Possible bug with HeadRemove (and feature request)
BizzApp <ml(at)bizzapp.biz> | 2007-01-05 16:27:59
Hello,
According to the manual, HeadRemove may be specified multiple times to
remove multiple headers. However, I cannot seem to make this work with
version 2.2.0 or 2.2.1. Configuration as follows:

    ListenHTTPS
        Address 192.168.1.6
        Port 443
        Cert "/opt/web/pound/etc/sslvhost.pem"
        HeadRemove "X-TEST1:"
        HeadRemove "X-TEST2:"
    End

On their own, both statements work but when used together, only the
latter statement takes effect. One solution is to re-write it as a
single regexp such as "(X-TEST1|X-TEST2):".
On a related note, would it be possible to allow multiple AddHeader
statements to be used within a HTTPS listener? I would find this
functionality very useful as it would greatly simplify the configuration
of pound and the backends.
Many Thanks, Mark
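
A config check for the behaviour reported above, as an added example that is not part of the original post or of Pound itself: it finds listeners with more than one HeadRemove and prints the single-regexp form the post uses as a workaround, generalised to any number of patterns. The list of nested block directives is an assumption about the config grammar.

```python
import re

# Constructed sample: the listener from the post above.
SAMPLE = '''\
ListenHTTPS
    Address 192.168.1.6
    Port 443
    Cert "/opt/web/pound/etc/sslvhost.pem"
    HeadRemove "X-TEST1:"
    HeadRemove "X-TEST2:"
End
'''

LISTENER = re.compile(r'^\s*(ListenHTTPS?)\s*$', re.I)
# Assumption: these directives open nested blocks that also close with End.
NESTED = re.compile(r'^\s*(Service|BackEnd|Emergency|Session)\b', re.I)
END = re.compile(r'^\s*End\s*$', re.I)
HEAD_REMOVE = re.compile(r'^\s*HeadRemove\s+"([^"]*)"\s*$', re.I)


def merge_patterns(patterns):
    """Fold several HeadRemove patterns into one alternation."""
    if all(p.endswith(':') for p in patterns):
        return '(' + '|'.join(p[:-1] for p in patterns) + '):'
    return '(' + '|'.join(patterns) + ')'


def audit(config_text):
    """Return [(listener_type, start_line, patterns, merged)] for each listener
    that has more than one HeadRemove directly in it."""
    findings, current, depth = [], None, 0
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if current is None:
            m = LISTENER.match(line)
            if m:
                current, depth = (m.group(1), lineno, []), 0
        elif NESTED.match(line):
            depth += 1
        elif END.match(line):
            if depth:
                depth -= 1
            else:
                if len(current[2]) > 1:
                    findings.append((*current, merge_patterns(current[2])))
                current = None
        elif depth == 0 and (m := HEAD_REMOVE.match(line)):
            current[2].append(m.group(1))
    return findings
```

Calling `audit(SAMPLE)` reports the listener at line 1 with the merged pattern `(X-TEST1|X-TEST2):`.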
Re: [Pound Mailing List] Possible bug with HeadRemove (and feature request)
Robert Segall <roseg(at)apsis.ch> | 2007-01-06 11:27:25
On Fri, 2007-01-05 at 15:27 +0000, BizzApp wrote:[...]
Thanks for pointing this out - it will be fixed in the next release.
[...]
That I don't really understand: one header or many is really the same.
Could you give an example of why this would be necessary? [...]
Re: [Pound Mailing List] Possible bug with HeadRemove (and feature request)
BizzApp <ml(at)bizzapp.biz> | 2007-01-08 15:23:53
[...][...]
Hi Robert, thanks for the response.
Our setup (which I believe is fairly common) is that we have multiple
name-based vhosts sharing a single IP. We also have an SSL vhost on
port 443. As it stands, anyone connecting to port 443 will see the vhost
specified by their host header (content that doesn't match the SSL
certificate). For example, we have http://www.example1.com and
https://www.example2.com - both unrelated sites but sharing the same IP.
We don't want users to be able to access example1.com over https. Anyone
connecting to port 443 should see example2.com (matching the SSL
certificate) regardless of host header specified.
My simple solution to this is as follows: For the HTTPS listener, I use
a HeadRemove statement to remove the Host: header supplied by the client
and use an AddHeader to add the host I want them to see. Rather
efficient I thought. Like many others, I also need a second header to
indicate to the application running on the backends if the request is
over SSL or not.
Now, I realise that it's possible to do this via a HeadRequire service
that directs example2.com to a backend listening on a different port.
However, I note and agree with your comments in the documentation that
vhosts should be implemented in the backends. So this functionality
would simplify my pound configuration and the back end configuration too.
Many Thanks[...]
Re: [Pound Mailing List] Possible bug with HeadRemove (and feature request)
Robert Segall <roseg(at)apsis.ch> | 2007-01-08 18:31:44
On Mon, 2007-01-08 at 14:23 +0000, BizzApp wrote:[...]
It looks to me like you are doing vhosts anyway, but in a very
roundabout way. Even worse, you'll still get a certificate mismatch, as
that is checked even before the HeadRequire mechanism.[...]