how to configure pound for url rewrite / redirect
"Trevisani Massimo" <Massimo.Trevisani(at)one-ans.it>
2006-10-18 15:40:09
Hi.

I would like to configure pound as ssl accelerator for our web servers
(different sites).

                                             +--<myserver1>  www.mycompany.com
                      HTTPS           HTTP  /
<client>---<Internet>-------<pound>--------+----<myserver2>  abc.mycompany.it
                                            \
                                             +--<myserver3>  xyz.mycompany.com


With HTTPS all works fine. 

Now I need to set up pound to accept HTTP requests too, and translate them into
HTTPS requests via the URL rewrite feature or a redirect.
I mean (for example like in http://www.donotcall.gov):
1) a client browser connects to http://myserver1
2) pound rewrites the request to https://myserver1


Any suggestion on how to configure pound for it? 

Here is a brief pound.cfg (I'm using pound version 2.0, but I also tried the
latest 2.1.4):

--------------- begin
ListenHTTP
     Address 10.19.19.25
     Port    80
     xHTTP 1
     WebDAV 1
     Change30x 1
     Service
          Url         "http://www.mysite1.com/.*"
# doesn't work:          Redirect    "https://www.mysite1.com/"
          Backend
               Address 10.19.19.25
               Port    443
          End
          Session
              Type    Cookie
              ID      "sess80"
              TTL     300
          End
     End
End


ListenHTTPs
     Address 10.19.19.25
     Port    443
     xHTTP 1
     WebDAV 1
     Change30x 1
     Cert "/certs/cert-chain-mysite1.pem"
     Service
          BackEnd
              Address 10.19.13.23
              Port    80
          End
          Session
              Type    Cookie
              ID      "sess1"
              TTL     300
          End
     End
End


ListenHTTPs
     Address 10.19.19.26
     Port    443
     xHTTP 1
     WebDAV 1
     Change30x 1
     Cert "/certs/cert-chain-mysite2.pem"
     Service
          BackEnd
              Address 10.19.13.13
              Port    80
          End
          Session
              Type    Cookie
              ID      "sess2"
              TTL     300
          End
     End
End
-------------- end

Thanks,
Massimo.

Re: [Pound Mailing List] how to configure pound for url rewrite / redirect
Ted Dunning <tdunning(at)veoh.com>
2006-10-18 16:28:02
I don't think that pound will do what you request.

It will definitely convert https to http very well.

But converting http to https is (I am pretty sure) not possible.  You can
accept http requests that are passed on to the back end as http (no s), but
using pound as an SSL DE-celerator isn't what it was designed to do.

If the link to your backends really must be encrypted, consider stunnel or
ssh based tunnels or even firewall to firewall IPSEC instead.  All of these
will give you the desired security without messing around with https for
point to point communications.



R: [Pound Mailing List] how to configure pound for url rewrite / redirect
"Trevisani Massimo" <Massimo.Trevisani(at)one-ans.it>
2006-10-18 17:15:08
Hi Ted.

What I needed to do was an "always https" with clients, even if they connect to
our servers via http. I thought that pound could solve my problem.

Thanks,
Massimo.


Re: [Pound Mailing List] how to configure pound for url rewrite / redirect
Robert Segall <roseg(at)apsis.ch>
2006-10-18 18:41:06
On Wed, 2006-10-18 at 15:40 +0200, Trevisani Massimo wrote:[...]

See below.
[...]

Careful, this is 2.0. For 2.1.4 WebDAV and xHTTP have been merged.
[...]

Not needed for a redirect.
[...]

That's not a URL but a host name. Remove it or replace it with a
HeadRequire (if really needed).
[...]

Works just fine if you remove the URL above, which never matches
anything.
[...]

Remove completely both the Backend (otherwise some requests will go to
the Redirect, others to the Backend you define) and the Session (with
only a Redirect it is no longer relevant).
[...]

So your config should really show (for 2.1.4):

ListenHTTP
     Address 10.19.19.25
     Port    80
     xHTTP 2
     Service
          Redirect    "https://www.mysite1.com/"
     End
End

...which really means "for any request to http://10.19.19.25/... respond
with a redirect to https://www.mysite1.com/". Make sure mysite1 NEVER
replies with a redirect to HTTP or you'll get a redirect loop.

Hope this answers your question.[...]
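
Added example, not part of the thread or of Pound: a small checker for the redirect-loop caveat in the message above. It walks a redirect chain and flags any HTTPS-to-HTTP hop or revisited URL. The fetch callable, the function names and the two response tables are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def audit_redirects(start_url, fetch, max_hops=10):
    """Walk Location headers from start_url; return (chain, findings).

    fetch(url) -> (status, location_or_None) is a hypothetical callable, so the
    same check can run against a live listener or a constructed table.
    """
    chain, findings, url = [start_url], [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break                                  # final, non-redirect answer
        nxt = urljoin(url, location)               # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        if nxt in chain:
            chain.append(nxt)
            findings.append(f"loop: {nxt} revisited")
            break
        chain.append(nxt)
        url = nxt
    else:
        findings.append(f"no final response after {max_hops} hops")
    return chain, findings

def table_fetch(table):
    """Serve canned answers; unknown URLs return a plain 200."""
    return lambda url: table.get(url, (200, None))

# Constructed sample data (not captured traffic): the port-80 Redirect
# service from the thread, then a well-behaved HTTPS site.
GOOD = {
    "http://www.mysite1.com/login": (302, "https://www.mysite1.com/"),
    "https://www.mysite1.com/": (200, None),
}
# Constructed failure case: the site behind the HTTPS listener answers with
# an absolute http:// Location, which the port-80 listener bounces back.
BAD = dict(GOOD)
BAD["https://www.mysite1.com/"] = (302, "http://www.mysite1.com/home")
BAD["http://www.mysite1.com/home"] = (302, "https://www.mysite1.com/")

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("BAD", BAD)):
        chain, findings = audit_redirects(
            "http://www.mysite1.com/login", table_fetch(table))
        print(name, " -> ".join(chain), findings or "ok")
```

To run it against a real deployment, pass a fetch function that issues the request without following redirects and returns the status and Location header.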

Re: R: [Pound Mailing List] how to configure pound for url rewrite / redirect
Ted Dunning <tdunning(at)veoh.com>
2006-10-19 09:10:06
Ahhh... That is different.

Have you tried forcing a redirect at the backend level?  You could also set
up an http service that goes to a special purpose back end that you control
and which only redirects to the https version.



RE: [Pound Mailing List] how to configure pound for url rewrite / redirect
"Trevisani Massimo" <Massimo.Trevisani(at)one-ans.it>
2006-10-19 10:04:17
Hi Robert.

Thanks a lot. I tested it with version 2.1.4 and it's working!

Bye,
Massimo.


RE: [Pound Mailing List] how to configure pound for url rewrite / redirect
"Trevisani Massimo" <Massimo.Trevisani(at)one-ans.it>
2006-10-20 11:54:26
Hi all.

I want to add a note: one of my backend servers is an OWA. To let pound work
correctly I had to add the line
AddHeader   "Front-End-Https: on"
in the related ListenHTTPs section, and now pound and OWA are working fine too.

Bye,
Massimo.

