Using HeadRequire to block access
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk>
2005-10-07 16:35:36
Hi folks, we use Pound to load balance our farm of Zope servers; it has
simplified things considerably, removing Apache from the mix in most
cases.

Everything works nicely and we don't have any real problems. I have,
however, just been asked to lock down access to a certain section of our
faculty site to internal access only. Normally in Apache I would do
something along the lines of:

RewriteCond   %{REMOTE_HOST}    !^.+\.ncl\.ac\.uk$
RewriteRule   ^(/internal/.+)   http://oursite.ncl.ac.uk/notallowed.html   [R,L]

I was wondering if the same effect is possible in my pound.cfg for the
site in question. Is it just a case of adding another HeadRequire
directive, presumably something like...

HeadRequire RemoteHost "OUR.NETWORK.ADDRESS.RANGE"

Let me know if I'm on the right track! :-)

----------

The relevant portion of the pound.cfg to the site is posted below:

# Send some static URLs to Apache
UrlGroup "/images/*"
HeadRequire Host    ".*oursite.ncl.ac.uk.*"
BackEnd image-server.ac.uk,80,1
EndGroup
...
<More offloading of static content>
...
UrlGroup "/icons/*"
HeadRequire Host    ".*oursite.ncl.ac.uk.*"
BackEnd image-server.ac.uk,80,1
EndGroup

# Live Site - Session data hosted via ZEO for this one
UrlGroup ".*"
HeadRequire Host    ".*oursite.ncl.ac.uk.*"
BackEnd one.ac.uk,60081,5
BackEnd two.ac.uk,60082,5
BackEnd three.ac.uk,60083,5
EndGroup

 John Snowdon - IT Support Specialist
-==========================================-
 School of Medical Education Development 
 Faculty of Medical Sciences Computing
 University of Newcastle

Re: [Pound Mailing List] Using HeadRequire to block access
Robert Segall <roseg(at)apsis.ch>
2005-10-07 18:24:22
On Fri, 2005-10-07 at 15:35 +0100, John Snowdon wrote:[...]

Not really...

REMOTE_HOST is not a header but an Apache variable, and you won't match
anything at all.

The right way to do this is via your firewall. Have Pound reject all
requests to /internal (a UrlGroup with no back-ends). Use a second
Pound instance (or direct access to Zope) on a separate port, and
configure your firewall to only accept connections there from your
internal network.[...]

RE: [Pound Mailing List] Using HeadRequire to block access
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk>
2005-10-10 09:56:46
Hi Robert

[...]

A bit overly complex for our purposes I'm afraid - we've already got
multiple Apache hosts on there to cope with the Shibboleth
authentication layer for Zope (using the FastCGI approach, and it doesn't
work on a per-vhost level) and some rewriting syntax that we couldn't
accomplish with Pound, the firewall and a nice simple Pound instance, and
I'm hesitant to add more features to the mix (one reason being I'm the
only one who looks after all this - the easier I make it for myself, the
better!).

However, we've come up with another solution, using PAS for Zope -
writing a credential extractor based on the HTTP_X_FORWARDED_FOR header
and assigning internal or external roles based on a decision made on the
network class. As the contents of the pages are not sensitive this
should let us generate two different pages based on the two roles. Of
course if the information was sensitive in any way I wouldn't recommend
this approach.

Cheers

-John

RE: [Pound Mailing List] Using HeadRequire to block access
Robert Segall <roseg(at)apsis.ch>
2005-10-10 13:59:34
On Mon, 2005-10-10 at 08:56 +0100, John Snowdon wrote:[...]

This is a nice solution, but you may want to be careful:

- any client may generate and send any header they wish, inclusive of
X-Forwarded-For. You may want to put a HeadRemove in your Pound
configuration to make sure that doesn't happen.

- also be prepared to deal with multiple headers - the same header may
appear more than once (with different content), or a single header may
have multiple values.[...]
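
The two warnings above are exactly where X-Forwarded-For based access decisions go wrong, so here is an added example (not code from the thread, and not John's actual PAS plugin) of the decision logic a Zope PAS extraction/roles plugin would need: it flattens repeated header lines and comma-separated values, trusts only the hops appended by proxies we control (walking from the TCP peer backwards), ignores anything the client put in the header itself, and refuses to decide when it meets an unparseable entry. The proxy and internal ranges, the sample addresses and the PAS plumbing (which is left out) are assumptions; the code uses the standard-library ipaddress module rather than any Zope API.

```python
import ipaddress

# Constructed values for the example; substitute the real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]     # Pound (and any Apache in front of it)
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # what "internal" means for roles


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def parse_forwarded_for(header_values):
    """Flatten every X-Forwarded-For occurrence, in arrival order, into one
    list of hops.  Handles both repeated header lines and comma-separated
    lists; an entry that is not an IP address becomes None, never a guess."""
    hops = []
    for raw in header_values:
        for part in raw.split(","):
            part = part.strip()
            if not part:
                continue
            try:
                hops.append(ipaddress.ip_address(part))
            except ValueError:
                hops.append(None)
    return hops


def effective_client(remote_addr, header_values, trusted=TRUSTED_PROXIES):
    """Return the address the request really came from, or None if that
    cannot be established.

    Only the TCP peer is known to be honest.  Each proxy appends the address
    it accepted the connection from, so the hops are read right to left and a
    hop is believed only if whatever appended it (the peer, or the hop to its
    right) is one of our proxies.  Anything a client wrote into the header
    before it reached Pound sits to the left of the real client address and is
    never reached."""
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted):
        # Direct connection that bypassed the proxy: the header is noise.
        return peer
    client = peer
    for hop in reversed(parse_forwarded_for(header_values)):
        if hop is None:
            return None          # garbage where a proxy-appended address should be
        client = hop
        if not _in_any(hop, trusted):
            break                # first non-proxy hop is the client
    return client


def role_for(remote_addr, header_values):
    """Role a PAS roles plugin would hand out: Internal only when the
    established client address lies inside INTERNAL_NETWORKS."""
    client = effective_client(remote_addr, header_values)
    if client is not None and _in_any(client, INTERNAL_NETWORKS):
        return "Internal"
    return "External"


if __name__ == "__main__":
    POUND = "10.0.0.5"  # constructed: the peer address Zope sees
    samples = [
        ("honest internal client via Pound", POUND, ["192.0.2.40"]),
        ("external client spoofing an internal hop", POUND, ["192.0.2.40, 203.0.113.9"]),
        ("same spoof, sent as two header lines", POUND, ["192.0.2.40", "203.0.113.9"]),
        ("external client connecting to Zope directly", "203.0.113.9", ["192.0.2.40"]),
        ("unparseable entry where the client should be", POUND, ["192.0.2.40, not-an-ip"]),
        ("Apache in front of Pound, internal client", POUND, ["192.0.2.40, 10.0.1.2"]),
    ]
    for label, peer, xff in samples:
        print(f"{label:50s} -> {role_for(peer, xff)}")
```

With Robert's HeadRemove in place the header Zope receives carries only the hop Pound appended, and the walk stops after one step; the code is written so that it also gives the right answer without it, which matters the day someone reaches Zope's port without going through Pound.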

RE: [Pound Mailing List] Using HeadRequire to block access
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk>
2005-10-10 16:33:06
Thanks Robert, will do that to be on the safe side!
[...]
