/ Zope / Apsis / Pound Mailing List / Archive / 2006 / 2006-08 / Re: [Pound Mailing List] Pound and SSL Setup


Re: [Pound Mailing List] Pound and SSL Setup
"Mathew Brown" <mathewbrown(at)fastmail.fm>
2006-08-01 03:51:57
Adam,
  Thanks a lot for your reply.  I noticed that the homepage for Pound is
  very sparse.  Are there any links to tutorials?  I couldn't find any
  on the main page.  Finally, can Pound be used as an SSL bridge / SSL
  initiation, where the SSL link is terminated at it and it then
  re-initiates the SSL session (kind of like ISA 2004)?  Thanks for
  your help.

On Mon, 31 Jul 2006 01:14:05 +0200, "Adam Borowski"
<kilobyte(at)angband.pl> said:
> On Sun, Jul 30, 2006 at 01:43:30PM -0700, Mathew Brown wrote:
> > Hi,
> >   I currently have the following setup and I was wondering if Pound can
> >   help me in my setup.  I have 2xNLB servers (linux-based with one in
> >   stand-by mode) with 2+ application servers behind the NLB (I plan on
> >   running JBoss on them).  Users will be connecting via https to the
> >   application server, so I am investigating my options.  I was
> >   considering buying a SSL accelerator card but didn't find many that
> >   support Linux.  I then ran across pound and was wondering if it can
> >   take the place of the SSL accelerator (I might add an extra CPU to
> >   handle the load).  Is this setup doable using pound?
> 
> Yeah, it is one of the primary purposes behind pound!
> 
> >   If so, how many SSL certificates would I need
> 
> Just one.  An SSL certificate is used per domain name, not per
> machine.  All involved servers will have copies of the same cert.
> 
> > and on which machines would they be?  On the NLB?  On the
> > Application Server?
> 
> It depends where you would want to have SSL decrypted.  If you want
> to entrust pound with doing the load balancing, you will put both
> pound and the SSL certs on your NLBs.  If you prefer netfilter-based
> load balancing and want pound to do nothing but decrypt SSL, on the
> application servers.
> 
> I would strongly recommend the former.  Pound will notice when one of
> your application servers goes down; doing this with netfilter would
> require redundant work.
> 
> 
> Regards,
> -- 
> 1KB             // Q: How do you spot a good inetd?
> 		// A: It build-depends on equivs.
> 
> -- 
> To unsubscribe send an email with subject 'unsubscribe' to
> pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
>
http://www.apsis.ch/pound/pound_list/archive/2006/2006-07/1154292210000/1154301245000
-- 
  Mathew Brown
  mathewbrown(at)fastmail.fm



Re: [Pound Mailing List] advice for use of pound
Johannes Findeisen <mailman(at)hanez.org>
2006-08-01 04:00:20
Hi,

On Mon, 2006-07-31 at 21:49 +0200, dirk dekker wrote:
> Hello,
>  
> I am very pleased to discover your product: pound. And as I understand
> it, it only works on Unix/Linux-like OS software.
> Maybe I may ask you for advice.
>  
> I have 2 web production platforms running on Windows 2000 Server and IIS
> and need the option to redirect requests, distributing them among the
> two servers according to the requested URL. At this moment we only have one
> WAN IP address and all websites running on one webserver.
> To migrate to a second webserver or to separate the websites, a
> second webserver is necessary. 
> I wonder how to manage that with your wonderful product: pound.
>  
> As an example: 
> Directly behind the SDSL router a Linux platform is needed running POUND.
> Pound is programmed to work as follows:
> URL: www.abc.com is redirected to Webserver-1 and URL: www.xyz.com is
> redirected to webserver-2 
>  
> Is that right?

Yeah, you really could do that with Pound. But Pound focuses on
being a load balancer, like: URL: www.abc.com is redirected to
192.168.0.1 (Webserver-1) or 192.168.0.2 (Webserver-2) depending on the
"load" of these machines. But what you want to do is possible too -
without any problems.

> Will there be small "stand-alone" platforms running Linux, like a lot of
> firewalls such as NetAsq work?

Do you mean whether there is hardware available that looks like small
*DSL routers and has Pound installed?

I think not, but I don't know... But you could build one
yourself... ;)

I've never seen a solution built with this board, but you could buy a
mini PC from http://www.soekris.com/ and install Linux or BSD and Pound.
Hehe, I don't know if the CPUs are fast enough, but I am really
interested in some benchmarks... :)

Is there anybody out there who has tried that? 

> Thanks for your patience reading and answering this email; I will appreciate
> that very much.

No Problem... Let me know what solution you will select at the end.

> For now, with regards,

Regards,

-- 
Johannes Findeisen
 http://hanez.org


Re: [Pound Mailing List] Timeout problems
Fat Bear Server Administration <server(at)fatbear.com>
2006-08-01 17:41:39
I, too, am getting customer complaints of error 500s.  With a customer on the
phone and looking at the logs in real time, I saw the error 500 happening at
just the same time that pound emitted an error.  And, pound is emitting errors
every few minutes.  I've copied a recent sample below.  This makes pound seem
buggy. From past posts, I seem to recall that some of these are just warnings
that need no modification of the pound config at all.  If so, I'd like to turn
these warning messages off.  But, for the rest, what should I do?  I've also
copied my simple config file below.

Thanks,
Steve Amerige
Fat Bear Incorporated

System: Red Hat Linux 9.0 (also on Fedora Core 1 and Fedora Core 4 with the
same problems)
Pound version: 2.0.4

pound.cfg

LogLevel            0
User                "safeuser"
Group               "safegroup"

ListenHTTP
    Address         64.242.84.187
    Port            80
End

ListenHTTPS
    Address         64.242.84.187
    Port            443
    Cert            "/usr/local/apache2/conf/ssl/fatbear.com/fatbear.com.pem"
End

Service
    BackEnd
        Address     64.242.84.187
        Port        8088
    End
End


/var/log/messages

Aug  1 07:53:11 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:53:55 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 07:53:55 fat1 pound: error flush headers to 86.209.26.127: Connection reset by peer
Aug  1 07:54:06 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:54:22 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 07:56:17 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:58:38 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:00:24 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:03:29 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:04:03 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:05:15 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:05:46 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:05:48 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:05:51 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:05:51 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:05:51 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:06:45 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:07:01 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:07:49 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:08:05 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:08:06 fat1 pound: error flush headers to 68.79.159.2: Connection reset by peer
Aug  1 08:08:08 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:08:49 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:09:00 fat1 pound: error flush headers to 71.139.184.220: Connection reset by peer
Aug  1 08:09:17 fat1 pound: response error read from 64.242.84.187:8088: Connection timed out
Aug  1 08:09:52 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:09:54 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:10:34 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:10:38 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:12:57 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:13:29 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:13:32 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:15:22 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:15:25 fat1 pound: error flush headers to 128.218.39.136: Connection reset by peer
Aug  1 08:15:25 fat1 pound: error flush headers to 128.218.39.136: Connection reset by peer
Aug  1 08:15:30 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:17:36 fat1 pound: error flush headers to 81.231.98.56: Connection reset by peer
Aug  1 08:18:18 fat1 pound: can't read header
Aug  1 08:18:32 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:18:38 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:18:59 fat1 pound: error flush headers to 212.219.238.55: Connection reset by peer
Aug  1 08:19:03 fat1 pound: error read from 220.179.77.169: Connection timed out
Aug  1 08:19:12 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:19:13 fat1 pound: error flush headers to 81.231.98.56: Connection reset by peer
Aug  1 08:19:49 fat1 pound: error read from 68.254.149.123: Connection reset by peer
Aug  1 08:19:49 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:19:49 fat1 pound: error flush headers to 68.254.149.123: Connection reset by peer
Aug  1 08:21:07 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:23:18 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:24:57 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:25:05 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:25:06 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:25:09 fat1 pound: error flush headers to 24.143.15.102: Connection reset by peer
Aug  1 08:26:55 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:28:58 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:29:06 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:29:27 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:29:35 fat1 pound: error copy server cont: Connection timed out
Aug  1 08:29:47 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 08:32:29 fat1 pound: error copy server cont: Connection timed out
----- Original Message ----- 
From: Ondra Kudlik 
To: Pound 
Sent: Tuesday, August 01, 2006 2:57 PM
Subject: [Pound Mailing List] Timeout problems


Hi,

two days ago we switched to Pound 2.0.9 from 1.8 and now we have
problems with timeouts.

We have Apache behind Pound, and when some client has a script which
takes a long time, it returns error 500 and in the logs there is 

response error read from 127.0.0.1:10000: Connection timed out

I found TimeOut in the documentation so I added it to BackEnd, and yes, it
is better.. but how can I set an ideal value for TimeOut? What if a
script takes 3 minutes, or 5 minutes, or 30 seconds? I'm not
really sure, but I think that with Pound 1.8 there wasn't this
problem.

Can you give me some advice?

Thanks

-- 
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html 


http://www.apsis.ch/pound/pound_list/archive/2006/2006-08/1154428070000

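The sample above mixes two different socket conditions: "Connection timed out" (the class a BackEnd TimeOut governs) and "Connection reset by peer" (the other side closed the socket). The following script is an added triage example, not code from the thread or from the Pound project: it parses lines in the syslog format shown above, counts them by class, tallies resets per peer so a single misbehaving client stands out, and isolates the time-outs that name a configured back-end. The log lines it contains are constructed (client addresses come from RFC 5737 documentation ranges; the back-end address is the one in the posted pound.cfg), and the `backends` set you pass in is an assumption about your own configuration.

```python
import re
from collections import Counter

# Constructed sample in the syslog format Pound 2.0.x emits in the thread.
# Client addresses use RFC 5737 documentation ranges; the back-end address is
# the one from the posted pound.cfg (64.242.84.187:8088).
SAMPLE_LOG = """\
Aug  1 07:53:11 fat1 pound: error copy server cont: Connection timed out
Aug  1 07:53:55 fat1 pound: error copy server cont: Connection reset by peer
Aug  1 07:53:55 fat1 pound: error flush headers to 192.0.2.10: Connection reset by peer
Aug  1 08:09:17 fat1 pound: response error read from 64.242.84.187:8088: Connection timed out
Aug  1 08:15:22 fat1 pound: error copy chunk cont: Connection reset by peer
Aug  1 08:18:18 fat1 pound: can't read header
Aug  1 08:19:03 fat1 pound: error read from 198.51.100.7: Connection timed out
Aug  1 08:19:49 fat1 pound: error read from 198.51.100.7: Connection reset by peer
Aug  1 08:20:00 fat1 sshd[123]: unrelated daemon line, ignored
"""

# Syslog prefix, host name, then the pound message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pound: (?P<msg>.*)$"
)
# Address (optionally address:port) of the peer, when the message names one.
ADDR_RE = re.compile(r"\b(?:from|to) (?P<addr>\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?)")


def parse_line(line):
    """Parse one syslog line. Returns None for lines not logged by pound."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = m.group("msg")
    if msg.endswith("Connection timed out"):
        klass = "timeout"      # the class a larger TimeOut can change
    elif msg.endswith("Connection reset by peer"):
        klass = "reset"        # the other side closed the socket
    else:
        klass = "other"        # e.g. "can't read header"
    am = ADDR_RE.search(msg)
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "msg": msg,
        "class": klass,
        "peer": am.group("addr") if am else None,
    }


def summarize(log_text, backends):
    """Count pound errors by class, tally resets per peer, and list the
    time-outs that name one of the configured back-ends (address:port)."""
    counts = Counter()
    resets_by_peer = Counter()
    backend_timeouts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["class"]] += 1
        if rec["class"] == "reset" and rec["peer"]:
            resets_by_peer[rec["peer"]] += 1
        if rec["class"] == "timeout" and rec["peer"] in backends:
            backend_timeouts.append(rec)
    return {
        "counts": dict(counts),
        "resets_by_peer": dict(resets_by_peer),
        "backend_timeouts": backend_timeouts,
    }


if __name__ == "__main__":
    # The back-end set is an assumption: take it from your own pound.cfg.
    report = summarize(SAMPLE_LOG, backends={"64.242.84.187:8088"})
    print("by class:", report["counts"])
    print("resets per peer:", report["resets_by_peer"])
    for rec in report["backend_timeouts"]:
        print("back-end time-out:", rec["ts"], rec["msg"])
```

Run it against a real /var/log/messages by reading the file into `summarize()`; only the back-end time-outs it lists are candidates for a TimeOut change, while a peer that accumulates many resets is worth looking at on its own.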

Re: [Pound Mailing List] Timeout problems
Jacques Caron <jc(at)oxado.com>
2006-08-01 19:04:15
Hi,

At 12:27 01/08/2006, Ondra Kudlik wrote:
>We have Apache behind Pound, and when some client has a script which
>takes a long time, it returns error 500 and in the logs there is
>
>response error read from 127.0.0.1:10000: Connection timed out
>
>I found TimeOut in the documentation so I added it to BackEnd, and yes, it
>is better.. but how can I set an ideal value for TimeOut?

Depends on your app and your requirements.

>  What if a
>script takes 3 minutes, or 5 minutes, or 30 seconds? I'm not
>really sure, but I think that with Pound 1.8 there wasn't this
>problem.
>
>Can you give me some advice?

We use several "Service" entries in our pound configuration that map 
to different actions (matching the Host and/or URL): URLs that are 
associated with reports that can be quite long to generate have a 
longer TimeOut value (e.g. 300 seconds) while others that need to 
complete very quickly or die right away (JS scripts linked into 
affiliate pages) have a very short TimeOut (2 seconds), while others 
have an "average" TimeOut at 120 seconds, etc.

That seems to work pretty well now.

Jacques.



Re: [Pound Mailing List] Timeout problems
Jacques Caron <jc(at)oxado.com>
2006-08-01 19:06:15
Hi,

At 17:41 01/08/2006, Fat Bear Server Administration wrote:
>I, too, am getting customer complaints of error 500s.  With a 
>customer on the phone and looking at the logs in real time, I saw 
>the error 500 happening at just the same time that pound emitted an 
>error.  And, pound is emitting errors every few minutes.  I've 
>copied a recent sample below.  This makes pound seem buggy.

Well, no, it does exactly what it is told: if a server does not 
respond within the expected time, complain and don't stay there 
forever. You can adjust the TimeOut value based on your requirements.

Jacques.



Re: [Pound Mailing List] Timeout problems
Ondra Kudlik <kepi(at)orthank.net>
2006-08-01 19:16:39
On Tue, Aug 01, 2006 at 07:04:15 +0200, Jacques Caron wrote:
> Hi,
> 
> At 12:27 01/08/2006, Ondra Kudlik wrote:
> >We have Apache behind Pound, and when some client has a script which
> >takes a long time, it returns error 500 and in the logs there is
> >
> >response error read from 127.0.0.1:10000: Connection timed out
> >
> >I found TimeOut in the documentation so I added it to BackEnd, and yes, it
> >is better.. but how can I set an ideal value for TimeOut?
> 
> Depends on your app and your requirements.
> 
> > What if a
> >script takes 3 minutes, or 5 minutes, or 30 seconds? I'm not
> >really sure, but I think that with Pound 1.8 there wasn't this
> >problem.
> >
> >Can you give me some advice?
> 
> We use several "Service" entries in our pound configuration that map to 
> different actions (matching the Host and/or URL): URLs that are associated 
> with reports that can be quite long to generate have a longer TimeOut 
> value (e.g. 300 seconds) while others that need to complete very quickly 
> or die right away (JS scripts linked into affiliate pages) have a very 
> short TimeOut (2 seconds), while others have an "average" TimeOut at 120 
> seconds, etc.
> 
> That seems to work pretty well now.

Yes, I understand this well. But we are a webhosting company and have
hundreds of clients, and we are not able to know a good timeout for
each of them :(


Re: Welcome to [Pound Mailing List]
"Tony Perrie" <tony(at)involution.com>
2006-08-02 00:07:09
I'm having a bit of trouble deploying Pound 2.0.9.  It appears that
the output of my Rails application is slightly garbled after sending
it through the Pound proxy from Mongrel.  Some newline characters look
like they have been eaten.  The application is fine if I load it from
Mongrel directly.  Is this a known problem?

Tony
http://involution.com

Re: [Pound Mailing List] Problem w/ Openssl
Falk Brockerhoff <fb(at)smartterra.de>
2006-08-04 21:03:08
beno wrote:

> Hi;

Hi Beno (a real name would be fine),

> and everything checked out just fine. However, Pound threw an error
> concerning openssl not supporting threads. So I checked the version of
> openssl and it's an old one that's running. So, how do I shut the old
> one down and start the new one?

Did you install openssl from the ports (openssl-0.9.8b_1 or newer)?
While configuring you have to give the path to the openssl libs
installed in userland:

./configure --with-ssl=/usr/local/

Runs fine for me with FreeBSD 6.1.

> TIA,
> beno

Regards,

Falk Brockerhoff



Re: [Pound Mailing List] Timeout problems
Fat Bear Server Administration <server(at)fatbear.com>
2006-08-04 23:13:38
>> We use several "Service" entries in our pound configuration that map to 
>> different actions (matching the Host and/or URL): URLs that are associated 
>> with reports that can be quite long to generate have a longer TimeOut 
>> value (e.g. 300 seconds) while others that need to complete very quickly 
>> or die right away (JS scripts linked into affiliate pages) have a very 
>> short TimeOut (2 seconds), while others have an "average" TimeOut at 120 
>> seconds, etc.
>> 
>> That seems to work pretty well now.
>
>Yes, I understand this well. But we are a webhosting company and have
>hundreds of clients, and we are not able to know a good timeout for
>each of them :(

1. We're in the same situation.... what did you decide to do?  Would you share
your configuration file?  I'm not familiar with the "Service" entries you're
referring to... does anyone have an example of this that could work on a server
hosting many customer domains (for which I have no knowledge of what they use
their domains for)?  For that matter, I'd love to see a template configuration
file that would be good for a general virtual hosting provider.  Please see
below what we're using right now.

2. I see errors of the form:

    Aug  1 08:19:12 fat1 pound: error copy server cont: Connection reset by peer

every few minutes in the log file.  I've changed the TimeOut to 120 (to get rid
of the Connection timed out messages), and I was hoping that would take care of
this as well.  What does this error mean?  What action do I need to take to
resolve whatever the underlying problems are?  If it's not a problem message,
shouldn't LogLevel 0 suppress it?

Thanks,
Steve Amerige
Fat Bear Incorporated

pound.cfg

LogLevel            0
User                "safeuser"
Group               "safegroup"

ListenHTTP
    Address         64.242.84.187
    Port            80
End

ListenHTTPS
    Address         64.242.84.187
    Port            443
    Cert            "/usr/local/apache2/conf/ssl/fatbear.com/fatbear.com.pem"
End

Service
    BackEnd
        Address     64.242.84.187
        Port        8088
    End
End


Re: [Pound Mailing List] Timeout problems
Ondra Kudlik <kepi(at)orthank.net>
2006-08-05 00:57:39
On Fri, Aug 04, 2006 at 02:13:38 -0700, Fat Bear Server Administration wrote:
> >> We use several "Service" entries in our pound configuration that map to 
> >> different actions (matching the Host and/or URL): URLs that are associated

> >> with reports that can be quite long to generate have a longer TimeOut 
> >> value (e.g. 300 seconds) while others that need to complete very quickly 
> >> or die right away (JS scripts linked into affiliate pages) have a very 
> >> short TimeOut (2 seconds), while others have an "average" TimeOut at 120 
> >> seconds, etc.
> >> 
> >> That seems to work pretty well now.
> >
> >Yes, I understand this well. But we are a webhosting company and have
> >hundreds of clients, and we are not able to know a good timeout for
> >each of them :(
> 
> 1. We're in the same situation.... what did you decide to do?  Would you
share your configuration file?  I'm not familiar with the "Service" entries
you're referring to... does anyone have an example of this that could work on a
server hosting many customer domains (for which I have no knowledge of what
they use their domains for)?  For that matter, I'd love to see a template
configuration file that would be good for a general virtual hosting provider. 
Please see below what we're using right now.

I can't resolve this correctly, so I set the timeout to a very high number,
but I'm not sure about the impacts.

> 2. I see errors of the form:
> 
>     Aug  1 08:19:12 fat1 pound: error copy server cont: Connection reset by peer

Search the pound archive, but I think that this isn't related to
this issue. For the timeout problem you will see "Connection timed out" in
the logs. 

> every few minutes in the log file.  I've changed the TimeOut to 120 (to get
rid of the Connection timed out messages), and I was hoping that would take
care of this as well.  What does this error mean?  What action do I need to
take to resolve whatever the underlying problems are?  If it's not a problem
message, shouldn't LogLevel 0 suppress it?

No, because LogLevel 0 disables access logging, but error messages are
shown anyway.

Service
        HeadRequire "Host: .*somehost\.cz.*"
        BackEnd
                Address         127.0.0.1
                Port            10000
                TimeOut         1200
        End
End

But again, I just wonder why this issue is only in Pound 2.x; we
have no such problems with the 1.x branch.

Ondra Kudlik

> Thanks,
> Steve Amerige
> Fat Bear Incorporated
> 
> pound.cfg
> 
> LogLevel            0
> User                "safeuser"
> Group               "safegroup"
> 
> ListenHTTP
>     Address         64.242.84.187
>     Port            80
> End
> 
> ListenHTTPS
>     Address         64.242.84.187
>     Port            443
>     Cert            "/usr/local/apache2/conf/ssl/fatbear.com/fatbear.com.pem"
> End
> 
> Service
>     BackEnd
>         Address     64.242.84.187
>         Port        8088
>     End
> End
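Putting together the per-Service approach Jacques Caron described earlier in the thread (different TimeOut values for long reports, fast-failing JS widgets, and everything else) with the HeadRequire/TimeOut block Ondra posted above, here is an added example configuration. It is not from the thread or from the Pound project: the host names, paths and back-end addresses are made up, the `URL` Service directive and `#` comment lines are assumed from Pound 2.x syntax, and the TimeOut values are the ones Jacques quoted. Pound uses the first Service whose conditions match, so the catch-all block for a hosting box with unknown customer workloads goes last.

```conf
User        "safeuser"
Group       "safegroup"
LogLevel    0

ListenHTTP
    Address     0.0.0.0
    Port        80
End

# Report generation on this host can legitimately run for minutes:
# give the back-end 300 s before Pound gives up and returns an error.
Service
    HeadRequire "Host: .*reports\.example\.com.*"
    URL         "^/reports/.*"
    BackEnd
        Address     10.0.0.1
        Port        8088
        TimeOut     300
    End
End

# JS snippets embedded in third-party pages: fail fast so a slow
# back-end cannot hold up every page that links them.
Service
    URL         "^/widgets/.*\.js$"
    BackEnd
        Address     10.0.0.1
        Port        8088
        TimeOut     2
    End
End

# A customer domain whose scripts are known to be slow (Ondra's case).
Service
    HeadRequire "Host: .*slowcustomer\.example\.cz.*"
    BackEnd
        Address     127.0.0.1
        Port        10000
        TimeOut     1200
    End
End

# Catch-all for the remaining customer domains, whose workload is unknown:
# an "average" value; the trade-off is only how long a hung back-end
# takes to be noticed, as Robert Segall explains later in the thread.
Service
    BackEnd
        Address     10.0.0.1
        Port        8088
        TimeOut     120
    End
End
```

Keep the listener and User/Group lines from your own pound.cfg; only the Service blocks are the point here. Adding a ListenHTTPS block with your Cert, as in the posted configuration, does not change how the Service blocks match.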

Re: [Pound Mailing List] Timeout problems
Robert Segall <roseg(at)apsis.ch>
2006-08-05 11:52:26
On Tue, 2006-08-01 at 12:27 +0200, Ondra Kudlik wrote:
> Hi,
> 
> two days ago we switched to Pound 2.0.9 from 1.8 and now we have
> problems with timeouts.
> 
> We have Apache behind Pound, and when some client has a script which
> takes a long time, it returns error 500 and in the logs there is 
> 
> response error read from 127.0.0.1:10000: Connection timed out
> 
> I found TimeOut in the documentation so I added it to BackEnd, and yes, it
> is better.. but how can I set an ideal value for TimeOut? What if a
> script takes 3 minutes, or 5 minutes, or 30 seconds? I'm not
> really sure, but I think that with Pound 1.8 there wasn't this
> problem.
> 
> Can you give me some advice?

In 1.8 the default was "infinite", thus no time-outs at all. In later
versions we moved away from that, as it led to dead back-ends not being
recognised (dead as in an infinite loop rather than off).

In general you can set as long a time-out as you want - the effect is
only that unresponsive servers will take a while to be recognised as
dead. Servers that have crashed completely will still refuse the
connection, and thus the time-out is not relevant.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904


Re: [Pound Mailing List] Session Handling Problem - still exists
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-10 14:05:41
Hello again,

In the meanwhile I upgraded to pound 2.0.9 (still on FreeBSD 6.1) and
changed my configuration syntax:

User            "www"
Group           "www"
LogLevel        2
Alive           5

ListenHTTP
        Address 0.0.0.0
        Port 80
End

Service
        Session
                Type    PARM
                ID      "PHPSESSID"
                TTL     300
        End

        BackEnd
                Address 10.0.0.1
                Port 80
                Priority 1
        End
        BackEnd
                Address 10.0.0.2
                Port 80
                Priority 1
        End
End

> Everything works fine, but session handling seems to be buggy when some
> load occurs.
> 
> When I visit a website via the loadbalancers I start a session whose
> SessionID is written as a parameter within the URL. For example:
> http://www.bla.dom/index.php?PHPSESSID=808as0d809qwe78
> 
> I'm clicking around and session handling works fine; I'm always served
> from the same webserver. But when there is some load on the webservers,
> or I'm hitting Reload again and again rapidly, then I'll be served
> from the other webserver too. But there isn't any session with my ID,
> so I'm running into a session handling error.

The problem still exists - does anyone have an idea how to fix this
behavior?

Regards,

Falk Brockerhoff


Re: [Pound Mailing List] Session Handling Problem - still exists
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-10 14:38:35
Hmmm,

it seems that the problem is not caused by pound - the redirects to the
backends are working fine. If the user is redirected to web1 everything
works fine, but on web2 the session dies after some time.

Ok, so I have to find the bug on the web2 backend, not within pound.
Sorry for my hasty posting to the list.

But I don't know why web2 is doing such strange things. It is exactly
identical to web1, where everything works fine...

Regards,

Falk

Re: [Pound Mailing List] Enhancements
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-17 15:20:52
Robert Segall wrote:

> - add an emergency back-end directive (hot back-up): a back-end that is
> used only when all other back-ends are dead and stops being used when
> any of the others is reactivated.

This would be a very nice feature, I think!

Regards,

Falk

Re: [Pound Mailing List] Enhancements
Adam Borowski <kilobyte(at)angband.pl>
2006-08-17 15:45:36
On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:
> - make WebDAV a run-time configuration directive rather than a
> combination of compile and run-time (a bit like what we did with the
> logging a while ago). This would also eliminate the xHTTP directive.

You'll want to start with:
http://www.apsis.ch/pound/pound_list/archive/2006/2006-07/1151714111000

It does almost what you want -- I didn't eliminate xHTTP, but WebDAV
accepts four values:
  * 0 -- disabled
  * 1 -- as currently w/o --enable-msdav
  * 2 -- RFC-compliant methods
  * 3 -- as in --enable-msdav: all Microsoft extensions
Values higher than 1 force xHTTP to be on.


-- 
1KB		// Microsoft corollary to Hanlon's razor:
		//	Never attribute to stupidity what can be
		//	adequately explained by malice.

Re: [Pound Mailing List] Enhancements
Ondra Kudlik <kepi(at)orthank.net>
2006-08-17 15:46:05
On Thu, Aug 17, 2006 at 02:49:59 +0200, Robert Segall wrote:
> Now that 2.1 has been out for almost 2 weeks and we have seen no
> problems, it is time to start thinking about future enhancements. The
> following are on our list:
> 
> - make WebDAV a run-time configuration directive rather than a
> combination of compile and run-time (a bit like what we did with the
> logging a while ago). This would also eliminate the xHTTP directive.
> 
> - allow Pound to reply to errors with user-defined HTML pages rather
> than text messages.

As you know, this will be great for us. No further patching and
hacking :)

> - rewrite the Destination header to correctly support WebDAV COPY and
> MOVE directives (necessary for Subversion).
> 
> - add a compile-time switch to allow disabling of non-essential error
> messages (such as when a client closes the connection prematurely).
> 
> - add an emergency back-end directive (hot back-up): a back-end that is
> used only when all other back-ends are dead and stops being used when
> any of the others is reactivated.

This will be a really great feature!

> 
> Please post additional suggestions here and we'll try to add them to the
> list.

I have to say the same thing as before. We have big problems with pound
not supporting redirects from the same domain to the https version in
scripts...

http://www.domain.com/ -> https://www.domain.com is a must for us, and
it is a very hard time now without it, with many complaints from our
clients :(

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html 


Re: [Pound Mailing List] Enhancements
Eric McCarthy <eric(at)desert.net>
2006-08-17 19:41:01
On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:
> Please post additional suggestions here and we'll try to add them to the
> list.

An "Include" directive for the configuration file would be a nice
feature to have.

-Eric


RE: [Pound Mailing List] Enhancements
<F.Alcala-Soler(at)iaea.org>
2006-08-17 20:23:47
Hello,

These are my needs for features:

> - add an emergency back-end directive (hot back-up): a 
> back-end that is
> used only when all other back-ends are dead and stops being used when
> any of the others is reactivated.

1) +1 on the above.

2) When logging the backend server that has been used (LogLevel 2), I
see only the Port in parenthesis. If it is not possible to configure
Pound to display also the Address, I'd find such a feature useful. I
have all backend servers configured on the same port and the current
information in the log is not enough to determine which one's been used.

3) I have a NAT router between Pound and the backend servers. This is so
because my backend servers are cloned VMware virtual machines and I do
not have enough IP addresses to bridge them. There are several backend
machines on every physical host and I use port forwarding to access the
web servers in them (all on port 80, while the forwarders on the
physical host listen on ports 80, 81, 82... one for each clone). This
means that the checks that Pound performs on backend hosts (both Port
and HAPort) are actually responded to by the NAT router. I can shut down
a backend web server and Pound won't notice. My suggestion would be a
configuration option to do pervasive checks, i.e. something on top of
the currently used TCP handshake, something like requesting a dummy URL
or doing a HEAD HTTP request. These would need to be answered by backend
servers only.

If suggestion 3) were to be implemented, I would not need 1) and 2).
They are derived from the fact that to overcome the above problem, I
have daisy-chained Pound servers. I place a Pound server on each
physical host balancing the load for the clone backends on that same
host and one external Pound server distributing the load between these
Pound installations on the physical hosts. Because I can no longer use
the sequential port numbers, I would need the Address on the log files,
and because the death of all clones on a physical server would not be
noticed by the external Pound (unless I created yet one more HAPort
server), the emergency backend directive would help us serve requests
from any host with dead backends by fetching them directly from an
adjacent physical host. (Currently I am thinking of trying out with a
very low priority configuration for the emergency backend, which would
actually be the Pound installation on a physical host).

If anyone sees other solutions to my issues, please let me know.

Thanks,

 Curro



RE: [Pound Mailing List] Enhancements
Robert Segall <roseg(at)apsis.ch>
2006-08-18 11:25:07
On Thu, 2006-08-17 at 20:23 +0200, F.Alcala-Soler(at)iaea.org wrote:
> Hello,
> 
> These are my needs for features:
> 
> > - add an emergency back-end directive (hot back-up): a 
> > back-end that is
> > used only when all other back-ends are dead and stops being used when
> > any of the others is reactivated.
> 
> 1) +1 on the above.
> 
> 2) When logging the backend server that has been used (LogLevel 2), I
> see only the Port in parenthesis. If it is not possible to configure
> Pound to display also the Address, I'd find such a feature useful. I
> have all backend servers configured on the same port and the current
> information in the log is not enough to determine which one's been used.

Not here - it logs in the usual address:port format.

> 3) I have a NAT router between Pound and the backend servers. This is so
> because my backend servers are cloned VMware virtual machines and I do
> not have enough IP addresses to bridge them. There are several backend
> machines on every physical host and I use port forwarding to access the
> web servers in them (all on port 80, while the forwarders on the
> physical host listen on ports 80, 81, 82... one for each clone). This
> means that the checks that Pound performs on backend hosts (both Port
> and HAPort) are actually responded to by the NAT router. I can shut down
> a backend web server and Pound won't notice. My suggestion would be a
> configuration option to do pervasive checks, i.e. something on top of
> the currently used TCP handshake, something like requesting a dummy URL
> or doing a HEAD HTTP request. These would need to be answered by backend
> servers only.

That is simply impossible - it would break just about every IP standard
I ever heard about. By definition the NAT router cannot respond to
packets for forwarded ports. To check: run a port scan on your NAT box;
if what you say is true then each and every port will show as open,
regardless of whether it is forwarded or not.

As to the lack of IP addresses: the network segment(s) between Pound and
the servers is private, so you have as many addresses as you want.

> If suggestion 3) were to be implemented, I would not need 1) and 2).
> They are derived from the fact that to overcome the above problem, I
> have daisy-chaining Pound servers. I place a Pound server on each
> physical host balancing the load for the clone backends on that same
> host and one external Pound server distributing the load between these
> Pound installations on the physical hosts. Because I can no longer use
> the sequential port numbers, I would need the Address on the log files,
> and because the death of all clones on a physical server would not be
> noticed by the external Pound (unless I created yet one more HAPort
> server), the emergency backend directive would help us serve requests
> from any host with dead backends by fetching them directly from an
> adjacent physical host. (Currently I am thinking of trying out with a
> very low priority configuration for the emergency backend, which would
> actually be the Pound installation on a physical host).

In other words you have no NAT but extra Pound instances.

This is not a particularly efficient topology - you are better off with
a single Pound instance distributing the load to the various servers
directly. Use routing rather than NAT to get access to the virtual
machines.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904


Re: [Pound Mailing List] Enhanvements
Robert Segall <roseg(at)apsis.ch>
2006-08-18 11:27:20 [ SNIP ]
On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:
> On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:
> > Please post additional suggestions here and we'll try to add them to the
> > list.
> 
> An "Include" directive for the configuration file would be a nice
> feature to have.

Why? What is the advantage? Is your config file so large that you
actually need the feature? Not criticising but asking, as I'd like Pound
to stay as simple as possible.

In any case Pound reads the config file (with or without includes)
exactly once, on start-up.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904


Re: [Pound Mailing List] Enhanvements
Holger Gläß <holger.glaess(at)asknet.de>
2006-08-18 11:55:16 [ SNIP ]
Robert Segall wrote:
> On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:
>   
>> On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:
>>     
>>> Please post additional suggestions here and we'll try to add them to the
>>> list.
>>>       
>> An "Include" directive for the configuration file would be a nice
>> feature to have.
>>     
>
> Why? What is the advantage? Is your config file so large that you
> actually need the feature? Not criticising but asking, as I'd like Pound
> to stay as simple as possible.
>
> In any case Pound reads the config file (with or without includes)
> exactly once, on start-up.
>   

hi

An include function is nice to have for configuration synchronisation
between 2 boxes in a HA environment.

But this needs a function for reloading the config by a signal (like a HUP)
or an automatic check-and-reload feature for configs.

holger




Re: [Pound Mailing List] Enhanvements
Malte Ahrens <malte.ahrens(at)web.de>
2006-08-18 12:29:08 [ SNIP ]
Hello,
> Now that 2.1 has been out for almost 2 weeks and we have seen no
> problems, it is time to start thinking about future enhancements. The
> following are on our list:
> .....
> Please post additional suggestions here and we'll try to add them to the
> list.
>   
I'm not sure whether it was mentioned before. For me it would be great
to have the possibility to track a 'health page' of the back ends. For
example pound should retrieve every X seconds a special page whose only
content is 'OK' or 'FAIL'. This would give me the possibility to do some
health checks like DB lookups, server status and so on and drop a
backend even when apache (the server) is still responding.
I know there is the HAport directive but to my mind it's a very
complicated way...


Malte

Re: [Pound Mailing List] Enhanvements
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-18 12:34:02 [ SNIP ]
Holger Gläß wrote:

> an include function is nice to have for configuration syncronistation
> between 2 boxes in a HA environment.

In a HA environment a session synchronisation between two carped
pound-boxes would be fine...

> holger

Regards,

Falk


Re: [Pound Mailing List] Enhanvements
Holger Gläß <holger.glaess(at)asknet.de>
2006-08-18 12:49:11 [ SNIP ]
Falk Brockerhoff wrote:
> Holger Gläß wrote:
>
>   
>> an include function is nice to have for configuration syncronistation
>> between 2 boxes in a HA environment.
>>     
>
> In a HA environment a session synchronisation between two carped
> pound-boxes would be fine...
>
>   
holger

>
> Regards,
>
> Falk
>
>
>   

hi
I don't talk about session synchronisation, just about the synchronisation
of the configs between the boxes.
Or do you configure your settings on both machines by hand?

holger


Re: [Pound Mailing List] Enhanvements
Simon Slaytor <sslaytor(at)iom.com>
2006-08-18 12:57:22 [ SNIP ]
I can confirm that on OpenBSD 3.9 only the port is logged.

Aug 18 11:51:12 CLI-LB1 pound: 10.190.66.66 GET / HTTP/1.1 - HTTP/1.1 200 OK (http:80)
Aug 18 11:51:19 CLI-LB1 pound: 10.190.66.66 GET / HTTP/1.1 - HTTP/1.1 304 Not Modified (http:80)
Aug 18 11:51:19 CLI-LB1 last message repeated 2 times
Aug 18 11:51:22 CLI-LB1 pound: 10.190.70.70 GET / HTTP/1.1 - HTTP/1.1 304 Not Modified (http:80)
Aug 18 11:51:22 CLI-LB1 last message repeated 3 times

This might have a bearing on my non-load-balancing problem.


Robert Segall wrote:
> On Thu, 2006-08-17 at 20:23 +0200, F.Alcala-Soler(at)iaea.org wrote:
>   
>> Hello,
>>
>> These are my needs for features:
>>
>>     
>>> - add an emergency back-end directive (hot back-up): a 
>>> back-end that is
>>> used only when all other back-ends are dead and stops being used when
>>> any of the others is reactivated.
>>>       
>> 1) +1 on the above.
>>
>> 2) When logging the backend server that has been used (LogLevel 2), I
>> see only the Port in parenthesis. If it is not possible to configure
>> Pound to display also the Address, I'd find such a feature useful. I
>> have all backend servers configured on the same port and the current
>> information in the log is not enough to determine which one's been used.
>>     
>
> Not here - it logs in the usual address:port format.
>
>   
>> 3) I have a NAT router between Pound and the backend servers. This is so
>> because my backend servers are cloned VMware virtual machines and I do
>> not have enough IP addresses to bridge them. There are several backend
>> machines on every physical host and I use port forwarding to access the
>> web servers in them (all on port 80, while the forwarders on the
>> physical host listen on ports 80, 81, 82... one for each clone). This
>> means that the checks that Pound performs on backend hosts (both Port
>> and HAPort) are actually responded to by the NAT router. I can shut down
>> a backend web server and Pound won't notice. My suggestion would be a
>> configuration option to do pervasive checks, i.e. something on top of
>> the currently used TCP handshake, something like requesting a dummy URL
>> or doing a HEAD HTTP request. These would need to be answered by backend
>> servers only.
>>     
>
> That is simply impossible - it would break just about every IP standard
> I ever heard about. By definition the NAT router cannot respond to
> packets for forwarded ports. To check: run a port scan on your NAT box;
> if what you say is true then each and every port will show as open,
> regardless of whether it is forwarded or not.
>
> As to the lack of IP addresses: the network segment(s) between Pound and
> the servers is private, so you have as many addresses as you want.
>
>   
>> If suggestion 3) were to be implemented, I would not need 1) and 2).
>> They are derived from the fact that to overcome the above problem, I
>> have daisy-chaining Pound servers. I place a Pound server on each
>> physical host balancing the load for the clone backends on that same
>> host and one external Pound server distributing the load between these
>> Pound installations on the physical hosts. Because I can no longer use
>> the sequential port numbers, I would need the Address on the log files,
>> and because the death of all clones on a physical server would not be
>> noticed by the external Pound (unless I created yet one more HAPort
>> server), the emergency backend directive would help us serve requests
>> from any host with dead backends by fetching them directly from an
>> adjacent physical host. (Currently I am thinking of trying out with a
>> very low priority configuration for the emergency backend, which would
>> actually be the Pound installation on a physical host).
>>     
>
> In other words you have no NAT but extra Pound instances.
>
> This is not a particularly efficient topology - you are better off with
> a single Pound instance distributing the load to the various servers
> directly. Use routing rather than NAT to get access to the virtual
> machines.
>   



Re: [Pound Mailing List] Enhanvements
Falk Brockerhoff <noc(at)smartterra.de>
2006-08-18 13:03:19 [ SNIP ]
Holger Gläß wrote:

> i don´t talk about session sycronistation just from the syncronisation
> of the configs between the boxes
> or do you do configure your settings on both machine by hand ?

Ok, I should have said that this was meant as an additional suggestion.. No,
I run a script on the master which copies the config to the slave with scp and
restarts pound on both machines.

> holger

Regards,

Falk



Re: [Pound Mailing List] Enhanvements
Robert Klikics <robert.klikics(at)unitedprint.com>
2006-08-18 13:12:35 [ SNIP ]
On 18.08.2006 12:29, Malte Ahrens wrote:
> I'm not sure whether it was mentioned before. For me it would be great to have the
> possibility to track a 'health page' of the back ends. For example
> pound should retrieve every X seconds a special page which only content
> is 'OK' or 'FAIL'. This would give me the possibility to do some health
> checks like DB lookups, server status and so on and drop a backend even
> when apache (the server) is still responding.
>
> I know there is the HAport directive but to my mind it's a very
> complicate way...
>
> Malte

Great Idea!
Would also be nice to have a statusinfo like Apache's "server-status"
or something where the admin can see the current/average requests and
other things ....

Robert

Re: [Pound Mailing List] Pound Performance
Harmen <harm(at)tty.nl>
2006-08-18 13:56:39 [ SNIP ]
On Fri, Aug 18, 2006 at 07:51:22AM -0400, Jeffrey Brown wrote:
> Hi,
>  
> I was hoping someone may be able to make some suggestions on how to improve
> the performance of pound.
>  
> I am running pound on SuSE Linux Enterprise 9.0 on a Dell PowerEdge 2550 with
> two 1.2ghz processors and 3gb memory.
>  
> The only site being proxied right now is Lotus Domino webmail for 250 total
> users, with concurrency not exceeding 30 users at any given time.
>  
> Memory and CPU utilization are never very high at all, but the webmail site is
> slower when accessed through pound than it is if you access the site directly.
>  
> I don't believe there are any configuration directives I should be using to
> help performance except for maybe logging, which is set to the minimum.
>  
> Are there any server OS specific settings that might help?

Can you show the pound config file?

> 
> Thanks,
>  
> --jeff
> 

-- 
                               The Moon is Waning Crescent (25% of Full)

Re: [Pound Mailing List] Enhanvements
Ondra Kudlik <kepi(at)orthank.net>
2006-08-18 14:05:36 [ SNIP ]
Hi,

I have implemented this solution in my config.

In /etc/pound/conf.d there are many parts of the config, and then I have a
rebuild action in the init scripts:

rebuild)
        echo -n "Generating sites config: "
        gen_pound_sites # generate config for pound 
        /bin/cat /etc/pound/conf.d/* > /etc/pound/pound.cfg
        /usr/local/bin/pound_check_config $DAEMON $CONFIG
        ;;

The important part is only /bin/cat /etc/pound/conf.d/* >
/etc/pound/pound.cfg

So if you add this to the start action, there is no need for an Include
directive.


And Robert, I'm wondering if it is a problem for pound to have a huge
amount of Service sections? My conf script has 2348 lines now and it
is growing..

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html 


Fri, Aug 18, 2006 at 11:27:20 +0200, Robert Segall wrote:
> On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:
> > On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:
> > > Please post additional suggestions here and we'll try to add them to the
> > > list.
> > 
> > An "Include" directive for the configuration file would be a nice
> > feature to have.
> 
> Why? What is the advantage? Is your config file so large that you
> actually need the feature? Not criticising but asking, as I'd like Pound
> to stay as simple as possible.
> 
> In any case Pound reads the config file (with or without includes)
> exactly once, on start-up.

Re: [Pound Mailing List] Pound Performance
Jeffrey Brown <jbrown(at)camsys.com>
2006-08-18 16:03:10 [ SNIP ]
Harmen <harm(at)tty.nl> wrote on 08/18/2006 07:56:39 AM:

> On Fri, Aug 18, 2006 at 07:51:22AM -0400, Jeffrey Brown wrote:
> > Hi,
> > 
> > I was hoping someone may be able to make some suggestions on how 
> > to improve the performance of pound.
> > 
> > I am running pound on SuSE Linux Enterprise 9.0 on a Dell 
> > PowerEdge 2550 with two 1.2ghz processors and 3gb memory.
> > 
> > The only site being proxied right now is Lotus Domino webmail for 
> > 250 total users, with concurrency not exceeding 30 users at any given 
> > time. 
> > 
> > Memory and CPU utilization are never very high at all, but the 
> > webmail site is slower when accessed through pound than it is if you 
> > access the site directly.
> > 
> > I don't believe there are any configuration directives I should be
> > using to help performance except for maybe logging, which is set to 
> > the minimum.
> > 
> > Are there any server OS specific settings that might help?
> 
> Can you show the pound config file?

Certainly.

# cat /usr/local/etc/pound.cfg

User "pound"
Group "pound"
Daemon 1
LogLevel 0
Alive 30

ListenHTTP
        Address 192.168.5.101
        port 80
        Client 10
        Change30x 1

        Service
                URL ".*"
                HeadRequire "Host:.*http-test.domain.com.*"
                BackEnd
                        Address 192.168.5.21
                        Port 80
                End
                Session
                        Type IP
                        TTL 300
                End
        End
End

ListenHTTPS
        Address 192.168.5.101
        Port 443
        xHTTP 0
        WebDAV 0
        Client 10
        Change30x 1
        Cert "/usr/local/etc/newcert.pem"

        Service
                URL ".*"
                HeadRequire "Host:.*serverA.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverB.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverC.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverD.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverE.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

        Service
                URL ".*"
                HeadRequire "Host:.*serverF.domain.com.*"
                BackEnd
                        Address x.x.x.x
                        Port 80
                End
#               Session
#                       Type IP
#                       TTL 300
#               End
        End

#       Service
#               URL ".*"
#               HeadRequire "Host:.*www-test.domain.com.*"
#               BackEnd
#                       Address 192.168.5.21
#                       Port 80
#               End
#               Session
#                       Type IP
#                       TTL 300
#               End
#

RE: [Pound Mailing List] Enhanvements
<F.Alcala-Soler(at)iaea.org>
2006-08-18 18:49:03 [ SNIP ]
Hi Robert,

> > 2) When logging the backend server that has been used
> (LogLevel 2), I
> > see only the Port in parenthesis. If it is not possible to configure
> > Pound to display also the Address, I'd find such a feature useful. I
> > have all backend servers configured on the same port and the current
> > information in the log is not enough to determine which
> one's been used.
>
> Not here - it logs in the usual address:port format.

I am not seeing the backend's address. Here is an example log line produced
with LogLevel 2 on SuSE 10:

Aug 18 13:18:42 LOADB1 pound: 192.168.218.127 GET /stylesheets/mainSearch.css HTTP/1.1 - HTTP/1.1 304 Not Modified (:80)

It shows only the port in parenthesis.

> > 3) I have a NAT router between Pound and the backend
> servers. This is so
> > because my backend servers are cloned VMware virtual
> machines and I do
> > not have enough IP addresses to bridge them. There are
> several backend
> > machines on every physical host and I use port forwarding
> to access the
> > web servers in them (all on port 80, while the forwarders on the
> > physical host listen on ports 80, 81, 82... one for each
> clone). This
> > means that the checks that Pound performs on backend hosts
> (both Port
> > and HAPort) are actually responded to by the NAT router. I
> can shut down
> > a backend web server and Pound won't notice. My suggestion
> would be a
> > configuration option to do pervasive checks, i.e. something
> on top of
> > the currently used TCP handshake, something like requesting
> a dummy URL
> > or doing a HEAD HTTP request. These would need to be
> answered by backend
> > servers only.
>
> That is simply impossible - it would break just about every
> IP standard
> I ever heard about. By definition the NAT router cannot respond to
> packets for forwarded ports. To check: run a port scan on
> your NAT box;
> if what you say is true then each and every port will show as open,
> regardless of whether it is forwarded or not.

I think I haven't explained it properly. The "NAT router" and "port forwarding"
refer to the way VMware GSX server handles these virtual devices. The router
isn't a physical device, but a Windows service that passes inbound
communications through forwarding tunnels from ports on the NIC of a physical
host to the virtual, private network used to communicate with the virtual
machines on this same host.

I've done the packet captures with Ethereal and the VMware NAT router closes
the connection with Pound before it's started the corresponding connection with
the backend server. It goes like this:

Pound               NAT Router                 Backend

      >- SYN     ->
      <- SYN,ACK -<
      >- ACK     ->
      >- FIN,ACK ->
                                >- SYN     ->
      <- ACK     -<
                                <- SYN,ACK -<
                                >- ACK,RST ->  (not sure about this one,
                                                writing from top of my head,
                                                but the router closes it,
                                                since the other side is closed)

The communication between the NAT router and the backend happens in memory,
since the VMware networks are virtual (super quick, also). The sequence is not
always the same: sometimes the whole communication between Pound and the NAT
router is finished before the router has time to start talking to the backend.

Regarding the port scan, I haven't tried it, but I am sure that it would find
open only the ports for which there is a forwarding tunnel defined. This type
of VMware virtual NAT router actually routes only for the defined forwarding
tunnels (or for the outgoing communications, of course).

Also, note that the router is not bridging transparently at layer 2, so it is
responsible for the TCP connections that are opened against it.

> As to the lack of IP addresses: the network segment(s)
> between Pound and
> the servers is private, so you have as many addresses as you want.

You're right, but in our configuration Pound is on a different physical host than
the servers and I do not have access to that network. It is one of our
organization's DMZ areas and I get one IP address per physical host. With the
virtual machines behind the NAT router I have as many private networks/IP
addresses as I like (all of them virtual).

However, I think I get an idea of what you mean. Perhaps you mean that I am
free to add a second, private IP address to the NICs and expose the virtual
machines' private addresses on the network through bridging, instead of NATing.
Thus, every NIC would be able to communicate both on the "official" and on the
"private" network through the same wire. I am not sure about how to do this on
Windows 2003, but I am off to the drawing board... It would allow us to go back
to the single Pound installation.

> > If suggestion 3) were to be implemented, I would not need 1) and 2).
> > They are derived from the fact that to overcome the above problem, I
> > have daisy-chaining Pound servers. I place a Pound server on each
> > physical host balancing the load for the clone backends on that same
> > host and one external Pound server distributing the load
> between these
> > Pound installations on the physical hosts. Because I can no
> longer use
> > the sequential port numbers, I would need the Address on
> the log files,
> > and because the death of all clones on a physical server
> would not be
> > noticed by the external Pound (unless I created yet one more HAPort
> > server), the emergency backend directive would help us
> serve requests
> > from any host with dead backends by fetching them directly from an
> > adjacent physical host. (Currently I am thinking of trying
> out with a
> > very low priority configuration for the emergency backend,
> which would
> > actually be the Pound installation on a physical host).
>
> In other words you have no NAT but extra Pound instances.
>
> This is not a particularly efficient topology - you are
> better off with
> a single Pound instance distributing the load to the various servers
> directly. Use routing rather than NAT to get access to the virtual
> machines.

The NAT is there:

Host 1                   Host 2
Pound     ->     NAT router -> Pound -> Backend
                                     -> Backend
                                     -> Backend
                            Host 3
          ->     NAT router -> Pound -> Backend
                                     -> Backend
                                     -> Backend

All servers in hosts 2 and 3 are virtual machines, so they have full (private)
network access among themselves. Hosts 1, 2 and 3 have each a single IP
address, this is why we need NATing to the Pound and Backends on hosts 2 and 3.

I would love to have a single Pound instance. Actually this is what I tested
first, until I discovered that Pound on host 1 could not check the availability
of the HAPorts and Ports of the backends.

Thanks a lot for your help,

 Curro 
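The difference between a Port/HAPort-style handshake check and the page-level check Malte asked for earlier in the thread, against a forwarder that behaves the way Curro's capture shows, as an added Python demonstration (not Pound's code and not anything posted here): three constructed loopback "backends" and two probes. HEALTH_PATH, the backend behaviours and the verdict names are assumptions.

```python
"""Why a TCP-handshake liveness check is not a health check.

Constructed demo, not Pound code: three tiny local "backends" stand in for
  - a healthy web server whose health page says OK,
  - a forwarder that completes the TCP handshake and then closes before any
    HTTP reply (the VMware NAT router behaviour described in the thread),
  - a web server that is up but whose health page reports FAIL.
A connect-only probe (what a Port/HAPort check amounts to) passes all three;
an HTTP probe that insists on a real 'OK' body tells them apart.
"""
import socket
import threading

HEALTH_PATH = "/health"  # assumption: backends expose a plain-text OK/FAIL page


def _serve(sock, behaviour):
    """Accept connections forever and act like the named backend type."""
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:
            return  # listening socket closed
        with conn:
            if behaviour == "nat-close":
                continue  # handshake done, then FIN/RST: no HTTP reply at all
            try:
                conn.recv(1024)  # read the request; its contents do not matter here
            except OSError:
                continue
            body = "OK\n" if behaviour == "healthy" else "FAIL\n"
            conn.sendall(
                ("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                 f"Content-Length: {len(body)}\r\n\r\n{body}").encode()
            )


def start_backend(behaviour):
    """Start a fake backend on an ephemeral loopback port; return (host, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=_serve, args=(sock, behaviour), daemon=True).start()
    return sock.getsockname()


def tcp_check(host, port, timeout=2.0):
    """Handshake-only liveness: does the TCP connection complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_health_check(host, port, path=HEALTH_PATH, timeout=2.0):
    """Application-level check: fetch the health page and require 'OK'.

    Returns 'ok', 'fail' (page answered but not OK), 'no-response' (the
    handshake completed but the peer closed or stalled without an HTTP
    reply) or 'unreachable' (no handshake at all).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except ConnectionRefusedError:
        return "unreachable"
    except OSError:
        return "no-response"  # reset, broken pipe or timeout after the handshake
    if not raw.startswith(b"HTTP/"):
        return "no-response"
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b" ", 2)[1] if b" " in head else b""
    return "ok" if status == b"200" and body.strip() == b"OK" else "fail"


def compare_checks(host, port):
    """Run both probes against one backend and return their verdicts."""
    return {"tcp": tcp_check(host, port), "http": http_health_check(host, port)}


if __name__ == "__main__":
    for kind in ("healthy", "nat-close", "failing"):
        print(kind, compare_checks(*start_backend(kind)))
```

Against the forwarder case the TCP probe reports the backend alive while the HTTP probe returns 'no-response', which is exactly the gap the thread describes.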



Re: [Pound Mailing List] Enhanvements
Sean Gabriel Heacock <gabriel(at)korsoft.com>
2006-08-18 23:05:18 [ SNIP ]
On Fri, 2006-08-18 at 11:27 +0200, Robert Segall wrote:
> On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:
> > An "Include" directive for the configuration file would be a nice
> > feature to have.
> 
> Why? What is the advantage? Is your config file so large that you
> actually need the feature? Not criticising but asking, as I'd like Pound
> to stay as simple as possible.

I'd like to see this feature myself, not that my Pound config is very
big, but at some point I'd like to automate the process of setting up
SSL for a customer.  I'd rather create a new file that's included by
pound.conf (preferably in the conf.d style) than have a script touch the
main config file and probably screw it up.  And if the customer leaves,
I'd just have to delete their included file.

At some point I'll patch Pound to do this myself if it's not going to be
officially supported (I have no qualms about doing this - you should see
my Apache!) but this strikes me as a fairly simple feature that a lot of
people would find useful.

-- 
Sean Gabriel Heacock
Telana Internet Services
http://www.telana.com/


Re: [Pound Mailing List] Enhanvements
Eric McCarthy <eric(at)desert.net>
2006-08-19 01:02:55 [ SNIP ]
On Aug 18, 2006, at 2:27 AM, Robert Segall wrote:
> On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:
>> On Thu, Aug 17, 2006 at 02:49:59PM +0200, Robert Segall wrote:
>>> Please post additional suggestions here and we'll try to add them  
>>> to the
>>> list.
>>
>> An "Include" directive for the configuration file would be a nice
>> feature to have.
>
> Why? What is the advantage? Is your config file so large that you
> actually need the feature? Not criticising but asking, as I'd like  
> Pound
> to stay as simple as possible.

Sean's answer is the same for us. We have a lot of our setups  
automated, except for the pound parts.

> In any case Pound reads the config file (with or without includes)
> exactly once, on start-up.

Acknowledged. I'm thinking of an include along the lines of an Apache  
Include directive or an #include used by the pre-parser in C.

-Eric



Re: [Pound Mailing List] Enhanvements
Adam Borowski <kilobyte(at)angband.pl>
2006-08-19 02:30:46 [ SNIP ]
On Fri, Aug 18, 2006 at 03:05:18PM -0600, Sean Gabriel Heacock wrote:
> On Fri, 2006-08-18 at 11:27 +0200, Robert Segall wrote:
> > On Thu, 2006-08-17 at 10:41 -0700, Eric McCarthy wrote:
> > > An "Include" directive for the configuration file would be a nice
> > > feature to have.
> > Why? What is the advantage? Is your config file so large that you
> > actually need the feature? Not criticising but asking, as I'd like Pound
> > to stay as simple as possible.
> [...]  I'd rather create a new file that's included by
> pound.conf (preferably in the conf.d style) than have a script touch the
> main config file and probably screw it up.  And if the customer leaves,
> I'd just have to delete their included file.

Since you ALREADY have to restart Pound, most likely using a short script
(even if it's just a one-liner), why don't you create pound.cfg from the
conf.d files?  This way you have exactly the same functionality, can tailor
it as you want while Pound itself is kept simple.

-- 
1KB		// Microsoft corollary to Hanlon's razor:
		//	Never attribute to stupidity what can be
		//	adequately explained by malice.
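A Python rendering of the conf.d assembly Ondra describes above and Adam recommends in this reply, added here as an example (not Pound's code and not the init script quoted earlier): every fragment is checked for balanced End blocks before it is accepted, and the assembled file is renamed into place atomically so a running pound never sees a half-written config. The conf.d/target paths, the fragment contents built by demo() and the optional `pound -c -f` syntax check are assumptions.

```python
"""Assemble pound.cfg from conf.d fragments with a pre-check and atomic swap.

Added example, not Pound code. Assumptions: paths are parameters; the
optional syntax check with the daemon itself ("pound -c -f FILE") runs only
when a pound binary is on PATH.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Keywords that open a block closed by "End" in the configs shown in the
# thread. Pound reads keywords case-insensitively ("backEnd", "port").
BLOCK_OPENERS = {"listenhttp", "listenhttps", "service", "backend", "session"}


def check_balanced(text):
    """Return None if every block opened in `text` is closed by a matching
    End, otherwise a short description of the first problem found."""
    depth = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        keyword = stripped.split()[0].lower()
        if keyword in BLOCK_OPENERS:
            depth += 1
        elif keyword == "end":
            depth -= 1
            if depth < 0:
                return f"line {lineno}: End without an open block"
    if depth:
        return f"{depth} block(s) never closed"
    return None


def assemble_config(confd, target, daemon_check=True):
    """Concatenate confd/* in name order into target.

    Each fragment must pass check_balanced on its own, so one broken
    per-customer file is refused instead of corrupting the whole config
    and taking the load balancer down at the next restart. The output is
    written to a temp file next to target and renamed into place.
    Returns the fragments installed; raises ValueError on a bad fragment."""
    confd, target = Path(confd), Path(target)
    fragments = sorted(p for p in confd.iterdir() if p.is_file())
    parts = []
    for frag in fragments:
        text = frag.read_text()
        problem = check_balanced(text)
        if problem:
            raise ValueError(f"{frag}: {problem}")
        parts.append(f"# --- {frag} ---\n{text.rstrip()}\n")
    fd, tmp = tempfile.mkstemp(prefix=target.name + ".", dir=str(target.parent))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(parts))
        if daemon_check and shutil.which("pound"):
            # Assumption: "pound -c -f FILE" parses the file and exits non-zero on error.
            subprocess.run(["pound", "-c", "-f", tmp], check=True)
        os.replace(tmp, target)  # atomic on POSIX: old config or new, never half
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return [str(p) for p in fragments]


def demo():
    """Constructed fixtures: one good fragment, then one missing its End.
    Returns (installed fragments, rejection message, installed config text)."""
    root = Path(tempfile.mkdtemp())
    confd = root / "conf.d"
    confd.mkdir()
    (confd / "10-listener.cfg").write_text(
        "ListenHTTP\n\tAddress 127.0.0.1\n\tPort 80\n"
        "\tService\n\t\tURL \".*\"\n\t\tBackEnd\n\t\t\tAddress 127.0.0.1\n"
        "\t\t\tPort 8080\n\t\tEnd\n\tEnd\nEnd\n")
    installed = assemble_config(confd, root / "pound.cfg", daemon_check=False)
    # A second customer file whose Service block is never closed: refused,
    # and the previously installed pound.cfg is left untouched.
    (confd / "20-customer.cfg").write_text(
        "Service\n\tHeadRequire \"Host:.*example.test.*\"\n\tBackEnd\n"
        "\t\tAddress 127.0.0.1\n\t\tPort 8081\n\tEnd\n")
    try:
        assemble_config(confd, root / "pound.cfg", daemon_check=False)
        rejection = None
    except ValueError as exc:
        rejection = str(exc)
    return installed, rejection, (root / "pound.cfg").read_text()


if __name__ == "__main__":
    installed, rejection, _ = demo()
    print("installed:", installed)
    print("rejected:", rejection)
```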

Re: [Pound Mailing List] Enhanvements
Alessio Cervellin <a.cervellin(at)acm.org>
2006-08-19 10:30:52 [ SNIP ]
> In any case Pound reads the config file (with or without includes)
> exactly once, on start-up.

A nice-to-have would be a feature that allows changing the
configuration file without restarting pound. As an example, there could be
a signal which, once sent to the pound process, instructs it to read the
configuration file again. Would it be possible?

Re: [Pound Mailing List] Enhanvements
Ted Dunning <tdunning(at)veoh.com>
2006-08-21 08:44:40 [ SNIP ]

So put an invocation of m4 into your startup script.  You can build the real
config from an arbitrarily macro-ized, include-filed config master file that
way.

No need to integrate m4 into pound when another tool already exists.

On 8/18/06 4:02 PM, "Eric McCarthy" <eric(at)desert.net> wrote:

>>> An "Include" directive for the configuration file would be a nice
>>> feature to have.
>> 
>> Why? What is the advantage? Is your config file so large that you
>> actually need the feature? Not criticising but asking, as I'd like
>> Pound
>> to stay as simple as possible.
> 
> Sean's answer is the same for us. We have a lot of our setups
> automated, except for the pound parts.
> 
>> In any case Pound reads the config file (with or without includes)
>> exactly once, on start-up.
> 
> Acknowledged. I'm thinking of an include along the lines of an Apache
> Include directive or an #include used by the pre-parser in C.
> 
> -Eric
> 
> 


Re: [Pound Mailing List] Enhanvements
"M. Krainer" <mkrainer05(at)gmail.com>
2006-08-21 12:36:39 [ SNIP ]
On 8/17/06, Robert Segall <roseg(at)apsis.ch> wrote:
>
> Now that 2.1 has been out for almost 2 weeks and we have seen no
> problems, it is time to start thinking about future enhancements.


An additional loglevel that logs the duration of the request to the backend
would be nice.

- Markus


Re: [Pound Mailing List] Enhancements
Robert Segall <roseg(at)apsis.ch>
2006-08-21 17:39:44 [ SNIP ]
On Fri, 2006-08-18 at 14:05 +0200, Ondra Kudlik wrote:
> And Robert, I'm wondering if it is problem for pound to have huge
> amount of Service sections? My conf script has 2348 line now and it
> is growing..

I honestly can't imagine why you would need over 2000 lines. The
performance penalty is not that big (an extra pattern match or two per
service) but the maintenance must be a nightmare.

Would you care to post an example of what you are doing? I suspect we
could reduce this quite a bit.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904


Re: [Pound Mailing List] Enhancements
Ondra Kudlik <kepi(at)orthank.net>
2006-08-21 20:49:20 [ SNIP ]
On Mon, Aug 21, 2006 at 05:39:44 +0200, Robert Segall wrote:
> On Fri, 2006-08-18 at 14:05 +0200, Ondra Kudlik wrote:
> > And Robert, I'm wondering if it is problem for pound to have huge
> > amount of Service sections? My conf script has 2348 line now and it
> > is growing..
> 
> I honestly can't imagine why would you need over 2000 lines. The

I have a service for every virtual host... I'm not sure if this is
needed now, but in the past I couldn't redirect between two web sites or
something similar...

> performance penalty is not that big (an extra pattern match or two per
> service) but the maintenance must be a nightmare.

Not at all.. almost the whole config is generated from a database.

> Would you care to post an example of what you are doing? I suspect we
> could reduce this quite a bit.

Of course.

---------- start pound.conf ---------------
User "pound"
Group "pound"

LogLevel        0

Alive           20


ListenHTTP
    Address 81.0.246.70
    Port    80
    HTMLErr414  "/var/www/default/500.html"
    HTMLErr500  "/var/www/default/500.html"
    HTMLErr501  "/var/www/default/501.html"
    HTMLErr503  "/var/www/default/503.html"

    RewriteLocation 0

    Service
        HeadRequire "Host: .*firstdomain\.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8080
            TimeOut 1200
        End
    End
    Service
        HeadRequire "Host: .*seconddomain\.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8081
            TimeOut 1200
        End
    End
    Service
        HeadRequire "Host: .*thirddomain\.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8080
            TimeOut 1200
        End
    End
    Service
     ....
     .... etc etc ...
End
---------- end pound.conf ---------------

You may wonder why I have only one backend :) but I'm not using
pound as a load balancer for now (but I plan to) but as a proxy for
distributing domains between http servers (we have some php4 and
php5 and some on other machines).

I'm not sure if I can optimize this, only option from my point of
view is to group the sites by http server (no problem) so it can
look like:

Service
	HeadRequire "Host: .*((firstdomain\.com)|(thirddomain\.com)).*"
	BackEnd...
End

But I'm really not sure if it helps, because the regexp is more
complicated.

Thanks for your time

--
 .''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
  `-   http://www.nosoftwarepatents.com/cz/m/intro/index.html 

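The two suggestions above (build pound.cfg from a script at startup, and group the per-domain Services by backend) can be combined in one generator. This is an added example, not code from the list or from Pound: it takes a constructed domain-to-backend mapping standing in for Ondra's database, groups it by backend, and emits one Service per backend with an anchored, escaped HeadRequire pattern, so a Host of "firstdomain.com.example" no longer matches the unanchored ".*firstdomain\.com.*" used in the posted config. It assumes Pound compiles HeadRequire as an extended regex and matches it against the header line without its trailing CRLF; Python's re is used here only to check the generated pattern.

```python
import re

# Constructed sample mapping (domain -> backend address, port); it stands in
# for the database the post says the config is generated from.
HOSTS = {
    "firstdomain.com": ("127.0.0.1", 8080),
    "seconddomain.com": ("127.0.0.1", 8081),
    "thirddomain.com": ("127.0.0.1", 8080),
}


def group_by_backend(hosts):
    """Invert domain -> backend into backend -> sorted list of domains."""
    groups = {}
    for domain, backend in hosts.items():
        groups.setdefault(backend, []).append(domain)
    return {backend: sorted(domains) for backend, domains in groups.items()}


def host_regex(domains):
    """One HeadRequire pattern for a group of domains.

    Each name is escaped, the alternation sits in its own group so '|' cannot
    split the anchors, an optional 'www.' label and ':port' suffix are
    allowed, and both ends are anchored (assumes no trailing CRLF in the
    header line Pound matches against).
    """
    alternatives = "|".join(re.escape(d) for d in domains)
    return r"^Host: (www\.)?(%s)(:[0-9]+)?$" % alternatives


def host_matches(pattern, header_line):
    """Check a pattern against a header line, case-insensitively like Pound."""
    return re.search(pattern, header_line, re.IGNORECASE) is not None


def render_service(domains, address, port, timeout=1200):
    """Render one Service block in the layout used by the posted pound.conf."""
    return "\n".join([
        "    Service",
        '        HeadRequire "%s"' % host_regex(domains),
        "        BackEnd",
        "            Address %s" % address,
        "            Port    %d" % port,
        "            TimeOut %d" % timeout,
        "        End",
        "    End",
    ])


def render_services(hosts):
    """Render all Service blocks, one per backend, ready to paste into pound.cfg."""
    groups = group_by_backend(hosts)
    blocks = [render_service(domains, addr, port)
              for (addr, port), domains in sorted(groups.items())]
    return "\n".join(blocks) + "\n"
```

Writing the output of render_services(HOSTS) into the ListenHTTP section of pound.cfg from the restart script gives the grouped configuration without any change to Pound itself.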

Re: [Pound Mailing List] SSL/Zope Question
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com>
2006-08-23 17:45:58 [ SNIP ]
Beno wrote:

> It is written that, for SSL, one should modify start Zope (modify the
> start file) as:
> python -X -w 8080 -y 8443
> but doesn't specify which file that is. It clearly isn't zope.conf, it
> doesn't look like zopectl or zopectl.py, either. Also, I have 3
> instances of Zope. Which file(s) am I to modify?

Take a look at the solution mentioned in
http://www.apsis.ch/pound/pound_list/archive/2006/2006-03/1141502757000/index_html#1141562813000

Basically you will have to patch .../ZPublisher/HTTPRequest.py to
recognize an HTTP_HTTPS header (and switch to protocol https
whenever this header is seen).

Cheers,

-- 
Klaus Alexander Seistrup
Copenhagen · Denmark
http://seistrup.dk/

Re: [Pound Mailing List] SSL/Zope Question
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com>
2006-08-24 10:03:13 [ SNIP ]
John Snowdon wrote:

> Any particular reason you want to do this? Pound works very well as an
> SSL reverse proxy for Zope. All you have to do is modify zope.conf to
> generate https URLs instead of http (set the variable "HTTPS ON").

It didn't work for me (older zope version, upgrade is not an option),
so I chose another solution and it works like a charm.

Cheers,

-- 
Klaus Alexander Seistrup
Copenhagen · Denmark
http://magnetic-ink.dk/

Re: [Pound Mailing List] SSL/Zope Question
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com>
2006-08-24 11:25:08 [ SNIP ]
John Snowdon wrote:

> Ah okay, we've standardised on a minimum version of 2.7 roughly two
> years ago - we find it to be a lot better than the earlier versions (ZEO
> support, configuration and start/stop control are much improved).

I agree.  I have Zope 2.7+ running on some of my servers, but at least
one is still running an older version.

Cheers,

-- 
Klaus Alexander Seistrup
København · Danmark
http://magnetic-ink.dk/

Re: [Pound Mailing List] SSL/Zope Question
Robert Segall <roseg(at)apsis.ch>
2006-08-24 18:29:08 [ SNIP ]
On Thu, 2006-08-24 at 11:25 +0200, Klaus Alexander Seistrup wrote:
> John Snowdon wrote:
> 
> > Ah okay, we've standardised on a minimum version of 2.7 roughly two
> > years ago - we find it to be a lot better than the earlier versions (ZEO
> > support, configuration and start/stop control are much improved).
> 
> I agree.  I have Zope 2.7+ running on some of my servers, but at least
> one is still running an older version.
> 
> Cheers,

Modified versions of z2.py are available in the distribution for older
(2.5, 2.6) Zope versions.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

