Pound Mailing List Archive, 2008-05

Pound changes in v2.4.x
Albert <pound(at)alacra.com>, 2008-05-28 00:11:29
Last weekend, we upgraded pound from version 2.3.2 to 2.4.2 (to take
advantage of a few features added in between). I found a couple of issues,
and wanted to address them:
1. We changed our "Redirect" directives to use "301". However, there
are a couple of minor bugs in the code. First, when these responses are
logged, they still say "302" in the pound.log. It should really have
the HTTP code (301/302 or 307), which I believe is the be_type of that
service. Secondly, though pound returns "301", it says "Found" in the
description, instead of "Moved Permanently". This is not really a big
deal, but this should probably be consistent with the HTTP spec.
2. I noticed that the MAXBUF default length was changed to 1024 from
2048. I know this can be overridden with the configure flag, but was
there a reason this was done? Some of our links stopped working, and I
had to rebuild with the config flag. Can this be changed back for
backward compatibility?
Albert
Re: [Pound Mailing List] Pound changes in v2.4.x
Robert Segall <roseg(at)apsis.ch>, 2008-05-31 12:40:23
On Tue, 2008-05-27 at 18:11 -0400, Albert wrote:
[...]
Thanks - it is now fixed in 2.4.3.
[...]
I would like best to lower it even more - it is one of the ways we can
limit the possibility of exploits against web servers. For the moment it
is set at 1024 as a compromise solution - I would like to hear more
opinions on this.
[...]
Re: [Pound Mailing List] Pound changes in v2.4.x
Albert <pound(at)alacra.com>, 2008-05-31 16:15:01
Robert Segall wrote:
[...]
Thank you.
[...]
I see your point. But maybe it's better to have a Listener or Service
directive which would limit the size -- a combination of CheckURL and
MaxRequest for URL lengths (CheckURLSize?). You could set the default
value on the directive to be 1024, and send 414 if the URL exceeds the value.
RE: [Pound Mailing List] Pound changes in v2.4.x
"Aigner" <VooDoo(at)ganjacru.de>, 2008-05-31 22:58:41
> I would best like to lower it even more - it is one of the [...]
We run some server applications with Pound and we suffered from many different
problems:
- Servers did not always recognize login cookies (especially when more
information was stored in the cookie than just the username and password).
This happened with a "pure" Zope server, with a Plone server and with a phpBB2
board.
- Servers did not recognize very long forms (i.e. the back-end server does not
seem to receive the full form content), no matter whether sent by the GET or
POST method.
We were able to solve these problems completely by increasing MAXBUF. The Zope
and Plone servers are happy with 8KB now, but for the phpBB2 board we had to
set the value to 16KB.
Somebody on this mailing list recently suggested using a "dynamic" MAXBUF with
no maximum value. We also think that this might be the best solution. If
security is an issue: actually, the back-end servers are secured well enough,
I think. Or how does e.g. Apache handle this?
--
Oliver
[...]
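The two messages above describe the same mechanism from both sides: Albert proposes a CheckURLSize-style directive that answers 414 when the request line exceeds a configured limit, and Oliver reports back ends that never saw the full Cookie header or form once a line grew past MAXBUF. The following C program is an added example written for this page, not Pound's source: it models a MAXBUF-bounded line reader, refuses to forward any request whose request line or header line does not fit, and maps the two cases to 414 (URI too long) and 431 (header fields too large, a later RFC 6585 code). The buffer sizes, the status-code choice and the constructed GET request are all assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Pound's code. read_line() models a fixed MAXBUF line
 * buffer; check_request_head() turns "line does not fit" into an explicit
 * HTTP error instead of forwarding a silently truncated request.
 * Status codes and limits below are assumptions chosen for illustration. */
#define STATUS_OK            0
#define STATUS_URI_TOO_LONG  414   /* request line (URL) longer than buffer */
#define STATUS_HDR_TOO_LARGE 431   /* a header line longer than buffer (RFC 6585) */

/* Copy one LF-terminated line from *src into buf (capacity maxbuf bytes,
 * NUL included) and strip a trailing CR. Returns 1 on success and advances
 * *src; returns 0 without advancing if the line will not fit. A reader that
 * instead stopped at maxbuf-1 bytes and carried on would hand the back end
 * a cut-off Cookie or form line, which is the symptom reported above. */
static int read_line(const char **src, char *buf, size_t maxbuf)
{
    const char *p = *src;
    size_t n = 0;

    while (*p != '\0' && *p != '\n') {
        if (n + 1 >= maxbuf)       /* no room for this byte plus the NUL */
            return 0;
        buf[n++] = *p++;
    }
    if (*p == '\n')
        p++;
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    buf[n] = '\0';
    *src = p;
    return 1;
}

/* Scan the request head (request line, then headers up to the blank line)
 * through a maxbuf-byte line buffer. Returns STATUS_OK if every line fits,
 * otherwise the status the proxy should answer with instead of forwarding. */
int check_request_head(const char *req, size_t maxbuf)
{
    char *line = malloc(maxbuf);
    const char *p = req;
    int status = STATUS_OK;

    if (line == NULL)
        return 500;
    if (!read_line(&p, line, maxbuf)) {
        status = STATUS_URI_TOO_LONG;
    } else {
        for (;;) {
            if (!read_line(&p, line, maxbuf)) {
                status = STATUS_HDR_TOO_LARGE;
                break;
            }
            if (line[0] == '\0')   /* blank line: end of headers */
                break;
        }
    }
    free(line);
    return status;
}

/* Constructed request (sample input, not captured traffic): a GET whose
 * path is '/' followed by path_len-1 'a' bytes, a Host header, and a Cookie
 * header carrying cookie_len 'x' bytes. Returns check_request_head()'s
 * verdict under the chosen MAXBUF, or -1 if the request does not fit the
 * scratch buffer. */
int status_for(size_t path_len, size_t cookie_len, size_t maxbuf)
{
    static char req[1 << 16];
    const char *tail = " HTTP/1.1\r\nHost: example.test\r\nCookie: sid=";
    const char *end = "\r\n\r\n";
    size_t n = 0;

    if (path_len < 1 ||
        4 + path_len + strlen(tail) + cookie_len + strlen(end) + 1 > sizeof req)
        return -1;
    memcpy(req + n, "GET /", 5);                 n += 5;
    memset(req + n, 'a', path_len - 1);          n += path_len - 1;
    memcpy(req + n, tail, strlen(tail));         n += strlen(tail);
    memset(req + n, 'x', cookie_len);            n += cookie_len;
    memcpy(req + n, end, strlen(end) + 1);       /* includes the NUL */
    return check_request_head(req, maxbuf);
}

int main(void)
{
    printf("short request, MAXBUF 1024:    %d\n", status_for(1, 100, 1024));
    printf("3000-byte cookie, MAXBUF 1024: %d\n", status_for(1, 3000, 1024));
    printf("3000-byte cookie, MAXBUF 8192: %d\n", status_for(1, 3000, 8192));
    printf("2000-byte URL, MAXBUF 1024:    %d\n", status_for(2000, 0, 1024));
    return 0;
}
```

The point of the example is the failure mode: with a 1024-byte buffer a 3000-byte session cookie is rejected with a clear status the client can see, whereas a reader that silently stops at the buffer boundary would forward a request the back end cannot authenticate, which is exactly the "login cookie not recognized" behaviour reported above. Raising the limit (the 8192 case) makes the same request pass; the size limit and the explicit error are the two halves of the directive Albert is asking for.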
Re: [Pound Mailing List] Pound changes in v2.4.x
Alessio <a.cervellin(at)acm.org>, 2008-05-31 23:38:29
Robert Segall wrote:
[...]
I don't think it is up to Pound to be concerned about this kind of
security issue: it should be the responsibility of what is in the
front end (e.g. firewalls, IDS, ...) or in the back end (web servers).
What I mean is that Pound should only be worried about its own possible
exploits, not about the ones of any other product it balances to...
That's the /separation of concerns principle/.