Pound Mailing List Archive, 2009-10
Can't get X-SSL-cipher header
"Eric B." <ebenze(at)hotmail.com> | 2009-10-09 07:21:41
Hi,
According to the man pages and the web site, the X-SSL-cipher is added if
the client connects via HTTPS. However, my redirected requests don't seem
to contain any such headers even if the client is connecting via SSL.
Additionally, according to the website, it says the X-SSL-cipher is added if
the HTTPSHeaders is set. I didn't find anything such instructions in the
man pages, but tried adding it in anyhow. However, pound doesn't start up,
complaining that HTTPSHeaders 1 is an unknown directive.
Has anybody used these headers before? Am I doing something wrong trying to
get them added to my requests?
Thanks,
Eric
Re: [Pound Mailing List] Can't get X-SSL-cipher header
Mattias Berge <mattiasb(at)travellab.com> | 2009-10-09 09:11:41
Did you try 'AddHeader X-SSL-cipher'?
On Fri, Oct 9, 2009 at 7:21 AM, Eric B. <ebenze(at)hotmail.com> wrote:
[...]
[...]
Re: [Pound Mailing List] Can't get X-SSL-cipher header
"Eric B." <ebenze(at)hotmail.com> | 2009-10-09 17:45:17
I didn't understand that I needed to do that based on the man pages, so I
just tried it, but still get an unknown directive error:
[root(at)charliebrown ~]# /usr/sbin/pound
starting...
line 30: unknown directive "AddHeader X-SSL-cipher" - aborted
I tried both
AddHeader X-SSL-cipher
and
AddHeader "X-SSL-cipher"
in the config file, but neither seemed to work.
According to the man pages, the X-SSL* headers are supposed to be
automatically appended to the headers if it is an SSL request, but I can't
seem to get any such headers added.
Any ideas?
Thanks,
Eric
"Mattias Berge" <mattiasb(at)travellab.com> wrote in
message news:MailBoxer.1266.1255072798.69.pound(at)apsis.ch...[...][...][...]
Re: [Pound Mailing List] Can't get X-SSL-cipher header
Mattias Berge <mattiasb(at)travellab.com> | 2009-10-11 11:02:50
Is it in a ListenHTTP directive? About the X-SSL-cipher, it says "...if it
(the client) presents a client certificate Pound adds the following
headers.."
Post your config and pound version, you've probably added the AddHeader
incorrectly
On Fri, Oct 9, 2009 at 5:45 PM, Eric B. <ebenze(at)hotmail.com> wrote:
[...]
[...]
Re: [Pound Mailing List] Can't get X-SSL-cipher header
"Eric B." <ebenze(at)hotmail.com> | 2009-10-21 03:34:49
Hi Mattias,
Maybe I was misunderstanding the man page. I reread it, and indeed, I see
the statement that you wrote below.
But does that mean that if the certificate is on the server, there is no way
to determine which cipher the client used?
Furthermore, is there any way to get additional information in the
X-headers? It would be nice to have X-forwarded-proto for instance (ie: http
or https), cipher, cipher strength, the proxy's ip address itself.
Are additional headers such as those existent and/or configurable?
Thanks,
Eric
"Mattias Berge" <mattiasb(at)travellab.com> wrote in
message news:MailBoxer.1268.1255253133.1.pound(at)apsis.ch...[...][...][...]
Re: [Pound Mailing List] Can't get X-SSL-cipher header
Mattias Berge <mattiasb(at)travellab.com> | 2009-10-21 08:49:22
Hi Eric,
I was wrong, this is what I see on my backends:
X-SSL: yes
X-SSL-cipher: CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
X-Forwarded-For: 196.15.188.178
'X-SSL: yes' is a custom header I add in the ListenHTTPS, to tell the
backends that the protocol is HTTPS. You can do the same way in ListenHTTP.
The trick is to add an 'AddHeader "Your-Custom-Header: value"'. You probably
need to use "RewriteLocation 2" if you intend to identify the protocol by
the custom header, and do a redirect if protocol is not https.
I can give you an example if you like
You can also force the ciphers using "Ciphers" directive, see the man page
for more information
On Wed, Oct 21, 2009 at 3:34 AM, Eric B. <ebenze(at)hotmail.com> wrote:
[...]
[...]
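The following is an added example and not code from this thread or from Pound itself. It shows how a backend behind Pound could consume the headers Mattias describes: a custom X-Forwarded-Proto header added with AddHeader on each listener to tell HTTP from HTTPS, and the X-SSL-cipher header, parsed in the format of the sample value he posted (name, protocol, then Kx/Au/Enc/Mac attributes). The header names, the trusted-proxy address list, the minimum key size and the sample values are assumptions; the point is that a backend should only believe these headers when the request actually arrived from the proxy, since anything that reaches the backend directly can set them freely.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample value, in the format of the X-SSL-cipher header shown in the thread.
SAMPLE_CIPHER_HEADER = "CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1"


@dataclass
class SslCipherInfo:
    name: str                                   # e.g. CAMELLIA256-SHA
    protocol: str                               # e.g. SSLv3, TLSv1
    attrs: Dict[str, str] = field(default_factory=dict)  # Kx, Au, Enc, Mac


def parse_ssl_cipher(value: str) -> SslCipherInfo:
    """Split an X-SSL-cipher value into cipher name, protocol and key=value attributes."""
    parts = value.split()
    if len(parts) < 2:
        raise ValueError(f"unexpected X-SSL-cipher value: {value!r}")
    attrs: Dict[str, str] = {}
    for token in parts[2:]:
        if "=" in token:
            key, val = token.split("=", 1)
            attrs[key] = val
    return SslCipherInfo(name=parts[0], protocol=parts[1], attrs=attrs)


def enc_bits(info: SslCipherInfo) -> Optional[int]:
    """Symmetric key size taken from the Enc attribute: 0 for Enc=None, None if unparseable."""
    enc = info.attrs.get("Enc", "")
    if enc.lower() == "none":
        return 0
    match = re.search(r"\((\d+)\)", enc)
    return int(match.group(1)) if match else None


def classify_request(headers: Dict[str, str], remote_addr: str,
                     trusted_proxies: Set[str], min_bits: int = 128) -> dict:
    """Decide what the backend should do with a request, based on proxy-added headers.

    Header names are matched case-insensitively (Eric's config writes
    "X-forwarded-proto", Pound emits "X-SSL-cipher"). Only requests that arrive
    from a known proxy address are trusted; anything else is rejected because
    a direct client could have forged the same headers.
    """
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    result = {"trusted": remote_addr in trusted_proxies, "scheme": None,
              "cipher": None, "bits": None, "action": None}
    if not result["trusted"]:
        result["action"] = "reject_untrusted"
        return result

    # The listener-specific AddHeader tells us which listener the request came through.
    result["scheme"] = normalized.get("x-forwarded-proto", "http").lower()
    if result["scheme"] != "https":
        result["action"] = "redirect_https"
        return result

    # Per Robert's reply, Pound adds X-SSL-cipher for any encrypted (non-NULL) HTTPS
    # session, so an HTTPS request without it deserves a closer look.
    raw = normalized.get("x-ssl-cipher")
    if raw is None:
        result["action"] = "reject_no_cipher"
        return result

    info = parse_ssl_cipher(raw)
    result["cipher"] = info
    result["bits"] = enc_bits(info)
    strong_enough = result["bits"] is not None and result["bits"] >= min_bits
    result["action"] = "ok" if strong_enough else "reject_weak_cipher"
    return result


if __name__ == "__main__":
    proxies = {"10.0.0.5"}  # assumed address of the Pound host
    for label, hdrs, addr in [
        ("https via proxy", {"X-Forwarded-Proto": "https", "X-SSL-cipher": SAMPLE_CIPHER_HEADER}, "10.0.0.5"),
        ("http via proxy", {"X-forwarded-proto": "http"}, "10.0.0.5"),
        ("direct client", {"X-Forwarded-Proto": "https", "X-SSL-cipher": SAMPLE_CIPHER_HEADER}, "203.0.113.9"),
    ]:
        print(label, "->", classify_request(hdrs, addr, proxies)["action"])
```

With the sample header the HTTPS request is accepted with a 256-bit cipher reported, the plain-HTTP request is flagged for redirection to HTTPS, and the same headers presented from an address that is not the proxy are rejected outright.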
Re: [Pound Mailing List] Can't get X-SSL-cipher header
"Eric B." <ebenze(at)hotmail.com> | 2009-10-21 18:53:22
Hi Mattias,
Thanks for the tip. As per your suggestion, I added in AddHeader directive
into my ListenHTTP and ListenHTTPS listeners and now can determine which
request(s) were HTTP originated and which were https.
I also looked at the RewriteLocation definition in the man pages, but really
can't understand what it means. I must have reread it a dozen times but
still don't understand it.
I am also seemingly completely incapable of getting the X-SSL-cipher headers
to be displayed. For a server where the certificate is server based, is
there no way to get that information out?
My Listeners are defined as follows:
######################################################################
## Listeners
ListenHTTP
Address charliebrown.domain.com
Port 80
xHTTP 0
AddHeader "X-forwarded-proto:http"
End
ListenHTTPS
Address charliebrown.domain.com
Port 443
Cert "/etc/pound/wildcard.domain.com.pem"
AddHeader "X-forwarded-proto:https"
End
I have tried adding an AddHeader: X-ssl-cipher in the ListenHTTPS listener
but to no avail.
Any suggestions what/where that belongs? Do you have a sample config file
that you can share that does produce it?
I am running pound 2.4.3.
Thanks,
Eric
"Mattias Berge" <mattiasb(at)travellab.com> wrote in
message news:MailBoxer.1287.1256108521.56.pound(at)apsis.ch...[...][...][...]
Re: [Pound Mailing List] Can't get X-SSL-cipher header
Robert Segall <roseg(at)apsis.ch> | 2009-10-23 17:49:20
On Wed, 2009-10-21 at 12:53 -0400, Eric B. wrote:[...]
You don't need to do anything - if it is an HTTPS connection and it uses
some encryption (not the NULL cypher) then Pound will show the
X-SSL-Cyphers.[...]