Pound Mailing List Archive, 2006-09: RewriteRedirect http->https issue
RewriteRedirect http->https issue
Rob Moore <rmoore(at)espsg.com>
2006-09-22 00:42:39
After hammering on this for a while, I discovered that the address is
substituted correctly (I've verified this by pointing to another server
in the backend config) but the protocol is not modified. Looking a bit
at the code (I'm not a C coder but I've been able to make some of it
out), it looks like on line 1018 of http.c that the protocol of the
location header is determined based on whether the value of the variable
'ssl' is null. I cannot find an instance where it is explicitly set to
null and it seems like it has to be non-null elsewhere in the function
for it to work properly but it seems to me this might be why location
rewriting isn't working properly. Perhaps somebody with an actual
understanding of C (and the OpenSSL API) could ferret this out.
Thanks,
Rob
Re: [Pound Mailing List] RewriteRedirect http->https issue
Rob Moore <rmoore(at)espsg.com>
2006-09-23 01:15:12
After some further examination, I realized the theory outlined in my
last email was woefully wrong. I'll leave the coding to you. :)
However, I have figured out the basic issue -- gethostbyname in
need_rewrite is returning null. I'm puzzled by this because an example
program I have that also calls gethostbyname returns the correct value.
The only thing I can think of is that my example uses a different
library than pound? Here's what I have:
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <arpa/inet.h>

int main(void) {
    struct hostent *foo;

    /* Resolve the name through the system resolver (NSS, then DNS). */
    foo = gethostbyname("robtest.espsg.com");
    if (foo) {
        int i;
        /* Canonical name and the first address in the list
           (h_addr_list[0] is what the h_addr macro expands to). */
        printf("%s -> %s\n", foo->h_name,
               inet_ntoa(*(struct in_addr *)foo->h_addr_list[0]));
        for (i = 0; foo->h_aliases[i]; ++i) {
            printf(" also known as %s\n", foo->h_aliases[i]);
        }
    } else {
        return 1;   /* lookup failed */
    }
    /* printf("%g %g\n",1e-10,1e10); */
    return 0;
}
Regards,
Rob
Re: [Pound Mailing List] RewriteRedirect http->https issue
Robert Segall <roseg(at)apsis.ch>
2006-09-23 11:29:13
On Fri, 2006-09-22 at 18:15 -0500, Rob Moore wrote: [...]
There is only one library. There also is an easy way to find out what
went wrong: add one line in svc.c, at 617
if((he = gethostbyname(host)) == NULL || he->h_addr_list[0] == NULL) {
+ logmsg(LOG_WARNING, "gethostbyname(%s): %s", host, hstrerror(h_errno));
if(ret_val = pthread_mutex_unlock(&host_mut))
logmsg(LOG_WARNING, "need_rewrite() unlock: %s",
strerror(ret_val));
return 0;
}
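Review bot: the `if(ret_val = pthread_mutex_unlock(&host_mut))` line right after the added logmsg uses an assignment as the condition, which compilers warn about and readers mistake for `==`; write it as `if ((ret_val = pthread_mutex_unlock(&host_mut)) != 0)` to make the intent explicit. The added `hstrerror(h_errno)` is the correct formatter for this failure (gethostbyname reports through h_errno, not errno), and placing it before the unlock call keeps the value from being overwritten by a later library call.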
This will tell you what the problem is. [...]
Re: [Pound Mailing List] RewriteRedirect http->https issue
Rob Moore <rmoore(at)espsg.com>
2006-09-23 19:10:04
Thanks, Robert. I'm seeing this:
Sep 23 17:10:11 robtest pound: gethostbyname(robtest.espsg.com): No such file or directory
Rob
On Sep 23, 2006 04:29 AM, Robert Segall wrote: [...]
Re: [Pound Mailing List] RewriteRedirect http->https issue
Robert Segall <roseg(at)apsis.ch>
2006-09-25 18:22:26
On Sat, 2006-09-23 at 12:10 -0500, Rob Moore wrote: [...]
That is not a "normal" error in gethostbyname - see the manpage for
details.
I suspect you either run Pound in a root jail that lacks the files the
resolver needs (stuff like /etc/resolv.conf or /etc/hosts) or that you
run it without the privileges necessary for it to be able to read these
files. [...]
Re: [Pound Mailing List] RewriteRedirect http->https issue
Rob Moore <rmoore(at)espsg.com>
2006-09-25 18:32:08
You are correct, I have been running it with root jail enabled. If I
comment that out in the config file, it functions correctly.
I recall seeing some discussion about the relevancy of root jail since
pound doesn't write to the file system. Would you say that it's
essential for a secure system?
Thanks,
Rob
Robert Segall wrote: [...]
Re: [Pound Mailing List] RewriteRedirect http->https issue
Robert Segall <roseg(at)apsis.ch>
2006-09-25 18:44:50
On Mon, 2006-09-25 at 11:32 -0500, Rob Moore wrote: [...]
As I wrote earlier - just add the relevant files to your jail and you'll
be OK. First candidates are /etc/resolv.conf and (probably at least part
of) /etc/hosts. Depending on your system you may require a few others
(such as nsswitch.conf) as well - see the man pages for your resolver.
[...]
Essential? Certainly not, but I personally prefer a defence in depth.
It is true that Pound never writes to the file system, and that it
(probably) runs as an unprivileged user, but you never know what obscure
vulnerability may be lurking somewhere. Better safe than sorry. [...]
Re: [Pound Mailing List] RewriteRedirect http->https issue
Rob Moore <rmoore(at)espsg.com>
2006-09-25 20:55:39
Thanks, Robert. Copying over the two files did the trick.
Rob
Re: [Pound Mailing List] RewriteRedirect http->https issue
Rob Moore <rmoore(at)espsg.com>
2006-09-28 17:17:55
Just a tip for anybody using RootJail on RHEL -- in order to use
anything except /etc/hosts for name resolution a little extra effort is
needed. I came across a postfix howto that helped me determine which
files are needed in the jail. Assuming your jail is located at
/usr/share/pound:
cp /etc/resolv.conf /etc/services /etc/hosts /etc/host.conf \
   /etc/nsswitch.conf /etc/localtime /usr/share/pound/etc
cp /lib/libnss_*.so* /lib/libresolv.so* /lib/libdb.so* /usr/share/pound/lib
localtime isn't strictly necessary for resolution but does allow for the
correct timestamps in the log files.
Rob
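The jail-population steps in this post, together with Robert's earlier list of candidate files, as an added checklist script (my example, not code from the thread or from Pound): it reports which resolver files and NSS/resolver libraries a jail is missing, copies them from a source root and marks them read-only, then re-checks. It assumes the layout this post uses (libraries directly under /lib); the jail path and source root are parameters so it can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not from the thread or Pound. Audit and populate a Pound
# RootJail with the files the resolver needs. Usage:
#   jail_ok / /usr/share/pound || populate_jail / /usr/share/pound

# Files under /etc that the thread identifies (localtime only for log timestamps).
RESOLVER_ETC="resolv.conf hosts host.conf nsswitch.conf services localtime"

# Print the relative path of each required etc file absent from jail root $1.
jail_missing_etc() {
    jail=$1
    for f in $RESOLVER_ETC; do
        [ -r "$jail/etc/$f" ] || echo "etc/$f"
    done
}

# Print each resolver library present under source root $1/lib but absent
# from jail root $2/lib (assumes libraries live directly under /lib).
jail_missing_libs() {
    src=$1; jail=$2
    for lib in "$src"/lib/libnss_*.so* "$src"/lib/libresolv.so* "$src"/lib/libdb.so*; do
        [ -e "$lib" ] || continue   # glob matched nothing
        name=$(basename "$lib")
        [ -e "$jail/lib/$name" ] || echo "lib/$name"
    done
}

# Copy every missing file from source root $1 into jail root $2 and strip
# write permission: the jailed, unprivileged Pound only ever reads them.
populate_jail() {
    src=$1; jail=$2
    mkdir -p "$jail/etc" "$jail/lib"
    for rel in $(jail_missing_etc "$jail") $(jail_missing_libs "$src" "$jail"); do
        [ -e "$src/$rel" ] || { echo "source lacks $rel" >&2; continue; }
        cp -p "$src/$rel" "$jail/$rel" && chmod a-w "$jail/$rel"
    done
}

# Return 0 when jail root $2 has everything resolution needs relative to
# source root $1; otherwise list what is missing on stderr and return 1.
jail_ok() {
    missing=$(jail_missing_etc "$2"; jail_missing_libs "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'missing from jail %s:\n%s\n' "$2" "$missing" >&2
    return 1
}
```

Run jail_ok after every package update as well: a glibc upgrade replaces the libnss_* copies outside the jail but not the ones inside it.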