On Thu, 2006-06-01 at 10:11 +0100, Sérgio Freire wrote:[...]

You are right - thanks for the fix.[...]

Út, kvě 30, 2006 ve 07:41:37 +0200, Robert Segall napsal:[...]

Hi,

I think I found same problem with lighttpd. Look like lighty remove
these headers...

If anybody know about what to config in lighty not to remove ssl
header, write me please.

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html

Dear all,

Looks like pound doesn't always keep sticky (cookie-based) sessions
forwarded to the same backend.

This is cut-down log from LiveHTTPHeaders

----------------------------------------------------------
GET /over.gif HTTP/1.1
Host: www.host.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
Accept: image/png,*/*;q=0.5
Accept-Language: nl-NL,nl;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=698109120e94ba73f82de4976a293cf6
 
HTTP/1.x 200 OK
Date: Wed, 07 Jun 2006 17:31:47 GMT
Server: Apache/2.0.55 (Unix) DAV/2 PHP/4.3.11
Last-Modified: Sun, 28 May 2006 19:47:07 GMT
Etag: "9e73e-749-777fc4c0"
Accept-Ranges: bytes
Content-Length: 1865
X-Served-by: fe03
Connection: close
Content-Type: image/gif
----------------------------------------------------------

X-Served-by is a custom header, added by Apache to indicate which backend
requests are forwarded to.
fe01, fe02, fe03... and so on.

So far so good, all requests in this session were served from fe03.

Now I want to enter area protected with basic authorization:
 
----------------------------------------------------------
HEAD /content/piece123.avi HTTP/1.1
Host: www.host.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: nl-NL,nl;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=698109120e94ba73f82de4976a293cf6
Pragma: no-cache
Cache-Control: no-cache
 
...and here, BOOM!..
 
HTTP/1.x 401 Authorization Required
Date: Wed, 07 Jun 2006 17:31:48 GMT
Server: Apache/2.0.55 (Unix) DAV/2 PHP/4.3.11
WWW-Authenticate: Basic realm="Please enter your loginname and password"
Connection: close
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
 
The browser shows famous gray window with basic auth.
Now, requests are sent with auth header.
 
----------------------------------------------------------
HEAD /content/piece123.avi HTTP/1.1
Host: www.oldje.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.12)
Gecko/20050919 Firefox/1.0.7
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: nl-NL,nl;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=698109120e94ba73f82de4976a293cf6
Pragma: no-cache, no-cache
Cache-Control: no-cache, no-cache
Authorization: Basic bG9naWNhbDptbzJkZWxsZW4=
 
HTTP/1.x 200 OK
Date: Wed, 07 Jun 2006 17:32:21 GMT
Server: Apache/2.0.55 (Unix) DAV/2 PHP/4.3.11
Last-Modified: Mon, 29 May 2006 15:12:40 GMT
Etag: "a1fde-11558b3-bfd4aa00"
Accept-Ranges: bytes
Content-Length: 18176179
X-Served-by: fe02
Connection: close
Content-Type: application/vnd.rn-content
----------------------------------------------------------

BOOM - now session is switched to fe02 - while fe03 is still alive and
healthy!
 
And from now on everything goes via fe02.

I witnessed several cases like this one.

The $1M question:
Could it be that 401 Authorization required answer from the backend server
disrupts somehow session tracking mechanics in pound?

Pound version is 1.10 here, because I had some strange segfaults with 2.0
and 2.0.x are not marked as stable yet.

So if possible, in future versions of Pound I'd like to see ALL cases when
session tracking is lost as an error, written explicitly in error log, with
relevant information like 'because backend server doesn't seem to breathe
anymore' or whatever.

Another feature request that I dare to express is that session <> backend
coupling could be probably made persistent, with berkeleydb or hash table or
something. This is because on every pound restart, this coupling is users
have to log on again. If this information can be persisted and flushed on
demand, pound can be restarted as often as I want without any side effects.


Regards,
Timur

[...]

Hi Timur,
could you please try with the latest "beta" release 2.0.7?
Im using it in production without problems and soon this one will be marked 
as 2.1 stable...
Although Im not sure about the authentication+cookies session losing, its 
better if you use latest version:
    - there were some problems with first 2.xx releases, and some with 
session tracking
    - about the segfault, its not expected to happen in any case.. please 
use latest and see if it happens.. if so please send more info
    - about the sugestion, well in my opinion I think that its kind of 
interesting but you shouldn't need it if your main problem is pound 
restarting due to segfaults...

Regards,
Sergio Freire

----- Original Message ----- 
From: "Timur Evdokimov" <timur(at)jacum.com>
To: <pound(at)apsis.ch>
Sent: Wednesday, June 07, 2006 8:22 PM
Subject: RE: Welcome to [Pound Mailing List]

[...]

[...]

Hello Timur,

I'm using Pound 2.0.6 in my production site with cookie based session 
tracking without problems. Try to update Pound to a newer version.
[...]

On Fri, 2006-06-09 at 16:43 +0300, Janno Sannik wrote:[...]

No.[...]

On Fri, 2006-06-09 at 12:14 -0700, Steve Otto wrote:[...]

Sorry, not supported (though interesting - send a patch and we'll
certainly consider it).[...]

Steve Otto said the following on 06/09/2006 02:14 PM:[...]

You should be able to do something with iptables. Block new connections
while letting the old ones finish. When no more requests exist do
whatever upgrade you need. After open iptables again. When no new
connection are allowed pound should tag that backend as down and take it
out of the list.

This should work though I've never done it myself. I would look at what
keep-alive and persistent http connection does to this, but eventually
there should no longer be any active connections to that tomcat
instance. I would try it on some test setup before actually doing it in
production.


Russell Valentine

If pound marks the backend as down, then existing sessions will be 
reassigned.  Existing transactions should complete just fine (which is 
what Steve was probably asking for).

I think that you can do the same thing with the HAPort capability with 
lower complexity.  That would have the same problem with sessions, but 
depending on sessions except as an optimization is dangerous.

Russell Valentine wrote:[...][...][...]
[...]

Robert,

Please accept my apologies for the delay. I have not had an opportunity to 
conduct those tests yet but hope to do so over the weekend.

Many Thanks
Richard

----- Original Message ----- 
From: "Robert Segall" <roseg(at)apsis.ch>
To: <pound(at)apsis.ch>
Sent: Friday, June 30, 2006 5:49 PM
Subject: [Pound Mailing List] Pound status

[...]