Re: [Pound Mailing List] Pound and SSL Setup
"Mathew Brown" <mathewbrown(at)fastmail.fm>
2006-08-01 03:51:57 [ FULL ]
Adam, 
  Thanks a lot for your reply.  I noticed that the homepage for Pound is
  very sparse.  Are there any links to tutorials?  I couldn't find any
  on the main page.  Finally, can Pound be used as an SSL bridge / SSL
  initiation where the SSL link is terminated at it and then
  re-initiates the SSL session (kind of like ISA 2004)?  Thanks for
  your help.

On Mon, 31 Jul 2006 01:14:05 +0200, "Adam Borowski"
<kilobyte(at)angband.pl> said:[...][...]

Re: [Pound Mailing List] advice for use of pound
Johannes Findeisen <mailman(at)hanez.org>
2006-08-01 04:00:20 [ FULL ]
Hi,

On Mon, 2006-07-31 at 21:49 +0200, dirk dekker wrote:[...]

Yeah, you really could do that with Pound. But Pound takes focus on
being a load balancer like: Url: www.abc.com is redirected to
192.168.0.1 (Webserver-1) or 192.168.0.2 (Webserver-2) depending on the
"load" of these machines. But what you want to do is possible too -
Without any problems.
[...]

Do you mean, if there is Hardware available, that is looking like small
*DSL routers and where Pound is installed?

I think no, but I don't know... But you could build one by
yourself... ;)

I've never seen a solution built with this board but you could buy a
mini PC from http://www.soekris.com/ and
install Linux or BSD and Pound.
Hehe, I don't know if the CPUs are fast enough but I am really
interested in some benchmarks... :)

Is anybody out there who tried that out? 
[...]

No Problem... Let me know what solution you will select at the end.
[...]

Regards,
[...]

Re: [Pound Mailing List] Timeout problems
Fat Bear Server Administration <server(at)fatbear.com>
2006-08-01 17:41:39 [ FULL ]
I, too, am getting customer complaints of error 500s.  With a customer on the
phone and looking at the logs in real time, I saw the error 500 happening at
just the same time that pound emitted an error.  And, pound is emitting errors
every few minutes.  I've copied a recent sample below.  This makes pound seem
buggy. From past posts, I seem to recall that some of these are just warnings
that need no modification of the pound config at all.  If so, I'd like to turn
these warning messages off.  But, for the rest, what should I do?  I've also
copied my simple config file below.

Thanks,
Steve Amerige
Fat Bear Incorporated

System: Red Hat Linux 9.0 (also on Fedora Core 1 and Fedora Core 4 with the
same problems)
Pound version: 2.0.4

pound.cfg

LogLevel            0
User                "safeuser"
Group               "safegroup"

ListenHTTP
    Address         64.242.84.187
    Port            80
End

ListenHTTPS
    Address         64.242.84.187
    Port            443
    Cert            "/usr/local/apache2/conf/ssl/fatbear.com/fatbear.com.pem"
End

Service
    BackEnd
        Address     64.242.84.187
        Port        8088
    End
End


/var/log/messages

Aug  1 07:53:11 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:53:55 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 07:53:55 fat1 pound: error flush headers to 86.209.26.127: Connection reset by peer
Aug  1 07:54:06 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:54:22 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 07:56:17 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:58:38 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:00:24 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:03:29 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:04:03 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:05:15 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:05:46 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:05:48 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:05:51 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:05:51 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:05:51 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:06:45 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:07:01 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:07:49 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:08:05 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:08:06 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:08:08 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:08:49 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:09:00 fat1 pound: error flush headers to 71.139.184.220: Connection reset by peer
Aug  1 08:09:17 fat1 pound: response error read from 64.242.84.187:8088: Connection timed out
Aug  1 08:09:52 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:09:54 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:10:34 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:10:38 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:12:57 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:13:29 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:13:32 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:15:22 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:15:25 fat1 pound: error flush headers to 128.218.39.136: Connection reset by peer
Aug  1 08:15:25 fat1 pound: error flush headers to 128.218.39.136: Connection reset by peer
Aug  1 08:15:30 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:17:36 fat1 pound: error flush headers to 81.231.98.56: Connection reset by peer
Aug  1 08:18:18 fat1 pound: can't read header
Aug  1 08:18:32 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:18:38 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:18:59 fat1 pound: error flush headers to 212.219.238.55: Connection reset by peer
Aug  1 08:19:03 fat1 pound: error read from 220.179.77.169: Connection timed out
Aug  1 08:19:12 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:19:13 fat1 pound: error flush headers to 81.231.98.56: Connection reset by peer
Aug  1 08:19:49 fat1 pound: error read from 68.254.149.123: Connection reset by peer
Aug  1 08:19:49 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:19:49 fat1 pound: error flush headers to 68.254.149.123: Connection reset by peer
Aug  1 08:21:07 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:23:18 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:24:57 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:25:05 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:25:06 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:25:09 fat1 pound: error flush headers to 24.143.15.102: Connection reset by peer
Aug  1 08:26:55 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:28:58 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:29:06 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:29:27 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:29:35 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:29:47 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:32:29 fat1 pound: error copy server cont: Connection timed out
----- Original Message ----- 
From: Ondra Kudlik 
To: Pound 
Sent: Tuesday, August 01, 2006 2:57 PM
Subject: [Pound Mailing List] Timeout problems


Hi,

two days ago we switched to Pound 2.0.9 from 1.8 and now we have
a problem with timeouts.

We have apache behind pound and when some client has a script which
takes a long time it returns error 500 and in the logs there is 

response error read from 127.0.0.1:10000: Connection timed out

I found TimeOut in the documentation so I added it to BackEnd and yes, it
is better.. but how can I set an ideal value for TimeOut? What if a
script takes 3 minutes to go or 5 minutes or 30 seconds? I'm not
really sure but I think that with Pound 1.8 there wasn't this
problem.

Can you give me some advice?

Thanks
[...]

Re: [Pound Mailing List] Timeout problems
Jacques Caron <jc(at)oxado.com>
2006-08-01 19:04:15 [ FULL ]
Hi,

At 12:27 01/08/2006, Ondra Kudlik wrote:[...]

Depends on your app and your requirements.
[...]

We use several "Service" entries in our pound configuration that map 
to different actions (matching the Host and/or URL): URLs that are 
associated with reports that can be quite long to generate have a 
longer TimeOut value (e.g. 300 seconds) while others that need to 
complete very quickly or die right away (JS scripts linked into 
affiliate pages) have a very short TimeOut (2 seconds), while others 
have an "average" TimeOut at 120 seconds, etc.

That seems to work pretty well now.

Jacques.

Re: [Pound Mailing List] Timeout problems
Jacques Caron <jc(at)oxado.com>
2006-08-01 19:06:15 [ FULL ]
Hi,

At 17:41 01/08/2006, Fat Bear Server Administration wrote:[...]

Well, no, it does exactly what it is told: if a server does not 
respond within the expected time, complain and don't stay there 
forever. You can adjust the TimeOut value based on your requirements.

Jacques.

Re: [Pound Mailing List] Timeout problems
Ondra Kudlik <kepi(at)orthank.net>
2006-08-01 19:16:39 [ FULL ]
On Tue, Aug 01, 2006 at 07:04:15 +0200, Jacques Caron wrote:[...]

Yes, I understand this well. But we are a webhosting company and have
hundreds of clients and we are not able to know a good timeout for
each of them :(

Re: Welcome to [Pound Mailing List]
"Tony Perrie" <tony(at)involution.com>
2006-08-02 00:07:09 [ FULL ]
I'm having a bit of trouble deploying Pound 2.0.9.  It appears that
the output of my rails application is slightly garbled after sending
it through the Pound proxy from Mongrel.  Some newline characters look
like they have been eaten.  The application is fine if I load it from
Mongrel directly.  Is this a known problem?

Tony
http://involution.com

Re: [Pound Mailing List] Problem w/ Openssl
Falk Brockerhoff <fb(at)smartterra.de>
2006-08-04 21:03:08 [ FULL ]
beno wrote:
[...]

Hi Beno (Realname would be fine),
[...]

Did you install openssl from the ports? (openssl-0.9.8b_1 or newer).
While configuring you have to give the path to the userside installed
openssl-libs:

./configure --with-ssl=/usr/local/

Runs fine for me with FreeBSD 6.1
[...]

Regards,

Falk Brockerhoff

Re: [Pound Mailing List] Timeout problems
Fat Bear Server Administration <server(at)fatbear.com>
2006-08-04 23:13:38 [ FULL ]
>> We use several "Service" entries in our pound configuration that map
to [...][...]

1. We're in the same situation.... what did you decide to do?  Would you share
your configuration file?  I'm not familiar with the "Service" entries you're
referring to... does anyone have an example of this that could work on a server
hosting many customer domains (for which I have no knowledge of what they use
their domains for)?  For that matter, I'd love to see a template configuration
file that would be good for a general virtual hosting provider.  Please see
below what we're using right now.

2. I see errors of the form:

    Aug  1 08:19:12 fat1 pound: error copy server cont: Connection reset by peer

every few minutes in the log file.  I've changed the TimeOut to 120 (to get rid
of the Connection timed out messages), and I was hoping that would take care of
this as well.  What does this error mean?  What action do I need to take to
resolve whatever are the underlying problems?  If it's not a problem message,
shouldn't LogLevel 0 suppress it?

Thanks,
Steve Amerige
Fat Bear Incorporated

pound.cfg

LogLevel            0
User                "safeuser"
Group               "safegroup"

ListenHTTP
    Address         64.242.84.187
    Port            80
End

ListenHTTPS
    Address         64.242.84.187
    Port            443
    Cert            "/usr/local/apache2/conf/ssl/fatbear.com/fatbear.com.pem"
End

Service
    BackEnd
        Address     64.242.84.187
        Port        8088
    End
End

Re: [Pound Mailing List] Timeout problems
Ondra Kudlik <kepi(at)orthank.net>
2006-08-05 00:57:39 [ FULL ]
On Fri, Aug 04, 2006 at 02:13:38 -0700, Fat Bear Server Administration wrote:[...]

I can't resolve this correctly, so I set timeout to very high number
but I'm not sure about impacts
[...]

search the pound archive, but I think that this isn't related to
this issue. For timeout problem you will see Connection timeout in
logs. 
[...]

No, cause loglevel 0 disables access logging but error messages are
shown anyway

Service
        HeadRequire "Host: .*somehost\.cz.*"
        BackEnd
                Address         127.0.0.1
                Port            10000
                TimeOut         1200
        End
End

But again, I just wonder why this issue is only in Pound 2.x, we
have no such problems with 1.x branch

Ondra Kudlik
[...]

Re: [Pound Mailing List] Timeout problems
Robert Segall <roseg(at)apsis.ch>
2006-08-05 11:52:26 [ FULL ]
On Tue, 2006-08-01 at 12:27 +0200, Ondra Kudlik wrote:[...]

In 1.8 the default was "infinite", thus no time-outs at all. In later
versions we moved away from that, as it led to dead back-ends not being
recognised (dead as in an infinite loop rather than off).

In general you can set as long a time-out as you want - the effect is
only that unresponsive servers will take a while to be recognised as
dead. Servers that have crashed completely will still refuse the
connection, and thus the time-out is not relevant.[...]
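
An added example, not part of the thread and not Pound's own code: a small Python triage script that separates the back-end read time-outs discussed above (the entries a TimeOut setting governs) from the other messages in the posted syslog, counted per back-end. The sample entries are copied from the log excerpt earlier in this thread, e-mail wrapping included; the function names are this example's own.

```python
import re
from collections import Counter

# Entries copied from the syslog excerpt posted earlier in this thread,
# keeping the e-mail line wrapping that splits some of them in two.
SAMPLE = """\
Aug  1 08:05:51 fat1 pound: error flush headers to 68.79.159.2: Connection
reset by peer
Aug  1 08:05:51 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:06:45 fat1 pound: error flush headers to 68.79.159.2: Connection
reset by peer
Aug  1 08:08:05 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:09:17 fat1 pound: response error read from 64.242.84.187:8088:
Connection timed out
Aug  1 08:18:18 fat1 pound: can't read header
Aug  1 08:19:03 fat1 pound: error read from 220.179.77.169: Connection timed
out
"""

# A syslog entry starts with "Mon DD HH:MM:SS host pound: ".
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) pound: (?P<msg>.*)$"
)
# The message the thread ties to error 500s: a read from a back-end timed out.
BACKEND_TIMEOUT = re.compile(
    r"^response error read from (?P<backend>\S+:\d+): Connection timed out$"
)
# IPv4 address with optional port, replaced so entries group by message type.
PEER = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


def unwrap(text):
    """Re-join entries that a mail client wrapped onto a second line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            # No timestamp: this is the tail of the previous entry.
            entries[-1] += " " + line
    return entries


def triage(text):
    """Count back-end time-outs per back-end and all other messages by type."""
    backend_timeouts = Counter()
    other = Counter()
    unparsed = []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            unparsed.append(entry)
            continue
        msg = m.group("msg")
        hit = BACKEND_TIMEOUT.match(msg)
        if hit:
            backend_timeouts[hit.group("backend")] += 1
        else:
            other[PEER.sub("<peer>", msg)] += 1
    return {"backend_timeouts": backend_timeouts, "other": other,
            "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("Back-end read time-outs (candidates for a longer TimeOut):")
    for backend, n in result["backend_timeouts"].most_common():
        print(f"  {n:4d}  {backend}")
    print("Other messages:")
    for msg, n in result["other"].most_common():
        print(f"  {n:4d}  {msg}")
```

On a host with many Service sections, the per-back-end counts show which BackEnd blocks actually hit the time-out, so a longer TimeOut can be set there instead of globally.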

Re: [Pound Mailing List] Session Handling Problem - still exists
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-10 14:05:41 [ FULL ]
Hello again,

In the meanwhile I upgraded to pound 2.0.9 (still on FreeBSD 6.1) and
changed my configuration syntax:

User            "www"
Group           "www"
LogLevel        2
Alive           5

ListenHTTP
        Address 0.0.0.0
        Port 80
End

Service
        Session
                Type    PARM
                ID      "PHPSESSID"
                TTL     300
        End

        BackEnd
                Address 10.0.0.1
                Port 80
                Priority 1
        End
        BackEnd
                Address 10.0.0.2
                Port 80
                Priority 1
        End
End
[...]

The problem still exists - does anyone have an idea how to fix this
behavior?

Regards,

Falk Brockerhoff

Re: [Pound Mailing List] Session Handling Problem - still exists
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-10 14:38:35 [ FULL ]
Hmmm,

it seems that the problem is not caused by pound - the redirects to the
backends are working fine. If the user is redirected to web1 everything
works fine, but on web2 the session dies after some time.

Ok, so I have to find the bug on the web2-backend, not within pound.
Sorry for my hastily posting to the list.

But I don't know why web2 is doing so strange things. It is exactly
identical to web1, where everything works fine...

Regards,

Falk

Re: [Pound Mailing List] Enhanvements
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-17 15:20:52 [ FULL ]
Robert Segall wrote:
[...]

This would be a very nice feature, I think!

Regards,

Falk

Re: [Pound Mailing List] Enhanvements
Adam Borowski <kilobyte(at)angband.pl>
2006-08-17 15:45:36 [ FULL ]
On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:[...]

You'll want to start with:
http://www.apsis.ch/pound/pound_list/archive/2006/2006-07/1151714111000

It does almost what you want -- I didn't eliminate xHTTP, but WebDAV
accepts four values:
  * 0 -- disabled
  * 1 -- as currently w/o --enable-msdav
  * 2 -- RFC-compliant methods
  * 3 -- as in --enable-msdav: all Microsoft extensions
Values higher than 1 force xHTTP to be on.

[...]

Re: [Pound Mailing List] Enhanvements
Ondra Kudlik <kepi(at)orthank.net>
2006-08-17 15:46:05 [ FULL ]
On Thu, Aug 17, 2006 at 02:49:59 +0200, Robert Segall wrote:[...]

as you know, this will be great for us. No further patching and
hacking :)
[...]

this will be really great future!
[...]

I have to say same thing as before. We have big problems with pound
not supporting redirect from same domain to https version in
scripts...

http://www.domain.com/ -> https://www.domain.com is must for us and
it is very hard time now without it and many complaints from our
clients :(

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html

Re: [Pound Mailing List] Enhanvements
Eric McCarthy <eric(at)desert.net>
2006-08-17 19:41:01 [ FULL ]
On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:[...]

An "Include" directive for the configuration file would be a nice
feature to have.

-Eric

RE: [Pound Mailing List] Enhanvements
<F.Alcala-Soler(at)iaea.org>
2006-08-17 20:23:47 [ FULL ]
Hello,

These are my needs for features:
[...]

1) +1 on the above.

2) When logging the backend server that has been used (LogLevel 2), I
see only the Port in parenthesis. If it is not possible to configure
Pound to display also the Address, I'd find such a feature useful. I
have all backend servers configured on the same port and the current
information in the log is not enough to determine which one's been used.

3) I have a NAT router between Pound and the backend servers. This is so
because my backend servers are cloned VMware virtual machines and I do
not have enough IP addresses to bridge them. There are several backend
machines on every physical host and I use port forwarding to access the
web servers in them (all on port 80, while the forwarders on the
physical host listen on ports 80, 81, 82... one for each clone). This
means that the checks that Pound performs on backend hosts (both Port
and HAPort) are actually responded to by the NAT router. I can shut down
a backend web server and Pound won't notice. My suggestion would be a
configuration option to do pervasive checks, i.e. something on top of
the currently used TCP handshake, something like requesting a dummy URL
or doing a HEAD HTTP request. These would need to be answered by backend
servers only.

If suggestion 3) were to be implemented, I would not need 1) and 2).
They are derived from the fact that to overcome the above problem, I
have daisy-chaining Pound servers. I place a Pound server on each
physical host balancing the load for the clone backends on that same
host and one external Pound server distributing the load between these
Pound installations on the physical hosts. Because I can no longer use
the sequential port numbers, I would need the Address on the log files,
and because the death of all clones on a physical server would not be
noticed by the external Pound (unless I created yet one more HAPort
server), the emergency backend directive would help us serve requests
from any host with dead backends by fetching them directly from an
adjacent physical host. (Currently I am thinking of trying out with a
very low priority configuration for the emergency backend, which would
actually be the Pound installation on a physical host).

If anyone sees other solutions to my issues, please let me know.

Thanks,

 Curro

This email message is intended only for the use of the named recipient.
Information contained in this email message and its attachments may be
privileged, confidential and protected from disclosure. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication to others. Also please notify the sender by replying to this
message and then delete it from your system.

RE: [Pound Mailing List] Enhanvements
Robert Segall <roseg(at)apsis.ch>
2006-08-18 11:25:07 [ FULL ]
On Thu, 2006-08-17 at 20:23 +0200, F.Alcala-Soler(at)iaea.org wrote:[...]

Not here - it logs in the usual address:port format.
[...]

That is simply impossible - it would break just about every IP standard
I ever heard about. By definition the NAT router cannot respond to
packets for forwarded ports. To check: run a port scan on your NAT box;
if what you say is true then each and every port will show as open,
regardless of whether it is forwarded or not.

As to the lack of IP addresses: the network segment(s) between Pound and
the servers is private, so you have as many addresses as you want.
[...]

In other words you have no NAT but extra Pound instances.

This is not a particularly efficient topology - you are better off with
a single Pound instance distributing the load to the various servers
directly. Use routing rather than NAT to get access to the virtual
machines.[...]

Re: [Pound Mailing List] Enhanvements
Robert Segall <roseg(at)apsis.ch>
2006-08-18 11:27:20 [ FULL ]
On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:[...]

Why? What is the advantage? Is your config file so large that you
actually need the feature? Not criticising but asking, as I'd like Pound
to stay as simple as possible.

In any case Pound reads the config file (with or without includes)
exactly once, on start-up.[...]

Re: [Pound Mailing List] Enhanvements
Holger Gläß <holger.glaess(at)asknet.de>
2006-08-18 11:55:16 [ FULL ]
Robert Segall wrote:[...][...]
>>> Please post additional suggestions here and we'll try to add them to the
>>> list.
>>>       [...][...]

hi

an include function is nice to have for configuration synchronisation 
between 2 boxes
in a HA environment.

but this needs a function for reload of config by a signal ( like a HUP 
) or an automatic check
and reload feature for configs.

holger

Re: [Pound Mailing List] Enhanvements
Malte Ahrens <malte.ahrens(at)web.de>
2006-08-18 12:29:08 [ FULL ]
Hello,[...]
I'm not sure whether it was mentioned before. For me it would be great 
to have the possibility to track a 'health page' of the back ends. For 
example pound should retrieve every X seconds a special page which only 
content is 'OK' or 'FAIL'. This would give me the possibility to do some 
health checks like DB lookups, server status and so on and drop a 
backend even when apache (the server) is still responding.
I know there is the HAport directive but to my mind it's a very 
complicate way...


Malte
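
An added example, not part of the thread and not Pound's own code, covering both this request and the NAT forwarder case described earlier: a connect-only probe passes against anything that completes the TCP handshake, while an HTTP probe that expects the body OK does not. The local servers, the /health path and all function names are constructed stand-ins for the example.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_check(host, port, timeout=1.0):
    """Connect-only probe: passes as soon as the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, path="/health", timeout=1.0):
    """Application-level probe: the back-end itself must answer 200 'OK'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(16).strip()
        return resp.status == 200 and body == b"OK"
    except (OSError, http.client.HTTPException):
        # Reset, early close or time-out: nothing behind the port answered.
        return False
    finally:
        conn.close()


def _make_handler(body):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the example quiet

    return Handler


def start_backend(body):
    """Constructed stand-in for a web server whose health page returns body."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(body))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def start_dead_forwarder():
    """Constructed stand-in for a port forwarder whose back-end is down:
    it accepts the connection, then closes it without sending anything."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(8)

    def loop():
        while True:
            client, _ = lsock.accept()
            client.close()

    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]


def probe_all():
    """Return {name: (tcp_ok, http_ok)} for the three constructed targets."""
    targets = {
        "healthy": start_backend(b"OK"),
        "degraded": start_backend(b"FAIL"),  # server up, application reports FAIL
        "forwarder_only": start_dead_forwarder(),
    }
    return {
        name: (tcp_check("127.0.0.1", port), http_check("127.0.0.1", port))
        for name, port in targets.items()
    }


if __name__ == "__main__":
    for name, (tcp_ok, http_ok) in probe_all().items():
        print(f"{name:15s} tcp={tcp_ok!s:5s} http={http_ok}")
```

A monitoring job built on http_check can take a back-end out of rotation in the two cases the connect-only check misses: the health page says FAIL, or only the forwarder is listening.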

Re: [Pound Mailing List] Enhanvements
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-18 12:34:02 [ FULL ]
Holger Gläß wrote:
[...]

In a HA environment a session synchronisation between two carped
pound-boxes would be fine...
[...]

Regards,

Falk

Re: [Pound Mailing List] Enhanvements
Holger Gläß <holger.glaess(at)asknet.de>
2006-08-18 12:49:11 [ FULL ]
Falk Brockerhoff wrote:[...][...][...]
holger
[...]

hi
I don't talk about session synchronisation just from the synchronisation 
of the configs between the boxes
or do you configure your settings on both machines by hand?

holger

Re: [Pound Mailing List] Enhanvements
Simon Slaytor <sslaytor(at)iom.com>
2006-08-18 12:57:22 [ FULL ]
I can confirm that on OpenBSD 3.9 only the port is logged.

Aug 18 11:51:12 CLI-LB1 pound: 10.190.66.66 GET / HTTP/1.1 - HTTP/1.1 200 OK (http:80)
Aug 18 11:51:19 CLI-LB1 pound: 10.190.66.66 GET / HTTP/1.1 - HTTP/1.1 304 Not Modified (http:80)
Aug 18 11:51:19 CLI-LB1 last message repeated 2 times
Aug 18 11:51:22 CLI-LB1 pound: 10.190.70.70 GET / HTTP/1.1 - HTTP/1.1 304 Not Modified (http:80)
Aug 18 11:51:22 CLI-LB1 last message repeated 3 times

This might have a bearing on my none load balancing problem.


Robert Segall wrote:[...][...]
>>> - add an emergency back-end directive (hot back-up): a back-end that is
>>> used only when all other back-ends are dead and stops being used when
>>> any of the others is reactivated.
>>>       [...][...][...][...][...][...]

Re: [Pound Mailing List] Enhanvements
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-18 13:03:19 [ FULL ]
Holger Gläß wrote:
[...]

Ok, I should have said that this was meant as an additional suggestion.. No,
I run a script on the master which scopy the config to the slave and
restarts pound on both machines.
[...]

Regards,

Falk

Re: [Pound Mailing List] Enhanvements
Robert Klikics <robert.klikics(at)unitedprint.com>
2006-08-18 13:12:35 [ FULL ]
On 18.08.2006 12:29 Malte Ahrens wrote:
> I'm not sure whether it was mentioned before. For me it would be great
> to have the possibility to track a 'health page' of the back ends. For
> example pound should retrieve every X seconds a special page which only
> content is 'OK' or 'FAIL'. This would give me the possibility to do some
> health checks like DB lookups, server status and so on and drop a backend
> even when apache (the server) is still responding.
>
> I know there is the HAport directive but to my mind it's a very
> complicate way...

Great Idea!
Would also be nice to have a statusinfo like Apache's "server-status"
or something where the admin can see the current/average requests and
other things ....

> Malte

Robert

Re: [Pound Mailing List] Pound Performance
Harmen <harm(at)tty.nl>
2006-08-18 13:56:39 [ FULL ]
On Fri, Aug 18, 2006 at 07:51:22AM -0400, Jeffrey Brown wrote:[...]

Can you show the pound config file?
[...]
[...]

Re: [Pound Mailing List] Enhanvements
Ondra Kudlik <kepi(at)orthank.net>
2006-08-18 14:05:36 [ FULL ]
Hi,

I have implemented this solution in my config.

in /etc/pound/conf.d there are many parts of config and then I have
rebuild action in init scripts:

rebuild)
        echo -n "Generating sites config: "
        gen_pound_sites # generate config for pound 
        /bin/cat /etc/pound/conf.d/* > /etc/pound/pound.cfg
        /usr/local/bin/pound_check_config $DAEMON $CONFIG
        ;;

important is only part /bin/cat /etc/pound/conf.d/* >
/etc/pound/pound.cfg

So if you add this to start action, there is no need to Include
directive.


And Robert, I'm wondering if it is problem for pound to have huge
amount of Service sections? My conf script has 2348 lines now and it
is growing..

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html



On Fri, Aug 18, 2006 at 11:27:20 +0200, Robert Segall wrote:[...]

Re: [Pound Mailing List] Pound Performance
Jeffrey Brown <jbrown(at)camsys.com>
2006-08-18 16:03:10 [ FULL ]
Harmen <harm(at)tty.nl> wrote on 08/18/2006 07:56:39 AM:
[...]
time. [...]

Certainly.

# cat /usr/local/etc/pound.cfg

User "pound"
Group "pound"
Daemon 1
LogLevel 0
Alive 30

ListenHTTP
        Address 192.168.5.101
        port 80
        Client 10
        Change30x 1

        Service
                URL ".*"
                HeadRequire "Host:.*http-test.domain.com.*"
                backEnd
                        Address 192.168.5.21
                        Port 80
                End
                Session
                        Type IP
                        TTL 300
                End
        End
End

ListenHTTPS
        Address 192.168.5.101
        Port 443
        xHTTP 0
        WebDAV 0
        Client 10
        Change30x 1
        Cert "/usr/local/etc/newcert.pem"

        Service
                URL ".*"
                HeadRequire "Host:.*serverA.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverB.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverC.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverD.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverE.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverF.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

#       Service
#               URL ".*"
#               HeadRequire "Host:.*www-test.domain.com.*"
#               BackEnd
#                       Address 192.168.5.21
#                       Port 80
#               End
#               Session
#                       Type IP
#                       TTL 300
#               End
#

RE: [Pound Mailing List] Enhanvements
<F.Alcala-Soler(at)iaea.org>
2006-08-18 18:49:03 [ FULL ]
Hi Robert,
[...]

I am not seeing the backend's address? Here is an example log line produced
with LogLevel 2 on SuSE 10:

Aug 18 13:18:42 LOADB1 pound: 192.168.218.127 GET /stylesheets/mainSearch.css HTTP/1.1 - HTTP/1.1 304 Not Modified (:80)

It shows only the port in parenthesis.
[...]

I think I haven't explained it properly. The "NAT router" and "port forwarding"
refer to the way VMware GSX server handles these virtual devices. The router
isn't a physical device, but a Windows service that passes inbound
communications through forwarding tunnels from ports on the NIC of a physical
host to the virtual, private network used to communicate with the virtual
machines on this same host.

I've done the packet captures with Ethereal and the VMware NAT router closes
the connection with Pound before it's started the corresponding connection with
the backend server. It goes like this:

Pound               NAT Router                 Backend

      >- SYN     ->
      <- SYN,ACK -<
      >- ACK     ->
      >- FIN,ACK ->
                                >- SYN     ->
      <- ACK     -<
                                <- SYN,ACK -<
                                >- ACK,RST ->  (not sure about this one,
                                                writing from top of my head,
                                                but the router closes it,
                                                since the other side is closed)

The communication between the NAT router and the backend happens in memory,
since the VMware networks are virtual (super quick, also). The sequence is not
always the same: sometimes the whole communication between Pound and the NAT
router is finished before the router has time to start to talk to the backend.

Regarding the port scan, I haven't tried it, but I am sure that it would find
open only the ports for which there is a forwarding tunnel defined. This type
of VMware virtual NAT router actually routes only for the defined forwarding
tunnels (or for the outgoing communications, of course).

Also, note that the router is not bridging transparently at layer 2, so it is
responsible for the TCP connections that are opened against it.
[...]

You're right, but in our configuration Pound is on a different physical host than
the servers and I do not have access to that network. It is one of our
organization's DMZ areas and I get one IP address per physical host. With the
virtual machines behind the NAT router I have as many private networks/IP
addresses as I like (all of them virtual).

However, I think I get an idea of what you mean. Perhaps you mean that I am
free to add a second, private IP address to the NICs and expose the virtual
machines' private address on the network through bridging, instead of NATing.
Thus, every NIC would be able to communicate both on the "official" and on the
"private" network through the same wire. I am not sure about how to do this on
Windows 2003, but I am off to the drawing board... It would allow us to go back
to the single Pound installation.
[...]

The NAT is there:

Host 1                   Host 2
Pound     ->     NAT router -> Pound -> Backend
                                     -> Backend
                                     -> Backend
                            Host 3
          ->     NAT router -> Pound -> Backend
                                     -> Backend
                                     -> Backend

All servers in hosts 2 and 3 are virtual machines, so they have full (private)
network access among themselves. Hosts 1, 2 and 3 each have a single IP
address; this is why we need NATing to the Pound and Backends on hosts 2 and 3.

I would love to have a single Pound instance. Actually this is what I tested
first, until I discovered that Pound on host 1 could not check the availability
of the HAPorts and Ports of the backends.

Thanks a lot for your help,

 Curro 


Re: [Pound Mailing List] Enhanvements
Sean Gabriel Heacock <gabriel(at)korsoft.com>
2006-08-18 23:05:18 [ FULL ]
On Fri, 2006-08-18 at 11:27 +0200, Robert Segall wrote:[...]

I'd like to see this feature myself, not that my Pound config is very
big, but at some point I'd like to automate the process of setting up
SSL for a customer.  I'd rather create a new file that's included by
pound.conf (preferably in the conf.d style) than have a script touch the
main config file and probably screw it up.  And if the customer leaves,
I'd just have to delete their included file.

At some point I'll patch Pound to do this myself if it's not going to be
officially supported (I have no qualms about doing this - you should see
my Apache!) but this strikes me as a fairly simple feature that a lot of
people would find useful.
[...]

Re: [Pound Mailing List] Enhanvements
Eric McCarthy <eric(at)desert.net>
2006-08-19 01:02:55 [ FULL ]
On Aug 18, 2006, at 2:27 AM, Robert Segall wrote:[...][...]
>>> Please post additional suggestions here and we'll try to add them
>>> to the list.[...][...]

Sean's answer is the same for us. We have a lot of our setups  
automated, except for the pound parts.
[...]

Acknowledged. I'm thinking of an include along the lines of an Apache  
Include directive or an #include used by the pre-parser in C.

-Eric

Re: [Pound Mailing List] Enhanvements
Adam Borowski <kilobyte(at)angband.pl>
2006-08-19 02:30:46 [ FULL ]
On Fri, Aug 18, 2006 at 03:05:18PM -0600, Sean Gabriel Heacock wrote:[...]

Since you ALREADY have to restart Pound, most likely using a short script
(even if it's just a one-liner), why won't you create pound.cfg from the
conf.d files?  This way you have exactly the same functionality, can tailor
it as you want while Pound itself is kept simple.
[...]
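
The approach suggested above, as an added example that is not from the thread or the Pound project: a startup-script function that builds the config from conf.d fragments, refuses to replace the live file if any fragment has unbalanced Service/BackEnd blocks, and renames the result into place. The directory layout, file names and function names are assumptions of this example.

```shell
#!/bin/sh
# Assumed layout (this example's own convention, not Pound's):
#   CONF_DIR/00-global.cfg   global directives plus the opening "ListenHTTP" lines
#   CONF_DIR/conf.d/*.cfg    one file per customer, complete Service blocks only
# The listener's closing "End" is appended by build_pound_cfg.

# Succeeds only if every Service/BackEnd block opened in the file is closed in
# it, so one customer's fragment cannot swallow or truncate another's.
fragment_is_balanced() {
    awk '
        { key = tolower($1) }                        # first word, any case
        key == "service" || key == "backend" { depth++ }
        key == "end" { depth--; if (depth < 0) exit 1 }
        END { exit (depth != 0) }
    ' "$1"
}

# build_pound_cfg CONF_DIR OUT_FILE
# Writes to a temporary file next to OUT_FILE and renames it into place, so the
# live config is always either the old complete file or the new complete file.
build_pound_cfg() {
    conf_dir=$1
    out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1          # created with mode 0600
    if ! cat "$conf_dir/00-global.cfg" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    for f in "$conf_dir"/conf.d/*.cfg; do
        [ -f "$f" ] || continue                      # no fragments present
        if ! fragment_is_balanced "$f"; then
            echo "unbalanced block in $f, keeping existing $out" >&2
            rm -f "$tmp"; return 1
        fi
        { printf '    # from %s\n' "${f##*/}"; cat "$f"; } >> "$tmp"
    done
    echo "End" >> "$tmp"
    mv -f "$tmp" "$out"
}
```

Call it from the script that already restarts Pound, and restart only when it returns success.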

Re: [Pound Mailing List] Enhanvements
Alessio Cervellin <a.cervellin(at)acm.org>
2006-08-19 10:30:52 [ FULL ]
> In any case Pound reads the config file (with or without includes)[...]

A nice-to-have would be a feature that allows changing the
configuration file without restarting pound. As an example, there could be
a SIGnal which, once sent to the pound process, instructs it to read the
configuration file again. Would it be possible?

Re: [Pound Mailing List] Enhanvements
Ted Dunning <tdunning(at)veoh.com>
2006-08-21 08:44:40 [ FULL ]
So put an invocation of m4 into your startup script.  You can build the real
config from an arbitrarily macro-ized, include-filed config master file that
way.

No need to integrate m4 into pound when another tool already exists.

On 8/18/06 4:02 PM, "Eric McCarthy" <eric(at)desert.net> wrote:

>>> An "Include" directive for the configuration file would be a nice
>>> feature to have.[...][...][...][...]

Re: [Pound Mailing List] Enhanvements
"M. Krainer" <mkrainer05(at)gmail.com>
2006-08-21 12:36:39 [ FULL ]
On 8/17/06, Robert Segall <roseg(at)apsis.ch> wrote:[...]


An additional loglevel that logs the duration of the request to the backend
would be nice.

- Markus

Re: [Pound Mailing List] Enhanvements
Robert Segall <roseg(at)apsis.ch>
2006-08-21 17:39:44 [ FULL ]
On Fri, 2006-08-18 at 14:05 +0200, Ondra Kudlik wrote:[...]

I honestly can't imagine why you would need over 2000 lines. The
performance penalty is not that big (an extra pattern match or two per
service) but the maintenance must be a nightmare.

Would you care to post an example of what you are doing? I suspect we
could reduce this quite a bit.[...]

Re: [Pound Mailing List] Enhanvements
Ondra Kudlik <kepi(at)orthank.net>
2006-08-21 20:49:20 [ FULL ]
On Mon, Aug 21, 2006 at 05:39:44 +0200, Robert Segall wrote:[...]

I have a service for every virtual host... I'm not sure if this is
needed now, but in the past I couldn't redirect between two web sites or
something similar...
[...]

Not at all... almost the whole config is generated from a database
[...]

Of course.

---------- start pound.conf ---------------
User "pound"
Group "pound"

LogLevel        0

Alive           20


ListenHTTP
    Address 81.0.246.70
    Port    80
    HTMLErr414  "/var/www/default/500.html"
    HTMLErr500  "/var/www/default/500.html"
    HTMLErr501  "/var/www/default/501.html"
    HTMLErr503  "/var/www/default/503.html"

    RewriteLocation 0

    Service
        HeadRequire "Host: .*firstdomain\.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8080
            TimeOut 1200
        End
    End
    Service
        HeadRequire "Host: .*seconddomain\.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8081
            TimeOut 1200
        End
    End
    Service
        HeadRequire "Host: .*thirddomain\.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8080
            TimeOut 1200
        End
    End
    Service
     ....
     .... etc etc ...
End
---------- end pound.conf ---------------

You may wonder why I have only one backend :) but I'm not using
pound as a load balancer for now (but I plan to) but as a proxy for
distributing domains between http servers (we have some php4 and
php5 and some on other machines).

I'm not sure if I can optimize this; the only option from my point of
view is to group the sites by http server (no problem) so it can
look like:

Service
	HeadRequire "Host: .*(firstdomain\.com|thirddomain\.com).*"
	BackEnd...
End

But I'm really not sure if it helps because the regexp is more
complicated.

Thanks for your time

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html
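
A way to test host-routing patterns like the HeadRequire lines above before they go into a generated config, as an added example that is not part of the original post: it compares three groupings of a two-domain alternation against constructed request headers. The ANCHORED pattern, the sample headers and the use of grep -Ei as a stand-in for Pound's matcher are assumptions of this example.

```shell
#!/bin/sh
# head_require_matches PATTERN REQUEST_HEADERS
# Succeeds if at least one header line matches PATTERN. grep -Ei stands in for
# the proxy's matcher: unanchored, case-insensitive POSIX extended regex applied
# to each header line (an assumption of this example).
head_require_matches() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Three ways to write "firstdomain.com or thirddomain.com".
# MISGROUPED: "|" splits the whole pattern, so the right branch has no "Host: ".
MISGROUPED='Host: .*(firstdomain\.com)|(thirddomain\.com).*'
# GROUPED: alternation confined to the domain part, still unanchored.
GROUPED='Host: .*(firstdomain\.com|thirddomain\.com).*'
# ANCHORED: header name at line start, domain (plus optional port) at line end.
ANCHORED='^Host: ([^.]+\.)*(firstdomain\.com|thirddomain\.com)(:[0-9]+)?$'

# Constructed request headers (example.net is a reserved documentation name).
REQ_THIRD='Host: www.thirddomain.com
User-Agent: constructed-sample'
REQ_REFERER='Host: www.seconddomain.com
Referer: http://www.thirddomain.com/page.html'
REQ_SUFFIX='Host: www.firstdomain.com.example.net'

# Print which pattern accepts which request, identified by its first header.
report() {
    for p in "$MISGROUPED" "$GROUPED" "$ANCHORED"; do
        for r in "$REQ_THIRD" "$REQ_REFERER" "$REQ_SUFFIX"; do
            if head_require_matches "$p" "$r"; then v=match; else v=no-match; fi
            first=$(printf '%s\n' "$r" | head -n 1)
            printf '%-8s  %-40s  %s\n' "$v" "$first" "$p"
        done
    done
}
report
```

Run stand-alone, the script prints one line per pattern and request; the mis-grouped form accepts the request whose only mention of thirddomain.com is in its Referer header.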

Re: [Pound Mailing List] SSL/Zope Question
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com>
2006-08-23 17:45:58 [ FULL ]
Beno wrote:
[...]

Take a look at the solution mentioned in
http://www.apsis.ch/pound/pound_list/archive/2006/2006-03/1141502757000/index_html#1141562813000

Basically you will have to patch .../ZPublisher/HTTPRequest.py to
recognize an HTTP_HTTPS header (and switch to protocol https
whenever this header is seen).

Cheers,
[...]

Re: [Pound Mailing List] SSL/Zope Question
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com>
2006-08-24 10:03:13 [ FULL ]
John Snowdon wrote:
[...]

It didn't work for me (older zope version, upgrade is not an option),
so I chose another solution and it works like a charm.

Cheers,
[...]

Re: [Pound Mailing List] SSL/Zope Question
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com>
2006-08-24 11:25:08 [ FULL ]
John Snowdon wrote:
[...]

I agree.  I have Zope 2.7+ running on some of my servers, but at least
one is still running an older version.

Cheers,
[...]

Re: [Pound Mailing List] SSL/Zope Question
Robert Segall <roseg(at)apsis.ch>
2006-08-24 18:29:08 [ FULL ]
On Thu, 2006-08-24 at 11:25 +0200, Klaus Alexander Seistrup wrote:[...]

Modified versions of z2.py are available in the distribution for older
(2.5, 2.6) Zope versions.[...]
