[Pound Mailing List] Pound - v2.0b1
[Pound Mailing List] Pound - v2.0b1
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-03 17:27:20 |
|
I noticed the format of the config file has changed from 1.x to 2.0b1.
Is this documented anywhere? I am eager to see if the v2 will help me in
my virtual SSL hosts.
Michael Weiner
|
|
|
Re: [Pound Mailing List] Lost sessions
Russell Valentine <russ(at)altec.org> |
2005-11-07 18:55:25 |
|
Thanks for everyone's help. Thanks for the AOL tip as well. I found out
it's the backends that are overloading.
Example:
Backend 3 gets overloaded, now more requests get sent to the other
backends because it isn't responding. Those other backends eventually
get overloaded and it continues. Every time one backend overloads that
is when I am losing the sessions. At some point the first backend
becomes responsive again before all of them fail. So basically I need to
make more backends.
Russell Valentine
Joe Gooch said the following on 10/31/2005 09:25 AM:[...][...][...][...][...][...][...]
>>>only mention this because your key problem seems to be with session
>>>affinity - and pound offers several types...
>>>
>>>Personally I would think that a session type of "IP" (because a[...]
>>>lookup should be the fastest) would be a reasonable compromise for[...]
>>>performance against equal balance in order to handle peak loads the[...]
>>>a modest server.
>>>
>>>The drawback is "if" you have a lot of users from a single IP, then[...]
>>>cluster will not be 'perfectly' balanced. i.e. some backend servers[...]
>>>have to handle more load than others.
>>>
>>>We have 10 times your traffic _average_ by the way on a _very_[...]
>>>(single CPU) server and no problems whatsoever :-)
>>>
>>>/David
>>>
>>>
>>>On 10/28/05, *Russell Valentine* <russ(at)altec.org
>>><mailto:russ(at)altec.org>> wrote:
>>>
>>> Hi, I've been using pound for about two years, thanks for the[...]
>>> program. I have a question concerning sessions. I've been[...]
>>> during our busiest times it seems after a certain point pound[...]
>>> remember new sessions anymore, so new sessions cannot be[...][...]
>>>
>>> 1) User hits pound
>>> 2) pound sends request to certain backend
>>> 3) session gets made on backend
>>> 4) user hits pound again
>>> 5) pound sends request to a different backend, now backend has[...][...]
>>>
>>> I only see this problem during times when we have most of our[...]
>>>
>>> I tried to see if we were perhaps maxing on threads or file[...][...]
>>> counted those periodically in a cron job.
>>>
>>> Max I see from lsof: ~200
>>> Max # of threads I see is ~100
>>>
>>> These are nowhere near the limit as shown in ulimit.
>>> I'm using pound v1.9 on Linux 2.4 kernel. Does anyone have[...]
>>>
>>> Russell Valentine
>>>
>>>--
>>>Regards,
>>>David Walters[...]
|
|
|
Re: [Pound Mailing List] Version 2
Chris Withers <chris(at)simplistix.co.uk> |
2005-11-16 17:42:43 |
|
Hi Robert,
Robert Segall wrote:[...]
Nice to hear from you. Any comment on the mail I posted to this list
last week about segfaults from pound 1.5?
I'd be interested in trialing 2.x if you could give me any kind of
indication that these problems are solved...
Chris
[...]
|
|
|
Re: [Pound Mailing List] Version 2
Robert Segall <roseg(at)apsis.ch> |
2005-11-16 18:17:36 |
|
On Wed, 2005-11-16 at 16:42 +0000, Chris Withers wrote:[...]
I must admit I have no idea why you get such problems on 1.5 - maybe
some strange library mix-up? I was hoping someone else could help.
In any case, that is not a version you should use (known security
problem). Try at least to upgrade to the latest 1.9, which fixes quite a
few issues...
I would be grateful if you tried 2.x, though I can't in all honesty call
it production-ready. A bit of chicken-and-egg situation here - it won't
be production-ready until more people test it, and it doesn't get tested
until it's production-ready.[...]
|
|
|
Re: [Pound Mailing List] Version 2
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-11-17 10:14:24 |
|
> I have yet to see any reaction to the 2.x series. Could anybody confirm[...]
I have built rpms of the 2.x here but according to the logs, nobody has
tried them so far.
http://www.invoca.ch/pub/packages/pound/beta/
I have tested 2.0b2 on a very low traffic box without any problems.
However, my situation is too simple to tell much about possible issues.
For me, it just works.
Thanks for the good work!
Simon
|
|
|
Re: [Pound Mailing List] Version 2
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-17 16:16:14 |
|
Robert,
[...]
I'm doing some testing of version 2 at the moment and will see if I can
get some load through it, although as you state, it's a bit of a
catch-22 - we may not be happy to run this in production until it's
stable and it won't go stable without some testing!
Anyway, we currently use Pound in conjunction with this patch -
http://www.apsis.ch/pound/pound_list/archive/2005/2005-04/1113404051000
You stated at the time you may look into integrating this into Pound -
any progress on this? It's unlikely we would be prepared to upgrade to
v2 unless it has this functionality (either built in or as a patch - and
I don't think we have the knowledge to patch it ourselves).
If Pound 2 had built in support for failover back ends like this, we
would definitely be encouraged to progress testing and put into
production. I imagine, from past mailing list posts, others would be in
a similar situation.
Finally, looking at the source, the comments etc all still refer to v1.9
(I thought I'd downloaded the wrong version to start with!). Perhaps
this needs tidying to make it clear for anyone looking through the
source and testing that it's v2 - although I appreciate we're still in
the beta stage.
I'll get back to you with any progress we make in testing.
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-17 16:23:50 |
|
Hi,
[...]
The config format has indeed changed, it's now much clearer and easier
to manage.
The new format is described in 'man pound', with examples - also
available here:
http://www.andrewtaylor.me.uk/gnu/pound/manual.txt
[...]
Not sure what you mean by Virtual SSL Hosts, but if you mean multiple
SSL sites on one IP address, then this isn't something that can be done,
and it's not a restriction of Pound. You can put multiple SSL sites on
one IP, but different ports. One HTTP listener can't deal with multiple
sites as there's no Host header to read.
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Ximon Eighteen <ximon.eighteen(at)int.greenpeace.org> |
2005-11-17 16:35:57 |
|
[...]
Please excuse my complete lack of understanding of HTTPS, but *if* Pound
needs the Host header to determine which key/certificate/whatever to
decrypt the SSL data, can't it just try each that it knows about in turn?
Not clever for a production system, but perhaps someone else can see a
way of improving the performance. Just wondered if, theoretically, this
would work.
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Dave Hinton <dah(at)thereaction.co.uk> |
2005-11-17 17:07:51 |
|
On 17 Nov 2005, at 3:35pm, Ximon Eighteen wrote:
[...][...][...]
No, it can’t.
The web browser will complain (either show a warning to its user, or
flatly refuse to show the page, depending on how it’s configured) as
soon as it is shown a certificate that does not match the web address
it asked for.
[...]
It’s not possible with the SSL protocol in its current state.
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Ximon Eighteen <ximon.eighteen(at)int.greenpeace.org> |
2005-11-17 17:10:07 |
|
> Please excuse my complete lack of understanding of HTTPS, but *if* Pound[...]
Sorry, let me rephrase that.
If pound needs to be told which key/certificate/whatever to use to
decrypt SSL traffic, and cannot pick the correct one if it has several
because it has no Host header to help it choose, can it not just try
every one it has?
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Sam Johnston <samjie(at)gmail.com> |
2005-11-18 11:00:48 |
|
On 11/17/05, Ximon Eighteen <ximon.eighteen(at)int.greenpeace.org> wrote:[...]
RTFRFC :-)
It has to send the certificate first. Wildcard certs can be used to
work around this issue in some sites.
And yes, the lack of 'overloading' in this fashion is a bit of a
problem, but it probably stems from the fact that SSL/TLS is a generic
protocol rather than HTTP specific (it's used, for example, in ssh). I
can only assume that people who know better than I do considered this
when they formulated the specifications (even if only the more recent
ones - eg TLS), and that if it could be done sensibly, securely and in
a backwards compatible fashion then it would have been.
- samj
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Yusuf Goolamabbas <yusufg(at)outblaze.com> |
2005-11-18 11:50:02 |
|
Re: [Pound Mailing List] Version 2
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-18 12:12:42 |
|
Hi,
As promised, results of testing thus far:
Using very simple config files is fine so far. However we use Pound to
distribute requests to separate servers depending on the host header.
Thus, a sample config would be:
----------------------------------------
User "nobody"
Group "nobody"
RootJail "/var/jailroot/pound"
LogFacility local1
LogLevel 1
ListenHTTP
Address 10.0.0.2
Port 80
End
Service
HeadRequire "Host:.*www.website.com.*"
BackEnd
Address 192.168.0.81
Port 80
End
End
----------------------------------------
Without the HeadRequire parameter Pound starts and runs fine, but with
it, we get:
Starting Pound
/etc/rc.d/init.d/pound: line 33: 6274 Segmentation fault "$@"
[FAILED]
'pound -f /usr/local/etc/pound.cfg' results in 'Segmentation fault'
All we get in the log file /var/log/messages is:
Nov 18 10:56:40 smsserver pound: starting...
Is this a mis-configuration my end or a potential bug? Anything more I
can do to track the fault?
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
Re: [Pound Mailing List] Version 2
Robert Segall <roseg(at)apsis.ch> |
2005-11-18 13:32:11 |
|
On Thu, 2005-11-17 at 15:16 +0000, Andrew Taylor wrote:[...]
That is one of the two enhancements planned for 2.0 (along with Redirect
"rewrite" - aka the ability to redirect to a URL dependant on the
original request path). However we won't even get started with the
enhancements until we are confident of the reliability of the existing
code-base.[...]
|
|
|
Re: [Pound Mailing List] Pound 2 cfg
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-18 17:30:06 |
|
Hi,
[...]
My post earlier on today gave the sample config below, which should give
you an idea of what's required.
The key line is the HeadRequire one, slightly different position and
syntax to version 1.x:
----------------------------------------
User "nobody"
Group "nobody"
RootJail "/var/jailroot/pound"
LogFacility local1
LogLevel 1
ListenHTTP
Address 10.0.0.2
Port 80
End
Service
HeadRequire "Host:.*www.website.com.*"
BackEnd
Address 192.168.0.81
Port 80
End
End
----------------------------------------
Thus your new config file would be something like:
----------------------------------------
Service
HeadRequire "Host:.*intranet.ag.com.*"
BackEnd
Address 10.10.240.201
Port 8082
End
End
----------------------------------------
HTH
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
RE: [Pound Mailing List] Pound 2 cfg
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-18 18:12:54 |
|
-----Original Message-----
From: Andrew Taylor [mailto:andrew.taylor(at)rentokil-initial.com]
Sent: Friday, November 18, 2005 11:30 AM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Pound 2 cfg
Hi,
[...]
My post earlier on today gave the sample config below, which should give
you an idea of what's required.
The key line is the HeadRequire one, slightly different position and
syntax to version 1.x:
----------------------------------------
User "nobody"
Group "nobody"
RootJail "/var/jailroot/pound"
LogFacility local1
LogLevel 1
ListenHTTP
Address 10.0.0.2
Port 80
End
Service
HeadRequire "Host:.*www.website.com.*"
BackEnd
Address 192.168.0.81
Port 80
End
End
----------------------------------------
Thus your new config file would be something like:
----------------------------------------
Service
HeadRequire "Host:.*intranet.ag.com.*"
BackEnd
Address 10.10.240.201
Port 8082
End
End
----------------------------------------
Thank you Andrew, that was a huge help - sorry if I missed the earlier
email regarding the syntactical change in the configuration file.
Again, thank you for your assist!
Michael Weiner
|
|
|
RE: [Pound Mailing List] Version 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-18 21:29:19 |
|
OK, I have migrated my older pound config to the newer format, and have
been running some tests, and all looks good so far. Now my next step is
to get SSL working as well, as we have sign-in and join pages for each
domain so it would be great if the virthost SSL problems were not an
issue in v2. So far, I have the following for my configuration:
-------------------------------------------------------------------------------------
User "apache"
Group "apache"
RootJail "/usr/share/pound"
LogFacility local1
LogLevel 3
# Main listening ports
ListenHTTP
Address 10.10.240.201
Port 80
xHTTP 1
End
ListenHTTPS
Address 10.10.240.201
Port 443
Cert "/usr/share/ssl/certs/pound.pem"
Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
xHTTP 1
End
Service
HeadRequire "Host:.*intranet.ag.com.*"
BackEnd
Address 10.10.240.201
Port 8082
End
End
Service
HeadRequire "Host:.*intranet2.ag.com.*"
BackEnd
Address 10.10.232.70
Port 8080
End
End
Service
HeadRequire "Host:.*dev.remind.americangreetings.com.*"
BackEnd
Address 10.10.240.201
Port 89
End
End
Service
HeadRequire "Host:.*dev.remind.bluemountain.com.*"
BackEnd
Address 10.10.240.201
Port 91
End
End
Service
HeadRequire "Host:.*dev.passport.bmamessenger.com.*"
BackEnd
Address 10.10.240.201
Port 10080
End
End
Service
HeadRequire "Host:.*dev.passport.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 10080
End
End
Service
HeadRequire "Host:.*dev.jp.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 35080
End
End
Service
HeadRequire "Host:.*dev.cn.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 35080
End
End
Service
HeadRequire "Host:.*dev.kr.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 35080
End
End
Service
HeadRequire "Host:.*dev.greetings.aol.com.*"
BackEnd
Address 10.10.232.226
Port 8092
End
End
Service
HeadRequire "Host:.*dev.911memorialquilt.com.*"
BackEnd
Address 10.10.240.201
Port 8083
End
BackEnd
Address 10.10.240.101
Port 80
End
End
Service
HeadRequire "Host:.*dev.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.agmobile.com.*"
BackEnd
Address 10.10.240.123
Port 80
End
BackEnd
Address 10.10.240.201
Port 19080
End
End
Service
HeadRequire "Host:.*dev.beatgreets.com.*"
BackEnd
Address 10.10.240.103
Port 80
End
BackEnd
Address 10.10.240.201
Port 13380
End
End
Service
HeadRequire "Host:.*dev.bluemountain.com.*"
BackEnd
Address 10.10.240.124
Port 80
End
BackEnd
Address 10.10.240.201
Port 16080
End
End
Service
HeadRequire "Host:.*dev.bluemountaincards.co.uk.*"
BackEnd
Address 10.10.240.121
Port 80
End
BackEnd
Address 10.10.240.201
Port 22880
End
End
Service
HeadRequire "Host:.*dev.msn.bluemountaincards.co.uk.*"
BackEnd
Address 10.10.240.121
Port 80
End
BackEnd
Address 10.10.240.201
Port 22880
End
End
Service
HeadRequire "Host:.*dev.ninemsn.bluemountaincards.com.au.*"
BackEnd
Address 10.10.240.125
Port 80
End
BackEnd
Address 10.10.240.201
Port 23080
End
End
Service
HeadRequire "Host:.*dev.aol.bluemountaincards.com.au.*"
BackEnd
Address 10.10.240.125
Port 80
End
BackEnd
Address 10.10.240.201
Port 23080
End
End
Service
HeadRequire "Host:.*dev.bmamessenger.com.*"
BackEnd
Address 10.10.240.126
Port 80
End
BackEnd
Address 10.10.240.201
Port 25080
End
End
Service
HeadRequire "Host:.*dev.cme4.americangreetings.com.*"
BackEnd
Address 10.10.240.201
Port 8084
End
End
Service
HeadRequire "Host:.*dev.createandprint.com.*"
BackEnd
Address 10.10.240.110
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*duus.americangreetings.com.*"
BackEnd
Address 10.10.240.201
Port 82
End
End
Service
HeadRequire "Host:.*dev.egreetings.com.*"
BackEnd
Address 10.10.240.102
Port 80
End
BackEnd
Address 10.10.240.201
Port 12380
End
End
Service
HeadRequire "Host:.*dev.ffje.com.*"
BackEnd
Address 10.10.240.118
Port 80
End
BackEnd
Address 10.10.240.201
Port 22480
End
End
Service
HeadRequire "Host:.*dev.img.adsag.com.*"
BackEnd
Address 10.10.240.117
Port 80
End
BackEnd
Address 10.10.240.201
Port 21080
End
End
Service
HeadRequire "Host:.*dev.imgag.com.*"
BackEnd
Address 10.10.240.111
Port 80
End
BackEnd
Address 10.10.240.201
Port 12880
End
End
Service
HeadRequire "Host:.*dev.jazzymail.com.*"
BackEnd
Address 10.10.240.122
Port 80
End
BackEnd
Address 10.10.240.201
Port 18080
End
End
Service
HeadRequire "Host:.*dev.kidzonks.com.*"
BackEnd
Address 10.10.240.104
Port 80
End
BackEnd
Address 10.10.240.201
Port 9780
End
End
Service
HeadRequire "Host:.*dev.milexch.americangreetings.com.*"
BackEnd
Address 10.10.240.108
Port 80
End
BackEnd
Address 10.10.240.201
Port 13280
End
End
Service
HeadRequire "Host:.*dev.msn.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 22180
End
End
Service
HeadRequire "Host:.*dev.nickgreetings.com.*"
BackEnd
Address 10.10.240.116
Port 80
End
BackEnd
Address 10.10.240.201
Port 22280
End
End
Service
HeadRequire "Host:.*dev.oms.americangreetings.com.*"
BackEnd
Address 10.10.240.115
Port 80
End
BackEnd
Address 10.10.240.201
Port 23080
End
End
Service
HeadRequire "Host:.*dev.pdb.americangreetings.com.*"
BackEnd
Address 10.10.240.113
Port 80
End
BackEnd
Address 10.10.240.201
Port 22080
End
End
Service
HeadRequire "Host:.*dev.aim.americangreetings.com.*"
BackEnd
Address 10.10.240.131
Port 80
End
BackEnd
Address 10.10.240.201
Port 28080
End
End
Service
HeadRequire "Host:.*dev.compuserve.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.digitalcity.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.icq.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.netscape.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.yahoo.americangreetings.com.*"
BackEnd
Address 10.10.240.109
Port 80
End
BackEnd
Address 10.10.240.201
Port 17080
End
End
Service
HeadRequire "Host:.*dev.passitarond.com.*"
BackEnd
Address 10.10.240.201
Port 13180
End
End
Service
HeadRequire "Host:.*dev.ucsmaint.americangreetings.com.*"
BackEnd
Address 10.10.240.105
Port 80
End
BackEnd
Address 10.10.240.201
Port 1081
End
End
Service
HeadRequire "Host:.*dev.ucsserv.americangreetings.com.*"
BackEnd
Address 10.10.240.106
Port 80
End
BackEnd
Address 10.10.240.201
Port 1080
End
End
Service
HeadRequire "Host:.*dev.wbwebcards.com.*"
BackEnd
Address 10.10.240.107
Port 80
End
BackEnd
Address 10.10.240.201
Port 11980
End
End
Service
HeadRequire "Host:.*dev.intractive.ag.com.*"
BackEnd
Address 10.10.240.129
Port 80
End
BackEnd
Address 10.10.240.201
Port 27080
End
End
Service
HeadRequire "Host:.*dev.lipservice.defjammobile.com.*"
BackEnd
Address 10.10.240.130
Port 80
End
BackEnd
Address 10.10.240.201
Port 29080
End
End
Service
HeadRequire "Host:.*dev.bmahelp.com.*"
BackEnd
Address 10.10.240.128
Port 80
End
BackEnd
Address 10.10.240.201
Port 26080
End
End
Service
HeadRequire "Host:.*dev.hatterchatter.com.*"
BackEnd
Address 10.10.240.137
Port 80
End
BackEnd
Address 10.10.240.201
Port 31080
End
End
Service
HeadRequire "Host:.*dev.bloombyag.com.*"
BackEnd
Address 10.10.240.138
Port 80
End
BackEnd
Address 10.10.240.201
Port 32080
End
End
Service
HeadRequire "Host:.*dev.target.americangreetings.com.*"
BackEnd
Address 10.10.240.142
Port 80
End
BackEnd
Address 10.10.240.201
Port 34080
End
End
-------------------------------------------------------------------------------------
But I have a few questions,
1) is it possible to collapse all the "service" stanzas into 1 basically
monolithic stanza so as not to have to repeat it so often as in the
above?
2) how would I get SSL for these to work? Maintain a separate pound.cfg
for the SSL versions of these?
3) do the issues with earlier releases of Pound revolving around the
virtual hosts mod_ssl issues still exist? As I run secures on all the
above, same IPs as their non-secure side, just a secure port.
Thanks in advance
Michael Weiner
|
|
|
Re: [Pound Mailing List] Version 2
Ted Dunning <tdunning(at)veoh.com> |
2005-11-18 22:54:39 |
|
MW Mike Weiner (5028) wrote:
[...]
example so people might not have seen it)
Did you want to have multiple alternatives for the HeadRequire in a
single stanza?
Or did you want to have a default stanza that everything below would
inherit addresses from?
[...]
something that just isn't possible with SSL.
Are you asking to have a single IP/port address to handle multiple
SSL'ed hosts? If so, have you seen the previous traffic that explained
how this just isn't possible?
Or are you asking how to set up multiple SSL listeners, each on a
different port?
[...]
|
|
|
RE: [Pound Mailing List] Version 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-20 02:07:15 |
|
-----Original Message-----
From: Ted Dunning [mailto:tdunning(at)veoh.com]
Sent: Friday, November 18, 2005 4:55 PM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Version 2
MW Mike Weiner (5028) wrote:
[...]
[...]
example so [...]
[...]
single stanza?[...]
inherit [...]
I apologize for any confusion, but my question seemed to be can I have
multiple HeadRequires within a single service stanza?
[...]
pound.cfg [...]
something [...]
[...]
SSL'ed hosts? [...]
isn't [...]
[...]
different port?
Multiple listeners, each on a different port.
Michael Weiner
|
|
|
Re: [Pound Mailing List] Version 2
Chris Withers <chris(at)simplistix.co.uk> |
2005-11-21 10:14:37 |
|
Robert Segall wrote:[...][...]
>>>if they tested it, and what the results were?[...][...]
Well, how can I get more info than the rather useless "signal 11"
message in the logs?
[...]
OK, I'll recommend to the appropriate people that we do that...
[...]
I'm afraid, by the sounds of it, we're more likely either to move to
NetScaler or LVS :-S
cheers,
Chris
[...]
|
|
|
Re: [Pound Mailing List] Version 2
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-21 11:00:35 |
|
> I apologize for any confusion, but my question seemed to be can I have[...]
No, the HeadRequire statements are AND'd, so it would have to fulfil all
the requirements to match. So you'll probably need all your service
stanzas. Without knowing your environment I wouldn't like to guess at a
more efficient config, though it may be possible..
[...]
This is simply done by adding multiple ListenHTTPS stanzas with
different ports, e.g.:
ListenHTTPS
Address 1.2.3.4
Port 443
Cert "/etc/pound/pound1.pem"
End
ListenHTTPS
Address 1.2.3.4
Port 444
Cert "/etc/pound/pound2.pem"
End
You should then put the Service for the specific listener into the
Listen stanza, e.g.:
ListenHTTPS
Address 1.2.3.4
Port 443
Cert "/etc/pound/pound1.pem"
Service
BackEnd
Address 2.3.4.5
Port 443
End
End
End
This ensures that only that service will respond on that listener,
keeping it tidy and without confusion.
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
RE: [Pound Mailing List] Version 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-21 12:48:23 |
|
-----Original Message-----
From: Andrew Taylor [mailto:andrew.taylor(at)rentokil-initial.com]
Sent: Monday, November 21, 2005 5:01 AM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Version 2
[...]
[...]
No, the HeadRequire statements are AND'd, so it would have to fulfil all
the requirements to match. So you'll probably need all your service
stanzas. Without knowing your environment I wouldn't like to guess at a
more efficient config, though it may be possible..
[...]
This is simply done by adding multiple ListenHTTPS stanzas with
different ports, e.g.:
ListenHTTPS
Address 1.2.3.4
Port 443
Cert "/etc/pound/pound1.pem"
End
ListenHTTPS
Address 1.2.3.4
Port 444
Cert "/etc/pound/pound2.pem"
End
You should then put the Service for the specific listener into the
Listen stanza, e.g.:
ListenHTTPS
Address 1.2.3.4
Port 443
Cert "/etc/pound/pound1.pem"
Service
BackEnd
Address 2.3.4.5
Port 443
End
End
End
This ensures that only that service will respond on that listener,
keeping it tidy and without confusion.
--
Thanks for your response Andrew, I will slap the configuration around
today and see how things come out.
Thanks again
Michael Weiner
|
|
|
Re: [Pound Mailing List] Version 2
Rune Saetre <rune.saetre(at)netcom-gsm.no> |
2005-11-21 15:46:56 |
|
Hi
[...][...]
I haven't tried this out, but since regular expression matching is used
you should be able to match different host headers in the same HeadRequire
rule, like this:
HeadRequire "^Host: (host-a\.website\.com)|(otherhost\.org)(:.*)*$"
or
HeadRequire "^Host: (host-a)|(otherhost)|(www)\.website\.com(:.*)*$"
Regards
Rune
---
Rune Sætre <rune.saetre(at)netcom-gsm.no>
NetCom as, Infrastructure
..
|
|
|
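The HeadRequire patterns from this thread, run against constructed header lines to show which requests each one would route. This is an added example, not part of any poster's message and not Pound's own code. It assumes HeadRequire is applied as an unanchored, case-insensitive extended regex to each header line, uses Python's `re` as a stand-in for the POSIX regex library, and `host_pattern` is a hypothetical helper.

```python
import re


# Assumption: HeadRequire is applied as an unanchored, case-insensitive
# extended regex to each request header line. Python's re module stands in
# for the POSIX regex library; the constructs below behave the same in both.
def header_matches(pattern, header_line):
    return re.search(pattern, header_line, re.IGNORECASE) is not None


def host_pattern(*hostnames):
    """Hypothetical helper: build an anchored pattern that accepts only the
    listed hosts, optionally followed by :port. The alternation sits inside
    one group so that ^ and $ apply to every alternative."""
    for name in hostnames:
        if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", name):
            raise ValueError("not a plain hostname: %r" % name)
    alternatives = "|".join(name.replace(".", r"\.") for name in hostnames)
    return r"^Host: *(" + alternatives + r")(:[0-9]+)?$"


# Patterns quoted from the thread.
LOOSE = r"Host:.*www.website.com.*"
UNGROUPED = r"^Host: (host-a\.website\.com)|(otherhost\.org)(:.*)*$"

# Replacements built by the helper above (not from the thread).
STRICT_ONE = host_pattern("www.website.com")
STRICT_TWO = host_pattern("host-a.website.com", "otherhost.org")

# Constructed header lines, not taken from any real capture.
SAMPLE_HEADERS = [
    "Host: www.website.com",
    "Host: www.website.com:8080",
    "Host: www.website.com.other.example",         # extra labels after the name
    "Host: wwwXwebsite.com",                       # unescaped "." matches any char
    "Host: host-a.website.com",
    "Host: host-a.website.com.other.example",
    "Host: otherhost.org:8080",
    "Referer: http://other.example/otherhost.org",  # not a Host header at all
]


def matched(pattern, headers=SAMPLE_HEADERS):
    """Return the header lines that would satisfy the given pattern."""
    return [h for h in headers if header_matches(pattern, h)]


if __name__ == "__main__":
    for label, pattern in [("loose", LOOSE), ("ungrouped", UNGROUPED),
                           ("strict, one host", STRICT_ONE),
                           ("strict, two hosts", STRICT_TWO)]:
        print(label + ": " + pattern)
        for line in matched(pattern):
            print("    matches " + line)
```

In the ungrouped form the `|` splits the whole expression, so `^` binds only to the first alternative and `$` only to the second; grouping the alternatives and escaping the dots removes the unintended matches.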
Re: [Pound Mailing List] Version 2
Ondra Kudlik <kepi(at)orthank.net> |
2005-11-21 15:59:42 |
|
On Mon, Nov 21, 2005 at 03:46:56 +0100, Rune Saetre wrote:[...]
My idea was the same some time ago, but you must have one section
per one host, instead there will be problems with including files
from one site in other (in same section), linking and redirecting...
|
|
|
Re: [Pound Mailing List] Version 2
Robert Segall <roseg(at)apsis.ch> |
2005-11-22 09:06:44 |
|
On Mon, 2005-11-21 at 09:14 +0000, Chris Withers wrote:[...]
Use a debugger? As the segmentation violation occurs a program can't
very well give you an error message.
I still suspect you have a mix-up in your libraries - perhaps you
upgraded some DLLs and the old Pound was never recompiled?
[...]
Your choice entirely.[...]
|
|
|
Re: [Pound Mailing List] Version 2
Chris Withers <chris(at)simplistix.co.uk> |
2005-11-23 11:40:30 |
|
Robert Segall wrote:[...][...][...]
OK.
[...]
Don't think so, this is on RHEL ;-)
[...][...]
No, not really ;-)
cheers,
Chris
[...]
|
|
|
Re: [Pound Mailing List] Checking the URL
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-28 15:49:50 |
|
Hi,
[...]
of URLs[...]
standards do[...]
The man page for Pound lists the following:
----------------
URL MATCHING
Pound attempts to filter out illegal request URLs. In general a
URL is defined as
{ / segment [; parameter] } [? qid [ = [ qval ] ] { & qid [ = [ qval ] ] } ] [ # fragment ]
Each of the elements is matched against the allowed character
set. By default, the parts are defined as:
CSsegment -
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'():@&=+$,%-
CSparameter -
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'():@&=+$,%-
CSqid -
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()-
CSqval -
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()%-
CSfragment -
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()
----------------
As you can see, and as you have noted in your email, the semicolon is
not in the CSqid or CSqval lists and so it's rejected.
I don't have any information regarding which RFC (if any) was consulted
when this was implemented, but the fix would be as follows:
Edit your config file, e.g. /usr/local/etc/pound.cfg and add:
CSqid ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()-;
CSqval ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()%-;
Restart pound and the semicolon should be allowed.
Man page for pound is at
http://www.andrewtaylor.me.uk/gnu/pound/manual1.9.txt
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
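A sketch of the URL check described in the man page excerpt above, showing why a semicolon in a query value is rejected by the default sets and accepted after the CSqid/CSqval change. This is an added example, not Pound's implementation and not part of the original message; the splitting logic is an assumption derived only from the grammar line quoted there, and the sample URLs are constructed.

```python
import string

ALNUM = string.ascii_uppercase + string.ascii_lowercase + string.digits

# Default sets as listed in the man page excerpt. "@" is written out here;
# the list archive's address obfuscation turns "@" into "(at)".
DEFAULT_SETS = {
    "CSsegment":   ALNUM + "_.!~*'():@&=+$,%-",
    "CSparameter": ALNUM + "_.!~*'():@&=+$,%-",
    "CSqid":       ALNUM + "_.!~*'()-",
    "CSqval":      ALNUM + "_.!~*'()%-",
    "CSfragment":  ALNUM + "_.!~*'()",
}

# The change suggested in the message: allow ";" in query ids and values.
PATCHED_SETS = dict(
    DEFAULT_SETS,
    CSqid=DEFAULT_SETS["CSqid"] + ";",
    CSqval=DEFAULT_SETS["CSqval"] + ";",
)


def split_url(url):
    """Split a request URL into (set_name, text) pairs following
    { / segment [; parameter] } [? qid [= [qval]] { & ... }] [# fragment]."""
    parts = []
    rest, has_fragment, fragment = url.partition("#")
    path, has_query, query = rest.partition("?")
    if not path.startswith("/"):
        raise ValueError("request path must start with '/'")
    for piece in path[1:].split("/"):
        segment, has_param, parameter = piece.partition(";")
        parts.append(("CSsegment", segment))
        if has_param:
            parts.append(("CSparameter", parameter))
    if has_query:
        for pair in query.split("&"):
            qid, has_value, qval = pair.partition("=")
            parts.append(("CSqid", qid))
            if has_value:
                parts.append(("CSqval", qval))
    if has_fragment:
        parts.append(("CSfragment", fragment))
    return parts


def violations(url, sets=DEFAULT_SETS):
    """Return (set_name, text, offending_chars) for each part that contains
    a character outside its allowed set; an empty list means the URL passes."""
    found = []
    for name, text in split_url(url):
        bad = sorted(set(text) - set(sets[name]))
        if bad:
            found.append((name, text, "".join(bad)))
    return found


if __name__ == "__main__":
    # Constructed request URLs.
    for url in ["/shop/list;sort=asc?item=42&lang=en#top",
                "/search?q=a;b",
                "/search?q=a<b"]:
        print(url)
        print("    default sets:", violations(url) or "accepted")
        print("    patched sets:", violations(url, PATCHED_SETS) or "accepted")
```

Widening CSqid and CSqval by one character leaves the rest of the filter in place: the last sample URL is still rejected under the patched sets.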
Re: [Pound Mailing List] Re: Checking the URL
Robert Segall <roseg(at)apsis.ch> |
2005-11-30 13:53:00 |
|
On Wed, 2005-11-30 at 08:56 +0100, Gaetan OFFREDO wrote:[...]
There is no requirement (nowhere does it say SHOULD) that the path be
checked, but it is not forbidden either. Pound can check it (if you so
wish) to protect the back-ends from malicious requests.
[...]
For example: RFC 2396 that you mention, section "3.4. Query Component".
To quote:
Within a query component, the characters ";", "/", "?", ":",
"@", "&", "=", "+", ",", and "$" are reserved.
Specifically, the ";" is reserved to signify the start of the "segment"
part.
[...]
You're welcome.[...]
|
|
|
Re: [Pound Mailing List] Simple Load Balancing 2.0 Config
Eric McCarthy <eric(at)desert.net> |
2005-11-30 19:12:07 |
|
On Nov 30, 2005, at 3:13 AM, Robert Segall wrote:[...][...][...]
The first back-end in the config still gets all the traffic.
[...]
No, the problem persists.
[...]
No effect for either a bogus or non-bogus third back-end when it is
added as the last back-end in the config.
However, putting a bogus back-end (server is up and reachable, but
not accepting connections) as the first back-end in the config
results in the request never returning and pound's CPU usage going to
100%.
-Eric
|
|
|
|