/ Zope / Apsis / Pound Mailing List / Archive / 2008 / 2008-01 / SSL and 302 Location header issue


SSL and 302 Location header issue
"Tom Bowditch" <tom.bowditch(at)transite.com>
2008-01-21 21:46:03
We have been having an issue on one of our production servers for roughly the past week.  It initially appeared after a restart due to a change of the DNS servers.

The problem appears to be pound is not correctly rewriting the 302 Location header field for one of our web servers.

For the working server pound changes the Location from
Location: http://rodent.transite.com:443/fac/login
to
Location: https://rodent.transite.com/fac/login

While on the non-working server pound does not change the Location from
Location: http://demo.myoneportal.com:443/crossville/login
to
Location: http://demo.myoneportal.com:443/crossville/login


To my limited knowledge, there have been no configuration changes to pound and the servers are set up as near identical as possible.  I believe pound 1.4 is being used, but I have installed and upgraded to pound 2.3.2 with the same behavior.

I have installed tcpwatch and the Live HTTP Headers plugin for Firefox to try and better understand and see what is going on.  From my testing, the web servers appear to be generating identical output which pound is handling differently and causing the browsers to fail in one case.

In this example, the user is logging into the application.  They successfully log in and are sent a 302 to direct them to the correct page.  The browser fails to redirect on the non-working versions and succeeds on the working versions.

I am looking for some direction in resolving this issue and clarification if this is really a pound issue or not.

Thank you for your help,

Tom


=================================================================


First, here is the tcpwatch of the bad server going to pound (with tcpwatch in the middle too).  Pound 2.3.2 is used



[00:00.000 - client 192.168.232.27:43296 forwarded to 192.168.232.27:80]
==>POST /register/user-login HTTP/1.1
==>Host: demo.serverA.com
==>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
==>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
==>Accept-Language: en-us,en;q=0.5
==>Accept-Encoding: gzip,deflate
==>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
==>Keep-Alive: 300
==>Connection: keep-alive
==>Referer: https://demo.serverA.com/somesite/login
==>Cookie: ad_session_id=13900002%2c0+%7b897+1200954339+D2D49EB9246DDCA7EF7254D9C11528653439AOTHERSITE%7d
==>Content-Type: application/x-www-form-urlencoded
==>Content-Length: 169
==>X-SSL-Request: 1
==>X-Forwarded-For: 1.2.3.4
==>
==>return_url=%2Fsomesite%2Flogin&time=1200939939&token_id=897&hash=058F7E5F7376EE891A6BFC4BF7B216353DF8C381&email=someuser%40someplace.com&password=something&login=Log+In
[00:00.001 - server connected]
<==HTTP/1.0 302 Found
<==Set-Cookie: ad_user_login=""; Path=/; Max-Age=0
<==Set-Cookie: ad_user_login_secure=""; Path=/; Max-Age=0
<==Set-Cookie: ad_session_id=13900002%2c569+%7b241+1200954353+0A96600216EDACC50827FD4918C242FEB03E93E2%7d; Path=/; Max-Age=14400
<==Set-Cookie: ad_secure_token=13900002%2c569%2c1200939953+%7b902+1201544753+09665662B508C6979E0CD09859A5DC072B7A55EA%7d; Path=/; Secure
<==Location: http://demo.serverA.com/somesite/login
<==MIME-Version: 1.0
<==Date: Mon, 21 Jan 2008 18:25:54 GMT
<==Server: AOLserver/4.0.10
<==Content-Type: text/html
<==Content-Length: 326
<==Connection: close
<==
<==<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<==<HTML>
<==<HEAD>
<==<TITLE>Redirection</TITLE>
<==</HEAD>
<==<BODY>
<==<H2>Redirection</H2>
<==<A HREF="http://demo.serverA.com/somesite/login">The requested URL has moved here.</A>
<==<P ALIGN=RIGHT><SMALL><I>AOLserver/4.0.10 on http://demo.serverA.com</I></SMALL></P>
<==
<==</BODY></HTML>
[00:00.092 - server closed]


And the headers at the browser.


https://demo.serverA.com/register/user-login

POST /register/user-login HTTP/1.1
Host: demo.serverA.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://demo.serverA.com/somesite/login
Cookie: ad_session_id=13900002%2c0+%7b897+1200954339+D2D49EB9246DDCA7EF7254D9C11528653439AOTHERSITE%7d
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
return_url=%2Fsomesite%2Flogin&time=1200939939&token_id=897&hash=058F7E5F7376EE891A6BFC4BF7B216353DF8C381&email=someuser%40someplace.com&password=something&login=Log+In
HTTP/1.x 302 Found
Set-Cookie: ad_user_login=""; Path=/; Max-Age=0
Set-Cookie: ad_user_login_secure=""; Path=/; Max-Age=0
Set-Cookie: ad_session_id=13900002%2c569+%7b241+1200954353+0A96600216EDACC50827FD4918C242FEB03E93E2%7d; Path=/; Max-Age=14400
Set-Cookie: ad_secure_token=13900002%2c569%2c1200939953+%7b902+1201544753+09665662B508C6979E0CD09859A5DC072B7A55EA%7d; Path=/; Secure
Location: http://demo.serverA.com/somesite/login
MIME-Version: 1.0
Date: Mon, 21 Jan 2008 18:25:54 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 326
Connection: close


And the pound configuration

User       "pound"
Group      "web"
LogLevel   3
Alive      20
Client     30
TimeOut    60
Daemon     0

#
#ListenHTTPS 192.168.230.20,443 /usr/local/etc/serverA.com/serverA.com.pem
#
ListenHTTPS
        Address         192.168.230.20
        Port            443
        xHTTP           2
        Cert            "/usr/local/etc/serverA.com/serverA.com.pem"
        Ciphers         "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
        HeadRemove      "X-SSL-Request"
        AddHeader       "X-SSL-Request: 1"

        RewriteLocation 1

        Service
                Backend
                        Address 192.168.232.27
                        Port    81
                End
                Session
                        Type    IP
                        TTL     600
                End
        End
End



==========================================================================================

And using the old version of pound on the non-working server


[00:00.000 - client 192.168.232.27:42704 forwarded to 192.168.232.27:80]
==>POST /register/user-login HTTP/1.1
==>Host: demo.serverA.com:443
==>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
==>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
==>Accept-Language: en-us,en;q=0.5
==>Accept-Encoding: gzip,deflate
==>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
==>Keep-Alive: 300
==>Connection: keep-alive
==>Referer: https://demo.serverA.com/somesite/login
==>Cookie: ad_session_id=13910101%2c0+%7b895+1200953166+F60FBD064D3EEB54EED7CF7B04136F01879EA42E%7d
==>Content-Type: application/x-www-form-urlencoded
==>Content-Length: 169
==>X-SSL-Request: 1
==>X-Forwarded-For: 1.2.3.4
==>
==>return_url=%2Fsomesite%2Flogin&time=1200938791&token_id=241&hash=E8B34EF06AB40BEA7B0B1E16B3D05ED76002D3B3&email=someuser%40someplace.com&password=something&login=Log+In
[00:00.001 - server connected]
<==HTTP/1.0 302 Found
<==Set-Cookie: ad_user_login=""; Path=/; Max-Age=0
<==Set-Cookie: ad_user_login_secure=""; Path=/; Max-Age=0
<==Set-Cookie: ad_session_id=13910101%2c569+%7b904+1200953208+6C0A68D1E45FC57192A89E21DB5D6523836DD677%7d; Path=/; Max-Age=14400
<==Set-Cookie: ad_secure_token=13910101%2c569%2c1200938808+%7b905+1201543608+5F1A43B9FB1EC71AC57D8DF5E62D2ADC54DE6731%7d; Path=/; Secure
<==Location: http://demo.serverA.com:443/somesite/login
<==MIME-Version: 1.0
<==Date: Mon, 21 Jan 2008 18:06:48 GMT
<==Server: AOLserver/4.0.10
<==Content-Type: text/html
<==Content-Length: 330
<==Connection: close
<==
<==<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<==<HTML>
<==<HEAD>
<==<TITLE>Redirection</TITLE>
<==</HEAD>
<==<BODY>
<==<H2>Redirection</H2>
<==<A HREF="http://demo.serverA.com:443/somesite/login">The requested URL has moved here.</A>
<==<P ALIGN=RIGHT><SMALL><I>AOLserver/4.0.10 on http://demo.serverA.com</I></SMALL></P>
<==
<==</BODY></HTML>
[00:00.105 - server closed]


And the headers at the browser


https://demo.serverA.com/register/user-login

POST /register/user-login HTTP/1.1
Host: demo.serverA.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://demo.serverA.com/somesite/login
Cookie: ad_session_id=13910101%2c0+%7b895+1200953166+F60FBD064D3EEB54EED7CF7B04136F01879EA42E%7d
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
return_url=%2Fsomesite%2Flogin&time=1200938791&token_id=241&hash=E8B34EF06AB40BEA7B0B1E16B3D05ED76002D3B3&email=someuser%40someplace.com&password=something&login=Log+In
HTTP/1.x 302 Found
Set-Cookie: ad_user_login=""; Path=/; Max-Age=0
Set-Cookie: ad_user_login_secure=""; Path=/; Max-Age=0
Set-Cookie: ad_session_id=13910101%2c569+%7b904+1200953208+6C0A68D1E45FC57192A89E21DB5D6523836DD677%7d; Path=/; Max-Age=14400
Set-Cookie: ad_secure_token=13910101%2c569%2c1200938808+%7b905+1201543608+5F1A43B9FB1EC71AC57D8DF5E62D2ADC54DE6731%7d; Path=/; Secure
Location: http://demo.serverA.com:443/somesite/login
MIME-Version: 1.0
Date: Mon, 21 Jan 2008 18:06:48 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 330
Connection: close


Pound configuration


ListenHTTPS 192.168.230.20,443 /usr/local/etc/serverA.com/serverA.com.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

LogLevel 3

HeadRemove "X-SSL-Request"
HTTPSHeaders 0 "X-SSL-Request: 1"

User pound
Group web

Alive 20
Server 900

UrlGroup ".*"
#HeadRequire Host ".*demo.serverA.com.*"
HeadRequire Host ".*serverA.com.*"
BackEnd 192.168.232.27,81,1
Session IP -600
EndGroup


===================================================================

These are the headers from a working server with an older version of pound.


[00:00.000 - client 127.0.0.1:23055 forwarded to :80]
[00:00.000 - server connected]
==>POST /register/user-login HTTP/1.1
==>Host: prod.serverB.com:443
==>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
==>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
==>Accept-Language: en-us,en;q=0.5
==>Accept-Encoding: gzip,deflate
==>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
==>Keep-Alive: 300
==>Connection: keep-alive
==>Referer: https://prod.serverB.com/othersite/login
==>Content-Type: application/x-www-form-urlencoded
==>Content-Length: 162
==>X-SSL-Request: 1
==>X-Forwarded-For: 1.2.3.4
==>
==>return_url=%2Fothersite%2Flogin&time=1200938902&token_id=960&hash=6A80C539815E65369AFAAE5B52B2552B08386FD4&email=someuser%40someplace.com&password=something&login=Log+In
<==HTTP/1.0 302 Found
<==Set-Cookie: ad_user_login=""; Path=/; Max-Age=0
<==Set-Cookie: ad_user_login_secure=""; Path=/; Max-Age=0
<==Set-Cookie: ad_session_id=17403407%2c569+%7b954+1200953316+2836B40DF376246119138A083FE12DA8393F37E5%7d; Path=/; Max-Age=14400
<==Set-Cookie: ad_secure_token=17403407%2c569%2c1200938916+%7b953+1201543716+7DB81A3EE10C43E3242B8C1C15B031E980AAC9DC%7d; Path=/; Secure
<==Location: http://prod.serverB.com:443/othersite/login
<==MIME-Version: 1.0
<==Date: Mon, 21 Jan 2008 18:08:36 GMT
<==Server: AOLserver/4.0.10
<==Content-Type: text/html
<==Content-Length: 321
<==Connection: close
<==
<==<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<==<HTML>
<==<HEAD>
<==<TITLE>Redirection</TITLE>
<==</HEAD>
<==<BODY>
<==<H2>Redirection</H2>
<==<A HREF="http://prod.serverB.com:443/othersite/login">The requested URL has moved here.</A>
<==<P ALIGN=RIGHT><SMALL><I>AOLserver/4.0.10 on http://prod.serverB.com</I></SMALL></P>
<==
<==</BODY></HTML>
[00:00.075 - server closed]


And from the browser headers


https://prod.serverB.com/register/user-login

POST /register/user-login HTTP/1.1
Host: prod.serverB.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://prod.serverB.com/othersite/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
return_url=%2Fothersite%2Flogin&time=1200938902&token_id=960&hash=6A80C539815E65369AFAAE5B52B2552B08386FD4&email=someuser%40someplace.com&password=something&login=Log+In
HTTP/1.x 302 Found
Set-Cookie: ad_user_login=""; Path=/; Max-Age=0
Set-Cookie: ad_user_login_secure=""; Path=/; Max-Age=0
Set-Cookie: ad_session_id=17403407%2c569+%7b954+1200953316+2836B40DF376246119138A083FE12DA8393F37E5%7d; Path=/; Max-Age=14400
Set-Cookie: ad_secure_token=17403407%2c569%2c1200938916+%7b953+1201543716+7DB81A3EE10C43E3242B8C1C15B031E980AAC9DC%7d; Path=/; Secure
Location: https://prod.serverB.com/othersite/login
MIME-Version: 1.0
Date: Mon, 21 Jan 2008 18:08:36 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 321
Connection: close


Pound configuration


ListenHTTPS 2.3.4.5,443 /usr/local/etc/server.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

HeadRemove "X-SSL-Request"
HTTPSHeaders 0 "X-SSL-Request: 1"

User pound
Group web

Alive 20
Server 900

UrlGroup ".*"
BackEnd 127.0.0.1,81,1
#BackEnd 127.0.0.1,80,1
#BackEnd 192.168.255.17,80,1
#Session IP -600
EndGroup

Re: SSL and 302 Location header issue
"Tom Bowditch" <tom.bowditch(at)transite.com>
2008-01-22 19:23:46
As an update, I was able to get the 302s to process correctly by going in
and hacking the python script tcpwatch to rewrite the Location information
coming back out of the server.

    def write(self, data):
        if data:
            # Rewrite the backend's http:// Location so the browser is sent to https://
            # (first occurrence only; the header block is what matters here).
            fixed_data = data.replace('\nLocation: http://demo.serverA.com/',
                                      '\nLocation: https://demo.serverA.com/', 1)
            #print '>----%s----<' % (fixed_data)
            self._outbuf.append(fixed_data)
            self.handle_write()

After this change, the browsers are now correctly following the 302.

So as near as I can tell, pound is currently doing this change for all of our servers but one and I can't figure out why it is not rewriting it for that server.

Tom

Re: [Pound Mailing List] SSL and 302 Location header issue
Robert Segall <roseg(at)apsis.ch>
2008-01-23 16:30:01
On Mon, 2008-01-21 at 15:46 -0500, Tom Bowditch wrote:[...]

If for some reason the names (requester and backend!) cannot be
resolved, Pound won't change the header. Check if the names can be
resolved correctly on the host Pound is running.[...]
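Robert's point, and the tcpwatch hack in Tom's earlier message, both come down to one decision a TLS-terminating proxy makes for every Location header: rewrite http:// to https:// only when the hostname in the header points back at the proxy itself or at the backend it fronts, which means the proxy has to resolve that hostname first. The following is an added example, not Pound's code and not from the thread, that models this decision in Python. It uses a constructed name-to-address table in place of real DNS so the stale-record case Tom found can be reproduced offline; the listener and backend addresses are taken from the configurations posted above, 10.99.99.99 is an invented stale answer, and GOOD_DNS, BAD_DNS, make_resolver, rewrite_location and rewrite_response_headers are names of this example only. The model compares addresses but not ports and ignores the RewriteLocation mode, both of which real Pound also takes into account.

```python
import re
from typing import Callable, Dict, Optional

# Constructed resolver tables standing in for the DNS the proxy host would query.
# GOOD_DNS maps each name to the listener address from the matching config in the
# thread; BAD_DNS simulates a stale record (10.99.99.99 is an invented value).
GOOD_DNS: Dict[str, str] = {
    "demo.serverA.com": "192.168.230.20",
    "prod.serverB.com": "2.3.4.5",
}
BAD_DNS: Dict[str, str] = {
    "demo.serverA.com": "10.99.99.99",
    "prod.serverB.com": "2.3.4.5",
}

Resolver = Callable[[str], Optional[str]]


def make_resolver(table: Dict[str, str]) -> Resolver:
    """Turn a constructed name -> address table into a resolve() function.
    Unknown names return None, like a failed lookup."""
    lowered = {name.lower(): addr for name, addr in table.items()}
    return lambda name: lowered.get(name.lower())


# scheme://host[:port][/path]; the host stops at the first ':' or '/'.
_URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$",
    re.IGNORECASE,
)


def rewrite_location(location: str, listener_addr: str, backend_addr: str,
                     resolve: Resolver) -> str:
    """Return the Location value the browser should see.

    Simplified model of a RewriteLocation-style check: an http:// URL is
    rewritten to https:// (with its explicit port dropped) only when its
    hostname resolves to the proxy's listener or to the backend it fronts.
    Anything else, including a name that does not resolve or resolves to a
    foreign address, is passed through untouched, which is the symptom in
    the thread.
    """
    m = _URL_RE.match(location.strip())
    if not m or m.group("scheme").lower() != "http":
        return location                 # not an http:// URL: nothing to do
    host = m.group("host")
    path = m.group("path") or "/"
    addr = resolve(host)
    if addr is None:
        return location                 # name cannot be resolved: pass through
    if addr not in (listener_addr, backend_addr):
        return location                 # points somewhere else: not ours to rewrite
    return f"https://{host}{path}"      # switch scheme, drop the :443 / :80 port


def rewrite_response_headers(raw: str, listener_addr: str, backend_addr: str,
                             resolve: Resolver) -> str:
    """Apply rewrite_location to the Location line of a raw HTTP response.
    Only the header block is inspected; the body is passed through unchanged."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "location":
            fixed = rewrite_location(value.strip(), listener_addr, backend_addr, resolve)
            lines[i] = f"Location: {fixed}"
    return "\r\n".join(lines) + sep + body


# Constructed 302 modelled on the backend response in the thread (body omitted).
SAMPLE_302 = (
    "HTTP/1.0 302 Found\r\n"
    "Location: http://demo.serverA.com:443/somesite/login\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    listener, backend = "192.168.230.20", "192.168.232.27"
    for label, table in (("good DNS", GOOD_DNS), ("stale DNS", BAD_DNS)):
        out = rewrite_response_headers(SAMPLE_302, listener, backend, make_resolver(table))
        print(label, "->", out.split("\r\n")[1])
```

Run stand-alone, the script prints the rewritten https:// Location for the good table and the unchanged http://...:443 Location for the stale one. The check worth keeping from this is the resolver step: a proxy that rewrites on string match alone, as the tcpwatch hack does, will happily rewrite a Location that points at some other host, while a proxy that rewrites only for addresses it owns fails closed (leaves the header alone) whenever the name resolution on its own host is wrong.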

Re: [Pound Mailing List] SSL and 302 Location header issue
"Tom Bowditch" <tom.bowditch(at)transite.com>
2008-01-23 17:34:20
This was it.  I went back and looked at the IP the DNS resolved to,
something I did 20+ times already, and finally realized it was
wrong.  Fixed it, took out the tcpwatch hack and everything is
running fine again.

Thanks,

Tom

On Wed, January 23, 2008 10:30 am, Robert Segall wrote:[...]
