped to the above using pound. I believe you call this URL
> rewriting.
Pound does not support URL rewriting. The URL would be
https://universal/path1, https://universal/path2, etc. This would be
split by Pound to go to http://backend1/path1, http://backend2/path2,
etc.
> So a realistic example might be
> https://wapmail.universal:81 ---> https://universal:443/server1
> https://www.unuversal:81 ---> https://universal:443/server2
> Https://securemail:81 ---> https://universal:443/server3
I have no idea why you would want HTTPS on port 81. What redirects you
do is your business. The accepted practice is to have a common entry
page http://www.you.com with links to https://www.you.com/path1 and so
on.
> 1b) Then I configure pound to split https://universal:443/server{1,2,3}
> to the backend servers using the standard
> UrlGroup ".*"
> HeadRequire Host ".*universal:443/server1.*"
> Backend 192.168.x.x,443,1
> EndGroup
>
> Have I got it right? (I think I'm getting the hang of this).
Not really. What you want is more like
ListenHTTPS 192.168.x.x,443 /path/cert.pem
UrlGroup "/server1/.*"
Backend 192.168.x.x,80,1
# Optional - not really needed in your case
HeadRequire Host ".*www\.universal\.com.*"
EndGroup
Don't forget that Pound will only talk HTTP to the back-ends.
> 2) What about SSL Wrapper how does that work for my environment (the
> documentation is sparse). I know that there is a single pound server
> Certificate, but I need abit more explanation and a couple more config
> file examples.
If you mean stunnel you'll have to look up the docs on that. For Pound
have a look at the README, man page and/or web page - you'll find some
examples there.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
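Robert's sketch for option 3, filled out as an added example. This is not code from the thread or from the Pound project: it is one Pound 1.x configuration, in the directive form used in this thread, for a single instance on the GREEN-zone host that terminates HTTPS on one address and one port and picks the back-end by URL path prefix. The addresses 192.168.a.x and 192.168.b.1 to 192.168.b.3, the /srv1 to /srv3 prefixes, the back-end port 80 and the certificate path are all assumptions standing in for the poster's redacted values; check the directive spelling against the man page of the Pound version you run.

```conf
# Added example, not from the thread: one Pound 1.x instance implementing
# Robert's option 3 (single address and port, split by URL path).
# 192.168.a.x   = the Pound host in the GREEN zone (assumed, as in the thread)
# 192.168.b.1-3 = the three hosting platforms in the ORANGE zone (assumed)

User    pound
Group   pound
# LogLevel 3 is the verbose setting the poster used while debugging;
# 1 is enough once the setup works.
LogLevel 1

# One certificate, one HTTPS listener on the one address the DSLAM/IPCop
# port-forward chain ends at. The name in the certificate must be the name
# users type (universal.com, assumed), or browsers will protest, as Robert
# notes above.
ListenHTTPS 192.168.a.x,443 /etc/pound/universal.pem
# Plain-HTTP listener for the common entry page that links to the
# https://universal.com/srvN/ paths.
ListenHTTP  192.168.a.x,80

# Pound 1.x only speaks HTTP to the back-ends, so each platform must expose
# a plain-HTTP listener (port 80 assumed). The platforms' :444 listeners in
# the poster's diagram are HTTPS and cannot be used as back-ends here.
# Each pattern is anchored with ^ so the prefix is matched at the start of
# the path, whatever anchoring your Pound version applies by itself.
UrlGroup "^/srv1/.*"
Backend 192.168.b.1,80,1
EndGroup

UrlGroup "^/srv2/.*"
Backend 192.168.b.2,80,1
EndGroup

UrlGroup "^/srv3/.*"
Backend 192.168.b.3,80,1
EndGroup

# Catch-all for everything else (the entry page at /). Keep it last so the
# specific prefixes above are consulted first.
UrlGroup ".*"
Backend 192.168.b.1,80,1
EndGroup
```

Two caveats follow directly from the thread. First, because the back-end leg is plain HTTP, traffic between Pound in GREEN and the platforms in ORANGE crosses IPCop in cleartext; that is acceptable only if that internal path is trusted, and the IPCop rules should allow 192.168.a.x to reach port 80 on exactly those three hosts and nothing else. Second, the UrlGroup sections in this syntax are global, not attached to a particular listener, so Robert's option 2 (different back-ends on different ports) needs one Pound instance per port, each with its own configuration file, which is what his "separate addresses or ports" answer above means.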