redirection problem, was: Re: pound-2.0b5 and sessions
Michael Redinger <Michael.Redinger(at)uibk.ac.at>
2006-01-05 11:57:07
Robert Segall wrote:[...][...][...]
Thanks, this works now.
Another problem:
When I enter a directory name without the trailing slash, e.g. "/my/dir",
the webserver (Apache) answers with "301 (moved permanently)".
The client then asks for "/my/dir/".
When I use pound and HTTP, this works fine. The pound log (LogLevel 2)
says something like this:
x.x.x.x GET /my/dir HTTP/1.1 - HTTP/1.1 301 Moved Permanently (y.y.y.y:80)
x.x.x.x GET /my/dir/ HTTP/1.1 - HTTP/1.1 200 OK (y.y.y.y:80)
Now when I use the same session configuration with HTTPS, the
redirection does not seem to work. Only the first line (301) is logged,
the second request is missing.
I also tried setting Change30x (tried both 0 and 1).
my config (without HTTP):
Daemon 1
LogFacility local4
LogLevel 2
Alive 30
ListenHTTPS
    Address y.y.y.x
    Change30x 1
    Port 8443
    xHTTP 1
    WebDAV 0
    Cert "/etc/pound/server.pem"
    Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    Service
        URL ".*my-string=.*"
        BackEnd
            Address y.y.y.y
            Priority 4
            Port 80
        End
        BackEnd
            Address y.y.y.z
            Priority 5
            Port 80
        End
        Session
            Type PARM
            ID "my-string"
            TTL 3600
        End
    End
    Service
        BackEnd
            Address y.y.y.y
            Priority 4
            Port 80
        End
        BackEnd
            # lwm2
            Address y.y.y.z
            Priority 5
            Port 80
        End
        Session
            Type COOKIE
            ID "my-string"
            TTL 3600
        End
    End
End
Thanks,
Michael
--
Michael Redinger
Zentraler Informatikdienst (Central IT Services)
Universitaet Innsbruck
Technikerstrasse 13 Tel.: ++43 512 507 2335
6020 Innsbruck Fax.: ++43 512 507 2944
Austria Mail: Michael.Redinger(at)uibk.ac.at
BB98 D2FE 0F2C 2658 3780 3CB1 0FD7 A9D9 65C2 C11D
http://homepage.uibk.ac.at/~c102mr/mred-pubkey.asc
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Robert Segall <roseg(at)apsis.ch>
2006-01-05 15:16:07
On Thu, 2006-01-05 at 11:57 +0100, Michael Redinger wrote:[...]
The client asks for what Apache told it to ask for - namely the Location
in the 301 response.
[...]
Look in the Apache logs and use a higher LogLevel (and/or sniff the
traffic) to see what Location the Apache replied with.
[...]
Most likely Apache replies with a http://... Location which Pound does
not recognise as being responsible for, and thus it does not rewrite it.
This might be due to several factors - it is difficult to say without
more information (wrong address, bad DNS, etc). At the very least try to
catch the Location contents (something like tcpwatch between Pound and
Apache would be very useful) and we'll take it from there.[...]
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Michael Redinger <Michael.Redinger(at)uibk.ac.at>
2006-01-05 22:28:23
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Robert Segall <roseg(at)apsis.ch>
2006-01-06 13:15:21
On Thu, 2006-01-05 at 22:28 +0100, Michael Redinger wrote:[...]
The conditions for changing the Location header are:
- Change30x is set (value 1) for the Service in question
- the response is one of 301, 302, 303 or 307
- a Host header was seen in the original request
- the Location header, after DNS resolution, points either to the same
address as the one Pound is using to accept the request (aka the
ListenHTTP/ListenHTTPS), or to the back-end that issued this response
If all of these conditions were fulfilled then the Location header is
changed to "Location: proto://vhost/path", where
- proto is the protocol currently used for the request (http or https)
- vhost is the host name as it appears in the Host header (possibly
including port)
- path is the path in the original response Location
As I wrote in an earlier reply I suggest you look at the exact reply
received from Apache to determine if the necessary conditions are met.
Keep in mind that addresses are compared (rather than symbolic host
names), thus you'll also need to check on the values returned by the DNS
resolver on the machine Pound is running on.[...]
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Michael Redinger <Michael.Redinger(at)uibk.ac.at>
2006-01-09 10:29:08
Robert Segall wrote:[...][...][...]
Hi,
I think all of the conditions are met:
- Change30x is 1
- the response is 301
- there is a location header
- there is a host header in the original client request
- the names should be ok (see below)
I tried this with binding either to the primary IP of the host (on eth0)
or to a secondary (on eth0:1). I then connected with the browser to the
corresponding hostname.
The answer from the server to pound always contains the correct
hostname. The only differences between the original request and the
location header sent by the server are
- the trailing "/"
- "http" instead of "https"
So, I think the IP/DNS part should be definitely ok, right?
The complete HTTP dialogs (tcpdump -s 5000). If necessary I could
provide the complete dump files:
Client:
GET /myurl HTTP/1.1
Host: myserver.uibk.ac.at:8443
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,de;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X-Forwarded-For: x.x.x.x
Server:
HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Jan 2006 08:44:24 GMT
Server: Apache/2.0.46 (Red Hat)
Location: http://myserver.uibk.ac.at:8443/myurl/
Content-Length: 342
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a
href="http://myserver.uibk.ac.at:8443/myurl/">here</a>.</p>
<hr />
<address>Apache/2.0.46 (Red Hat) Server at myserver.uibk.ac.at Port
8443</address>
</body></html>
Thanks,
Michael
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Robert Segall <roseg(at)apsis.ch>
2006-01-09 13:31:34
On Mon, 2006-01-09 at 10:29 +0100, Michael Redinger wrote:[...]
Log-on to the machine running Pound and do a 'nslookup
myserver.uibk.ac.at' (or use dig). The address shown should be the same
as the one Pound is listening on. If it isn't you have your culprit, if
it is we have one.[...]
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Michael Redinger <Michael.Redinger(at)uibk.ac.at>
2006-01-09 13:43:09
Robert Segall wrote:[...][...][...]
Hi,
it is the address pound is listening on.
Any idea how I can help track down the problem?
One thing I noticed - I do not think this is the problem, just wanted to
mention it, to be sure:
When doing a normal tcpdump (without any options), I did not get the
whole Location string. I had to use "-s " to get more data. Does pound
read the whole package or just the first few bytes?
Thanks,
Michael
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Robert Segall <roseg(at)apsis.ch>
2006-01-09 13:55:35
On Mon, 2006-01-09 at 13:43 +0100, Michael Redinger wrote:[...]
We'll look into it here.
[...]
That's not the problem.[...]
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Robert Segall <roseg(at)apsis.ch>
2006-01-09 15:06:49
On Mon, 2006-01-09 at 13:43 +0100, Michael Redinger wrote:[...]
Please try replacing lines 685, 686 in svc.c with:
    if(memcmp(&lstn->addr.sin_addr.s_addr, &addr.sin_addr.s_addr,
        sizeof(addr.sin_addr.s_addr)) == 0
    || memcmp(&be->addr.sin_addr.s_addr, &addr.sin_addr.s_addr,
        sizeof(addr.sin_addr.s_addr)) == 0)
This should compare the actual addresses (s_addr) rather than
everything.
Please let us know if it helps.[...]
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Michael Redinger <Michael.Redinger(at)uibk.ac.at>
2006-01-09 16:35:25
No, it still does not work.
I checked need_rewrite (I am not a C programmer, but at least I could
add a few logmsg() ... :-) ):
I think the problem is that splitting location and extracting the host
part does not work as expected.
In line 673 location is:
http://myhost.uibk.ac.at:8443/myurl/
and host is:
myhost.uibk.ac.at:8443/myurl/
Thanks,
Michael
Robert Segall wrote:[...][...][...]
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Robert Segall <roseg(at)apsis.ch>
2006-01-10 14:31:38
On Mon, 2006-01-09 at 16:35 +0100, Michael Redinger wrote:[...]
That's OK - you just logged it a bit too early.
However, there's another problem: the port is not being taken out. Here
is what need_rewrite should look like:
int
need_rewrite(char *location, char *path, LISTENER *lstn, BACKEND *be)
{
    struct sockaddr_in  addr;
    struct hostent      *he;
    regmatch_t          matches[4];
    char                *host, *cp;

    /* split the location into its fields */
    if(regexec(&LOCATION, location, 4, matches, 0))
        return 0;
    host = location + matches[2].rm_so;
    strcpy(path, location + matches[3].rm_so);
    location[matches[1].rm_eo] = location[matches[2].rm_eo] = '\0';
    if((cp = strchr(host, ':')) != NULL)
        *cp = '\0';

    /*
     * Check if the location has the same address as the listener or the back-end
     */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    if((he = gethostbyname(host)) == NULL || he->h_addr_list[0] == NULL)
        return 0;
    memcpy(&addr.sin_addr.s_addr, he->h_addr_list[0],
        sizeof(addr.sin_addr.s_addr));
    if(memcmp(&lstn->addr.sin_addr.s_addr, &addr.sin_addr.s_addr,
        sizeof(addr.sin_addr.s_addr)) == 0
    || memcmp(&be->addr.sin_addr.s_addr, &addr.sin_addr.s_addr,
        sizeof(addr.sin_addr.s_addr)) == 0)
        return 1;
    return 0;
}
Please try with this - I think it should work.[...]
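The rewrite conditions listed earlier in the thread and the port-stripping step in need_rewrite above, combined in one added example; this is not Pound's code and not part of the original posts. The names rewrite_location, strip_port and resolve_stub (a constructed table standing in for DNS), and the host names and addresses, are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the DNS resolver so the example runs offline. */
static int resolve_stub(const char *host, struct in_addr *out)
{
    static const char *tbl[][2] = {
        { "myserver.example", "192.0.2.10" },   /* the listener's address */
        { "other.example", "198.51.100.7" },    /* some unrelated host */
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(host, tbl[i][0]) == 0)
            return inet_pton(AF_INET, tbl[i][1], out) == 1;
    return 0;
}

/* Returns 1 and writes "proto://vhost/path" to out when every condition holds.
 * strip_port = 0 reproduces the failure in the thread: "host:port" goes to the
 * resolver, the lookup fails and the http:// Location is passed on unchanged. */
int rewrite_location(int change30x, int status, const char *req_host,
    const char *proto, const char *location, const char *lstn_ip,
    const char *be_ip, int strip_port, char *out, size_t outsz)
{
    char host[256];
    struct in_addr loc, lstn, be;
    const char *p, *path;
    size_t n; int len;
    if (!change30x || req_host == NULL || *req_host == '\0')
        return 0;                        /* Change30x off, or no Host header */
    if (status != 301 && status != 302 && status != 303 && status != 307)
        return 0;
    if ((p = strstr(location, "://")) == NULL)
        return 0;
    p += 3;
    n = strcspn(p, "/");                 /* host[:port] ends where the path starts */
    if (n == 0 || n >= sizeof host)
        return 0;                        /* bounded copy into host[] */
    memcpy(host, p, n); host[n] = '\0';
    path = p[n] != '\0' ? p + n : "/";
    if (strip_port)
        host[strcspn(host, ":")] = '\0'; /* IPv4 and host names only */
    if (!resolve_stub(host, &loc) || inet_pton(AF_INET, lstn_ip, &lstn) != 1
        || inet_pton(AF_INET, be_ip, &be) != 1)
        return 0;
    if (loc.s_addr != lstn.s_addr && loc.s_addr != be.s_addr)
        return 0;                        /* points elsewhere: leave it alone */
    len = snprintf(out, outsz, "%s://%s%s", proto, req_host, path);
    return len >= 0 && (size_t)len < outsz;
}
```

When the function returns 0 behind an HTTPS listener, the client receives the back-end's http:// Location for the TLS port, which is why the second request never appeared in the log.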
|
|
|
Re: [Pound Mailing List] redirection problem, was: Re: pound-2.0b5 and sessions
Michael Redinger <Michael.Redinger(at)uibk.ac.at>
2006-01-10 15:06:25
Yes, that's it, this fixes the problem!
Thanks,
Michael
Robert Segall wrote:[...][...][...]