Re: [Pound Mailing List] pound socket linger problem with linux 2.6
Pavel Stano <stanojr(at)blackhole.sk>
2008-08-02 14:52:37
I was wrong, this is not a bug in pound :)

I debugged it for many hours and I found the problem.
It was caused by a low Timeout directive in httpd.conf.
I have it set to 60 seconds.

When you request a file, Apache first writes a lot of data to the socket (the TCP
buffer fills) and then poll()s this socket with a timeout of 60 secs (to see if it can
write more data).

But if poll() returns with a timeout, then Apache closes the connection to the client.

So the solution is to raise Timeout; I set it to the default value of 300 seconds.

--
Pavel Stano


RE: [Pound Mailing List] pound socket linger problem with linux 2.6
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2008-08-02 17:46:18
Pavel, et al.,

I've done the same diagnosis with my tomcat backend, and have tuned the
timeouts between pound and the backend servers. Regardless of my efforts, I
still see these errors. This may be a problem with the network topology, a
bad NIC, or something other than pound. 

Is there an easier way to fine-tune these errors so that this chunk problem
is mitigated in pound? Maybe the only tuning point for pound is the BE
timeout.

RE: [Pound Mailing List] Problems with SSL
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-08-04 14:56:18
In older versions of pound, it would send the request to the backend as
www.website.com:443, so some apps would check for that and perform the
rewrite to https if it wasn't 443.  Now, even though you're coming in on
443, pound now sends the request to the backend either blank
(www.website.com) or as (www.website.com:80), I don't remember which
way.  This got us too, since the behavior changed between 1.x and 2.x.  

Now we use a custom header in the pound config for SSL (front-end-https:
on) and check for that. 

--Alfonso



-----Original Message-----
From: william pink [mailto:will.pink(at)gmail.com] 
Sent: Monday, August 04, 2008 7:08 AM
To: pound(at)apsis.ch
Subject: [Pound Mailing List] Problems with SSL

Hello all,

I have a Linux firewall server that is running pound that load balances
to a Windows Server which has a .NET App running on it. What I am having
problems with is the SSL termination for this server. I have placed the
cert on the Pound server and it listens on port 443 fine, but when I try
and access the site with https it responds with "An internal server error
occurred. Please try again later."
When I try http it says "Firefox has detected that the server is
redirecting the request for this address in a way that will never
complete."
I know the app on the Windows server will do a rewrite from http to
https so I think this may be the problem, but is there a way of getting
this to work with pound? The way I thought of doing it would be to have
the cert on the Windows server and have pound listen on 443 and let
Windows serve the cert, but I haven't been successful so far.

Any help most appreciated,

Thanks,
Will


--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.

--
This message has been scanned for viruses and dangerous content by
SecureMail, and is believed to be clean.

Re: [Pound Mailing List] Problems with SSL
"william pink" <will.pink(at)gmail.com>
2008-08-04 15:16:20
We are using pound Version 2.3.2. For the header I am using AddHeader
"X_FORWARDED_proto: https"; does that look correct?

Thanks,
Will



RE: [Pound Mailing List] Problems with SSL
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-08-04 16:15:17
Ya, I don't think it matters what you call it as long as you're checking
for it, and not the incoming port number.

--Alfonso 


Re: [Pound Mailing List] Problems with SSL
"william pink" <will.pink(at)gmail.com>
2008-08-04 16:37:27
Yeah, that's what I thought. I have tried as many combos as I can think of and
have had no result as yet.


RE: [Pound Mailing List] Problems with SSL
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-08-04 17:00:20
You might want to take a look at the raw header info.

I know that even though we added it as "front-end-https: on"  I think it
actually adds it as "X_FRONT_END_HTTPS" or something like that.  


Re: [Pound Mailing List] Problems with SSL
"william pink" <will.pink(at)gmail.com>
2008-08-05 16:47:02
Thanks for the reply. Tried that also, but no luck.

I have included the pound configuration just to see if anyone can point out
anything obvious that may be going wrong:

ListenHTTPS
    Address 82.211.89.133
    Port    443
    RewriteLocation 0
    cert    "/etc/pound/esiskills.co.uk.pem"
    AddHeader "front-end-https: on"
    Service
        HeadRequire ".*"
        BackEnd
            Address 192.168.57.34
            Port 80
            Priority 1
            TimeOut 20
        End
    End
End

Thanks,
Will


RE: [Pound Mailing List] Problems with SSL
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-08-05 17:04:15
I don't remember the reason, but I also have the following, right after
the addheader.

HeadRemove "Front-End-Https" 


Did you make sure your app isn't looking for the incoming port number?

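Added example (not part of any post in this thread and not Pound's own code): a small model of the setup discussed above, showing why an application that checks the incoming port redirects forever behind an SSL-terminating proxy, why checking the proxy-added header works, and what removing the client's copy of that header first changes. The listener model, function names and sample headers are assumptions constructed for illustration.

```python
import re

BACKEND_PORT = 80  # the backend only ever sees the proxy's plain-HTTP connection

def forward(listener, client_headers):
    """Simplified listener model (assumption): apply HeadRemove patterns to
    header names, then append each AddHeader line."""
    patterns = listener.get("HeadRemove", [])
    kept = [(k, v) for k, v in client_headers
            if not any(re.fullmatch(p, k, re.I) for p in patterns)]
    for line in listener.get("AddHeader", []):
        name, _, value = line.partition(":")
        kept.append((name.strip(), value.strip()))
    return kept

def app_checks_port(headers):
    # Redirects to https unless the request arrived on 443, which never happens here.
    return "serve" if BACKEND_PORT == 443 else "redirect"

def app_checks_header(headers):
    # Trusts the proxy's marker; exactly one copy with value "on" is required.
    flags = [v.lower() for k, v in headers if k.lower() == "front-end-https"]
    return "serve" if flags == ["on"] else "redirect"

def browse(listeners, app, client_headers=(), max_hops=5):
    """Follow the app's redirects starting from http; return (scheme, hops)
    when a page is served, or ("loop", max_hops) if it never is."""
    scheme = "http"
    for hop in range(1, max_hops + 1):
        if app(forward(listeners[scheme], list(client_headers))) == "serve":
            return scheme, hop
        scheme = "https"
    return "loop", max_hops

# Constructed listener configs mirroring the directives quoted in the thread.
NAIVE = {"http": {}, "https": {"AddHeader": ["front-end-https: on"]}}
STRIPPED = {"http": {"HeadRemove": ["Front-End-Https"]},
            "https": {"HeadRemove": ["Front-End-Https"],
                      "AddHeader": ["front-end-https: on"]}}
FORGED = [("Front-End-Https", "on")]  # header supplied by the client itself

if __name__ == "__main__":
    print(browse(NAIVE, app_checks_port))
    print(browse(NAIVE, app_checks_header))
    print(browse(NAIVE, app_checks_header, FORGED))
    print(browse(STRIPPED, app_checks_header, FORGED))
```

With the header removed on every listener before the proxy adds its own, the marker the application sees can only have come from the HTTPS listener.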

Re: [Pound Mailing List] Problems with SSL
Robert Segall <roseg(at)apsis.ch>
2008-08-05 18:09:13

Disable your application redirection - after all the .Net application
will only receive requests on HTTP (from Pound).

Once you use an external application for SSL wrapping it doesn't make
much sense to have the internal server dealing with that.

Suggestion: use a proxy like tcpwatch between Pound and your server to
see what exactly happens.

Re: [Pound Mailing List] Problems with SSL
"william pink" <will.pink(at)gmail.com>
2008-08-05 21:52:11
Just to round this off, I got them to turn off the rewrite at the
application and voila, it works! Thanks for all your inputs.

Thank you for your suggestion of tcpwatch also, a very handy tool indeed!

Will


RE: [Pound Mailing List] Problems with SSL
"Oyesanya, Femi" <foyesanya(at)radiology.bsd.uchicago.edu>
2008-08-05 23:34:03
