
RE: [Pound Mailing List] Vhosts with SSL
"Carbonell, Yann" <Yann.Carbonell(at)BancTec.ca>
2007-03-02 22:45:37 [ FULL ]
Hi,

For information I am using Pound with SSL and virtual hosts service setup
as well in order to access our different backend sites. And I would say it
works pretty well. We use a wildcard certificate for securing all our
subdomains. This is more cost effective and easier to manage as well.

I have one HTTPS listener and basically just filter services by headers.

yann.
[...]

Re: [Pound Mailing List] Session behavior
Robert Segall <roseg(at)apsis.ch>
2007-03-05 19:19:12 [ FULL ]
On Fri, 2007-03-02 at 10:52 -0800, Blake Barnett wrote:[...]

Yes, all conditions have precedence over the session mechanism. A
session applies only once all other conditions have been met.[...]

Re: [Pound Mailing List] Vhosts with SSL
Robert Segall <roseg(at)apsis.ch>
2007-03-05 19:23:43 [ FULL ]
On Fri, 2007-03-02 at 22:26 +0100, dev(at)tallowitz.ch wrote:[...]

Thanks for the information - I am sure a few other people appreciate it
as well.

Pound should work fine with these certificates - there is no difference
between HTTP and HTTPS in so far as the headers are concerned.[...]

Re: [Pound Mailing List] Apache logs
Dave Steinberg <dave(at)redterror.net>
2007-03-13 15:56:41 [ FULL ]
> I'm looking at my Apache 2 logs and I can see that the remote IP is
in[...]

http://stderr.net/apache/rpaf/

I haven't tried it yet, but it's on my to-do list...

Regards,[...]

Re: [Pound Mailing List] Apache logs
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-13 16:01:57 [ FULL ]
Hi,

Robert Easthope wrote:[...]
Look at the manual of apache httpd server, Specifically LogFormat.
I'm sure you can extract the IP of the client from X-Forwarded-For header.

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %c %T" combined

or something like this :)
[...]

Re: [Pound Mailing List] Apache logs
Ted Dunning <tdunning(at)veoh.com>
2007-03-13 16:30:49 [ FULL ]
Look for the forwarded-for header.


On 3/13/07 7:13 AM, "Robert Easthope" <r.easthope(at)ukerna.ac.uk> wrote:
[...]

Re: [Pound Mailing List] Apache logs
Richard Wilson <Richard.Wilson(at)senokian.net>
2007-03-13 17:57:48 [ FULL ]
Stefan Lambrev wrote:[...][...][...]
coming through a proxy at their end tried to browse the sites, at which 
point apache merrily logs two IPs, separated by a comma. Needless to 
say, webalizer and similar things barf horribly when they find a line in 
the log files that doesn't match the proper combined format. Luckily, it 
only barfs on that particular line and then continues, but it means our 
graphs excluded huge numbers of people.

Would it be possible to make a header specific to Pound, perhaps 
X-Pound-Client(or -Source, or -Something) which could be used for this 
purpose?

Dave.

Re: [Pound Mailing List] Apache logs
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-13 18:25:28 [ FULL ]
Hi,

Richard Wilson wrote:[...][...]
>>> Hi,
>>>
>>> I'm looking at my Apache 2 logs and I can see that the remote IP is in
>>> fact the load balancers IP.  Is there any way to get pound to forward on
>>> the originator IP address so we can still record useful stats using
>>> apache tools.  Can pound spoof the sender's ip and put the real person
>>> looking up the website rather than its own?
>>>
>>> Thanks,
>>> Bob
>>>
>>>   [...][...]

--- http.c.orig Wed Feb 28 18:18:11 2007
+++ http.c      Wed Feb 28 18:18:44 2007
(at)(at) -911,6 +911,7 (at)(at)
         if(cur_backend->be_type == BACK_END) {
             addr2str(caddr, MAXBUF - 1, &from_host);
             BIO_printf(be, "X-Forwarded-For: %s\r\n", caddr);
+           BIO_printf(be, "X-IP-From: %s\r\n", caddr);

             /* final CRLF */
             BIO_puts(be, "\r\n");
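Review bot: the added `BIO_printf(be, "X-IP-From: %s\r\n", caddr);` writes the header unconditionally, so a client that already sends an X-IP-From header of its own reaches the back-end with two values, the client-supplied one and Pound's, which is exactly the ambiguity this thread reports for X-Forwarded-For. The `HeadDeny "X-IP-From"` that the message recommends for pound.conf is therefore a hard requirement of this change rather than an optional extra, and it deserves a comment next to the new line saying so; without it the back-end cannot tell which of the two values Pound wrote.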


and of course do not forget to add something like this in your pound.conf:
    HeadDeny "X-IP-From"
 :)

Btw if you really do not care what you have in X-Forwarded-For but just 
the last IP you can deny it too and no patches will be needed (well, not 
tested)
[...]

Re: [Pound Mailing List] Apache logs
Jacques Caron <jc(at)oxado.com>
2007-03-13 18:27:51 [ FULL ]
mod_extract_forwarded2

http://www.cotds.org/mod_extract_forwarded2/

This should probably be added to a FAQ somewhere :-)

Jacques.

At 15:13 13/03/2007, Robert Easthope wrote:[...]

RE: [Pound Mailing List] Apache logs
<F.Alcala-Soler(at)iaea.org>
2007-03-13 19:04:41 [ FULL ]
Hi,
[...]

One possibility instead of modifying Pound or using the suggested log
line could be to add the following Apache config lines to your backend:

	SetEnvIf Remote_Addr "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" sRemoteAddr=$1
	SetEnvIfNoCase X-Forwarded-For "^\s*unknown\s*$" sXForwardedFor=%{sRemoteAddr}e
	SetEnvIfNoCase X-Forwarded-For "^\s*(unknown,\s*)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*" sXForwardedFor=$2
	LogFormat "%{sXForwardedFor}e %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %c %T" combined

I use a similar thing for the purpose of capturing the original IP
address in a reverse proxy chain, but this particular one is untested,
so beware. In particular, line 2 above is from the top of my head.

The first two lines are supposed to capture the Pound IP address in case
you don't find anything suitable in the X-Forwarded-For header, i.e. if
this header contains only "unknown". I've seen this happen, I think,
though not with Pound. The third line captures the first valid IP
address in the list provided in the X-Forwarded-For header. Note that
this address is the really first one and not the one hitting your Pound
load balancer. Change the regular expression accordingly to capture the
one hitting Pound, if that's what you need. The last line is supposed to
log your captured IP address.

If it works, make the above example a bit more robust before placing it
in production, since there are other possibilities in which the
X-Forwarded-For header might be damaged and you'd need to use the Pound
address instead.

Regards,

 Curro
 ---
 Francisco Javier "Curro" Alcala-Soler

This email message is intended only for the use of the named recipient.
Information contained in this email message and its attachments may be
privileged, confidential and protected from disclosure. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication to others. Also please notify the sender by replying to this
message and then delete it from your system.

RE: [Pound Mailing List] Apache logs
"Robert Easthope" <r.easthope(at)ukerna.ac.uk>
2007-03-14 00:01:32 [ FULL ]
Thank you Jacques and others for, as always, really helpful comments. I am
very impressed with pound and the community support that it has.

Regards,
Bob

-----Original Message-----
From: Jacques Caron [mailto:jc(at)oxado.com] 
Sent: 13 March 2007 17:28
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Apache logs


mod_extract_forwarded2

http://www.cotds.org/mod_extract_forwarded2/

This should probably be added to a FAQ somewhere :-)

Jacques.

At 15:13 13/03/2007, Robert Easthope wrote:[...]

[...]

RE: [Pound Mailing List] Apache logs
"Robert Easthope" <r.easthope(at)ukerna.ac.uk>
2007-03-14 00:46:05 [ FULL ]
How do I apply the patch?  Is it available as a binary to download?

-----Original Message-----
From: Stefan Lambrev [mailto:stefan.lambrev(at)sun-fish.com] 
Sent: 13 March 2007 17:25
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Apache logs


Hi,

Richard Wilson wrote:[...][...]
>>> Hi,
>>>
>>> I'm looking at my Apache 2 logs and I can see that the remote IP is
>>> in fact the load balancers IP.  Is there any way to get pound to
>>> forward on the originator IP address so we can still record useful
>>> stats using apache tools.  Can pound spoof the sender's ip and put
>>> the real person looking up the website rather than its own?
>>>
>>> Thanks,
>>> Bob
>>>
>>>   [...][...]
[...]

--- http.c.orig Wed Feb 28 18:18:11 2007
+++ http.c      Wed Feb 28 18:18:44 2007
(at)(at) -911,6 +911,7 (at)(at)
         if(cur_backend->be_type == BACK_END) {
             addr2str(caddr, MAXBUF - 1, &from_host);
             BIO_printf(be, "X-Forwarded-For: %s\r\n", caddr);
+           BIO_printf(be, "X-IP-From: %s\r\n", caddr);

             /* final CRLF */
             BIO_puts(be, "\r\n");


and of course do not forget to add something like this in your
pound.conf:
    HeadDeny "X-IP-From"
 :)

Btw if you really do not care what you have in X-Forwarded-For but just 
the last IP you can deny it too and no patches will be needed (well, not
tested)
[...]

RE: [Pound Mailing List] Apache logs
"Kiriki Delany" <kiriki(at)streamguys.com>
2007-03-14 01:06:38 [ FULL ]
This would be a feature that would be great to enable via a switch.

It was one of the first things I had to solve when implementing Pound in
order to produce meaningful log files from apache.

Using Pound logs as authoritative was another suggestion, which I chose not
to implement.

I added the X-Forwarded-For support to apache logging eventually, and changed
the logging to simulate conventional logging. However I still have an issue
with cache proxies reporting more than one IP, and other related logging
errors.

A switch would solve this for intermediate users such as myself, who don't
know how to tweak Pound when it's compiled.

The logging issue seems straightforward enough, and something most users
have to grapple with one way or another. 

Thank you,
Kiriki Delany

-----Original Message-----
From: Robert Easthope [mailto:r.easthope(at)ukerna.ac.uk] 
Sent: Tuesday, March 13, 2007 4:46 PM
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] Apache logs

How do I apply the patch?  Is it available as a binary to download?

-----Original Message-----
From: Stefan Lambrev [mailto:stefan.lambrev(at)sun-fish.com] 
Sent: 13 March 2007 17:25
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Apache logs


Hi,

Richard Wilson wrote:[...][...]
>>> Hi,
>>>
>>> I'm looking at my Apache 2 logs and I can see that the remote IP is
>>> in fact the load balancers IP.  Is there any way to get pound to
>>> forward on the originator IP address so we can still record useful
>>> stats using apache tools.  Can pound spoof the sender's ip and put
>>> the real person looking up the website rather than its own?
>>>
>>> Thanks,
>>> Bob
>>>
>>>   [...][...]
[...]

--- http.c.orig Wed Feb 28 18:18:11 2007
+++ http.c      Wed Feb 28 18:18:44 2007
(at)(at) -911,6 +911,7 (at)(at)
         if(cur_backend->be_type =BACK_END) {
             addr2str(caddr, MAXBUF - 1, &from_host);
             BIO_printf(be, "X-Forwarded-For: %s\r\n", caddr);
+           BIO_printf(be, "X-IP-From: %s\r\n", caddr);

             /* final CRLF */
             BIO_puts(be, "\r\n");


and of course do not forget to add something like this in your
pound.conf:
    HeadDeny "X-IP-From"
 :)

Btw if you really do not care what you have in X-Forwarded-For but just 
the last IP you can deny it too and no patches will be needed (well, not
tested)
[...]

Re: [Pound Mailing List] Apache logs
Jon Higgs <it(at)ixplore.com.au>
2007-03-14 02:36:15 [ FULL ]
If anyone decides to write a FAQ there is an ISAPI X-Forwarded filter 
for IIS available too.

http://devcentral.f5.com/weblogs/joe/archive/2005/09/23/1492.aspx

Regards,
Jon

Jacques Caron wrote:[...][...][...]
[...]

Re: [Pound Mailing List] Error 414
Robert Segall <roseg(at)apsis.ch>
2007-03-14 18:20:14 [ FULL ]
On Wed, 2007-03-14 at 09:00 +0100, Raphael Pesche wrote:[...]

Change the value of MAXBUF and recompile. I would also suggest you have
another look at your application - that long an URL is "unusual".[...]

RE: [Pound Mailing List] Apache logs
Robert Segall <roseg(at)apsis.ch>
2007-03-14 18:23:38 [ FULL ]
On Tue, 2007-03-13 at 17:06 -0700, Kiriki Delany wrote:[...]

It would also break a bunch of RFCs. Might be easier if you just
HeadRemove the header (so all previous proxies are erased) and use the
unique X-Forwarded-for from Pound for the Apache logs.

I might add that it's not entirely clear to me why you choose to use each
Apache log separately instead of the combined Pound log, but that is
your choice.[...]
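The two approaches in this thread, Curro's SetEnvIf rules that take the first valid address out of X-Forwarded-For and Robert Segall's advice to let the back-end see only the single address Pound appends, differ in which end of the list they believe. The following is an added example, not code from the thread or from Pound itself; the addresses, the trusted-proxy set and the log line are constructed (RFC 5737 documentation ranges). It parses the header the way the thread's Apache rules do, skipping "unknown", and then shows the right-to-left walk that yields the address Pound actually accepted the connection from, which is also how a "two IPs separated by a comma" log line of the kind that breaks webalizer can be reduced to one address.

```python
import ipaddress
import re

# Constructed values for the example (not from the thread): the address the
# Pound load balancer connects from, as the Apache back-end sees it.
POUND_ADDR = "192.0.2.10"
TRUSTED_PROXIES = frozenset({POUND_ADDR})


def parse_xff(header):
    """Split an X-Forwarded-For value into the addresses it carries,
    left to right, dropping 'unknown' and anything that is not an IP."""
    addrs = []
    for token in (header or "").split(","):
        token = token.strip()
        if not token or token.lower() == "unknown":
            continue
        try:
            addrs.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # garbage in the header, e.g. a hostname or junk
    return addrs


def first_hop(header, fallback):
    """What the SetEnvIf rules in the thread compute: the first valid
    address in the list, or the proxy address when there is none.
    The first entry is written by the party furthest upstream, so it is
    whatever the client (or anything in front of it) chose to send."""
    addrs = parse_xff(header)
    return addrs[0] if addrs else fallback


def nearest_untrusted_hop(header, remote_addr, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right. remote_addr is the peer that opened the
    connection; if it is one of our proxies, the last list entry is the
    address that proxy saw, and so on leftwards. The first address we do
    not run ourselves is the one Pound accepted the connection from, the
    same value a back-end gets when Pound is the only writer of the header."""
    if remote_addr not in trusted:
        return remote_addr
    for addr in reversed(parse_xff(header)):
        if addr not in trusted:
            return addr
    return remote_addr  # header empty or only our own hops listed


# Combined log line whose first field holds the raw X-Forwarded-For value,
# which is what LogFormat "%{X-Forwarded-For}i ..." produces. That field may
# contain spaces ("a, b"), so match it lazily and re-anchor on the
# "[timestamp]" that follows %l and %u.
COMBINED_RE = re.compile(r'^(?P<xff>.+?) (?P<ident>\S+) (?P<user>\S+) (?P<rest>\[.*)$')


def normalize_combined_line(line, proxy_addr=POUND_ADDR, trusted=TRUSTED_PROXIES):
    """Rewrite a combined-format line so the first field is exactly one
    address, which is what webalizer and similar tools expect. Returns
    None when the line does not look like a combined-format entry."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    addr = nearest_untrusted_hop(m.group("xff"), proxy_addr, trusted)
    return f'{addr} {m.group("ident")} {m.group("user")} {m.group("rest")}'


# Constructed sample line: a client (203.0.113.5) behind its own proxy
# (198.51.100.7), the two-address case reported in the thread.
SAMPLE_LINE = ('203.0.113.5, 198.51.100.7 - - [13/Mar/2007:15:13:00 +0000] '
               '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    print(first_hop("203.0.113.5, 198.51.100.7", POUND_ADDR))
    print(nearest_untrusted_hop("203.0.113.5, 198.51.100.7", POUND_ADDR))
    print(normalize_combined_line(SAMPLE_LINE))
```

`first_hop` reproduces what the regex-based Apache configuration records and is the right choice only when every party upstream is trusted to write the header honestly; `nearest_untrusted_hop` is the defensible default, because the address it returns is one a proxy you operate observed on a real TCP connection rather than one copied out of a request header.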

Re: [Pound Mailing List] Error 414
Raphael Pesche <raphael.pesche(at)rz.uni-freiburg.de>
2007-03-15 11:23:07 [ FULL ]
Robert Segall schrieb:[...][...][...]

Thanks, it worked.
I agree, that long an URL is somehow unusual. Such URLs can be produced
by the advanced search of Plone.

Regards,
Raphael

[...]

Re: [Pound Mailing List] SSL redirect
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-15 20:50:55 [ FULL ]
John Moore wrote:[...]
You are right pound can't proxy SSL requests and the last hop is always plain 
text :)
If your backends are remote there are a lot of ways to create an 
encrypted connection to them. You can do this with various VPN/IPsec 
solutions (OpenVPN is best for me),
you can use stunnel between pound and backend also or even OpenSSH. 
There are thousands of ways to do what you want to do :)
[...]

Re: [Pound Mailing List] SSL redirect
John Moore <john(at)jmsd.co.uk>
2007-03-15 20:59:03 [ FULL ]
Stefan Lambrev wrote:[...]
OK, that's what I thought.[...]
Yes, my fallback was to use SSH tunnelling. I'll take a look at OpenVPN 
as well. Thanks for the suggestions!

John
[...]

Re: [Pound Mailing List] Slow transfer
Robert Segall <roseg(at)apsis.ch>
2007-03-19 18:28:41 [ FULL ]
On Fri, 2007-02-16 at 17:41 +0100, Robert Segall wrote:[...]

All of the answers received - with one exception - indicated good
performance, comparable to direct back-end access (within a few
percentage points).

The one exception is Pound 2.2.1 running on an RH9 system (Linux kernel
2.4). The back-end tested is Apache 2 on Debian. Pound is about 5 times
slower than direct back-end access.

I must admit I have no idea what the actual reason is, especially since
other people reported good performance on other RH versions. Prime
suspects would be the RH pthreads library (I seem to recall that RH
tried at some point to do something like NPTL on 2.4), the TCP stack or
some unrelated factor (like generic hardware or networking problems).

Additional suggestions and results are welcome.[...]

RE: [Pound Mailing List] Slow transfer
Sérgio Freire <sergio-s-freire(at)ptinovacao.pt>
2007-03-21 22:19:02 [ FULL ]
Yes, RH AS3 had kernel 2.4 but with NPTL back ported.
RedHat 9.0 also had NPTL.

If you want, it's possible to install linux kernel 2.6 on RH 9.0. And then you
can check if it's a 2.4 kernel "problem".
Or you can rebuild a more recent 2.4 kernel, one not from RH but from
kernel.org.. 
These are just ideas...
Sergio Freire

-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch] 
Sent: segunda-feira, 19 de Março de 2007 17:29
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Slow transfer

On Fri, 2007-02-16 at 17:41 +0100, Robert Segall wrote:[...]

All of the answers received - with one exception - indicated good
performance, comparable to direct back-end access (within a few
percentage points).

The one exception is Pound 2.2.1 running on an RH9 system (Linux kernel
2.4). The back-end tested is Apache 2 on Debian. Pound is about 5 times
slower than direct back-end access.

I must admit I have no idea what the actual reason is, especially since
other people reported good performance on other RH versions. Prime
suspects would be the RH pthreads library (I seem to recall that RH
tried at some point to do something like NPTL on 2.4), the TCP stack or
some unrelated factor (like generic hardware or networking problems).

Additional suggestions and results are welcome.[...]

RE: [Pound Mailing List] Slow transfer
Sérgio Freire <sergio-s-freire(at)ptinovacao.pt>
2007-03-21 22:26:04 [ FULL ]
Also, I suggest trying this hack mentioned by RedHat (maybe the 2.4.1 value at
compile time):

If an application does not work properly with NPTL, it can be run using the old
LinuxThreads implementation by setting the following environment variable:

LD_ASSUME_KERNEL=<kernel-version>

The following versions are available:

- 2.4.1 - Linuxthreads with floating stacks

- 2.2.5 - Linuxthreads without floating stacks

Sergio Freire


-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch] 
Sent: segunda-feira, 19 de Março de 2007 17:29
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Slow transfer

On Fri, 2007-02-16 at 17:41 +0100, Robert Segall wrote:[...]

All of the answers received - with one exception - indicated good
performance, comparable to direct back-end access (within a few
percentage points).

The one exception is Pound 2.2.1 running on an RH9 system (Linux kernel
2.4). The back-end tested is Apache 2 on Debian. Pound is about 5 times
slower than direct back-end access.

I must admit I have no idea what the actual reason is, especially since
other people reported good performance on other RH versions. Prime
suspects would be the RH pthreads library (I seem to recall that RH
tried at some point to do something like NPTL on 2.4), the TCP stack or
some unrelated factor (like generic hardware or networking problems).

Additional suggestions and results are welcome.[...]

Re: [Pound Mailing List] HTTP-HTTPS-Rewrite
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-22 09:31:28 [ FULL ]
Hi,

michael.ringler(at)itecplus.de wrote:[...]
Probably your backends return HTTP not HTTPS links, so you just create a 
loop.
If you want this to work you need to rewrite the URL which can be done 
on the backend.
If you are using apache httpd server, then mod_rewrite is your solution :)
[...]
