Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> | 2005-11-01 13:03:49
> This is to announce the release of Pound v2.0b1. This is an experimental[...]
Hi Robert,
Thanks for the new beta release. I've just tried to update my rpm package
and found some things in 2.0b1:
- ListenHTTPS doesn't work, attached patch fixes it
- the examples in the man page sometimes use 'Server' instead of 'Service'
I like the new config file syntax but as an rpm maintainer, I'm not sure
how to deal with the change. It would be extremely helpful to have some
kind of upgrade program to convert an old style config file to the new
one. Maybe some perl guru can provide this in a one liner, anyone?
For those interested, a first source rpm is here:
http://www.invoca.ch/pub/packages/pound/beta/
Regards,
Simon
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-01 14:11:30
On Tue, 2005-11-01 at 13:03 +0100, Simon Matter wrote:[...]
Many thanks - I'll look into it.
[...]
Already fixed...[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
FX <gentoo(at)sbcglobal.net> | 2005-11-01 20:25:47
Robert Segall wrote:
[...]
It would be really nice if there was an option to have pound append to
x-forwarded-for if the backend is remote. This would enable improved
logging/security on the backends rather than those backends seeing the
hits all coming from the same ip address (pound's ip).
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-02 12:38:12
On Tue, 2005-11-01 at 13:25 -0600, FX wrote:[...]
Funny, but I thought Pound sets the X-Forwarded-for with the client
address. Has been doing so since version 0.4 at least.
As a side-note: I can understand logging, but I would never, ever trust
the client address for security stuff.[...]
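Robert's caveat above is the reason a back-end must not take X-Forwarded-For at face value. The following C routine is an added example (not Pound's code, and not written by anyone in this thread) showing how a back-end can still use the header for logging while believing only the hops its own proxies appended: each proxy appends the address it saw its peer use, so the rightmost entries come from your infrastructure and the leftmost ones may have been supplied by the client itself. The proxy addresses, peer addresses and header values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Pound's code. A back-end receiving X-Forwarded-For
 * should only believe the entries that its own proxies appended. */

#define MAX_HOPS 16
#define ADDR_LEN 64

/* Hypothetical list of proxies we operate, e.g. the Pound host and a CDN edge. */
static const char *const TRUSTED_PROXIES[] = { "10.0.0.5", "198.51.100.9" };
#define N_TRUSTED (sizeof TRUSTED_PROXIES / sizeof TRUSTED_PROXIES[0])

static int is_trusted(const char *addr)
{
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strcmp(addr, TRUSTED_PROXIES[i]) == 0)
            return 1;
    return 0;
}

/* Copies [start, end) into out with surrounding blanks removed. */
static void copy_trimmed(const char *start, const char *end, char *out, size_t outlen)
{
    while (start < end && (*start == ' ' || *start == '\t')) start++;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    size_t n = (size_t)(end - start);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
}

/* Splits the comma separated header into hops, left to right. Returns the
 * number of non-empty entries, or -1 if there are more than max, so an
 * over-long header is rejected instead of being silently truncated. */
static int split_xff(const char *xff, char hops[][ADDR_LEN], int max)
{
    int n = 0;
    const char *start = xff;
    for (;;) {
        const char *comma = strchr(start, ',');
        const char *end = comma ? comma : start + strlen(start);
        char item[ADDR_LEN];
        copy_trimmed(start, end, item, sizeof item);
        if (item[0] != '\0') {
            if (n >= max) return -1;
            memcpy(hops[n++], item, sizeof item);
        }
        if (!comma) break;
        start = comma + 1;
    }
    return n;
}

/* Determines the client address a back-end may log for this request.
 * peer_addr is the TCP peer that delivered the request; unless that peer is
 * one of our proxies, nothing in the header was written by us and 0 is
 * returned. Otherwise the entries are walked from the right, skipping our own
 * proxies; the first foreign address is copied to out and 1 is returned.
 * 0 with a trusted peer means no usable entry: fall back to peer_addr. */
int xff_client(const char *xff, const char *peer_addr, char *out, size_t outlen)
{
    char hops[MAX_HOPS][ADDR_LEN];
    int n;

    if (!is_trusted(peer_addr))
        return 0;
    n = split_xff(xff, hops, MAX_HOPS);
    if (n < 0)
        return 0;
    while (n > 0) {
        if (!is_trusted(hops[n - 1])) {
            snprintf(out, outlen, "%s", hops[n - 1]);
            return 1;
        }
        n--;
    }
    return 0;
}

/* Convenience check: 1 if xff_client yields expect (NULL = no usable entry). */
int xff_check(const char *xff, const char *peer_addr, const char *expect)
{
    char out[ADDR_LEN];
    int got = xff_client(xff, peer_addr, out, sizeof out);
    if (!expect) return got == 0;
    return got == 1 && strcmp(out, expect) == 0;
}

int main(void)
{
    char out[ADDR_LEN];
    /* The client put 192.0.2.44 in the header itself; Pound appended 203.0.113.7. */
    if (xff_client("192.0.2.44, 203.0.113.7", "10.0.0.5", out, sizeof out))
        printf("client address: %s\n", out);
    return 0;
}
```

The peer check matters as much as the right-to-left walk: a request that reaches the back-end without passing through one of the listed proxies carries a header nobody on our side wrote, and the peer address is then all the back-end can log. With the append behaviour FX asks for, Pound's own entry is always the rightmost one, which is exactly the one this routine picks.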
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
"Eric dai" <daibaoming(at)gmail.com> | 2005-11-02 16:22:23
----- Original Message -----
From: "Robert Segall" <roseg(at)apsis.ch>
To: <pound(at)apsis.ch>
Sent: Tuesday, November 01, 2005 12:25 AM
Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load
balancer - v2.0b1
[...][...][...]
because in most cases the CRL is changed periodically; now it is combined with the
VerifyList
Another way: suggest adding a Unix SIGNAL to pound to reload the config
without interrupting the current service
Another way: sometimes client certs will be issued by more than 1 CA, typically
when a system moved from CA A to CA B.
In order to move smoothly, it needs the certs from both CA A and CA B to work
[...][...][...]
Sorry, I tested 2.0b1; it can do it
[...][...]
if a customer uses more than one CA and each CA contains a long certificate chain,
for instance
CA A has a chain: operator CA, policy CA, root CA
CA B also; I have to combine all 6 CA PEM files into 1 file as a verifylist
In most commercial products, including F5 Networks and Cisco, they use a verify
CApath instead. Of course, the user needs to prepare the CApath: hash their CA chain
files to XXXX.0
[...]
The CRL is always changing, so many commercial products use the CDP to identify how
to retrieve the latest CRL files via ldap/url etc.
Also, if we meet more CAs which issued the client's cert, we always prefer
the OCSP solution: use a standalone OCSPD server to verify the cert's status
[...]
mod_ssl does it, and many websites are optimized for it [...]
[...][...]
Actually, I am a product manager of a commercial SSL offloader company; all
these feature requests are based on real demand and feedback from our customers
[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
"Eric dai" <daibaoming(at)gmail.com> | 2005-11-02 16:27:15
Do you consider using XML as the config file, or making a web GUI?
thanks and best regards
eric dai
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v1.9.4
Yusuf Goolamabbas <yusufg(at)outblaze.com> | 2005-11-03 06:46:42
On Thu, Oct 20, 2005 at 06:52:46PM +0200, Robert Segall wrote:[...]
The regexp for this doesn't cater for the facilities local[0-7]
This is what I changed the line to
regcomp(&LogFacility, "^[ \t]*LogFacility[ \t]+([a-z]+[0-7])[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
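The pattern Yusuf posts can be checked against sample config lines with the same POSIX regex calls Pound uses. The C program below is an added example, not Pound's code: it compiles a LogFacility pattern with the posted flags and extracts the captured facility name. One caveat worth seeing in practice: because the posted pattern ends the facility in `[0-7]`, a name without a trailing digit (such as `daemon`) no longer matches it. The variant with an optional digit (`[0-7]?`) is my own assumption, not something from the thread, and accepts both forms while still rejecting `local8`.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Pound's code: compile a LogFacility pattern with the
 * flags from the posted regcomp() call and extract the facility name. */

/* The pattern exactly as posted: a run of letters followed by one digit 0-7. */
const char *PATTERN_POSTED = "^[ \t]*LogFacility[ \t]+([a-z]+[0-7])[ \t]*$";

/* Variant (an assumption, not from the thread): the digit is optional, so
 * "daemon" as well as "local3" is accepted. */
const char *PATTERN_OPTIONAL_DIGIT = "^[ \t]*LogFacility[ \t]+([a-z]+[0-7]?)[ \t]*$";

/* Returns 1 and copies the captured facility into out when line matches,
 * 0 when it does not, -1 when the pattern fails to compile. */
int match_facility(const char *pattern, const char *line, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    int rc;

    if (regcomp(&re, pattern, REG_ICASE | REG_NEWLINE | REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, line, 2, m, 0);
    if (rc == 0) {
        size_t n = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (n >= outlen) n = outlen - 1;
        memcpy(out, line + m[1].rm_so, n);
        out[n] = '\0';
    }
    regfree(&re);
    return rc == 0;
}

/* 1 if line yields exactly the facility expect (NULL = expected not to match). */
int facility_is(const char *pattern, const char *line, const char *expect)
{
    char out[32];
    int rc = match_facility(pattern, line, out, sizeof out);
    if (!expect) return rc == 0;
    return rc == 1 && strcmp(out, expect) == 0;
}

int main(void)
{
    const char *lines[] = { "LogFacility local3", "LogFacility daemon", "LogFacility local8" };
    for (size_t i = 0; i < 3; i++) {
        char out[32];
        printf("%-22s posted: %d  optional digit: %d\n", lines[i],
               match_facility(PATTERN_POSTED, lines[i], out, sizeof out),
               match_facility(PATTERN_OPTIONAL_DIGIT, lines[i], out, sizeof out));
    }
    return 0;
}
```

Because REG_ICASE is set, `LOGFACILITY LOCAL3` matches as well; the captured text is copied as written, so a caller comparing facility names should do so case-insensitively too.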
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-03 14:41:49
On Wed, 2005-11-02 at 23:22 +0800, Eric dai wrote:[...]
So? A small script will create it easily.
[...]
Have you looked at past postings? This subject was discussed to death...
[...]
So?
[...]
If you have the directory you can create the file. What's the point in
duplicating the effort?
[...]
OCSP is a nice idea - for the future. Right now it is hardly in what one
would call widespread use.
[...]
So?
[...]
Noted.
[...]
As a product manager I hope you know better than to drop a whole list of
new feature requests on your developers as they try to get a stable beta
out. We released 2.0b1 for community testing in the hope of getting some
useful feedback on it. New features shall be considered once we have a
stable 2.0 release.[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Chris Wilson <chris(at)aidworld.org> | 2005-11-03 15:21:57
Hi Robert and all,
On Thu, 2005-11-03 at 14:41 +0100, Robert Segall wrote:
[...]
Please, go easy on the guy :-) His first language isn't English, you
asked for suggestions, he gave you some. Perhaps they're not what you
were hoping for, but please don't kick his ***, put them in the TODO
file for another day.
[...]
So SSL websites would load faster through Pound if Pound did session
caching? Isn't that a useful improvement to Pound? (otherwise people
might see a performance drop if they start using Pound as an SSL
accelerator to their Apache web servers).
[...]
Yes, and nothing has been done about it yet :-) I'm as guilty as anyone
else, for not contributing the code yet, but perhaps it's useful to be
reminded sometimes that people still want this feature.
By the way, messages from this list seem to have the following footer:
[...]
Perhaps a real address would be more useful than 192.168.1.2?
Cheers, Chris.[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-03 16:54:34
On Thu, 2005-11-03 at 14:21 +0000, Chris Wilson wrote:[...]
Sorry about it. I surely didn't intend to kick anybody's. I must admit I
got rather annoyed by it.
In parentheses: I suspect that for a large part of the people on this
list (myself included) English is not the first language. I know it's a
problem, but as long as English is the lingua franca of our business I'd
rather keep it that way.
[...]
[...]
Server sessions are added to the session cache. When a client proposes a
session to be reused, the server looks for the corresponding session in
(first) the internal session cache (unless
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set), then (second) in the external
cache if available. If the session is found, the server will try to
reuse the session. This is the default.
The way I read it, it means that server sessions ARE enabled in the
current Pound version...
BTW: I suspect that if you have enough traffic for SSL session caching
to actually make a difference then you are probably better off with
hardware acceleration, which is really quite cheap these days.
[...]
Not forgotten really. As you know this is a big stumbling block and I
really would like to see some more discussion of it, though perhaps not
necessarily in the context of beta-testing a new version.
[...]
Thanks, it's fixed now (I hope).[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-03 17:15:19
On Thu, 2005-11-03 at 16:54 +0100, Robert Segall wrote:[...]
And then again, maybe not...[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-03 17:21:16
On Thu, 2005-11-03 at 16:54 +0100, Robert Segall wrote:[...]
Hope springs eternal.[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
"Eric dai" <daibaoming(at)gmail.com> | 2005-11-04 07:48:26
Sorry for my bad English.
I try to describe as below:
config client certificate verify
at 1st, build a config file, maybe named ca.conf or combined with pound.conf
[CA]
name =
# the name of this CA, such as verisign
chain = oca,pca,rca
# the whole certificate chain of this CA
# oca, pca, rca are the certificate file names
verify=
#0 - no crl
#1 - use a static crl file
#2 - use a URL to retrieve CRL
URL=http://210.74.41.60/crl/CRLFile.crl
#3 - directory based CDP (crl distribution point)
#4 - OCSP
File =
# if verify=1, use this static file
URL=
# if verify=2, use this to specify a url to retrieve CRLs, for example URL=http://210.74.41.60/crl/CRLFile.crl
can refer to http://www.openca.org/ocspd/
LDAP=
# if verify=3, use certificate CDP and this ldap address to retrieve the CRLs
, LDAP=210.74.41.60:389
# for CDP based CRL retrieval, you can refer to
http://eaptls.spe.net/
crlupdateinterval=
OCSPURL=
# specify the OCSP url
OCSPresponecert=
# ocsp response certificate
[END]
you can set up more CAs in ca.conf.
In pound.conf, now we can add an option ClientCAs,
ClientCAs = ca1,ca2 ....
if you define 2 CAs in ca.conf as
[CA]
name=ca1
chain= oca,pca,rca
..................
[END]
[CA]
name=ca2
chain=catest,rca
.....
[END]
now you can combine all 1st certificates to build a file as CAlist
and combine all certificates as a verifylist
so CAList = oca+catest, verifylist= oca,pca,rca,catest
but if the user removes 1 certificate from the CA chain, the verifylist does not change. It
is not good.
so I suggest adding a CApath verify option; the user can put all certificates into the
CApath directory
Actually, all commercial products have this CApath option. pls see attached file
when pound is running, 1st check the ClientCAs process:
1) check the ClientCA's crl verify method
if it is url based, now open a separate thread to download the crl from the URL
periodically
a client submits their client certificate to verify as the below process
1) pound verifies the certificate chain
2) verify crl
--- read client certificate, get the issuer and compare with CAlist,
---- find which CA issued this certificate
--- read this CA's crl verify method
--- for file, url, just simply use crl files to verify
-- for ocsp, make a request and send it to the OCSP server
-- for CDP, extract the CDP from the client cert
for example
CN=CRL31
O=CFCA OCA
C=CN
use the CDP LDAP to retrieve the crl from the LDAP server
and verify client certs
you can import the attached pfx to see it; its ldap address is 210.74.41.60
SSL session CACHE can improve the performance, so all commercial products do it.
Fw: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
"Eric dai" <daibaoming(at)gmail.com> | 2005-11-04 08:15:03
Sorry for my bad English.
I try to describe as below:
config client certificate verify
at 1st, build a config file, maybe named ca.conf or combined with pound.conf
[CA]
name =
# the name of this CA, such as verisign
chain = oca,pca,rca
# the whole certificate chain of this CA
# oca, pca, rca are the certificate file names
verify=
#0 - no crl
#1 - use a static crl file
#2 - use a URL to retrieve CRL
URL=http://210.74.41.60/crl/CRLFile.crl
#3 - directory based CDP (crl distribution point)
#4 - OCSP
File =
# if verify=1, use this static file
URL=
# if verify=2, use this to specify a url to retrieve CRLs, for example
URL=http://210.74.41.60/crl/Carlisle.crl
can refer to http://www.openca.org/ocspd/
LDAP=
# if verify=3, use certificate CDP and this ldap address to retrieve the CRLs
, LDAP=210.74.41.60:389
# for CDP based CRL retrieval, you can refer to
http://eaptls.spe.net/
crlupdateinterval=
OCSPURL=
# specify the OCSP url
OCSPresponecert=
# ocsp response certificate
[END]
you can set up more CAs in ca.conf.
In pound.conf, now we can add an option ClientCAs,
ClientCAs = ca1,ca2 ....
if you define 2 CAs in ca.conf as
[CA]
name=ca1
chain= oca,pca,rca
..................
[END]
[CA]
name=ca2
chain=catest,rca
.....
[END]
now you can combine all 1st certificates to build a file as CAlist
and combine all certificates as a verifylist
so CAList = oca+catest, verifylist= oca,pca,rca,catest
but if the user removes 1 certificate from the CA chain, the verifylist does not change. It
is not good.
so I suggest adding a CApath verify option; the user can put all certificates into the
CApath directory
Actually, all commercial products have this CApath option. pls see attached file
when pound is running, 1st check the ClientCAs process:
1) check the ClientCA's crl verify method
if it is url based, now open a separate thread to download the crl from the URL
periodically
a client submits their client certificate to verify as the below process
1) pound verifies the certificate chain
2) verify crl
--- read client certificate, get the issuer and compare with CAlist,
---- find which CA issued this certificate
--- read this CA's crl verify method
--- for file, url, just simply use crl files to verify
-- for ocsp, make a request and send it to the OCSP server
-- for CDP, extract the CDP from the client cert
for example
CN=CRL31
O=CFCA OCA
C=CN
use the CDP LDAP to retrieve the crl from the LDAP server
and verify client certs
you can import the attached pfx to see it; its ldap address is 210.74.41.60
SSL session CACHE can improve the performance, so all commercial products do it.
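Eric's two messages above (the original and its forwarded copy) describe a `[CA] ... [END]` section format and then derive the CAlist and verifylist by hand from it, with the complaint that dropping a certificate from a chain does not update the hand-made verifylist. The C program below is an added example, not Pound's code and not part of Eric's proposal: it parses that proposed layout (section markers, `key=value` lines, `#` comments) and derives both lists from the parsed chains, so a chain edit is reflected in both. The sample configuration, its CA names and its hosts are constructed; keys other than `name=` and `chain=` are accepted but not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Pound's code: parses the [CA] ... [END] ca.conf layout
 * proposed in the two messages above and derives CAlist (the first
 * certificate of each chain) and verifylist (every certificate, listed once)
 * from it, so that editing a chain updates both lists together. Every name
 * and host in the sample text is constructed. */

#define MAX_CAS 8
#define MAX_CHAIN 8
#define NAME_LEN 32

struct ca_entry {
    char name[NAME_LEN];
    char chain[MAX_CHAIN][NAME_LEN]; /* certificate file names, issuing CA first */
    int nchain;
};

const char *SAMPLE_CA_CONF =
    "[CA]\nname=ca1\nchain=oca,pca,rca\nverify=2\n"
    "URL=http://crl.example.invalid/ca1.crl\n[END]\n"
    "# second CA, status checked through OCSP\n"
    "[CA]\nname=ca2\nchain=catest, rca\nverify=4\nOCSPURL=http://ocsp.example.invalid/\n[END]\n";

/* Copies n bytes of src into dst (size dlen) with surrounding blanks removed. */
static void copy_trimmed(char *dst, size_t dlen, const char *src, size_t n)
{
    while (n > 0 && (*src == ' ' || *src == '\t')) { src++; n--; }
    while (n > 0 && (src[n - 1] == ' ' || src[n - 1] == '\t' || src[n - 1] == '\r')) n--;
    if (n >= dlen) n = dlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Returns the number of CAs parsed, or -1 for a malformed file: a key outside
 * a section, a nested [CA], an [END] without [CA], or a section without name.
 * Keys other than name= and chain= (verify=, URL=, LDAP=, ...) are accepted
 * but not modelled here. */
int parse_ca_conf(const char *text, struct ca_entry *cas, int max)
{
    char line[256], key[NAME_LEN];
    int in = 0, n = 0;
    while (*text) {
        const char *nl = strchr(text, '\n'), *eq, *val;
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        copy_trimmed(line, sizeof line, text, len);
        text += nl ? len + 1 : len;
        if (line[0] == '\0' || line[0] == '#') continue;   /* blank or comment */
        if (strcmp(line, "[CA]") == 0) {
            if (in || n >= max) return -1;
            memset(&cas[n], 0, sizeof cas[n]);
            in = 1;
        } else if (strcmp(line, "[END]") == 0) {
            if (!in || cas[n].name[0] == '\0') return -1;
            in = 0;
            n++;
        } else if (!in || !(eq = strchr(line, '='))) {
            return -1;
        } else {
            copy_trimmed(key, sizeof key, line, (size_t)(eq - line));
            for (val = eq + 1; *val == ' ' || *val == '\t'; val++) ;
            if (strcmp(key, "name") == 0) copy_trimmed(cas[n].name, NAME_LEN, val, strlen(val));
            else if (strcmp(key, "chain") == 0) while (*val) {  /* comma separated names */
                const char *c = strchr(val, ',');
                size_t l = c ? (size_t)(c - val) : strlen(val);
                if (cas[n].nchain >= MAX_CHAIN) return -1;
                copy_trimmed(cas[n].chain[cas[n].nchain++], NAME_LEN, val, l);
                val += c ? l + 1 : l;
            }
        }
    }
    return in ? -1 : n;
}

/* Appends item to a comma separated list unless already present; 0 if full. */
static int add_unique(char *list, size_t len, const char *item)
{
    char hay[512], needle[NAME_LEN + 2];
    snprintf(hay, sizeof hay, ",%s,", list);
    snprintf(needle, sizeof needle, ",%s,", item);
    if (strstr(hay, needle)) return 1;
    if (strlen(list) + strlen(item) + 2 > len) return 0;
    if (list[0]) strcat(list, ",");
    strcat(list, item);
    return 1;
}

/* Parses conf, builds CAlist (first certificate of each chain) and verifylist
 * (all of them, each once) and returns 1 only if both equal the expected strings. */
int lists_are(const char *conf, const char *exp_calist, const char *exp_verifylist)
{
    struct ca_entry cas[MAX_CAS];
    char cl[256] = "", vl[256] = "";
    int n = parse_ca_conf(conf, cas, MAX_CAS);
    if (n < 0) return 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < cas[i].nchain; j++)
            if ((j == 0 && !add_unique(cl, sizeof cl, cas[i].chain[0]))
                || !add_unique(vl, sizeof vl, cas[i].chain[j])) return 0;
    return strcmp(cl, exp_calist) == 0 && strcmp(vl, exp_verifylist) == 0;
}
```

Run against the sample, `lists_are` confirms Eric's hand-derived result (`CAList = oca,catest`, `verifylist = oca,pca,rca,catest`, with the shared `rca` listed once); removing `pca` from the first chain changes the verifylist on the next parse, which is the property a CApath directory gives for free and a hand-concatenated PEM file does not. The parser rejects rather than guesses on malformed input, which is the behaviour to want from anything that feeds a trust store.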
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Steven Van Acker <deepstar(at)ulyssis.org> | 2005-11-07 17:09:21
On Mon, Oct 31, 2005 at 05:36:34PM +0100, Robert Segall wrote:[...]
Which extra weight are you referring to ? It seems to me that
implementing a flex/bison parser for Pound would provide a more
powerful, more extendible and better understood configuration subsystem.
An added bonus is that flex/bison is a well-tested way of parsing
configuration files, and would thus reduce the possibility of bugs
in that subsystem of Pound.
Unless I'm mistaken, the configuration is only read in and parsed once,
so I have no idea where the extra weight would be ? Do you mean binary size ?
greets,[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b1
Robert Segall <roseg(at)apsis.ch> | 2005-11-07 17:24:26
On Mon, 2005-11-07 at 17:09 +0100, Steven Van Acker wrote:[...]
Binary size is secondary. I meant above all portability: do you write
for lex or flex, and which version? Is it yacc, byacc, bison? On SysV or
BSD? How is a terminal defined? I think you get the idea.
For the time being I think the config parsing is really quite simple,
and we haven't seen any issues with it. Speed is not an issue (it is
only done once, as you rightly remark), and the complexity is minimal.
The bigger picture: we seem to lack a standard for Unix config files (or
perhaps we have too many of them). Until such a standard emerges I think
we can live with the existing parser.[...]
ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b2
Robert Segall <roseg(at)apsis.ch> | 2005-11-08 16:48:23
This is to announce the release of Pound v2.0b2. This is an experimental
interim release.
Changes in this version:
- fixed the problem with defining HTTPS listeners.
- you can now define the HAport with an optional address, so that you
can run your health monitor on an arbitrary machine (rather than being
limited to the back-end server address).
The software is at version 2.0b2 (beta-ish quality). A lot of testing
(especially under heavy loads and complex configurations) is still
required - please send us your feedback. Bug reports are of particular
importance; let's try to make a 2.0 release as clean as possible!
Reports that the program works as expected are just as important. Please
let us know.[...]
ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b3
Robert Segall <roseg(at)apsis.ch> | 2005-11-18 15:21:31
This is to announce the release of Pound v2.0b3. This is an experimental
interim release.
Changes in this version:
- added a -V flag to print the program version
- fixed a couple of bugs, most notably the segfault related to
HeadRequire definition
The software is at version 2.0b3 (beta-ish quality). A lot of testing
(especially under heavy loads and complex configurations) is still
required - please send us your feedback. Bug reports are of particular
importance; let's try to make a 2.0 release as clean as possible!
Reports that the program works as expected are just as important. Please
let us know.[...]
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.0b3
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> | 2005-11-18 15:41:16