RE: [Pound Mailing List] Vhosts with SSL
"Carbonell, Yann" <Yann.Carbonell(at)BancTec.ca>
2007-03-02 22:45:37
Hi,
For information I am using Pound with SSL and virtual hosts service setup
as well in order to access our different backend sites. And I would say it
works pretty well. We use a wildcard certificate for securing all our
subdomains. This is more cost effective and easier to manage as well.
I have one HTTPS listener and basically just filter services by headers.
yann.
____________
Yann Carbonell
(514) 392 4926
ycarbonell(at)banctec.ca
-----Original Message-----
From: dev(at)tallowitz.ch [mailto:dev(at)tallowitz.ch]
Sent: March 2, 2007 4:26 PM
To: pound(at)apsis.ch
Subject: [Pound Mailing List] Vhosts with SSL
Hello list,
I've just written to Robert and he suggested I post to this list, so I will.
It is possible to do virtual hosting with SSL. Robert's description of the
connection setup with SSL is of course completely correct. The only
assumption not correct is that SSL certificates may only represent one
single domain. There is a way (in fact several) to generate a certificate to
represent many domains.
So Pound - or any other proxy or webserver - could be saying: This is my
certificate and my certificate represents example1.org, example2.com and
example3.biz and certificate authority X will certify that.
A very precise description (and status information) may be found on
http://wiki.cacert.org/wiki/VhostTaskForce. That page also includes a
browser compatibility list for different vhost methods.
Luckily, some commercial vendors also offer multi-domain certificates, so
you won't have to wait for cacert to be included into Mozilla products, IE
and Opera. I use a (commercial) multi-domain certificate in Apache and it
works flawlessly with IE >=6 and FF >=1.5 (as is to be expected).
You have 10+ domains and your CA is still selling you a certificate for each
single domain? Get out of that situation as soon as possible, it will save
you a lot of money.
Beware: I do not use Pound. I do not know if Pound skips reading the HTTP
Host header after doing HTTPS (maybe for efficiency reasons?). If it does I
assume it wouldn't require a lot of tweaking to put reading the Host header
with HTTPS back in (the code must surely be there already).
Cheers,
Stephen
--
To unsubscribe send an email with subject 'unsubscribe' to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
http://www.apsis.ch/pound/pound_list/archive/2007/2007-03/1172870770000

Re: [Pound Mailing List] Session behavior
Robert Segall <roseg(at)apsis.ch>
2007-03-05 19:19:12
On Fri, 2007-03-02 at 10:52 -0800, Blake Barnett wrote:
> We are currently using the COOKIE session type. We also have
> services defined for individual BackEnds with either a HeadRequire,
> or URL directive. What happens if more than one of these conditions
> are met? For example, a new session comes in with both a cookie set
> with our session variable, and the URL matches a pattern, does the
> pattern match take precedence?
Yes, all conditions have precedence over the session mechanism. A
session applies only once all other conditions have been met.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Re: [Pound Mailing List] Vhosts with SSL
Robert Segall <roseg(at)apsis.ch>
2007-03-05 19:23:43
On Fri, 2007-03-02 at 22:26 +0100, dev(at)tallowitz.ch wrote:
> Hello list,
>
> I've just written to Robert and he suggested I post to this list, so I will.
> It is possible to do virtual hosting with SSL. Robert's description of the
> connection setup with SSL is of course completely correct. The only
> assumption not correct is that SSL certificates may only represent one
> single domain. There is a way (in fact several) to generate a certificate to
> represent many domains.
> So Pound - or any other proxy or webserver - could be saying: This is my
> certificate and my certificate represents example1.org, example2.com and
> example3.biz and certificate authority X will certify that.
>
> A very precise description (and status information) may be found on
> http://wiki.cacert.org/wiki/VhostTaskForce. That page also includes a
> browser compatibility list for different vhost methods.
> Luckily, some commercial vendors also offer multi-domain certificates, so
> you won't have to wait for cacert to be included into Mozilla products, IE
> and Opera. I use a (commercial) multi-domain certificate in Apache and it
> works flawlessly with IE >=6 and FF >=1.5 (as is to be expected).
> You have 10+ domains and your CA is still selling you a certificate for each
> single domain? Get out of that situation as soon as possible, it will save
> you a lot of money.
>
> Beware: I do not use Pound. I do not know if Pound skips reading the HTTP
> Host header after doing HTTPS (maybe for efficiency reasons?). If it does I
> assume it wouldn't require a lot of tweaking to put reading the Host header
> with HTTPS back in (the code must surely be there already).
Thanks for the information - I am sure a few other people appreciate it
as well.
Pound should work fine with these certificates - there is no difference
between HTTP and HTTPS in so far as the headers are concerned.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Re: [Pound Mailing List] Apache logs
Dave Steinberg <dave(at)redterror.net>
2007-03-13 15:56:41
> I'm looking at my Apache 2 logs and I can see that the remote IP is in
> fact the load balancer's IP. Is there any way to get pound to forward on
> the originator IP address so we can still record useful stats using
> apache tools. Can pound spoof the sender's ip and put the real person
> looking up the website rather than its own?
http://stderr.net/apache/rpaf/
I haven't tried it yet, but it's on my to-do list...
Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

Re: [Pound Mailing List] Apache logs
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-13 16:01:57
Hi,
Robert Easthope wrote:
> Hi,
>
> I'm looking at my Apache 2 logs and I can see that the remote IP is in
> fact the load balancer's IP. Is there any way to get pound to forward on
> the originator IP address so we can still record useful stats using
> apache tools. Can pound spoof the sender's ip and put the real person
> looking up the website rather than its own?
>
> Thanks,
> Bob
>
>
Look at the manual of the Apache httpd server, specifically LogFormat.
I'm sure you can extract the IP of the client from the X-Forwarded-For header.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %c %T" combined
or something like this :)
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177

Re: [Pound Mailing List] Apache logs
Ted Dunning <tdunning(at)veoh.com>
2007-03-13 16:30:49
Look for the forwarded-for header.
On 3/13/07 7:13 AM, "Robert Easthope" <r.easthope(at)ukerna.ac.uk> wrote:
> Hi,
>
> I'm looking at my Apache 2 logs and I can see that the remote IP is in
> fact the load balancer's IP. Is there any way to get pound to forward on
> the originator IP address so we can still record useful stats using
> apache tools. Can pound spoof the sender's ip and put the real person
> looking up the website rather than its own?
>
> Thanks,
> Bob
>

Re: [Pound Mailing List] Apache logs
Richard Wilson <Richard.Wilson(at)senokian.net>
2007-03-13 17:57:48
Stefan Lambrev wrote:
> Hi,
>
> Robert Easthope wrote:
>> Hi,
>>
>> I'm looking at my Apache 2 logs and I can see that the remote IP is in
>> fact the load balancer's IP. Is there any way to get pound to forward on
>> the originator IP address so we can still record useful stats using
>> apache tools. Can pound spoof the sender's ip and put the real person
>> looking up the website rather than its own?
>>
>> Thanks,
>> Bob
>>
>>
> Look at the manual of the Apache httpd server, specifically LogFormat.
> I'm sure you can extract the IP of the client from X-Forwarded-For
> header.
>
> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" %P %c %T" combined
>
> or something like this :)
>
I tried that. It worked fine right up to the point where someone who was
coming through a proxy at their end tried to browse the sites, at which
point apache merrily logs two IPs, separated by a comma. Needless to
say, webalizer and similar things barf horribly when they find a line in
the log files that doesn't match the proper combined format. Luckily, it
only barfs on that particular line and then continues, but it means our
graphs excluded huge numbers of people.
Would it be possible to make a header specific to Pound, perhaps
X-Pound-Client (or -Source, or -Something) which could be used for this
purpose?
Dave.

Re: [Pound Mailing List] Apache logs
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-13 18:25:28
Hi,
Richard Wilson wrote:
> Stefan Lambrev wrote:
>> Hi,
>>
>> Robert Easthope wrote:
>>> Hi,
>>>
>>> I'm looking at my Apache 2 logs and I can see that the remote IP is in
>>> fact the load balancer's IP. Is there any way to get pound to
>>> forward on
>>> the originator IP address so we can still record useful stats using
>>> apache tools. Can pound spoof the sender's ip and put the real person
>>> looking up the website rather than its own?
>>>
>>> Thanks,
>>> Bob
>>>
>>>
>> Look at the manual of the Apache httpd server, specifically LogFormat.
>> I'm sure you can extract the IP of the client from X-Forwarded-For
>> header.
>>
>> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
>> \"%{User-Agent}i\" %P %c %T" combined
>>
>> or something like this :)
>>
> I tried that. It worked fine right up to the point where someone who
> was coming through a proxy at their end tried to browse the sites, at
> which point apache merrily logs two IPs, separated by a comma.
> Needless to say, webalizer and similar things barf horribly when they
> find a line in the log files that doesn't match the proper combined
> format. Luckily, it only barfs on that particular line and then
> continues, but it means our graphs excluded huge numbers of people.
>
> Would it be possible to make a header specific to Pound, perhaps
> X-Pound-Client(or -Source, or -Something) which could be used for this
> purpose?
>
> Dave.
>
This patch works for me:
--- http.c.orig Wed Feb 28 18:18:11 2007
+++ http.c Wed Feb 28 18:18:44 2007
(at)(at) -911,6 +911,7 (at)(at)
if(cur_backend->be_type == BACK_END) {
addr2str(caddr, MAXBUF - 1, &from_host);
BIO_printf(be, "X-Forwarded-For: %s\r\n", caddr);
+ BIO_printf(be, "X-IP-From: %s\r\n", caddr);
/* final CRLF */
BIO_puts(be, "\r\n");
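Review bot: the new X-IP-From line is written unconditionally after the request headers have already been forwarded, so a client that sends its own X-IP-From header still gets it passed to the backend ahead of Pound's copy, and the backend sees two values again; the patch itself should state that the listener has to strip the incoming header (the message mentions HeadDeny only after the hunk, and Robert Segall's reply in this thread uses HeadRemove for stripping) instead of leaving that to the reader. The added line reuses the caddr buffer formatted for the X-Forwarded-For line just above it and, like that line, does not check the BIO_printf return value, which is consistent with the surrounding code.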
and of course do not forget to add something like this in your pound.conf:
HeadDeny "X-IP-From"
:)
Btw if you really do not care what you have in X-Forwarded-For but just
the last IP you can deny it too and no patches will be needed (well, not
tested)
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177

Re: [Pound Mailing List] Apache logs
Jacques Caron <jc(at)oxado.com>
2007-03-13 18:27:51
mod_extract_forwarded2
http://www.cotds.org/mod_extract_forwarded2/
This should probably be added to a FAQ somewhere :-)
Jacques.
At 15:13 13/03/2007, Robert Easthope wrote:
>Hi,
>
>I'm looking at my Apache 2 logs and I can see that the remote IP is in
>fact the load balancer's IP. Is there any way to get pound to forward on
>the originator IP address so we can still record useful stats using
>apache tools. Can pound spoof the sender's ip and put the real person
>looking up the website rather than its own?
>
>Thanks,
>Bob
>

RE: [Pound Mailing List] Apache logs
<F.Alcala-Soler(at)iaea.org>
2007-03-13 19:04:41
Hi,
> I tried that. It worked fine right up to the point where someone who was
> coming through a proxy at their end tried to browse the sites, at which
> point apache merrily logs two IPs, separated by a comma. Needless to
> say, webalizer and similar things barf horribly when they find a line in
> the log files that doesn't match the proper combined format. Luckily, it
> only barfs on that particular line and then continues, but it means our
> graphs excluded huge numbers of people.
One possibility instead of modifying Pound or using the suggested log
line could be to add the following Apache config lines to your backend:
SetEnvIf Remote_Addr "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" sRemoteAddr=$1
SetEnvIfNoCase X-Forwarded-For "^\s*unknown\s*$" sXForwardedFor=%{sRemoteAddr}e
SetEnvIfNoCase X-Forwarded-For "^\s*(unknown,\s*)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*" sXForwardedFor=$2
LogFormat "%{sXForwardedFor}e %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %c %T" combined
I use a similar thing for the purpose of capturing the original IP
address in a reverse proxy chain, but this particular one is untested,
so beware. In particular, line 2 above is from the top of my head.
The first two lines are supposed to capture the Pound IP address in case
you don't find anything suitable in the X-Forwarded-For header, i.e. if
this header contains only "unknown". I've seen this happen, I think,
though not with Pound. The third line captures the first valid IP
address in the list provided in the X-Forwarded-For header. Note that
this address is really the first one and not the one hitting your Pound
load balancer. Change the regular expression accordingly to capture the
one hitting Pound, if that's what you need. The last line is supposed to
log your captured IP address.
If it works, make the above example a bit more robust before placing it
in production, since there are other possibilities in which the
X-Forwarded-For header might be damaged and you'd need to use the Pound
address instead.
Regards,
Curro
---
Francisco Javier "Curro" Alcala-Soler
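As an added example (not code from the Pound project or from anyone on this list), the Python script below does in a log post-processing step what the SetEnvIf lines above and Robert Segall's later HeadRemove suggestion aim at: it reduces the comma-separated X-Forwarded-For value to one address per line so that webalizer-style tools accept the log, and it makes the trust difference explicit between the first value (supplied by the client or an upstream proxy) and the last one (appended by Pound). The addresses, the list of our own proxies and the sample log lines are constructed.

```python
"""Reduce X-Forwarded-For to one address per Apache log line (added example)."""
import ipaddress
import re

# Field layout of the LogFormat used in this thread: the X-Forwarded-For header
# takes the place of %h, the rest is the usual "combined" format.  The header
# value may contain ", " so it is matched non-greedily up to "ident user [time]".
_LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Constructed values: the load balancer's own address and a second proxy of ours.
POUND_ADDR = "10.0.0.1"
TRUSTED_PROXIES = frozenset({POUND_ADDR, "10.0.0.2"})


def _is_ip(text: str) -> bool:
    """True if text parses as an IPv4 or IPv6 address (so "unknown" and "-" fail)."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def xff_hops(value: str):
    """Split 'unknown, 203.0.113.7' into ['unknown', '203.0.113.7']."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def client_ip(xff: str, remote_addr: str, trusted, policy: str = "last") -> str:
    """Choose the address to log for one request.

    policy="first": first syntactically valid entry, i.e. the SetEnvIf approach
      above.  That entry is whatever the client or an upstream proxy sent, so it
      is acceptable for visitor statistics but never for access decisions.
    policy="last": scan from the right, skipping our own proxies.  The rightmost
      untrusted entry was appended by Pound and is the address that really
      connected to it; with HeadRemove on the listener it is the only entry.
    Both fall back to remote_addr (Pound itself) when the header is absent ("-"),
    reads only "unknown", or contains nothing that parses as an address.
    """
    hops = [hop for hop in xff_hops(xff) if _is_ip(hop)]
    if policy == "first":
        return hops[0] if hops else remote_addr
    if policy == "last":
        for hop in reversed(hops):
            if hop not in trusted:
                return hop
        return remote_addr
    raise ValueError("unknown policy: " + policy)


def rewrite_line(line: str, remote_addr: str, trusted, policy: str = "last") -> str:
    """Rewrite one XFF-first log line into plain combined format (single %h field)."""
    m = _LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match the expected LogFormat: " + line)
    ip = client_ip(m["xff"], remote_addr, trusted, policy)
    return (f'{ip} {m["ident"]} {m["user"]} [{m["time"]}] "{m["request"]}" '
            f'{m["status"]} {m["size"]}{m["rest"]}')


# Constructed sample lines. 203.0.113.7 is the visitor's browser, 198.51.100.9 a
# proxy at the visitor's end (so Pound appends it as the last hop), 10.0.0.2 our
# own second proxy in front of Pound.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Mar/2007:15:13:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7, 198.51.100.9 - - [13/Mar/2007:15:13:05 +0000] "GET /a HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'unknown, 203.0.113.7 - - [13/Mar/2007:15:13:07 +0000] "GET /b HTTP/1.1" 404 0 "-" "curl/7.16.1"',
    'unknown - - [13/Mar/2007:15:13:09 +0000] "GET /c HTTP/1.1" 200 10 "-" "curl/7.16.1"',
    '- - - [13/Mar/2007:15:13:11 +0000] "GET /d HTTP/1.1" 200 10 "-" "curl/7.16.1"',
    '203.0.113.7, 10.0.0.2 - - [13/Mar/2007:15:13:13 +0000] "GET /e HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]


def normalise_log(lines, policy: str = "last"):
    """Rewrite every line; raises on a line that does not fit the format."""
    return [rewrite_line(line, POUND_ADDR, TRUSTED_PROXIES, policy) for line in lines]


if __name__ == "__main__":
    for policy in ("last", "first"):
        print("--", policy)
        for out in normalise_log(SAMPLE_LOG, policy):
            print(out)
```

Run it over a log written with the X-Forwarded-For LogFormat and feed the output to webalizer; compare the "last" and "first" outputs for the second sample line to see which address each policy attributes the hit to.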

RE: [Pound Mailing List] Apache logs
"Robert Easthope" <r.easthope(at)ukerna.ac.uk>
2007-03-14 00:01:32
Thank you, Jacques and others, for the as always really helpful comments. I am
very impressed with pound and the community support that it has.
Regards,
Bob

RE: [Pound Mailing List] Apache logs
"Robert Easthope" <r.easthope(at)ukerna.ac.uk>
2007-03-14 00:46:05
How do I apply the patch? Is it available as a binary to download?

RE: [Pound Mailing List] Apache logs
"Kiriki Delany" <kiriki(at)streamguys.com>
2007-03-14 01:06:38
This would be a feature that would be great to enable via a switch.
It was one of the first things I had to solve when implementing Pound in
order to produce meaningful log files from Apache.
Using Pound logs as authoritative was another suggestion, which I chose not
to implement.
I added the X-Forwarded-For support to Apache logging eventually, and changed
the logging to simulate conventional logging. However I still have an issue
with cache proxies reporting more than one IP, and other related logging
errors.
A switch would solve this for intermediate users such as myself, who don't
know how to tweak Pound when it's compiled.
The logging issue seems straightforward enough, and something most users
have to grapple with one way or another.
Thank you,
Kiriki Delany

Re: [Pound Mailing List] Apache logs
Jon Higgs <it(at)ixplore.com.au>
2007-03-14 02:36:15
If anyone decides to write a FAQ there is an ISAPI X-Forwarded filter
for IIS available too.
http://devcentral.f5.com/weblogs/joe/archive/2005/09/23/1492.aspx
Regards,
Jon
Jacques Caron wrote:
> mod_extract_forwarded2
>
> http://www.cotds.org/mod_extract_forwarded2/
>
> This should probably be added to a FAQ somewhere :-)
>
> Jacques.
>
> At 15:13 13/03/2007, Robert Easthope wrote:
>> Hi,
>>
>> I'm looking at my Apache 2 logs and I can see that the remote IP is in
>> fact the load balancer's IP. Is there any way to get pound to forward on
>> the originator IP address so we can still record useful stats using
>> apache tools. Can pound spoof the sender's ip and put the real person
>> looking up the website rather than its own?
>>
>> Thanks,
>> Bob
>>
>
>
--
Regards,
The IT Team

Re: [Pound Mailing List] Error 414
Robert Segall <roseg(at)apsis.ch>
2007-03-14 18:20:14
On Wed, 2007-03-14 at 09:00 +0100, Raphael Pesche wrote:
> Hi,
>
>
> upon processing very long URLs (that is very long query strings) I get
> an error
> 414 "Request URI too long".
> In my pound.cfg the options CheckURL and MaxRequest are unset (default
> are "0" and "unlimited" respectively).
> I run pound 1.9.
> Is there anything I can do to prevent pound from rejecting these URLs?
>
> Thanks in advance,
> Raphael
Change the value of MAXBUF and recompile. I would also suggest you have
another look at your application - that long an URL is "unusual".
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

RE: [Pound Mailing List] Apache logs
Robert Segall <roseg(at)apsis.ch>
2007-03-14 18:23:38
On Tue, 2007-03-13 at 17:06 -0700, Kiriki Delany wrote:
> This would be a feature that would be great to enable via a switch.
>
> It was one of the first things I had to solve when implementing Pound in
> order to produce meaningful log files from Apache.
>
> Using Pound logs as authoritative was another suggestion, which I chose not
> to implement.
>
> I added the X-Forwarded-For support to Apache logging eventually, and changed
> the logging to simulate conventional logging. However I still have an issue
> with cache proxies reporting more than one IP, and other related logging
> errors.
>
> A switch would solve this for intermediate users such as myself, who don't
> know how to tweak Pound when it's compiled.
>
> The logging issue seems straightforward enough, and something most users
> have to grapple with one way or another.
It would also break a bunch of RFCs. Might be easier if you just
HeadRemove the header (so all previous proxies are erased) and use the
unique X-Forwarded-For from Pound for the Apache logs.
I might add that it's not entirely clear to me why you chose to use each
Apache log separately instead of the combined Pound log, but that is
your choice.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Re: [Pound Mailing List] Error 414
Raphael Pesche <raphael.pesche(at)rz.uni-freiburg.de>
2007-03-15 11:23:07
Robert Segall wrote:
> On Wed, 2007-03-14 at 09:00 +0100, Raphael Pesche wrote:
>
>> Hi,
>>
>>
>> upon processing very long URLs (that is very long query strings) I get
>> an error
>> 414 "Request URI too long".
>> In my pound.cfg the options CheckURL and MaxRequest are unset (default
>> are "0" and "unlimited" respectively).
>> I run pound 1.9.
>> Is there anything I can do to prevent pound from rejecting these URLs?
>>
>> Thanks in advance,
>> Raphael
>>
>
> Change the value of MAXBUF and recompile. I would also suggest you have
> another look at your application - that long an URL is "unusual".
>
Thanks, it worked.
I agree, that long an URL is somehow unusual. Such URLs can be produced
by the advanced search of Plone.
Regards,
Raphael
--
___________________________________
Dr. Raphael Pesché
Rechenzentrum
Universitaet Freiburg
Hermann-Herder-Strasse 10
79104 Freiburg im Breisgau, Germany
Tel.: +49 (0)761 203 4621

Re: [Pound Mailing List] SSL redirect
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-15 20:50:55
John Moore wrote:
> Hi,
>
> I've been playing around with Pound and am very impressed so far. I
> have a query about SSL usage. I know Pound can be used as an SSL
> wrapper, with the result that cleartext requests are sent on to the
> back end servers. Is it possible, though, for it to actually proxy SSL
> requests, so that the redirected requests to the back end servers are
> also SSL? I imagine not, because it requires to actually look at the
> request headers, but I wondered whether it might initiate its own SSL
> requests having done the initial decryption of the browser request.
>
> The reason I ask is that I am looking at the possibility of using
> Pound in a project where it may well be redirecting to remote servers
> over the open Internet, and clearly SSL would not be effective if the
> last hop of the journey was cleartext.
>
> John
>
>
You are right, pound can't proxy SSL requests and the last hop is always plain
text :)
If your backends are remote there are a lot of ways to create an
encrypted connection to them. You can do this with various VPN/IPsec
solutions (OpenVPN is best for me),
you can use stunnel between pound and backend also, or even OpenSSH.
There are thousands of ways to do what you want to do :)
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177

Re: [Pound Mailing List] SSL redirect
John Moore <john(at)jmsd.co.uk>
2007-03-15 20:59:03
Stefan Lambrev wrote:
>
> You are right, pound can't proxy SSL requests and the last hop is always
> plain text :)
OK, that's what I thought.
> If your backends are remote there are a lot of ways to create an
> encrypted connection to them. You can do this with various VPN/IPsec
> solutions (OpenVPN is best for me),
> you can use stunnel between pound and backend also, or even OpenSSH.
> There are thousands of ways to do what you want to do :)
Yes, my fallback was to use SSH tunnelling. I'll take a look at OpenVPN
as well. Thanks for the suggestions!
John
--
==============================================
John Moore - Norwich, UK - john(at)jmsd.co.uk
==============================================

Re: [Pound Mailing List] Slow transfer
Robert Segall <roseg(at)apsis.ch>
2007-03-19 18:28:41
On Fri, 2007-02-16 at 17:41 +0100, Robert Segall wrote:
> Given the number of complaints we have seen I'd like to have an informal
> poll (pun not intentional) for the performance problem. This is
> addressed to everybody, regardless of having a performance problem or
> not. Please mail me directly the following information and I'll
> summarise to the list.
All of the answers received - with one exception - indicated good
performance, comparable to direct back-end access (within a few
percentage points).
The one exception is Pound 2.2.1 running on an RH9 system (Linux kernel
2.4). The back-end tested is Apache 2 on Debian. Pound is about 5 times
slower than direct back-end access.
I must admit I have no idea what the actual reason is, especially since
other people reported good performance on other RH versions. Prime
suspects would be the RH pthreads library (I seem to recall that RH
tried at some point to do something like NPTL on 2.4), the TCP stack or
some unrelated factor (like generic hardware or networking problems).
Additional suggestions and results are welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

RE: [Pound Mailing List] Slow transfer
Sérgio Freire <sergio-s-freire(at)ptinovacao.pt>
2007-03-21 22:19:02
Yes, RH AS3 had kernel 2.4 but with NPTL back-ported.
RedHat 9.0 also had NPTL.
If you want, it's possible to install Linux kernel 2.6 on RH 9.0. And then you
can check if it's a 2.4 kernel "problem".
Or you can rebuild a more recent 2.4 kernel, one not from RH but from
kernel.org.
These are just ideas...
Sergio Freire
RE: [Pound Mailing List] Slow transfer
Sérgio Freire <sergio-s-freire(at)ptinovacao.pt>
2007-03-21 22:26:04
Also, I suggest trying this hack mentioned by RedHat (maybe the 2.4.1 value at
compile time):
If an application does not work properly with NPTL, it can be run using the old
LinuxThreads implementation by setting the following environment variable:
    LD_ASSUME_KERNEL=<kernel-version>
The following versions are available:
- 2.4.1 - LinuxThreads with floating stacks
- 2.2.5 - LinuxThreads without floating stacks
Sergio Freire
Re: [Pound Mailing List] HTTP-HTTPS-Rewrite
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2007-03-22 09:31:28
Hi,
michael.ringler(at)itecplus.de wrote:
> Hello
>
> I would like to rewrite an HTTP session to an HTTPS session. For example:
> a user calls a website with http://www.abc.de and should automatically be
> redirected to https://www.abc.de, and the further connection is also via
> HTTPS.
> I tried the following config:
> ...
> ...
> ListenHTTP
>     Address 1.1.1.1
>     Port 80
>     Service
>         HeadRequire "Host: .*www.abc.de.*"
>         Redirect "https://www.abc.de"
>     End
> End
>
> ListenHTTPS
>     Address 1.1.1.1
>     Port 443
>     Cert "cert.pem"
>     Service
>         HeadRequire "Host: .*www.abc.de.*"
>         Backend
>             Address 2.2.2.2
>             Port 80
>         End
>     End
> End
> ...
> ...
> But the result is:
> If the backend website is a static site with .html, it works. If the
> backend website is a dynamic site with .php, stylesheets and more, it does
> not work. It results in a loop and the site never comes up.
> Does anyone have an idea why this happens, or another idea of how to do this?
>
> Thanks Michael
>
>
Probably your backends return HTTP not HTTPS links, so you just create a
loop.
If you want this to work you need to rewrite the URL which can be done
on the backend.
If you are using apache httpd server, then mod_rewrite is your solution :)
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
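To make the loop Michael reports and the fix Stefan points at concrete, here is a small model of the exchange. This is an added example written for this archive page, not Pound's code and not anything posted in the thread. It models the two listeners from the quoted config, a dynamic backend that insists on being reached over HTTPS (one common reason a .php site loops while static .html does not), and a client following redirects. It assumes the Pound HTTPS listener can add an `X-Forwarded-Proto: https` request header (Pound's `AddHeader` directive; whether 2.2.1 already has it is not stated in the thread) and, as a modelling choice, that the bare `Redirect` keeps the original request path.

```python
"""Model of an HTTP->HTTPS redirect loop behind a TLS-terminating proxy.

Constructed example for the Pound list thread, not Pound's own code.
Parties:
  * Pound ListenHTTP  : unconditional Redirect to https://www.abc.de (as in the quoted config)
  * Pound ListenHTTPS : terminates TLS, forwards to the backend over plain HTTP
  * backend app       : static .html is served as-is; the dynamic app bounces
                        any request it believes was not HTTPS to its HTTPS URL
The backend socket only ever sees plain HTTP from Pound, so unless the proxy
tells it the real client scheme, the dynamic app keeps redirecting: a loop.
"""
from urllib.parse import urlsplit

HOST = "www.abc.de"   # constructed host name taken from the thread
MAX_HOPS = 8          # client gives up after this many redirects


def backend_app(path, headers, trust_forwarded_proto):
    """Backend behind Pound. Returns (status, response_headers, body)."""
    if path.endswith(".html"):
        # Static files have no notion of scheme; this is the case that "works".
        return 200, {}, "<html>static page</html>"
    # Dynamic app: decide which scheme the client really used.
    scheme = "http"   # what the socket tells us; always plain HTTP behind Pound
    if trust_forwarded_proto and headers.get("X-Forwarded-Proto") == "https":
        scheme = "https"
    if scheme != "https":
        # Canonicalise to HTTPS: this is the redirect that causes the loop when
        # the app cannot see that TLS was already terminated at the proxy.
        return 302, {"Location": f"https://{HOST}{path}"}, ""
    return 200, {}, f"<html>dynamic page {path}</html>"


def pound(url, add_proto_header):
    """Model of the two listeners from the quoted config."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.scheme == "http":
        # ListenHTTP: Redirect "https://www.abc.de". Modelled as keeping the
        # request path so the URLs stay readable; an assumption, not verified.
        return 302, {"Location": f"https://{HOST}{path}"}, ""
    # ListenHTTPS: TLS ends here; the backend is reached over plain HTTP.
    req_headers = {"Host": HOST}
    if add_proto_header:
        # Assumed: AddHeader "X-Forwarded-Proto: https" in ListenHTTPS
        req_headers["X-Forwarded-Proto"] = "https"
    return backend_app(path, req_headers, trust_forwarded_proto=add_proto_header)


def follow(start_url, add_proto_header):
    """Client following redirects. Returns (final_status, hops, looped)."""
    url, hops, seen = start_url, 0, set()
    while hops < MAX_HOPS:
        status, headers, _body = pound(url, add_proto_header)
        if status != 302:
            return status, hops, False
        nxt = headers["Location"]
        if nxt in seen:
            return status, hops, True      # same URL again: redirect loop
        seen.add(url)
        url = nxt
        hops += 1
    return 302, hops, True


if __name__ == "__main__":
    for path in ("/index.html", "/index.php"):
        for with_header in (False, True):
            print(path, "proto header" if with_header else "no header",
                  follow(f"http://{HOST}{path}", with_header))
```

Run as-is it shows that `/index.html` is fine either way, `/index.php` loops without the header, and both work once Pound forwards the scheme and the app trusts it. The caveat a practitioner will want: the backend should honour `X-Forwarded-Proto` only when the request actually comes from Pound (restrict the backend port to the proxy's address), because a client that can reach 2.2.2.2:80 directly could otherwise claim HTTPS that never happened. The same idea applies to the link-rewriting route Stefan suggests: whatever mechanism tells the backend about the real scheme must not be spoofable by the client.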