[Pound Mailing List] Pound - v2.0b1
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-03 17:27:20 |
[ SNIP ]
|
I noticed the format of the config file has changed from 1.x to 2.0b1.
Is this documented anywhere? I am eager to see if the v2 will help me in
my virtual SSL hosts.
Michael Weiner
|
|
|
Re: [Pound Mailing List] Lost sessions
Russell Valentine <russ(at)altec.org> |
2005-11-07 18:55:25 |
[ SNIP ]
|
Thanks for everyone's help. Thanks for the AOL tip as well. I found out
it's the backends that are overloading.
Example:
Backend 3 gets overloaded, now more requests get sent to the other
backends because it isn't responding. Those other backends eventually
get overloaded and it continues. Every time one backend overloads that
is when I am losing the sessions. At some point the first backend
becomes responsive again before all of them fail. So basically I need to
make more backends.
Russell Valentine
Joe Gooch said the following on 10/31/2005 09:25 AM:
> The other thing that might happen, especially with IP affinity is that
> AOL in particular has a farm of web proxies. Anytime an AOL user hits
> your website, it goes through their web proxy first, and since they have
> a couple different ips, the IP could change. I've seen it happen on our
> apps. It's pretty annoying.
>
> We moved to Cookie based affinity, so that's not a problem for us
> anymore.
> Joe
>
>
>>-----Original Message-----
>>From: Russell Valentine [mailto:russ(at)altec.org]
>>Sent: Friday, October 28, 2005 5:51 PM
>>To: pound(at)apsis.ch
>>Subject: Re: [Pound Mailing List] Lost sessions
>>
>>Ohh sorry, yes I use session type of "IP". After I sent the email I
>>noticed I was reading the log files wrong and that the file descriptor
>>and thread count was not representative when we would see the problem.
>>So far I hadn't seen the problem since I've been keeping track of that
>>(two days). We get more load the beginning of the week, so I'll get new
>>numbers including request rate at that time.
>>
>>Since you apparently seem to not have any problems if I don't find some
>>obvious solution then (like file descriptors) then I'll recheck the
>>application, however it was two separate applications that had been
>>observed to have this happening.
>>
>>Thanks for your reply!
>>
>>
>>Russell Valentine
>>
>>david walters said the following on 10/28/2005 12:52 PM:
>>
>>>You don't mention what kind of session affinity you have configured... I
>>>only mention this because your key problem seems to be with session
>>>affinity - and pound offers several types...
>>>
>>>Personally I would think that a session type of "IP" (because a hashed
>>>lookup should be the fastest) would be a reasonable compromise for high
>>>performance against equal balance in order handle peak loads the best on
>>>a modest server.
>>>
>>>The drawback is "if" you have lot of users from a single IP, then your
>>>cluster will not be 'perfectly' balanced. i.e. some backend servers will
>>>have to handle more load than others.
>>>
>>>We have 10 times your traffic _average_ by the way on a _very_ modest
>>>(single CPU) server and no problems whatsoever :-)
>>>
>>>/David
>>>
>>>
>>>On 10/28/05, *Russell Valentine* <russ(at)altec.org
>>><mailto:russ(at)altec.org>> wrote:
>>>
>>> Hi, I've been using pound for about two years, thanks for the great
>>> program. I have a question concerning sessions. I've been noticing
>>> during our busiest times it seems after a certain point pound can't
>>> remember new sessions anymore, so new sessions cannot be maintained on
>>> the web server.
>>>
>>> 1) User hits pound
>>> 2) pound sends request to certain backend
>>> 3) session gets made on backend
>>> 4) user hits pound again
>>> 5) pound sends request to a different backend, now backend has no idea
>>> about the session
>>>
>>> I only see this problem during times when we have most of our traffic,
>>> when we get around 1000 requests per minute.
>>>
>>> I tried to see if we were perhaps maxing on threads or file descriptors.
>>> I counted the threads with ps and used lsof for file descriptor and
>>> counted those periodically in a cron job.
>>>
>>> Max I see from lsof: ~200
>>> Max # of threads I see is ~100
>>>
>>> These are nowhere near the limit as shown in ulimit.
>>> I'm using pound v1.9 on Linux 2.4 kernel. Does anyone have ideas?
>>>
>>> Russell Valentine
>>>
>>> --
>>> To unsubscribe send an email with subject 'unsubscribe' to
>>> pound(at)apsis.ch <mailto:pound(at)apsis.ch>.
>>> Please contact roseg(at)apsis.ch <mailto:roseg(at)apsis.ch> for questions.
>>> http://192.168.1.2:8080/Apsis/pound/pound_list/manage_mailboxer
>>>
>>>
>>>
>>>
>>>--
>>>Regards,
>>>David Walters
>>
|
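The IP-versus-cookie affinity trade-off discussed in this thread (the AOL proxy farm changing a user's source IP between requests, and sessions being lost the moment an overloaded backend stops answering), as an added example in Python. This is not Pound's code and not from the thread; it is a toy balancer modelled only on the behaviour the posts describe: the balancer remembers which backend a session went to, keyed either by client IP or by a cookie value, a backend that is not responding is skipped, and a request whose remembered backend is down is re-pinned to another backend that has never seen that session. Backend names, client addresses and the cookie name are constructed.

```python
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Backend:
    name: str
    alive: bool = True          # False models "overloaded, not responding"


@dataclass
class Request:
    client_ip: str
    cookies: dict = field(default_factory=dict)


class Balancer:
    """Round-robin balancer with Pound-style session affinity (toy model)."""

    def __init__(self, backends, session_type, cookie_name="JSESSIONID"):
        if session_type not in ("IP", "COOKIE"):
            raise ValueError("session_type must be IP or COOKIE")
        self.backends = backends
        self.session_type = session_type
        self.cookie_name = cookie_name      # constructed cookie name
        self.sessions = {}                  # affinity key -> backend name
        self._rr = cycle(backends)

    def _key(self, req):
        # Session "IP": the key is whatever source address the request arrived from,
        # so a user whose proxy IP changes looks like a new session.
        # Session "COOKIE": the key is the cookie value, which survives a change of IP.
        if self.session_type == "IP":
            return req.client_ip
        return req.cookies.get(self.cookie_name)

    def _next_alive(self):
        # Plain round-robin over responding backends.
        for _ in range(len(self.backends)):
            b = next(self._rr)
            if b.alive:
                return b
        raise RuntimeError("no backend is responding")

    def route(self, req):
        """Return the name of the backend this request goes to."""
        key = self._key(req)
        if key is not None and key in self.sessions:
            pinned = next(b for b in self.backends if b.name == self.sessions[key])
            if pinned.alive:
                return pinned.name
            # The remembered backend is not responding: fall through and re-pin.
            # The application session exists only on the old backend, so this is
            # exactly the moment the user's session is "lost", whatever the key type.
        b = self._next_alive()
        if key is not None:
            self.sessions[key] = b.name
        return b.name


def aol_proxy_farm(session_type):
    """One user, two requests, each leaving AOL through a different proxy IP."""
    lb = Balancer([Backend("b1"), Backend("b2"), Backend("b3")], session_type)
    first = lb.route(Request("10.0.0.1", {"JSESSIONID": "s1"}))
    second = lb.route(Request("10.0.0.2", {"JSESSIONID": "s1"}))
    return first, second


def backend_overload(session_type):
    """The user's backend stops responding mid-session, then recovers."""
    b1, b2, b3 = Backend("b1"), Backend("b2"), Backend("b3")
    lb = Balancer([b1, b2, b3], session_type)
    req = Request("10.0.0.1", {"JSESSIONID": "s1"})
    before = lb.route(req)
    b1.alive = False            # b1 overloads
    during = lb.route(req)      # re-pinned elsewhere; that backend has no session state
    b1.alive = True             # b1 recovers, but the session now sticks to the new backend
    after = lb.route(req)
    return before, during, after


if __name__ == "__main__":
    print("AOL proxy farm, IP affinity:    ", aol_proxy_farm("IP"))
    print("AOL proxy farm, cookie affinity:", aol_proxy_farm("COOKIE"))
    print("backend overload, IP affinity:  ", backend_overload("IP"))
    print("backend overload, cookie:       ", backend_overload("COOKIE"))
```

Cookie affinity fixes the proxy-farm case but not the overload case: once the pinned backend stops answering, any affinity scheme has to send the request somewhere else, which is the symptom Russell reports, and the only fix is capacity (or replicated session state on the backends).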
|
|
Re: [Pound Mailing List] Version 2
Chris Withers <chris(at)simplistix.co.uk> |
2005-11-16 17:42:43 |
[ SNIP ]
|
Hi Robert,
Robert Segall wrote:
> I have yet to see any reaction to the 2.x series. Could anybody confirm
> if they tested it, and what the results were?
Nice to hear from you. Any comment on the mail I posted to this list
last week about segfaults from pound 1.5?
I'd be interested in trialing 2.x if you could give me any kind of
indication that these problems are solved...
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
|
|
|
Re: [Pound Mailing List] Version 2
Robert Segall <roseg(at)apsis.ch> |
2005-11-16 18:17:36 |
[ SNIP ]
|
On Wed, 2005-11-16 at 16:42 +0000, Chris Withers wrote:
> Hi Robert,
>
> Robert Segall wrote:
> > I have yet to see any reaction to the 2.x series. Could anybody confirm
> > if they tested it, and what the results were?
>
> Nice to hear from you. Any comment on the mail I posted to this list
> last week about segfaults from pound 1.5?
>
> I'd be interested in trialing 2.x if you could give me any kind of
> indication that these problems are solved...
I must admit I have no idea why you get such problems on 1.5 - maybe
some strange library mix-up? I was hoping someone else could help.
In any case, that is not a version you should use (known security
problem). Try at least to upgrade to the latest 1.9, which fixes quite a
few issues...
I would be grateful if you tried 2.x, though I can't in all honesty call
it production-ready. A bit of chicken-and-egg situation here - it won't
be production-ready until more people test it, and it doesn't get tested
until it's production-ready.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
|
|
|
Re: [Pound Mailing List] Version 2
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-11-17 10:14:24 |
[ SNIP ]
|
> I have yet to see any reaction to the 2.x series. Could anybody confirm
> if they tested it, and what the results were?
I have built rpms of the 2.x here but according to the logs, nobody has
tried them so far.
http://www.invoca.ch/pub/packages/pound/beta/
I have tested 2.0b2 on a very low traffic box without any problems.
However, my situation is too simple to tell much about possible issues.
For me, it just works.
Thanks for the good work!
Simon
|
|
|
Re: [Pound Mailing List] Version 2
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-17 16:16:14 |
[ SNIP ]
|
Robert,
>> I have yet to see any reaction to the 2.x series. Could anybody confirm
>> if they tested it, and what the results were?
I'm doing some testing of version 2 at the moment and will see if I can
get some load through it, although as you state, it's a bit of a
catch-22 - we may not be happy to run this in production until it's
stable and it won't go stable without some testing!
Anyway, we currently use Pound in conjunction with this patch -
http://www.apsis.ch/pound/pound_list/archive/2005/2005-04/1113404051000
You stated at the time you may look into integrating this into Pound -
any progress on this? It's unlikely we would be prepared to upgrade to
v2 unless it has this functionality (either built in or as a patch - and
I don't think we have the knowledge to patch it ourselves).
If Pound 2 had built in support for failover back ends like this, we
would definitely be encouraged to progress testing and put into
production. I imagine, from past mailing list posts, others would be in
a similar situation.
Finally, looking at the source, the comments etc all still refer to v1.9
(I thought I'd downloaded the wrong version to start with!). Perhaps
this needs tidying to make it clear for anyone looking through the
source and testing that it's v2 - although I appreciate we're still in
the beta stage.
I'll get back to you with any progress we make in testing.
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-17 16:23:50 |
[ SNIP ]
|
Hi,
> I noticed the format of the config file has changed from 1.x to 2.0b1.
> Is this documented anywhere?
The config format has indeed changed, it's now much clearer and easier
to manage.
The new format is described in 'man pound', with examples - also
available here:
http://www.andrewtaylor.me.uk/gnu/pound/manual.txt
> I am eager to see If the v2 will help me in
> my virtual SSL hosts.
Not sure what you mean by Virtual SSL Hosts, but if you mean multiple
SSL sites on one IP address, then this isn't something that can be done,
and it's not a restriction of Pound. You can put multiple SSL sites on
one IP, but different ports. One HTTP listener can't deal with multiple
sites as there's no Host header to read.
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Ximon Eighteen <ximon.eighteen(at)int.greenpeace.org> |
2005-11-17 16:35:57 |
[ SNIP ]
|
> Not sure what you mean by Virtual SSL Hosts, but if you mean multiple
> SSL sites on one IP address, then this isn't something that can be done,
> and it's not a restriction of Pound. You can put multiple SSL sites on
> one IP, but different ports. One HTTP listener can't deal with multiple
> sites as there's no Host header to read.
Please excuse my complete lack of understanding of HTTPS, but *if* Pound
needs the Host header to determine which key/certificate/whatever to
decrypt the SSL data, can't it just try each that it knows about in turn?
Not clever for a production system, but perhaps someone else can see a
way of improving the performance. Just wondered if, theoretically, this
would work.
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Dave Hinton <dah(at)thereaction.co.uk> |
2005-11-17 17:07:51 |
[ SNIP ]
|
On 17 Nov 2005, at 3:35pm, Ximon Eighteen wrote:
>
>> Not sure what you mean by Virtual SSL Hosts, but if you mean multiple
>> SSL sites on one IP address, then this isn't something that can be
>> done,
>> and it's not a restriction of Pound. You can put multiple SSL sites on
>> one IP, but different ports. One HTTP listener can't deal with
>> multiple
>> sites as there's no Host header to read.
>
> Please excuse my complete lack of understanding of HTTPS, but *if*
> Pound
> needs the Host header to determine which key/certificate/whatever to
> decrypt the SSL data, can't it just try each that it knows about in
> turn?
No, it can’t.
The web browser will complain (either show a warning to its user, or
flatly refuse to show the page, depending on how it’s configured) as
soon as it is shown a certificate that does not match the web address
it asked for.
> Not clever for a production system, but perhaps someone else can see a
> way of improving the performance. Just wondered if, theoretically, this
> would work.
It’s not possible with the SSL protocol in its current state.
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Ximon Eighteen <ximon.eighteen(at)int.greenpeace.org> |
2005-11-17 17:10:07 |
[ SNIP ]
|
> Please excuse my complete lack of understanding of HTTPS, but *if* Pound
> needs the Host header to determine which key/certificate/whatever to
> decrypt the SSL data, can't it just try each that it knows about in turn?
Sorry, let me rephrase that.
If pound needs to be told which key/certificate/whatever to use to
decrypt SSL traffic, and cannot pick the correct one if it has several
because it has no Host header to help it choose, can it not just try
every one it has?
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Sam Johnston <samjie(at)gmail.com> |
2005-11-18 11:00:48 |
[ SNIP ]
|
On 11/17/05, Ximon Eighteen <ximon.eighteen(at)int.greenpeace.org> wrote:
> > Please excuse my complete lack of understanding of HTTPS, but *if* Pound
> > needs the Host header to determine which key/certificate/whatever to
> > decrypt the SSL data, can't it just try each that it knows about in turn?
>
> Sorry, let me rephrase that.
>
> If pound needs to be told which key/certificate/whatever to use to
> decrypt SSL traffic, and cannot pick the correct one if it has several
> because it has no Host header to help it choose, can it not just try
> every one it has?
RTFRFC :-)
It has to send the certificate first. Wildcard certs can be used to
work around this issue in some sites.
And yes, the lack of 'overloading' in this fashion is a bit of a
problem, but it probably stems from the fact that SSL/TLS is a generic
protocol rather than HTTP specific (it's used, for example, in ssh). I
can only assume that people who know better than I do considered this
when they formulated the specifications (even if only the more recent
ones - eg TLS), and that if it could be done sensibly, securely and in
a backwards compatible fashion then it would have been.
- samj
|
|
|
Re: [Pound Mailing List] Pound - v2.0b1
Yusuf Goolamabbas <yusufg(at)outblaze.com> |
2005-11-18 11:50:02 |
[ SNIP ]
|
> I noticed the format of the config file has changed from 1.x to 2.0b1.
> Is this documented anywhere? I am eager to see If the v2 will help me in
> my virtual SSL hosts.
You are looking for Server Name Indication
http://paul.querna.org/journal/articles/2005/04/24/tls-server-name-indication?postid=70
http://paul.querna.org/journal/articles/2005/04/29/sni-support-in-mozilla
Regards, Yusuf
|
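Why a listener on one IP:port could not choose a certificate per site, and what Server Name Indication (the pointer in Yusuf's reply) changes, as an added example in Python that is not from the thread or from Pound. The server sends its certificate before any HTTP request, and therefore before any Host header, exists, so without SNI it can only offer the one certificate configured for that IP:port (the restriction Andrew and Dave describe); with SNI (RFC 3546 at the time, now RFC 6066) the client puts the host name into the ClientHello itself, so the server can pick a certificate before it answers. The block builds a minimal ClientHello with and without the server_name extension and parses the name back out the way a server would. The site names and certificate labels are constructed.

```python
import struct

SNI_EXTENSION = 0x0000          # server_name extension type (RFC 6066 section 3)
HOST_NAME = 0                   # NameType host_name


def build_client_hello(server_name=None, cipher_suites=(0x002F,)):
    """Minimal TLS 1.2 ClientHello record; server_name=None omits the extension."""
    client_random = b"\x11" * 32   # fixed here for reproducibility; real clients use os.urandom
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = struct.pack("!H", 0x0303) + client_random + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                            # one compression method: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(server_name_list)) + server_name_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def sni_from_client_hello(record):
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # legacy hello: no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type != SNI_EXTENSION:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        lpos, list_end = 2, 2 + list_len
        while lpos + 3 <= list_end:
            name_type = data[lpos]
            (name_len,) = struct.unpack("!H", data[lpos + 1:lpos + 3])
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None


def pick_certificate(record, certs_by_name, default_name):
    """What the server can do before sending its certificate: with SNI, pick the
    matching certificate; without it, only the listener's single default one."""
    name = sni_from_client_hello(record)
    if name is not None and name in certs_by_name:
        return name, certs_by_name[name]
    return name, certs_by_name[default_name]


# Constructed example: two sites that, without SNI, need two IP:port listeners.
CERTS = {"site-a.example": "cert-for-site-a", "site-b.example": "cert-for-site-b"}

if __name__ == "__main__":
    print(pick_certificate(build_client_hello("site-b.example"), CERTS, "site-a.example"))
    print(pick_certificate(build_client_hello(), CERTS, "site-a.example"))
```

A client that omits the extension still gets the default certificate, so a name mismatch warning in the browser is the expected failure mode on a shared IP:port, not a protocol error; this is also why a per-port ListenHTTPS with its own Cert was the only option for the configurations in this thread.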
|
|
Re: [Pound Mailing List] Version 2
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-18 12:12:42 |
[ SNIP ]
|
Hi,
As promised, results of testing thus far:
Using very simple config files is fine so far. However we use Pound to
distribute requests to separate servers depending on the host header.
Thus, a sample config would be:
----------------------------------------
User "nobody"
Group "nobody"
RootJail "/var/jailroot/pound"
LogFacility local1
LogLevel 1
ListenHTTP
Address 10.0.0.2
Port 80
End
Service
HeadRequire "Host:.*www.website.com.*"
BackEnd
Address 192.168.0.81
Port 80
End
End
----------------------------------------
Without the HeadRequire parameter Pound starts and runs fine, but with
it, we get:
Starting Pound
/etc/rc.d/init.d/pound: line 33: 6274 Segmentation fault "$@"
[FAILED]
'pound -f /usr/local/etc/pound.cfg' results in 'Segmentation fault'
All we get in the log file /var/log/messages is:
Nov 18 10:56:40 smsserver pound: starting...
Is this a mis-configuration my end or a potential bug? Anything more I
can do to track the fault?
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
Re: [Pound Mailing List] Version 2
Robert Segall <roseg(at)apsis.ch> |
2005-11-18 13:32:11 |
[ SNIP ]
|
On Thu, 2005-11-17 at 15:16 +0000, Andrew Taylor wrote:
> Anyway, we currently use Pound in conjunction with this patch -
> http://www.apsis.ch/pound/pound_list/archive/2005/2005-04/1113404051000
>
> You stated at the time you may look into integrating this into Pound -
> any progress on this? It's unlikely we would be prepared to upgrade to
> v2 unless it has this functionality (either built in or as a patch - and
> I don't think we have the knowledge to patch it ourselves).
>
> If Pound 2 had built in support for failover back ends like this, we
> would definitely be encouraged to progress testing and put into
> production. I imagine, from past mailing list posts, others would be in
> a similar situation.
That is one of the two enhancements planned for 2.0 (along with Redirect
"rewrite" - aka the ability to redirect to a URL dependant on the
original request path). However we won't even get started with the
enhancements until we are confident of the reliability of the existing
code-base.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
|
|
|
Re: [Pound Mailing List] Pound 2 cfg
Andrew Taylor <andrew.taylor(at)rentokil-initial.com> |
2005-11-18 17:30:06 |
[ SNIP ]
|
Hi,
> however, i use hostheaders in the request for apache virtual
> hosting...so this wont work as defined above. Can anyone give me some
> pointers to get this working in 2b3 ?
My post earlier on today gave the sample config below, which should give
you an idea of what's required.
The key line is the HeadRequire one, slightly different position and
syntax to version 1.x:
----------------------------------------
User "nobody"
Group "nobody"
RootJail "/var/jailroot/pound"
LogFacility local1
LogLevel 1
ListenHTTP
Address 10.0.0.2
Port 80
End
Service
HeadRequire "Host:.*www.website.com.*"
BackEnd
Address 192.168.0.81
Port 80
End
End
----------------------------------------
Thus your new config file would be something like:
----------------------------------------
Service
BackEnd
HeadRequire "Host:.*intranet.ag.com.*"
Address 10.10.240.201
Port 8082
End
End
----------------------------------------
HTH
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
|
|
|
RE: [Pound Mailing List] Pound 2 cfg
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-18 18:12:54 |
[ SNIP ]
|
-----Original Message-----
From: Andrew Taylor [mailto:andrew.taylor(at)rentokil-initial.com]
Sent: Friday, November 18, 2005 11:30 AM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Pound 2 cfg
Hi,
> however, i use hostheaders in the request for apache virtual
> hosting...so this wont work as defined above. Can anyone give me some
> pointers to get this working in 2b3 ?
My post earlier on today gave the sample config below, which should give
you an idea of what's required.
The key line is the HeadRequire one, slightly different position and
syntax to version 1.x:
----------------------------------------
User "nobody"
Group "nobody"
RootJail "/var/jailroot/pound"
LogFacility local1
LogLevel 1
ListenHTTP
Address 10.0.0.2
Port 80
End
Service
HeadRequire "Host:.*www.website.com.*"
BackEnd
Address 192.168.0.81
Port 80
End
End
----------------------------------------
Thus your new config file would be something like:
----------------------------------------
Service
BackEnd
HeadRequire "Host:.*intranet.ag.com.*"
Address 10.10.240.201
Port 8082
End
End
----------------------------------------
Thank you Andrew, that was a huge help - sorry if I missed the earlier
email regarding the syntactical change in the configuration file.
Again, thank you for your assist!
Michael Weiner
|
|
|
RE: [Pound Mailing List] Version 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-18 21:29:19 |
[ SNIP ]
|
OK, I have migrated my older pound config to the newer format, and have
been running some tests, and all looks good so far. Now my next step is
to get SSL working as well, as we have sign-in and join pages for each
domain so it would be great if the virthost SSL problems were not an
issue in v2. So far, I have the following for my configuration:
-------------------------------------------------------------------------------------
User "apache"
Group "apache"
RootJail "/usr/share/pound"
LogFacility local1
LogLevel 3
# Main listening ports
ListenHTTP
Address 10.10.240.201
Port 80
xHTTP 1
End
ListenHTTPS
Address 10.10.240.201
Port 443
Cert "/usr/share/ssl/certs/pound.pem"
Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
xHTTP 1
End
Service
HeadRequire "Host:.*intranet.ag.com.*"
BackEnd
Address 10.10.240.201
Port 8082
End
End
Service
HeadRequire "Host:.*intranet2.ag.com.*"
BackEnd
Address 10.10.232.70
Port 8080
End
End
Service
HeadRequire "Host:.*dev.remind.americangreetings.com.*"
BackEnd
Address 10.10.240.201
Port 89
End
End
Service
HeadRequire "Host:.*dev.remind.bluemountain.com.*"
BackEnd
Address 10.10.240.201
Port 91
End
End
Service
HeadRequire "Host:.*dev.passport.bmamessenger.com.*"
BackEnd
Address 10.10.240.201
Port 10080
End
End
Service
HeadRequire "Host:.*dev.passport.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 10080
End
End
Service
HeadRequire "Host:.*dev.jp.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 35080
End
End
Service
HeadRequire "Host:.*dev.cn.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 35080
End
End
Service
HeadRequire "Host:.*dev.kr.mypersonalexpression.com.*"
BackEnd
Address 10.10.240.201
Port 35080
End
End
Service
HeadRequire "Host:.*dev.greetings.aol.com.*"
BackEnd
Address 10.10.232.226
Port 8092
End
End
Service
HeadRequire "Host:.*dev.911memorialquilt.com.*"
BackEnd
Address 10.10.240.201
Port 8083
End
BackEnd
Address 10.10.240.101
Port 80
End
End
Service
HeadRequire "Host:.*dev.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.agmobile.com.*"
BackEnd
Address 10.10.240.123
Port 80
End
BackEnd
Address 10.10.240.201
Port 19080
End
End
Service
HeadRequire "Host:.*dev.beatgreets.com.*"
BackEnd
Address 10.10.240.103
Port 80
End
BackEnd
Address 10.10.240.201
Port 13380
End
End
Service
HeadRequire "Host:.*dev.bluemountain.com.*"
BackEnd
Address 10.10.240.124
Port 80
End
BackEnd
Address 10.10.240.201
Port 16080
End
End
Service
HeadRequire "Host:.*dev.bluemountaincards.co.uk.*"
BackEnd
Address 10.10.240.121
Port 80
End
BackEnd
Address 10.10.240.201
Port 22880
End
End
Service
HeadRequire "Host:.*dev.msn.bluemountaincards.co.uk.*"
BackEnd
Address 10.10.240.121
Port 80
End
BackEnd
Address 10.10.240.201
Port 22880
End
End
Service
HeadRequire "Host:.*dev.ninemsn.bluemountaincards.com.au.*"
BackEnd
Address 10.10.240.125
Port 80
End
BackEnd
Address 10.10.240.201
Port 23080
End
End
Service
HeadRequire "Host:.*dev.aol.bluemountaincards.com.au.*"
BackEnd
Address 10.10.240.125
Port 80
End
BackEnd
Address 10.10.240.201
Port 23080
End
End
Service
HeadRequire "Host:.*dev.bmamessenger.com.*"
BackEnd
Address 10.10.240.126
Port 80
End
BackEnd
Address 10.10.240.201
Port 25080
End
End
Service
HeadRequire "Host:.*dev.cme4.americangreetings.com.*"
BackEnd
Address 10.10.240.201
Port 8084
End
End
Service
HeadRequire "Host:.*dev.createandprint.com.*"
BackEnd
Address 10.10.240.110
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*duus.americangreetings.com.*"
BackEnd
Address 10.10.240.201
Port 82
End
End
Service
HeadRequire "Host:.*dev.egreetings.com.*"
BackEnd
Address 10.10.240.102
Port 80
End
BackEnd
Address 10.10.240.201
Port 12380
End
End
Service
HeadRequire "Host:.*dev.ffje.com.*"
BackEnd
Address 10.10.240.118
Port 80
End
BackEnd
Address 10.10.240.201
Port 22480
End
End
Service
HeadRequire "Host:.*dev.img.adsag.com.*"
BackEnd
Address 10.10.240.117
Port 80
End
BackEnd
Address 10.10.240.201
Port 21080
End
End
Service
HeadRequire "Host:.*dev.imgag.com.*"
BackEnd
Address 10.10.240.111
Port 80
End
BackEnd
Address 10.10.240.201
Port 12880
End
End
Service
HeadRequire "Host:.*dev.jazzymail.com.*"
BackEnd
Address 10.10.240.122
Port 80
End
BackEnd
Address 10.10.240.201
Port 18080
End
End
Service
HeadRequire "Host:.*dev.kidzonks.com.*"
BackEnd
Address 10.10.240.104
Port 80
End
BackEnd
Address 10.10.240.201
Port 9780
End
End
Service
HeadRequire "Host:.*dev.milexch.americangreetings.com.*"
BackEnd
Address 10.10.240.108
Port 80
End
BackEnd
Address 10.10.240.201
Port 13280
End
End
Service
HeadRequire "Host:.*dev.msn.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 22180
End
End
Service
HeadRequire "Host:.*dev.nickgreetings.com.*"
BackEnd
Address 10.10.240.116
Port 80
End
BackEnd
Address 10.10.240.201
Port 22280
End
End
Service
HeadRequire "Host:.*dev.oms.americangreetings.com.*"
BackEnd
Address 10.10.240.115
Port 80
End
BackEnd
Address 10.10.240.201
Port 23080
End
End
Service
HeadRequire "Host:.*dev.pdb.americangreetings.com.*"
BackEnd
Address 10.10.240.113
Port 80
End
BackEnd
Address 10.10.240.201
Port 22080
End
End
Service
HeadRequire "Host:.*dev.aim.americangreetings.com.*"
BackEnd
Address 10.10.240.131
Port 80
End
BackEnd
Address 10.10.240.201
Port 28080
End
End
Service
HeadRequire "Host:.*dev.compuserve.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.digitalcity.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.icq.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.netscape.americangreetings.com.*"
BackEnd
Address 10.10.240.101
Port 80
End
BackEnd
Address 10.10.240.201
Port 81
End
End
Service
HeadRequire "Host:.*dev.yahoo.americangreetings.com.*"
BackEnd
Address 10.10.240.109
Port 80
End
BackEnd
Address 10.10.240.201
Port 17080
End
End
Service
HeadRequire "Host:.*dev.passitarond.com.*"
BackEnd
Address 10.10.240.201
Port 13180
End
End
Service
HeadRequire "Host:.*dev.ucsmaint.americangreetings.com.*"
BackEnd
Address 10.10.240.105
Port 80
End
BackEnd
Address 10.10.240.201
Port 1081
End
End
Service
HeadRequire "Host:.*dev.ucsserv.americangreetings.com.*"
BackEnd
Address 10.10.240.106
Port 80
End
BackEnd
Address 10.10.240.201
Port 1080
End
End
Service
HeadRequire "Host:.*dev.wbwebcards.com.*"
BackEnd
Address 10.10.240.107
Port 80
End
BackEnd
Address 10.10.240.201
Port 11980
End
End
Service
HeadRequire "Host:.*dev.intractive.ag.com.*"
BackEnd
Address 10.10.240.129
Port 80
End
BackEnd
Address 10.10.240.201
Port 27080
End
End
Service
HeadRequire "Host:.*dev.lipservice.defjammobile.com.*"
BackEnd
Address 10.10.240.130
Port 80
End
BackEnd
Address 10.10.240.201
Port 29080
End
End
Service
HeadRequire "Host:.*dev.bmahelp.com.*"
BackEnd
Address 10.10.240.128
Port 80
End
BackEnd
Address 10.10.240.201
Port 26080
End
End
Service
HeadRequire "Host:.*dev.hatterchatter.com.*"
BackEnd
Address 10.10.240.137
Port 80
End
BackEnd
Address 10.10.240.201
Port 31080
End
End
Service
HeadRequire "Host:.*dev.bloombyag.com.*"
BackEnd
Address 10.10.240.138
Port 80
End
BackEnd
Address 10.10.240.201
Port 32080
End
End
Service
HeadRequire "Host:.*dev.target.americangreetings.com.*"
BackEnd
Address 10.10.240.142
Port 80
End
BackEnd
Address 10.10.240.201
Port 34080
End
End
-------------------------------------------------------------------------------------
But I have a few questions,
1) is it possible to collapse all the "service" stanzas into 1 basically
monolithic stanza so as not to have to repeat it so often as in the
above?
2) how would I get SSL for these to work? Maintain a separate pound.cfg
for the SSL versions of these?
3) do the issues with earlier releases of Pound revolving around the
virtual hosts mod_ssl issues still exist? As I run secures on all the
above, same IPs as their non-secure side, just a secure port.
Thanks in advance
Michael Weiner
|
|
|
Re: [Pound Mailing List] Version 2
Ted Dunning <tdunning(at)veoh.com> |
2005-11-18 22:54:39 |
[ SNIP ]
|
MW Mike Weiner (5028) wrote:
>... very long example with many duplicated IP addresses deleted ...
>1) is it possible to collapse all the "service" stanzas into 1 basically
>monolithic stanza so as not to have to repeat it so often as in the
>above?
>
>
Your question isn't entirely clear (as well as being below a very long
example so people might not have seen it)
Did you want to have multiple alternatives for the HeadRequire in a
single stanza?
Or did you want to have a default stanza that everything below would
inherit addresses from?
>2) how would I get SSL for these to work? Maintain a separate pound.cfg
>for the SSL versions of these?
>3) do the issues with earlier releases of Pound revolving around the
>virtual hosts mod_ssl issues still exist? As I run secures on all the
>above, same IPs as their non-secure side, just a secure port.
>
>
These questions are confusing in that it sounds like you are asking for
something that just isn't possible with SSL.
Are you asking to have a single IP/port address to handle multiple
SSL'ed hosts? If so, have you seen the previous traffic that explained
how this just isn't possible?
Or are you asking how to set up multiple SSL listeners, each on a
different port?
--
Ted Dunning
Chief Scientist
Veoh Networks
|
|
|
RE: [Pound Mailing List] Version 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com> |
2005-11-20 02:07:15 |
[ SNIP ]
|
-----Original Message-----
From: Ted Dunning [mailto:tdunning(at)veoh.com]
Sent: Friday, November 18, 2005 4:55 PM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Version 2
> MW Mike Weiner (5028) wrote:
>> ... very long example with many duplicated IP addresses deleted ...
>> 1) is it possible to collapse all the "service" stanzas into 1
>> basically monolithic stanza so as not to have to repeat it so often as
>> in the above?
>>
>>
> Your question isn't entirely clear (as well as being below a very long
> example so people might not have seen it)
> Did you want to have multiple alternatives for the HeadRequire in a
> single stanza?
> Or did you want to have a default stanza that everything below would
> inherit addresses from?
I apologize for any confusion, but my question seemed to be can I have
multiple HeadRequires within a single service stanza?
>> 2) how would I get SSL for these to work? Maintain a separate pound.cfg
>> for the SSL versions of these?
>> 3) do the issues with earlier releases of Pound revolving around the
>> virtual hosts mod_ssl issues still exist? As I run secures on all the
>> above, same IPs as their non-secure side, just a secure port.
>>
>>
> These questions are confusing in that it sounds like you are asking for
> something that just isn't possible with SSL.
> Are you asking to have a single IP/port address to handle multiple
> SSL'ed hosts? If so, have you seen the previous traffic that explained
> how this just isn't possible?
> Or are you asking how to set up multiple SSL listeners, each on a
> different port?
Multiple listeners, each on a different port.
Michael Weiner
|
|
|
Re: [Pound Mailing List] Version 2
Chris Withers <chris(at)simplistix.co.uk> |
2005-11-21 10:14:37 |
[ SNIP ]
|
Robert Segall wrote:
> On Wed, 2005-11-16 at 16:42 +0000, Chris Withers wrote:
>
>>Hi Robert,
>>
>>Robert Segall wrote:
>>
>>>I have yet to see any reaction to the 2.x series. Could anybody confirm
>>>if they tested it, and what the results were?
>>
>>Nice to hear from you. Any comment on the mail I posted to this list
>>last week about segfaults from pound 1.5?
>>
>>I'd be interested in trialing 2.x if you could give me any kind of
>>indication that these problems are solved...
>
> I must admit I have no idea why you get such problems on 1.5 - maybe
> some strange library mix-up? I was hoping someone else could help.
Well, how can I get more info than the rather useless "signal 11"
message in the logs?
> In any case, that is not a version you should use (known security
> problem). Try at least to upgrade to the latest 1.9, which fixes quite a
> few issues...
OK, I'll recommend to the appropriate people that we do that...
> I would be grateful if you tried 2.x, though I can't in all honesty call
> it production-ready. A bit of chicken-and-egg situation here - it won't
> be production-ready until more people test it, and it doesn't get tested
> until it's production-ready.
I'm afraid, by the sounds of it, we're more likely either to move to
NetScaler or LVS :-S
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Pound Mailing List] Version 2
Andrew Taylor <andrew.taylor(at)rentokil-initial.com>
2005-11-21 11:00:35
> I apologize for any confusion, but my question seemed to be can I have
> multiple HeadRequires within a single service stanza?
No, the HeadRequire statements are AND'd, so it would have to fulfil all
the requirements to match. So you'll probably need all your service
stanzas. Without knowing your environment I wouldn't like to guess at a
more efficient config, though it may be possible.
> Multiple listeners, each on a different port.
This is simply done by adding multiple ListenHTTPS stanzas with
different ports, e.g.:
ListenHTTPS
    Address 1.2.3.4
    Port 443
    Cert "/etc/pound/pound1.pem"
End
ListenHTTPS
    Address 1.2.3.4
    Port 444
    Cert "/etc/pound/pound2.pem"
End
You should then put the Service for the specific listener into the
Listen stanza, e.g.:
ListenHTTPS
    Address 1.2.3.4
    Port 443
    Cert "/etc/pound/pound1.pem"
    Service
        BackEnd
            Address 2.3.4.5
            Port 443
        End
    End
End
This ensures that only that service will respond on that listener,
keeping it tidy and without confusion.
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
RE: [Pound Mailing List] Version 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-11-21 12:48:23
Thanks for your response Andrew, I will slap the configuration around
today and see how things come out.
Thanks again
Michael Weiner
Re: [Pound Mailing List] Version 2
Rune Saetre <rune.saetre(at)netcom-gsm.no>
2005-11-21 15:46:56
Hi
>> I apologize for any confusion, but my question seemed to be can I have
>> multiple HeadRequires within a single service stanza?
>
> No, the HeadRequire statements are AND'd, so it would have to fulfil all
> the requirements to match. So you'll probably need all your service
> stanzas. Without knowing your environment I wouldn't like to guess at a
> more efficient config, though it may be possible..
I haven't tried this out, but since regular expression matching is used
you should be able to match different host headers in the same HeadRequire
rule, like this:
HeadRequire "^Host: ((host-a\.website\.com)|(otherhost\.org))(:.*)*$"
or
HeadRequire "^Host: ((host-a)|(otherhost)|(www))\.website\.com(:.*)*$"
Regards
Rune
---
Rune Sætre <rune.saetre(at)netcom-gsm.no>
NetCom as, Infrastructure
..
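The two points made above, that Pound ANDs the HeadRequire lines of one Service (Andrew Taylor's reply) and that a single HeadRequire can carry a regular-expression alternation over several host names (Rune's suggestion), modelled in Python as an added example; this is not Pound's code. It assumes that `re.search` with `re.IGNORECASE` is a close enough stand-in for the POSIX extended, case-insensitive matching Pound applies to each header line, and the Host header lines are constructed sample data. For contrast it also evaluates an ungrouped variant of the alternation: with a bare top-level `|`, the `^Host: ` anchor binds only to the first branch and `$` only to the last, so a request whose Host merely ends in `otherhost.org` would be routed to that service, which is why the alternation needs its own parentheses.

```python
import re

# Constructed Host header lines, in the form Pound sees them in a request
# (sample data for this example, not from the thread).
SAMPLE_HOSTS = [
    "Host: host-a.website.com",
    "Host: host-a.website.com:8443",
    "Host: otherhost.org",
    "Host: www.website.com",
    "Host: evil-otherhost.org",              # should match neither site
    "Host: otherhost.org.attacker.example",  # should match neither site
]

# Alternation enclosed in its own group: "^Host: " and "(:.*)*$" apply to every branch.
GROUPED = r"^Host: ((host-a\.website\.com)|(otherhost\.org))(:.*)*$"
GROUPED_SUBDOMAINS = r"^Host: ((host-a)|(otherhost)|(www))\.website\.com(:.*)*$"

# Ungrouped variant, for contrast: the bare top-level "|" splits the whole
# pattern, so "^Host: " binds only to the first branch and "$" only to the last.
UNGROUPED = r"^Host: (host-a\.website\.com)|(otherhost\.org)(:.*)*$"


def head_require_matches(pattern, header_line):
    # Assumption: re.search with IGNORECASE approximates the POSIX extended,
    # case-insensitive match Pound applies to each header line.
    return re.search(pattern, header_line, re.IGNORECASE) is not None


def matching_hosts(pattern):
    """Which of the sample Host lines a single HeadRequire would accept."""
    return [h for h in SAMPLE_HOSTS if head_require_matches(pattern, h)]


def service_matches(head_requires, headers):
    """Pound ANDs the HeadRequire lines of one Service: every pattern must match
    some header line of the request, or the Service is skipped."""
    return all(any(head_require_matches(p, h) for h in headers)
               for p in head_requires)


if __name__ == "__main__":
    for name, pat in (("GROUPED", GROUPED), ("UNGROUPED", UNGROUPED)):
        print(name, matching_hosts(pat))
    # Two different Host requirements in one Service can never both hold
    # for the same request, so such a Service is never selected.
    print(service_matches([r"^Host: host-a\.website\.com", r"^Host: otherhost\.org"],
                          ["Host: host-a.website.com"]))
```

Running it shows that the grouped pattern accepts only the three intended Host lines, while the ungrouped one also accepts `evil-otherhost.org`; the second call prints `False`, which is the AND behaviour Andrew describes.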
Re: [Pound Mailing List] Version 2
Ondra Kudlik <kepi(at)orthank.net>
2005-11-21 15:59:42
On Mon, Nov 21, 2005 at 03:46:56 +0100, Rune Saetre wrote:
> Hi
>
> >>I apologize for any confusion, but my question seemed to be can I have
> >>multiple HeadRequires within a single service stanza?
> >
> >No, the HeadRequire statements are AND'd, so it would have to fulfil all
> >the requirements to match. So you'll probably need all your service
> >stanzas. Without knowing your environment I wouldn't like to guess at a
> >more efficient config, though it may be possible..
>
> I haven't tried this out, but since regular expression matching is used
> you should be able to match different host headers in the same HeadRequire
> rule, like this:
>
> HeadRequire "^Host: ((host-a\.website\.com)|(otherhost\.org))(:.*)*$"
> or
> HeadRequire "^Host: ((host-a)|(otherhost)|(www))\.website\.com(:.*)*$"
My idea was the same some time ago, but you must have one section
per host; otherwise there will be problems with including files
from one site in another (in the same section), linking and redirecting...
Re: [Pound Mailing List] Version 2
Robert Segall <roseg(at)apsis.ch>
2005-11-22 09:06:44
On Mon, 2005-11-21 at 09:14 +0000, Chris Withers wrote:
> Well, how can I get more info than the rather useless "signal 11"
> message in the logs?
Use a debugger? As the segmentation violation occurs a program can't
very well give you an error message.
I still suspect you have a mix-up in your libraries - perhaps you
upgraded some DLLs and the old Pound was never recompiled?
> I'm afraid, by the sounds of it, we're more likely either to move to
> NetScaler or LVS :-S
Your choice entirely.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
Re: [Pound Mailing List] Version 2
Chris Withers <chris(at)simplistix.co.uk>
2005-11-23 11:40:30
Robert Segall wrote:
> On Mon, 2005-11-21 at 09:14 +0000, Chris Withers wrote:
>
>>Well, how can I get more info than the rather useless "signal 11"
>>message in the logs?
>
> Use a debugger? As the segmentation violation occurs a program can't
> very well give you an error message.
OK.
> I still suspect you have a mix-up in your libraries - perhaps you
> upgraded some DLLs and the old Pound was never recompiled?
Don't think so, this is on RHEL ;-)
>>I'm afraid, by the sounds of it, we're more likely either to move to
>>NetScaler or LVS :-S
>
> Your choice entirely.
No, not really ;-)
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Pound Mailing List] Checking the URL
Andrew Taylor <andrew.taylor(at)rentokil-initial.com>
2005-11-28 15:49:50
Hi,
> Reading RFC2396 (URI generic syntax) I cannot see that the query part of URLs
> should be checked by any entity but the resource itself. Which standards do
> you refer to for checking the query part ?
The man page for Pound lists the following:
----------------
URL MATCHING
Pound attempts to filter out illegal request URLs. In general a URL is defined as
{ / segment [; parameter] } [? qid [ = [ qval ] ] { & qid [ = [ qval ] ] } ] [ # fragment ]
Each of the elements is matched against the allowed character set. By default, the parts are defined as:
CSsegment - ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'():@&=+$,%-
CSparameter - ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'():@&=+$,%-
CSqid - ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()-
CSqval - ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()%-
CSfragment - ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()
----------------
As you can see, and as you have noted in your email, the semicolon is
not in the CSqid or CSqval lists and so it's rejected.
I don't have any information regarding which RFC (if any) was consulted
when this was implemented, but the fix would be as follows:
Edit your config file, e.g. /usr/local/etc/pound.cfg and add:
CSqid
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()-;
CSqval
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.!~*'()%-;
Restart pound and the semicolon should be allowed.
Man page for pound is at
http://www.andrewtaylor.me.uk/gnu/pound/manual1.9.txt
Regards,
Andrew Taylor
Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
Re: [Pound Mailing List] Re: Checking the URL
Robert Segall <roseg(at)apsis.ch>
2005-11-30 13:53:00
On Wed, 2005-11-30 at 08:56 +0100, Gaetan OFFREDO wrote:
> So, my questions :
> . Reading RFC2396 (URI generic syntax) I cannot see that the query part of
> URLs should be checked by any entity but the resource itself. Which
> standards do you refer to for checking the query part ?
There is no requirement (nowhere does it say SHOULD) that the path be
checked, but it is not forbidden either. Pound can check it (if you so
wish) to protect the back-ends from malicious requests.
> . Which RFC was the Pound programmers to reject the semicolons in the query
> part ?
For example: RFC 2396 that you mention, section "3.4. Query Component".
To quote:
Within a query component, the characters ";", "/", "?", ":",
"@", "&", "=", "+", ",", and "$" are reserved.
Specifically, the ";" is reserved to signify the start of the "segment"
part.
> Thanks a lot
You're welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
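The URL MATCHING check from the man page excerpt in Andrew Taylor's reply, together with the semicolon point Robert makes about the query component, modelled in Python as an added example; it is not Pound's own parser. It applies the man page grammar, `{ / segment [; parameter] } [? qid [= [qval]] { & qid [= [qval]] }] [# fragment]`, to each part of a request URL using the default character sets quoted above, and then again with `;` appended to CSqid and CSqval as Andrew's config change does. The request URLs are constructed sample inputs, and accepting an empty segment (so that `/` passes) is an assumption about the grammar, not something the page states.

```python
import string

ALNUM = string.ascii_letters + string.digits

# Default character sets, copied from the URL MATCHING section of the man page
# quoted above (the archive's "(at)" is the "@" character).
DEFAULT_CS = {
    "segment":   ALNUM + "_.!~*'():@&=+$,%-",
    "parameter": ALNUM + "_.!~*'():@&=+$,%-",
    "qid":       ALNUM + "_.!~*'()-",
    "qval":      ALNUM + "_.!~*'()%-",
    "fragment":  ALNUM + "_.!~*'()",
}

# The same sets after the suggested config change: ";" appended to CSqid and CSqval.
SEMICOLON_CS = dict(DEFAULT_CS,
                    qid=DEFAULT_CS["qid"] + ";",
                    qval=DEFAULT_CS["qval"] + ";")


def _only(chars, allowed):
    """True if every character of chars is in the allowed set (empty string passes)."""
    return all(c in allowed for c in chars)


def url_allowed(url, cs=DEFAULT_CS):
    """Character-set check of one request URL following the man page grammar:
    { / segment [; parameter] } [? qid [= [qval]] { & qid [= [qval]] }] [# fragment]
    This is a whitelist of characters per element, not a check of what the
    (possibly percent-encoded) values mean.
    Assumption: an empty segment, as in "/", is accepted."""
    # "#" and "?" are in no character set, so the first occurrence of each
    # is the only place a split can legitimately happen.
    rest, _, fragment = url.partition("#")
    path, has_query, query = rest.partition("?")
    if not path.startswith("/"):
        return False
    for piece in path[1:].split("/"):
        segment, _, parameter = piece.partition(";")
        if not (_only(segment, cs["segment"]) and _only(parameter, cs["parameter"])):
            return False
    if has_query:
        for pair in query.split("&"):
            qid, _, qval = pair.partition("=")
            if not (_only(qid, cs["qid"]) and _only(qval, cs["qval"])):
                return False
    return _only(fragment, cs["fragment"])


# Constructed sample requests (not from the thread).
CONSTRUCTED_REQUESTS = [
    "/cgi-bin/app?id=42&mode=view",  # ordinary query
    "/app?id=42;43",                 # semicolon in a query value
    "/app?a;b=1",                    # semicolon in a query id
    "/lib;v=2/index.html#top",       # path parameter and fragment
    "/search?q=%E2%9C%93",           # percent-encoded value
    "/a?b=<x>",                      # angle brackets are not in CSqval
    "/a?q[]=1",                      # brackets are not in CSqid
    "/a?b=c d",                      # whitespace is never allowed
]


def check_all(cs=DEFAULT_CS):
    """Map each sample request to whether the given character sets accept it."""
    return {u: url_allowed(u, cs) for u in CONSTRUCTED_REQUESTS}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print(f"{'accept' if ok else 'reject':6}  {url}  (with ';' allowed: "
              f"{url_allowed(url, SEMICOLON_CS)})")
```

The two semicolon requests are rejected with the defaults and accepted once `;` is added to CSqid and CSqval, which is exactly the behaviour of the config change; the angle-bracket, square-bracket and whitespace cases stay rejected either way, since the check only widens by the characters you add.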
Re: [Pound Mailing List] Simple Load Balancing 2.0 Config
Eric McCarthy <eric(at)desert.net>
2005-11-30 19:12:07
On Nov 30, 2005, at 3:13 AM, Robert Segall wrote:
> On Tue, 2005-11-29 at 17:23 -0700, Eric McCarthy wrote:
>> I'm attempting to test 2.0b3 with the following config. Pound always
>> chooses the first back-end and never any other.
>>
>> ListenHTTP
>> Address 207.182.32.9
>> Port 8081
>> End
>>
>> Service
>> BackEnd
>> Address 207.182.32.9
>> Port 80
>> End
>> BackEnd
>> Address 204.17.34.119
>> Port 80
>> End
>> End
>>
>> This should load balance all requests between those two back-ends,
>> shouldn't it? I've tested on both FreeBSD 5.4 and Mac OS X 10.4, both
>> with the same results.
>
> Please try the following to help tracing down the problem:
>
> - try reversing the order of the two servers and check which of them
> gets the traffic
The first back-end in the config still gets all the traffic.
> - try setting a higher priority on the second server. Does it get some
> traffic?
No, the problem persists.
> - try adding a third (even if bogus) back-end. What do you see?
No effect for either a bogus or non-bogus third back-end when it is
added as the last back-end in the config.
However, putting a bogus back-end (server is up and reachable, but
not accepting connections) as the first back-end in the config
results in the request never returning and pound's CPU usage going to
100%.
-Eric