
RE: [Pound Mailing List] Https redirection question: [SOLUTION]
"Wassink, mw. ing. A." <AWassink(at)cvz.nl>
2007-02-28 16:02:54
Hi Ted,

Thanks very much for your reply. 

We currently have one webserver (10.10.10.10) under our control serving
multiple websites, and like to keep it this way. 
Although a solution, an extra trivial web-server (physical machine I
suppose?) is not really an option for us.

The second option using a security plug-in in the webserver we did not
investigate because in the meantime we found another solution...:

1) We configured the POUND-server (192.168.10.135) with an extra
IP-address (192.168.10.134) and 
changed the DNS A-record for www.aaa.nl (the website which needs to be
protected by SSL) into 192.168.10.134.
2) Then in the pound.cfg we added extra ListenHTTP- and ListenHTTPS
sections for this IP-address 192.168.10.134. 
3) In the ListenHTTP we put the redirect statement towards the
https-service.
Combined with switching-off the forced-https-redirects configured in IIS
for www.aaa.nl this works fine.

Underneath our configuration (real IP-addresses are replaced by
fictitious ones):

Thanks for your help,
Regards,
Annemieke Wassink

#To distribute HTTP requests for all standard websites www.bbb.nl,
#www.ccc.nl etc. (except www.aaa.nl) to our (single) webmachine
#10.10.10.10:
ListenHTTP
    Address 192.168.10.135
    Port    80

    Service
        BackEnd
           Address 10.10.10.10
           Port    80
        End
    End
End

#To redirect clients connection to www.aaa.nl from HTTP to HTTPS :
ListenHTTP
    Address 192.168.10.134
    Port    80

    Service
         Redirect "https://www.aaa.nl"
    End
End

#To distribute HTTPS requests for www.aaa.nl to our (single) webmachine
#10.10.10.10:
ListenHTTPS
    Address 192.168.10.134
    Port    443
    Cert    "/home/miek/pki/btltrailconcat.txt"

    Service
       BackEnd
          Address 10.10.10.10
          Port 80
       End
    End
End

-----Original Message-----
From: Ted Dunning [mailto:tdunning(at)veoh.com] 
Sent: Wednesday 28 February 2007 11:33
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Https redirection question



The easiest way to do this would be to build a trivial web-server that
redirects all requests to https.

Then in pound, direct all http requests to this server and all https
requests to the normal server (using http).

Remember that pound will handle incoming https requests, but will not
generate any https requests to backends.  But what you really need is a
redirection, not load balancing so it is better to do what you need
using the application server rather than pound.

Another approach would be to use a security plug-in to look for the
headers that pound inserts for https requests.  If it doesn't see them,
it can redirect the requestor to https.  This saves an extra server, but
may involve changes to a machine you don't control.  If you are the one
who has to implement the security, then a trivial redirector that you
control is the answer. 


On 2/28/07 1:01 PM, "Wassink, mw. ing. A." <AWassink(at)cvz.nl> wrote:


--
To unsubscribe send an email with subject 'unsubscribe' to
pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
http://www.apsis.ch/pound/pound_list/archive/2007/2007-02/1172656916000/1172658761000
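
Added example (not part of the original messages and not Pound's own tooling): a small Python audit of the listener layout posted above. It checks that the port-80 listener on an address that also has a ListenHTTPS only redirects to https://, and it flags any other port-80 listener forwarding to a backend that also sits behind HTTPS, since requests arriving there are not covered by the redirect. parse_listeners, audit and SAMPLE are names made up for this example; request matching (URL, HeadRequire) and global Service blocks are not modelled, so the second finding is a prompt to review rather than a verdict.

```python
# Constructed sample: the three listeners from the message, with ';' standing in
# for newlines to keep it short (Port and Cert lines omitted).
SAMPLE = ("ListenHTTP;Address 192.168.10.135;Service;BackEnd;Address 10.10.10.10;End;End;End;"
          'ListenHTTP;Address 192.168.10.134;Service;Redirect "https://www.aaa.nl";End;End;'
          "ListenHTTPS;Address 192.168.10.134;Service;BackEnd;Address 10.10.10.10;End;End;End"
          ).replace(";", "\n")

def parse_listeners(cfg):
    """One dict per listener: kind, address, redirect targets, backend addresses."""
    listeners, cur, depth = [], None, 0
    for raw in cfg.splitlines():
        parts = raw.split("#", 1)[0].split()
        key = parts[0].lower() if parts else ""
        if key in ("listenhttp", "listenhttps"):
            cur = {"kind": key, "address": None, "redirects": [], "backends": []}
            listeners.append(cur)
            depth = 1
        elif cur is None or not key:
            continue                          # blank line, or a global directive
        elif key in ("service", "backend", "session", "emergency"):
            depth += 1                        # nested blocks, each closed by End
        elif key == "end":
            depth -= 1
            cur = cur if depth else None      # depth 0: the listener is closed
        elif key == "address" and depth == 1:
            cur["address"] = parts[-1]        # the listener's own address
        elif key == "address":
            cur["backends"].append(parts[-1]) # Address inside Service/BackEnd
        elif key == "redirect":
            cur["redirects"].append(parts[-1].strip('"'))
    return listeners

def audit(cfg):
    """Findings for port-80 listeners that leave a plain-HTTP path open."""
    ls = parse_listeners(cfg)
    tls = [l for l in ls if l["kind"] == "listenhttps"]
    tls_addrs = {l["address"] for l in tls}
    tls_backends = {b for l in tls for b in l["backends"]}
    findings = []
    for l in (l for l in ls if l["kind"] == "listenhttp"):
        redirect_only = l["redirects"] and not l["backends"] and all(
            r.lower().startswith("https://") for r in l["redirects"])
        if l["address"] in tls_addrs and not redirect_only:
            findings.append(f"{l['address']}: HTTP listener next to HTTPS is not redirect-only")
        elif set(l["backends"]) & tls_backends:
            findings.append(f"{l['address']}: plain HTTP forwards to a backend also served over HTTPS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

On the sample, the 192.168.10.134 pair passes and the 192.168.10.135 listener is reported, because it forwards to the same 10.10.10.10 backend with no host restriction in the configuration shown.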

Re: [Pound Mailing List] Https redirection question: [SOLUTION]
Ted Dunning <tdunning(at)veoh.com>
2007-02-28 16:43:54
Of course.

Same solution.  You did it with one line of configuration, I suggested an
entire web-server.

Perhaps, your solution is a bit better!


On 2/28/07 6:02 PM, "Wassink, mw. ing. A." <AWassink(at)cvz.nl> wrote:

RE: [Pound Mailing List] Https redirection question: [SOLUTION]
"Wassink, mw. ing. A." <AWassink(at)cvz.nl>
2007-02-28 17:13:36
Thanks for the compliment and your help. You helped us towards thinking
into this direction. 

-----Original Message-----
From: Ted Dunning [mailto:tdunning(at)veoh.com] 
Sent: Wednesday 28 February 2007 16:44
To: pound(at)apsis.ch
CC: Giardina, dhr. N
Subject: Re: [Pound Mailing List] Https redirection question:
[SOLUTION]


Of course.

Same solution.  You did it with one line of configuration, I suggested
an entire web-server.

Perhaps, your solution is a bit better!


On 2/28/07 6:02 PM, "Wassink, mw. ing. A." <AWassink(at)cvz.nl> wrote:
