Re: [Pound Mailing List] Pound 2.4 final
Dave Steinberg <dave(at)redterror.net>
2008-02-01 18:58:25
Robert Segall wrote:
> We would like to officially release the stable version of 2.4. For the
> moment 2.4f looks clean, but your feedback would be appreciated: please
> help us fix any problems you may have run into with it.

I've been running it for a while with no regressions.  +1 on marking it 
stable.

Regards,
-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

RE: [Pound Mailing List] network solutions ssl cert
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2008-02-01 16:43:50
Yup:

ListenHTTPS
  Address X.Y.Z.W
  Port    443
  Cert    "/etc/pound/nsol/mycert.pem"
  VerifyList "/etc/pound/nsol/ca/nsol_ca_list.pem"
  CAlist "/etc/pound/nsol/ca/nsol_ca_list.pem"
  AddHeader "HTTPS: ON"

-- Jake
 

> -----Original Message-----
> From: McClain Looney [mailto:m(at)loonsoft.com] 
> Sent: Friday, February 01, 2008 6:51 AM
> To: pound(at)apsis.ch
> Subject: [Pound Mailing List] network solutions ssl cert
> 
> Hi Folks,
> 
> Has anyone managed to figure out which certs in what order 
> are needed to get pound working with a network solutions 
> certificate? Their certs ship with a total of 4(!) 
> certificates. I'd previously managed to get a verisign w/ 
> intermediate cert working, but no luck so far with nsi.
> 
> The current error is
> 
> SSL_CTX_use_PrivateKey_file "/etc/pound/ssl/new.pem" failed - aborted
> 
> 
> 
> The key is decrypted (tried pkcs8 format too).
> 
> 
> Regards,
> 
> -mml
> 
> --
> To unsubscribe send an email with subject unsubscribe to 
> pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
> 



RE: [Pound Mailing List] network solutions ssl cert
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2008-02-01 16:45:46
Oh, that nsol_ca_list.pem file is just:

<private key>
<AddTrustExtrenalCARoot.crt>
<NetworkSolutions_CA.crt>
<UTNAddTrustServer_CA.crt>

all concatenated into the pem file.

-- Jake
 

> -----Original Message-----
> From: McClain Looney [mailto:m(at)loonsoft.com] 
> Sent: Friday, February 01, 2008 6:51 AM
> To: pound(at)apsis.ch
> Subject: [Pound Mailing List] network solutions ssl cert
> 
> Hi Folks,
> 
> Has anyone managed to figure out which certs in what order 
> are needed to get pound working with a network solutions 
> certificate? Their certs ship with a total of 4(!) 
> certificates. I'd previously managed to get a verisign w/ 
> intermediate cert working, but no luck so far with nsi.
> 
> The current error is
> 
> SSL_CTX_use_PrivateKey_file "/etc/pound/ssl/new.pem" failed - aborted
> 
> 
> 
> The key is decrypted (tried pkcs8 format too).
> 
> 
> Regards,
> 
> -mml
> 
> --
> To unsubscribe send an email with subject unsubscribe to 
> pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
> 



Re: [Pound Mailing List] network solutions ssl cert
McClain Looney <m(at)loonsoft.com>
2008-02-01 20:04:41
On Feb 1, 2008, at 9:43 AM, Jacob Anderson wrote:

> Yup:
>
> ListenHTTPS
>  Address X.Y.Z.W
>  Port    443
>  Cert    "/etc/pound/nsol/mycert.pem"
>  VerifyList "/etc/pound/nsol/ca/nsol_ca_list.pem"
>  CAlist "/etc/pound/nsol/ca/nsol_ca_list.pem"
>  AddHeader "HTTPS: ON"
>
> -- Jake


so in the Cert directive, is the privkey and my cert (btw, is the  
pkcs8 format for the privkey now required?),  but where can i find the  
right bytes for the netsol ca list?

-mml

Re: [Pound Mailing List] network solutions ssl cert
McClain Looney <m(at)loonsoft.com>
2008-02-01 20:05:09
On Feb 1, 2008, at 9:45 AM, Jacob Anderson wrote:

> Oh, that nsol_ca_list.pem file is just:
>
> <private key>
> <AddTrustExtrenalCARoot.crt>
> <NetworkSolutions_CA.crt>
> <UTNAddTrustServer_CA.crt>
>
> all concatenated into the pem file.


ah, great! ignore that reply i just sent.

thanks,

-mml
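
An added example, not part of the original thread and not Pound's own code: a small Python check that lists the PEM blocks in a file in order and audits them for the two roles discussed above, the `Cert` file (which the quoted `SSL_CTX_use_PrivateKey_file` error shows is read for the private key) and the `CAlist`/`VerifyList` file (assumed, per Pound's documentation, to hold CA certificates). The function names are hypothetical and the sample blocks are constructed placeholders, not real keys or certificates.

```python
import re

# One PEM block: captures the label and everything up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted)] for every PEM block, in file order."""
    return [(label, label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body)
            for label, body in PEM_BLOCK.findall(text)]

def audit(text, role):
    """role: 'cert' for a Cert file, 'calist' for a CAlist/VerifyList file."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    findings = []
    if not certs:
        findings.append("no certificate found")
    if role == "cert":
        if len(keys) != 1:
            findings.append("expected 1 private key, found %d" % len(keys))
        if any(encrypted for _, encrypted in keys):
            findings.append("private key is encrypted (needs a passphrase to load)")
    elif keys:
        findings.append("private key inside a CA list (only CA certificates belong here)")
    return findings

def fake(label, headers=""):
    # Constructed placeholder block: valid PEM framing, meaningless body.
    return "-----BEGIN %s-----\n%sQ09OU1RSVUNURUQ=\n-----END %s-----\n" % (label, headers, label)

# Constructed samples mirroring the file layouts discussed in the thread.
CERT_OK = fake("RSA PRIVATE KEY") + fake("CERTIFICATE")
CERT_ENCRYPTED = (fake("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")
                  + fake("CERTIFICATE"))
CA_WITH_KEY = fake("RSA PRIVATE KEY") + fake("CERTIFICATE") * 3
CA_ONLY = fake("CERTIFICATE") * 3

if __name__ == "__main__":
    for name, text, role in [("CERT_OK", CERT_OK, "cert"),
                             ("CERT_ENCRYPTED", CERT_ENCRYPTED, "cert"),
                             ("CA_WITH_KEY", CA_WITH_KEY, "calist"),
                             ("CA_ONLY", CA_ONLY, "calist")]:
        print(name, [b[0] for b in pem_blocks(text)], audit(text, role) or "ok")
```

To check real files, pass the contents of the path named in each directive to `audit()` with the matching role.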

Re: [Pound Mailing List] passive BackEnds
Rick Blundell <rickb(at)rapidvps.com>
2008-02-11 16:11:54
Hi, I am also interested in this.  It is not possible with Pound 
currently however.

Rick

tyntas wrote:
> Hi,
>
> Is there a way to set up such a thing:
> There are configured two groups of BackEnds - group A (backend A1 and 
> A2) and group B (backend B1 and B2)
>
> 1) In normal state group A is queried and load distributed as 
> specified in priorities inside group A, but group B stays absolutely 
> passive.
> 2) If all BackEnds in group A goes down, then pound starts using 
> BackEnd's in group B with priorities specified in their group 
> respectively.
> 3) If later any BackEnd in group A become active, then group B should 
> be left passive again.
> 4) When no group is available, Emergency service should be used.
>
> Is it possible?
>
> j.
>
>
> -- 
> To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.


Re: [Pound Mailing List] passive BackEnds
Dave Steinberg <dave(at)redterror.net>
2008-02-11 17:21:58
>> Is there a way to set up such a thing:
>> There are configured two groups of BackEnds - group A (backend A1 and 
>> A2) and group B (backend B1 and B2)
>>
>> 1) In normal state group A is queried and load distributed as 
>> specified in priorities inside group A, but group B stays absolutely 
>> passive.
>> 2) If all BackEnds in group A goes down, then pound starts using 
>> BackEnd's in group B with priorities specified in their group 
>> respectively.
>> 3) If later any BackEnd in group A become active, then group B should 
>> be left passive again.
>> 4) When no group is available, Emergency service should be used.

I'm curious - what's the use case here?  Why do you want something like that?

-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

Re: [Pound Mailing List] passive BackEnds
Rick Blundell <rickb(at)rapidvps.com>
2008-02-11 17:31:25
For me I have a pound proxy, apache backend, and lighttpd backend. I 
would like all the requests to hit lighttpd normally. If light is dead, 
overloaded, or otherwise not answering requests, I would like apache to 
answer requests. Lighttpd is much much faster but apache can run for 
years without a restart.

Rick



Dave Steinberg wrote:
>>> Is there a way to set up such a thing:
>>> There are configured two groups of BackEnds - group A (backend A1 
>>> and A2) and group B (backend B1 and B2)
>>>
>>> 1) In normal state group A is queried and load distributed as 
>>> specified in priorities inside group A, but group B stays absolutely 
>>> passive.
>>> 2) If all BackEnds in group A goes down, then pound starts using 
>>> BackEnd's in group B with priorities specified in their group 
>>> respectively.
>>> 3) If later any BackEnd in group A become active, then group B 
>>> should be left passive again.
>>> 4) When no group is available, Emergency service should be used.
>
> I'm curious - whats the use case here?  Why do you want something like 
> that?
>


Re: [Pound Mailing List] passive BackEnds
Dave Steinberg <dave(at)redterror.net>
2008-02-11 17:58:35
Rick Blundell wrote:
> For me I have a pound proxy, apache backend, and lighttpd backend. I 
> would like all the requests to hit lighttpd normally. if light is dead, 
> overloaded, or otherwise not answering requests, I would like apache to 
> answer requests. Lighttpd is much much faster but apache can run for 
> years without a restart.

To play devil's advocate for a moment, why not simply de-prioritize your 
apache backends down to 1?  Wouldn't that achieve the desired effect?

-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

Re: [Pound Mailing List] passive BackEnds
Calomel <poundlist(at)calomel.org>
2008-02-11 18:02:40
J,
 
We set up a front end using relayd (also called hoststatd) in openbsd. We
have two groups of hosts; A is comprised of 3 primary web server machines
and B is comprised of 2 emergency backup web server machines.

The balancers are all running pound. Just like your example, if all hosts
in A go down then B comes up. When any machine in A comes back up then
machines in B go unused.  We also have scripts to look at the request load
to make sure that at least 2 machines in A come up before the switch is
initiated.
                                  |- Group A, webserver 1
                      |- pound A -|- Group A, webserver 2 
                      |           |- Group A, webserver 3
internet -- openbsd --|
(sourcex2)  (CARPx3)  |- pound B -|- Group B, webserver 1 
                                  |- Group B, webserver 2

This is a bit of a complicated solution, but it allows us to take machines
down on a whim. The users or staff never notice a problem. We can also lose
as many as 2 openbsd CARP's, one pound box and 4 web servers and can still be
considered up and serving data. 

I have never tried to set up pound to do the job of relayd, but it may be
possible. Even the solution above requires many extra scripts to make sure
all machines know about the status of the cluster.

You can find a lot of this information at http://calomel.org

--
 Calomel (at) http://calomel.org
 Open Source Research and Reference


On Mon, Feb 11, 2008 at 04:40:13PM +0200, tyntas wrote:
>Hi,
>
>Is there a way to set up such a thing:
>There are configured two groups of BackEnds - group A (backend A1 and 
>A2) and group B (backend B1 and B2)
>
>1) In normal state group A is queried and load distributed as specified 
>in priorities inside group A, but group B stays absolutely passive.
>2) If all BackEnds in group A goes down, then pound starts using 
>BackEnd's in group B with priorities specified in their group respectively.
>3) If later any BackEnd in group A become active, then group B should be 
>left passive again.
>4) When no group is available, Emergency service should be used.
>
>Is it possible?
>
>j.
>
>
>--
>To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
>Please contact roseg(at)apsis.ch for questions.

Re: [Pound Mailing List] passive BackEnds
tyntas <nospam2(at)delfi.lt>
2008-02-12 08:35:46
My case is a little bit different.

I have an international website which has one backend and proxies 
distributed in a few countries. There are dedicated international links 
for local proxies to query central backends. I use pound because there 
are a few central servers as well as a few proxies in each locale.

The problem would be if my dedicated link fails. It has quite a high SLA, 
but still - if it would fail - I would like the queries to travel via 
the public internet rather than the site being out of service, because I 
have no security concerns here moving traffic publicly.

Local pound can see central backends as internal IPs which are routed 
internally, but it can also reach the same backends by querying their 
public addresses which are routed via the global Internet. If pound would 
support BackEnd groups I could set up group A of internal IPs, and group 
B of external ones. I think it's clear what it would mean if the servers 
in group A are not reachable, but in group B they are.

In this case pound would be doing "link failover" instead of "BackEnd 
failover" actually and it might be already out of pound's scope, but still 
a very nice addition to its value.

j.

Rick Blundell wrote:
> For me I have a pound proxy, apache backend, and lighttpd backend. I 
> would like all the requests to hit lighttpd normally. if light is dead, 
> overloaded, or otherwise not answering requests, I would like apache to 
> answer requests. Lighttpd is much much faster but apache can run for 
> years without a restart.
> 
> Rick
> 
> 
> 
> Dave Steinberg wrote:
>>>> Is there a way to set up such a thing:
>>>> There are configured two groups of BackEnds - group A (backend A1 
>>>> and A2) and group B (backend B1 and B2)
>>>>
>>>> 1) In normal state group A is queried and load distributed as 
>>>> specified in priorities inside group A, but group B stays absolutely 
>>>> passive.
>>>> 2) If all BackEnds in group A goes down, then pound starts using 
>>>> BackEnd's in group B with priorities specified in their group 
>>>> respectively.
>>>> 3) If later any BackEnd in group A become active, then group B 
>>>> should be left passive again.
>>>> 4) When no group is available, Emergency service should be used.
>>
>> I'm curious - whats the use case here?  Why do you want something like 
>> that?
>>
> 
> 
> -- 
> To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
> 
> 



Re: [Pound Mailing List] passive BackEnds
Michal Taborsky - Internet Mall <michal.taborsky(at)mall.cz>
2008-02-12 11:55:16
Hello,

I think you want pound to do a networking infrastructure's job. I'm sure 
you can set up your network so that it will always serve the internal 
address, but in case of link failure it'll tunnel the address(es) to 
your remote location.

Pound is indeed a backend load balancer. The failover functionality is 
kind of a side-effect of that. Doing a link failover would be out of the 
scope for it, I suppose.

MT.

tyntas wrote:
> My case is a little bit different.
> 
> I have an international website which has one backend and proxies 
> distributed in a few countries. There are dedicated international links 
> for local proxies to query central backends. I use pound because there 
> are a few central servers as well as a few proxies in each locale.
> 
> The problem would be if my dedicated link fails. It has quite a high SLA, 
> but still - if it would fail - I would like the queries to travel via 
> the public internet rather than the site being out of service, because I 
> have no security concerns here moving traffic publicly.
> 
> Local pound can see central backends as internal IPs which are routed 
> internally, but it can also reach the same backends by querying their 
> public addresses which are routed via the global Internet. If pound would 
> support BackEnd groups I could set up group A of internal IPs, and group 
> B of external ones. I think it's clear what it would mean if the servers 
> in group A are not reachable, but in group B they are.
> 
> In this case pound would be doing "link failover" instead of "BackEnd 
> failover" actually and it might be already out of pound's scope, but still 
> a very nice addition to its value.
> 
> j.
> 
> Rick Blundell wrote:
>> For me I have a pound proxy, apache backend, and lighttpd backend. I 
>> would like all the requests to hit lighttpd normally. if light is 
>> dead, overloaded, or otherwise not answering requests, I would like 
>> apache to answer requests. Lighttpd is much much faster but apache can 
>> run for years without a restart.
>>
>> Rick
>>
>>
>>
>> Dave Steinberg wrote:
>>>>> Is there a way to set up such a thing:
>>>>> There are configured two groups of BackEnds - group A (backend A1 
>>>>> and A2) and group B (backend B1 and B2)
>>>>>
>>>>> 1) In normal state group A is queried and load distributed as 
>>>>> specified in priorities inside group A, but group B stays 
>>>>> absolutely passive.
>>>>> 2) If all BackEnds in group A goes down, then pound starts using 
>>>>> BackEnd's in group B with priorities specified in their group 
>>>>> respectively.
>>>>> 3) If later any BackEnd in group A become active, then group B 
>>>>> should be left passive again.
>>>>> 4) When no group is available, Emergency service should be used.
>>>
>>> I'm curious - whats the use case here?  Why do you want something 
>>> like that?

-- 
Michal Táborský
chief systems architect
Internet Mall, a.s.

Internet Mall - shops you will love
<http://www.MALL.cz>