Pound Mailing List Archive, 2010-01


Re: [Pound Mailing List] Can't read BIO_f_base64
Robert Segall <roseg(at)apsis.ch>
2010-01-04 17:29:45
On Mon, 2009-12-14 at 10:37 -0500, (private) HKS wrote:[...]

I can't really imagine what the problem could be, unless you have
something strange in your libraries. Anybody else seen this?[...]

Re: [Pound Mailing List] User defined HTTP methods
Robert Segall <roseg(at)apsis.ch>
2010-01-04 17:31:03
On Thu, 2009-12-10 at 16:51 +0100, Tobias Tom wrote:[...]

The reasons are HTTP standard compliance and security. No really easy
way to disable it - Pound wouldn't know how to deal with the headers.[...]

Re: [Pound Mailing List] DynScale usage?
Robert Segall <roseg(at)apsis.ch>
2010-01-04 17:31:59
On Thu, 2009-12-10 at 11:47 +0100, Mattias Berge wrote:[...]

DynScale takes into account throughput rather than initial connect.[...]

Re: [Pound Mailing List] Can't read BIO_f_base64
"(private) HKS" <hks.private(at)gmail.com>
2010-01-06 23:38:03
FWIW, this is running on OpenBSD 4.4. It will be upgraded to 4.6 in
the coming weeks, and I'll let you know if the error persists.

-HKS

On Mon, Jan 4, 2010 at 11:29 AM, Robert Segall <roseg(at)apsis.ch>
wrote:[...][...][...]

Re: [Pound Mailing List] User defined HTTP methods
Tobias Tom <tobiastom(at)gmail.com>
2010-01-07 17:49:14
Hey Robert,

2010/1/4 Robert Segall <roseg(at)apsis.ch>:
[...]
[...]

The standard explicitly defines an "extension-method" for the method
[1], which can be a TOKEN, which can be a user defined string [2]. So
standard compliance should be to allow user defined methods, otherwise
I would not even have requested this change.

I can understand your argument about security in a limited way. Still,
HTTP methods, which match the standard, do not do any more harm than
performing actions on resources. If there are methods allowed on the
server which shouldn't be, the problem is configured on the server and
pound should not try to solve this issue.

Your website says »The Pound program is a reverse proxy, load balancer
and HTTPS front-end for Web server(s).«, so I assumed you just send
requests (as they are) to the correct server.

Don't get me wrong, I really like pound. It does a fantastic job and
still I'm trying to give you my point of view here. I'm not even
requesting to change the default behavior – I really think it's good
as it is.
Still I would like to have the freedom to send (valid) HTTP methods of
any kind to the server. So my only request here is to add an
additional option (or use xHTTP with a special value) to pass through
any (valid) HTTP method.

Thanks for listening.
Tobias

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2

Re: [Pound Mailing List] Help Please
Dave Steinberg <dave(at)redterror.net>
2010-01-19 16:23:10
> 1                     Can pound fill this need ?

Yup!
[...]

Nope.  This is a pretty straightforward setup.  Normally I don't advise 
people doing things above their pay grade especially if the consequences 
are that your customers' sites are busted and they are going to get 
pissed, but it sounds like you don't really have that freedom.
[...]

Sounds like you've got an outline of how to do it already.  Personally I 
would put your pound server in the new datacenter, test it, and then 
update your client's DNS to point to the pound server ahead of the 
larger move.

But that's just me.  You could set it up in the old datacenter and 
handle the IP-level migration later on when you're better established in 
the new datacenter.  No real difference at the end of the day.

Good luck!

Regards,[...]

RE: [Pound Mailing List] Help Please
"Paul Farrar" <paul.farrar(at)stepstone.com>
2010-01-19 16:44:26
Hi Dave

Thanks for replying.

I have actually made some good progress since I posted my mail.

You are correct; I do not have the luxury of doing it the sensible way. The
whole point of this is the first time we moved just 2 servers despite giving
our clients loads of warnings and information about the change and the move,
when push came to shove they failed. The next day the help desk was flooded
with calls like "the web server is down" etc..... This time we are moving 6
servers 1

Some clients made the changes OK and worked happily, most did not. In an effort
to give them more time for the respective IT department (quite a few are 3rd
party support so no internal IT know-how) we have gone down this route.

I now have my Linux box listening on several internal IP addresses and passing
the HTTP requests to a Windows IIS server in the new data centre on a number of
external IP addresses each with a holding page to mimic the respective web
sites.

I am in truth a bit chuffed that I sorted that bit.

I am now trying to get the certificate bit sorted so I can do HTTPS. Any tips
on this would be great. I have worked out I will have to convert the Windows
cert to a Linux one (using pkcs12 ?) and I am just playing with that.

Many thanks again


Paul Farrar
Operations Engineer 
Tel:       +44 (0) 1582816483
Mobile:  +44 (0) 7841167934
Email:   paul.farrar(at)stepstone.com
http://www.stepstone.com 
StepStone Solutions (UK) Limited 
475 The Boulevard
Capability Green
Luton
LU1 3LU
England 
Registered in England and Wales



Re: [Pound Mailing List] Help Please
Dave Steinberg <dave(at)redterror.net>
2010-01-19 16:58:24
> Some clients made the changes OK and worked happily, most did not. In[...]

Always a fun situation to be in.  :-/
[...]

Good stuff!
[...]

One thing to keep in mind is that pound does HTTPS offloading, which may 
be different than what you've got now.  That means pound speaks https to 
the browser, but only HTTP to the backend webserver (unless you go 
through some gymnastics).  Converting the cert should just be a matter 
of using the appropriate openssl commands, but I'm not familiar with the 
details of pkcs12 certs.  Google surely can help there.

One note on pound's certs.  They need to be in PEM format, so:

== rsa private key, ideally w/o a passphrase ==
== site certificate ==
== intermediate certs, if any ==

Regards,[...]
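
Added example, not part of the thread or of the Pound project: one way to do the pkcs12-to-PEM conversion discussed above, assemble the file in the order listed (key, site certificate, intermediates), and check that the key really belongs to the certificate. The function names, file names, the `P12_PASS` variable and the self-signed test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: PKCS#12 export -> single PEM file in the order Pound expects.
# File names, the P12_PASS variable and the test subject are assumptions.

# Constructed input: throwaway key + self-signed cert exported as $1/export.p12,
# standing in for a certificate exported from the Windows server.
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout pass:constructed-pass -out "$1/export.p12"
}

# p12_to_pound_pem P12 OUT: the import password is read from $P12_PASS so it
# never appears in the process list.
p12_to_pound_pem() {
    p12=$1; out=$2
    tmp=$(mktemp -d) || return 1
    (
        umask 077    # the key is written unencrypted: owner-only files
        # 1. private key, without passphrase and without "Bag Attributes" text
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes |
            openssl pkey -out "$tmp/key.pem" &&
        # 2. the site (leaf) certificate
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys |
            openssl x509 -out "$tmp/site.pem" &&
        # 3. intermediate / CA certificates, if the export contains any
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys |
            sed -n '/-----BEGIN/,/-----END/p' > "$tmp/chain.pem" &&
        cat "$tmp/key.pem" "$tmp/site.pem" "$tmp/chain.pem" > "$out"
    )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# check_pound_pem FILE: succeeds only if the first PEM block is an unencrypted
# private key and that key matches the first certificate in the file.
check_pound_pem() {
    first=$(sed -n '/-----BEGIN/{p;q;}' "$1")
    case $first in
        *ENCRYPTED*) return 1 ;;
        *"PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}
```

Run `check_pound_pem` on the finished file before pointing the `Cert` directive at it; a key that does not match the certificate, or a certificate placed ahead of the key, is caught here.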

RE: [Pound Mailing List] Help Please
"John Folkers" <JFolkers(at)ugi.com>
2010-01-19 17:08:15
Paul,
 
This is what I used.
 
To test with a self-signed X.509 cert:
openssl req -x509 -newkey rsa:2048 -keyout allugi.pem -out allugi.pem -days 365 -nodes
 
When done testing, then for the real deal:
Make a CSR
openssl req -newkey rsa:2048 -out allugicsr.pem -keyout privkey.pem
then, remove the passphrase from your private key file
openssl rsa -in privkey.pem -out privatekey.pem
 
then combine them all into one final cert file:
 
cat privatekey.pem wildcardcert.crt intermediatecert.pem rootcacert.pem[...]
 
 
I got https working in 15 minutes using the method above, which I got
from here:
 
http://www.apsis.ch/pound/pound_list/archive/2008/2008-05/1212145288000

 
 
Cheers,
John
 
 
John Folkers, CCNP, NCTS
Sr. Network Architect
UGI Utilities, Inc.
225 Morgantown Road
Reading, PA 19612-3009
610.736.5413


--
To unsubscribe send an email with subject unsubscribe to
pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.


Re: [Pound Mailing List] Help Please
Albert <pound(at)alacra.com>
2010-01-19 18:00:46
[...]
The latest version of pound does support HTTPS protocol with backend 
webservers.  Granted the version is still labeled experimental, but 
we've been running it in production (with HTTPS to backend) for a month 
now, with no problems (we're running version 2.5d, earlier versions of 
2.5 branch had a bug).

RE: [Pound Mailing List] Help Please
"Paul Farrar" <paul.farrar(at)stepstone.com>
2010-01-19 18:24:16
Thanks for that info, I may have to use it. As a quick extra question just how
can you tell what version of pound you have ?

Paul Farrar

Re: [Pound Mailing List] Help Please
Albert <pound(at)alacra.com>
2010-01-19 18:33:03
pound -V

Paul Farrar wrote:[...][...][...]

RE: [Pound Mailing List] Help Please
"Paul Farrar" <paul.farrar(at)stepstone.com>
2010-01-20 10:43:08
Albert

Thanks for the version Tip.

Without giving away any confidential info, is there any way you could just send
an example of your HTTPS entries in your conf file.

If I had more time I would try to figure it out but the clock is ticking and I
am close but not close enough for testing and sign off before we do the move.

Many thanks again 

Paul


Re: [Pound Mailing List] Help Please
Albert <pound(at)alacra.com>
2010-01-20 20:27:15
I'm not sure which example you're referring to (there are incoming HTTPS 
directives via ListenHTTPS, and connecting to backend via HTTPS).  I'll 
give both examples:

#Listen to incoming HTTP requests on port 80
ListenHTTP
        Address         10.0.0.1
        Port               80
End

#Listen to incoming HTTPS requests on port 443
ListenHTTPS
        Address         10.0.0.1
        Port               443
        xHTTP           1
        Cert              "permfile.pem"
End

Service
        BackEnd
                Address 192.168.0.1
                Port    443
                HTTPS
        End
End

#------------- end of example
Couple of notes:
1. In this specific example, all incoming HTTP & HTTPS requests will be 
passed over to the backend over HTTPS.
2. You can put the "Service" inside ListenHTTPS, if you wanted to talk 
HTTPS to backend only on secure requests.
3. The backend doesn't need a third-party certificate, as pound will 
make a connection with backend with a self-signed cert.


Paul Farrar wrote:[...][...][...]

Re: [Pound Mailing List] Best Distro to try
"John Folkers" <JFolkers(at)ugi.com>
2010-01-27 16:04:40
I used 64bit ubuntu 9.10 Karmic Koala released October 2009 and
supported until April 2011.
 
John
 
 


>>> On 1/27/2010 at  9:46 am, in message
<MailBoxer.1416.1264603564.09.pound(at)apsis.ch>, "Maze, Jeffrey S."
<JMaze(at)CO.GEAUGA.OH.US> wrote:
Hello,
I was wondering what distro most people are using.  Which seems
to be the most secure and easiest to setup pound "out of the box"?
Thanks.. -Jeff


Re: [Pound Mailing List] Best Distro to try
Dave Steinberg <dave(at)redterror.net>
2010-01-27 16:11:30
Maze, Jeffrey S. wrote:[...]

OpenBSD.  :)

Regards,[...]

RE: [Pound Mailing List] Best Distro to try
"Maze, Jeffrey S." <JMaze(at)CO.GEAUGA.OH.US>
2010-01-27 16:35:32
I tried oBSD 4.5 (if I remember correctly) and couldn't get things
working properly.  Sadly, I spent almost 3 weeks trying to get it
working and it wouldn't for me; trying to get pound connected to
external IP cameras and display their video images, etc.  I then tried
ISA server and had things working properly in about 2 hours.  :(

Did you follow a guide or anything similar to get it configured and
working properly?

Thanks..


Re: [Pound Mailing List] Best Distro to try
Dave Steinberg <dave(at)redterror.net>
2010-01-27 16:44:43
Maze, Jeffrey S. wrote:[...]

Marc Balmer wrote a short guide on getting a threaded openssl going. 
From that I wrote my own port (port as in, the OpenBSD ports 
collection) to make maintenance easy.  It's been pretty much hassle free 
from there, but I'm not using IP cameras.

http://azbsd.org/~marco/openbsd/pound/

The bottom part with the pound config is old, the part about building 
OpenSSL is the interesting part of that page.

Regards,[...]

RE: [Pound Mailing List] Best Distro to try
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2010-01-27 17:09:21
CentOS with the Google regex library wasn't too bad to set up.


Alfonso Espitia, Senior Web Developer
direct 919.657.6933 | e-mail aespitia(at)castleworldwide.com
Castle Worldwide, Inc. | 900 Perimeter Park Drive, Suite G |
Morrisville, NC 27560 USA
www.castleworldwide.com | main 919.572.6880 | fax 919.361.2426


Re: [Pound Mailing List] Best Distro to try
Emilio Campos <emilio.campos.martin(at)gmail.com>
2010-01-30 16:33:56
I'm using Red Hat Enterprise Linux 5.2 kernel 2.6 with http and https
Listeners in Pound and it is ok.

I configured in the past Pound v1 with Debian 3 and https Listeners and good
results

I used to select my favorite distro for configuring pound, now the company
demands Red Hat.. :(

Regards.

2010/1/27 Alfonso Espitia <aespitia(at)castleworldwide.com>
[...]
