Re: [Pound Mailing List] Chain Certificate
Dave Steinberg <dave(at)redterror.net>
2010-02-03 14:44:26

On 2/3/2010 8:33 AM, Farhan Ahmed wrote:
> I have installed a new entrust SSL certificate for a site. It looks
> like that the root certificate is now present in all the browsers and
> I need to install the Chain certificate for it. I am using the
> following but it seems like the users are still getting prompted for
> the untrusted certificate.
>
> Cert "/usr/local/openssl/certificate.cert.pem"
> CAlist "/usr/local/openssl/ca.crt"
I think CAlist isn't what you need, just use the cert directive, and
'cat' the intermediate cert onto your own. So:
$ cat foo.key foo.crt intermediate.cert > foo.pem
That's all there is to it.
--
Dave Steinberg

Re: [Pound Mailing List] Chain Certificate
"Brian Mastrobuono" <brianm(at)winkflash.com>
2010-02-03 15:11:30

----- Original Message -----
From: "Farhan Ahmed" <farhan.mobin(at)gmail.com>
To: <pound(at)apsis.ch>
Sent: Wednesday, February 03, 2010 8:33 AM
Subject: [Pound Mailing List] Chain Certificate
>I have installed a new entrust SSL certificate for a site. It looks
> like that the root certificate is now present in all the browsers and
> I need to install the Chain certificate for it. I am using the
> following but it seems like the users are still getting prompted for
> the untrusted certificate.
>
> Cert "/usr/local/openssl/certificate.cert.pem"
> CAlist "/usr/local/openssl/ca.crt"
I had to install a new chained cert recently and I had to have them in this
order for it to work, other orders did not work:
-----BEGIN PRIVATE KEY-----
Server key (pasted in the new key here)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----
>
>
> Thanks,
> Farhan
>
> --
> To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
>
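
The file layout from the two replies above, as an added example in C (not code from the thread or from Pound): `check_bundle` is a hypothetical helper that checks the block order Brian reports (key, server certificate, intermediate CA, root CA) and flags a file that carries no intermediate. It checks layout only, does not parse certificates or verify signatures, and the sample bundles are constructed placeholders.

```c
/* Added example: layout check for the single PEM file named by Pound's
 * Cert directive. check_bundle() and the samples are hypothetical. */
#include <stdio.h>
#include <string.h>

enum bundle_status {
    BUNDLE_OK = 0,
    BUNDLE_KEY_NOT_FIRST,  /* empty file, or first block is not a private key */
    BUNDLE_EXTRA_KEY,      /* a private key appears after the first block */
    BUNDLE_BAD_BLOCK,      /* unknown label, or BEGIN without its matching END */
    BUNDLE_NO_CHAIN        /* fewer than two certificates: no intermediate CA */
};

#define BEGIN_MARK "-----BEGIN "

enum bundle_status check_bundle(const char *pem, int *n_certs)
{
    const char *p = pem;
    int blocks = 0;

    *n_certs = 0;
    while ((p = strstr(p, BEGIN_MARK)) != NULL) {
        const char *label = p + strlen(BEGIN_MARK);
        const char *dash = strstr(label, "-----");
        char end[96];
        size_t len;

        if (dash == NULL)
            return BUNDLE_BAD_BLOCK;
        len = (size_t)(dash - label);
        if (len == 0 || len > 64)
            return BUNDLE_BAD_BLOCK;
        snprintf(end, sizeof end, "-----END %.*s-----", (int)len, label);

        /* The matching END line must come before any further BEGIN line. */
        const char *stop = strstr(dash, end);
        const char *next = strstr(dash, BEGIN_MARK);
        if (stop == NULL || (next != NULL && next < stop))
            return BUNDLE_BAD_BLOCK;

        /* Accept "CERTIFICATE" and any "... PRIVATE KEY" label. */
        int is_cert = len == 11 && memcmp(label, "CERTIFICATE", 11) == 0;
        int is_key = len >= 11 &&
                     memcmp(label + len - 11, "PRIVATE KEY", 11) == 0;
        if (!is_cert && !is_key)
            return BUNDLE_BAD_BLOCK;
        if (blocks == 0 && !is_key)
            return BUNDLE_KEY_NOT_FIRST;
        if (blocks > 0 && is_key)
            return BUNDLE_EXTRA_KEY;
        if (is_cert)
            (*n_certs)++;
        blocks++;
        p = stop + strlen(end);
    }
    if (blocks == 0)
        return BUNDLE_KEY_NOT_FIRST;
    return *n_certs < 2 ? BUNDLE_NO_CHAIN : BUNDLE_OK;
}

/* Constructed placeholder blocks; the bodies are not real key material. */
#define KEY_BLK "-----BEGIN PRIVATE KEY-----\n(server key)\n-----END PRIVATE KEY-----\n"
#define CERT_BLK(x) "-----BEGIN CERTIFICATE-----\n" x "\n-----END CERTIFICATE-----\n"

static const char GOOD_BUNDLE[] =
    KEY_BLK CERT_BLK("(server certificate)")
    CERT_BLK("(intermediate CA)") CERT_BLK("(root CA)");
/* Server certificate only, intermediate kept in a separate file. */
static const char LEAF_ONLY[] = KEY_BLK CERT_BLK("(server certificate)");
static const char CERT_FIRST[] =
    CERT_BLK("(server certificate)") KEY_BLK CERT_BLK("(intermediate CA)");
static const char TRUNCATED[] =
    KEY_BLK "-----BEGIN CERTIFICATE-----\n(server certificate)\n";

int main(void)
{
    const char *names[] = { "ok", "key not first", "extra key",
                            "bad block", "no chain" };
    const char *samples[] = { GOOD_BUNDLE, LEAF_ONLY, CERT_FIRST, TRUNCATED };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n;
        enum bundle_status st = check_bundle(samples[i], &n);
        printf("sample %zu: %s (%d certificates)\n", i, names[st], n);
    }
    return 0;
}
```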

Re: [Pound Mailing List] Chain Certificate
Farhan Ahmed <farhan.mobin(at)gmail.com>
2010-02-03 17:05:20

Thanks
Sent from my iPhone

Re: [Pound Mailing List] Chain Certificate
Farhan Ahmed <farhan.mobin(at)gmail.com>
2010-02-03 17:06:07

Thanks Brian. It worked for me.
Farhan
Sent from my iPhone

Re: [Pound Mailing List] Info on source ip hashing mechanism
Raj Ganguly <rajugkgp(at)gmail.com>
2010-02-05 05:37:33

Hi All,
Can anybody please help me understand the logic of source IP hashing
followed in Pound? From the documentation it is not clear to me, and I am
a newbie to the C language.
Thanks in advance.
-Raj.
On Thu, Jan 28, 2010 at 6:57 PM, Dave Steinberg <dave(at)redterror.net> wrote:
> Raj Ganguly wrote:
>
>> Hi All,
>> I am sorry to resend it again as it was not present in the archive. Presume
>> it didn't go to the correct distro earlier.
>>
>> I am attaching the configuration below and somewhat it looks to be
>> working. But it is not clear how the backends are selected. I have two
>> IP addresses ending with even and odd numbers, but it still gets routed to
>> the same backend.
>>
>
> Try reading pound's source code. It reads pretty easily as far as C goes.
>
>
>> Also is it possible to have infinite TTL value and what would be its impact?
>>
>
> I don't believe this is possible. Just set it to some very high number and
> move on with life.
>
> Regards,
> --
> Dave Steinberg
> http://www.geekisp.com/
> http://www.steinbergcomputing.com/

Re: [Pound Mailing List] patch for telling users about https
Peter van Dijk <peter(at)openpanel.com>
2010-02-05 15:35:50

On Feb 2, 2010, at 23:31 , Joe Gooch wrote:
> You set errnossl in parseHTTP but not parseHTTPS... Which means it throws
> signal 11's unless the user provides an ErrNoSsl option in the config file.
>
> I copied your initialization line from parseHTTP to parseHTTPS and it worked
> beautifully!

This turned out to be a diffutils issue, not an error in my code :)

Cheers, Peter

Re: [Pound Mailing List] Patches/Goodies
Robert Segall <roseg(at)apsis.ch>
2010-02-11 17:28:43

On Tue, 2010-02-02 at 22:53 +0000, Joe Gooch wrote:
> It's that time again... Pound 2.5 is out, and I need to look at the current
> version of Pound and see what I can do to make it work better in my
> environment. As such, I've done a couple patches for Pound 2.5 which others
> may benefit from.
>
> They're hosted at http://users.k12system.com/mrwizard/pound/pound25.html
>
> So far we have:
> 1) Case Insensitive URL and CheckURL matching through an additional
> directive, URLNoCase and CheckURLNoCase... I know, we have IgnoreCase now...
> But it doesn't work on CheckURL (within listeners) and I like the NoCase
> versions I introduced in my 2.4 line better.
> 2) Enhanced Force HTTP/1.0 handling - based on User Agent. Also provides
> SSLUncleanShutdown matching against user agent. (port of my 2.4 patch)
> 3) IncludeDir Directive - Support inclusion of directories of cfg files.
> (i.e. conf.d/) Pound 2.5 now supports Include natively, but this allows for
> directory-based includes.
> 5) Linux Capabilities Support - I think I'm the only one who uses this. But
> it's a port of the 2.2 patch I did.
> 6) Control Socket permissions/ownership directives - Ability to set user,
> group and mode on the control socket when it's created (ported from my 2.2
> patch)
>
> Feel free to try them out, test, etc. I use them. Other than that I take no
> responsibility for them. I mean, they should work. But I'm not liable. :)
>
> Joe Gooch

Thanks Joe. Would it be OK to put the link on the Pound page?
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19

Re: [Pound Mailing List] Disabling a Backend w/ PoundCtl
Robert Segall <roseg(at)apsis.ch>
2010-02-11 17:32:09

On Tue, 2010-02-02 at 21:54 +0000, Joe Gooch wrote:
> When you disable a backend, it can still receive requests that are already
> "stuck" to the backend. Which is fine, that's what I would prefer as well.
>
> However, the comment in svc.c is wrong, around line 572:
> disable_only == 1: mark as disabled, remove sessions
>
> Since it does not remove sessions.

Correct. We'll fix that in the next release.

> In addition, the get_backend call does not do the right thing if all backends
> are dead or disabled. Because the tot_pri of the service is <=0, it always
> returns svc->emergency. Which is fine, UNLESS one of the backends is disabled,
> and a session exists for that connection. In that case, it should return the
> disabled backend.

I don't think that's right. Disabled is disabled.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19

RE: [Pound Mailing List] Disabling a Backend w/ PoundCtl
Joe Gooch <mrwizard(at)k12system.com>
2010-02-11 21:29:15

> -----Original Message-----
> From: Robert Segall [mailto:roseg(at)apsis.ch]
> Sent: Thursday, February 11, 2010 11:32 AM
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] Disabling a Backend w/ PoundCtl
>
> On Tue, 2010-02-02 at 21:54 +0000, Joe Gooch wrote:
> > When you disable a backend, it can still receive requests that are
> > already "stuck" to the backend. Which is fine, that's what I would
> > prefer as well.
> >
> > However, the comment in svc.c is wrong, around line 572:
> > disable_only == 1: mark as disabled, remove sessions
> >
> > Since it does not remove sessions.
>
> Correct. We'll fix that in the next release.
>
> > In addition, the get_backend call does not do the right thing if all
> > backends are dead or disabled. Because the tot_pri of the service is
> > <=0, it always returns svc->emergency. Which is fine, UNLESS one of
> > the backends is disabled, and a session exists for that connection. In
> > that case, it should return the disabled backend.
>
> I don't think that's right. Disabled is disabled.

In this case, disabled is not disabled. :)
Use case 1) 2 Backends, 1 of which is Disabled
Tot_pri is >0
Sessions are consulted
All new requests (session cache misses) are sent to the active backend.
All requests that match a session to the disabled backend are still sent to the
disabled backend.
(hence, disabled is not disabled, it just means it isn't receiving NEW
sessions)
Use case 2) 2 Backends, Both are disabled
Tot_pri = 0
Sessions are NOT consulted. get_backend ALWAYS returns svc->emergency.
Existing sessions are NOT sent to their "stuck" backend. This is inconsistent
with case 1.
Expected behavior:
Sessions are consulted
All new requests (session cache misses) are sent to the svc->emergency backend.
All requests that match a session are still sent to their appropriate disabled
backend.
The existing code is only correct when sessions are not used. Unless my
expected behavior is not the intended behavior, in which case, use case 1 is,
at best, inconsistent.
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540
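
A small C model of the two use cases in the message above, added here as an illustration and not taken from Pound's svc.c: only `get_backend`, `tot_pri` and `emergency` are names from the thread, while the structs, the session table and the `_reported`/`_expected` variants are assumptions. It also assumes a session that points at a dead backend is not honoured.

```c
/* Added example: model of the backend selection discussed in this thread.
 * Hypothetical types and helpers; this is not Pound's source. */
#include <stdio.h>
#include <string.h>

#define MAX_BE   4
#define MAX_SESS 8

typedef struct { const char *name; int pri; int alive; int disabled; } backend;
typedef struct { const char *key; backend *be; } session;
typedef struct {
    backend be[MAX_BE];     int n_be;
    session sess[MAX_SESS]; int n_sess;
    backend emergency;
    int tot_pri;            /* sum of priorities of alive, enabled backends */
} service;

static void recompute(service *s)
{
    s->tot_pri = 0;
    for (int i = 0; i < s->n_be; i++)
        if (s->be[i].alive && !s->be[i].disabled)
            s->tot_pri += s->be[i].pri;
}

static backend *sess_find(service *s, const char *key)
{
    for (int i = 0; i < s->n_sess; i++)
        if (strcmp(s->sess[i].key, key) == 0)
            return s->sess[i].be;
    return NULL;
}

static void sess_set(service *s, const char *key, backend *be)
{
    for (int i = 0; i < s->n_sess; i++)
        if (strcmp(s->sess[i].key, key) == 0) { s->sess[i].be = be; return; }
    if (s->n_sess < MAX_SESS) {
        s->sess[s->n_sess].key = key;
        s->sess[s->n_sess].be = be;
        s->n_sess++;
    }
}

/* Weighted pick among usable backends; caller guarantees tot_pri > 0. */
static backend *pick_new(service *s, const char *key)
{
    unsigned h = 5381;
    while (*key) h = h * 33 + (unsigned char)*key++;
    int slot = (int)(h % (unsigned)s->tot_pri);
    for (int i = 0; i < s->n_be; i++) {
        backend *b = &s->be[i];
        if (!b->alive || b->disabled) continue;
        if (slot < b->pri) return b;
        slot -= b->pri;
    }
    return &s->emergency;
}

/* Behaviour as reported: tot_pri is tested before the session table. */
backend *get_backend_reported(service *s, const char *key)
{
    if (s->tot_pri <= 0) return &s->emergency;
    backend *b = sess_find(s, key);
    if (b && b->alive) return b;      /* sticky, even when disabled */
    b = pick_new(s, key);
    sess_set(s, key, b);
    return b;
}

/* Behaviour Joe expects: sessions first, emergency only on a cache miss. */
backend *get_backend_expected(service *s, const char *key)
{
    backend *b = sess_find(s, key);
    if (b && b->alive) return b;
    if (s->tot_pri <= 0) return &s->emergency;
    b = pick_new(s, key);
    sess_set(s, key, b);
    return b;
}

/* Constructed scenario: backends A and B, B disabled, "alice" stuck to B. */
void demo_service(service *s, int disable_a)
{
    memset(s, 0, sizeof *s);
    s->be[0] = (backend){ "A", 5, 1, disable_a };
    s->be[1] = (backend){ "B", 5, 1, 1 };
    s->n_be = 2;
    s->emergency = (backend){ "emergency", 1, 1, 0 };
    sess_set(s, "alice", &s->be[1]);
    recompute(s);
}

int main(void)
{
    service s;
    demo_service(&s, 0);  /* use case 1 */
    printf("case 1: alice -> %s, bob -> %s\n",
           get_backend_reported(&s, "alice")->name,
           get_backend_reported(&s, "bob")->name);
    demo_service(&s, 1);  /* use case 2 */
    printf("case 2: alice -> %s (reported), %s (expected)\n",
           get_backend_reported(&s, "alice")->name,
           get_backend_expected(&s, "alice")->name);
    return 0;
}
```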

RE: [Pound Mailing List] Patches/Goodies
Joe Gooch <mrwizard(at)k12system.com>
2010-02-11 21:30:15

Sure!
Thanks.
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

RE: [Pound Mailing List] Patches/Goodies
Joe Gooch <mrwizard(at)k12system.com>
2010-02-11 21:40:25

Let's try that again...
Sure!
Thanks.
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

RE: [Pound Mailing List] Disabling a Backend w/ PoundCtl
Joe Gooch <mrwizard(at)k12system.com>
2010-02-11 21:42:36

Hopefully this isn't garbled...
In this case, disabled is not disabled. :)
Use case 1) 2 Backends, 1 of which is Disabled
Tot_pri is >0
Sessions are consulted
All new requests (session cache misses) are sent to the active backend.
All requests that match a session to the disabled backend are still sent to the
disabled backend.
(hence, disabled is not disabled, it just means it isn't receiving NEW
sessions)
Use case 2) 2 Backends, Both are disabled
Tot_pri = 0
Sessions are NOT consulted. get_backend ALWAYS returns svc->emergency.
Existing sessions are NOT sent to their "stuck" backend. This is inconsistent
with case 1.
Expected behavior:
Sessions are consulted
All new requests (session cache misses) are sent to the svc->emergency backend.
All requests that match a session are still sent to their appropriate disabled
backend.
The existing code is only correct when sessions are not used. Unless my
expected behavior is not the intended behavior, in which case, use case 1 is,
at best, inconsistent.
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

RE: [Pound Mailing List] Patches/Goodies
Joe Gooch <mrwizard(at)k12system.com>
2010-02-12 22:28:44

Let's try that again...
Sure!
Thanks.
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

RE: [Pound Mailing List] Patches/Goodies
Joe Gooch <mrwizard(at)k12system.com>
2010-02-12 22:44:56

Forcing western European... hopefully outlook and the pound list won't choke on
this one.
A lot of effort to tell Rob that yes, he can post a link to my patches!
My apologies for the garbled messages, fellow netizens.
Joe

RE: [Pound Mailing List] Disabling a Backend w/ PoundCtl
Joe Gooch <mrwizard(at)k12system.com>
2010-02-12 22:46:50

Resend, ungarbled.
In this case, disabled is not disabled. :)
Use case 1) 2 Backends, 1 of which is Disabled
Tot_pri is >0
Sessions are consulted
All new requests (session cache misses) are sent to the active backend.
All requests that match a session to the disabled backend are still sent to the
disabled backend.
(hence, disabled is not disabled, it just means it isn't receiving NEW
sessions)
Use case 2) 2 Backends, Both are disabled
Tot_pri = 0
Sessions are NOT consulted. get_backend ALWAYS returns svc->emergency.
Existing sessions are NOT sent to their "stuck" backend. This is inconsistent
with case 1.
Expected behavior:
Sessions are consulted
All new requests (session cache misses) are sent to the svc->emergency backend.
All requests that match a session are still sent to their appropriate disabled
backend.
The existing code is only correct when sessions are not used. Unless my
expected behavior is not the intended behavior, in which case, use case 1 is,
at best, inconsistent.
Joe

Re: [Pound Mailing List] Can't read BIO_f_base64
"(private) HKS" <hks.private(at)gmail.com>
2010-02-15 16:08:22

Upgrading to OpenBSD 4.6 and Pound 2.5 has *not* changed this behavior.
-HKS
On Wed, Jan 6, 2010 at 5:38 PM, (private) HKS <hks.private(at)gmail.com> wrote:
> FWIW, this is running on OpenBSD 4.4. It will be upgraded to 4.6 in
> the coming weeks, and I'll let you know if the error persists.
>
> -HKS
>
> On Mon, Jan 4, 2010 at 11:29 AM, Robert Segall <roseg(at)apsis.ch> wrote:
>> On Mon, 2009-12-14 at 10:37 -0500, (private) HKS wrote:
>>> This message recently began appearing in my logs. It tends to come in
>>> clumps of 3-4 within a minute.
>>>
>>> pound: (7db89400) Can't read BIO_f_base64
>>>
>>> This message appears in the authorization-header-handling code if
>>> Pound can't read the username (or something - my C skills are very
>>> subpar). What generally causes this?
>>
>> I can't really imagine what the problem could be, unless you have
>> something strange in your libraries. Anybody else seen this?
>> --
>> Robert Segall
>> Apsis GmbH
>> Postfach, Uetikon am See, CH-8707
>> Tel: +41-44-920 4904

RE: [Pound Mailing List] Can't read BIO_f_base64
Joe Gooch <mrwizard(at)k12system.com>
2010-02-15 16:57:09

Please download and apply
http://users.k12system.com/mrwizard/pound/pound-2.5-base64.patch.bz2
NOTE: this will add additional log messages that will include user/password
information in your logs... but it'll also give you a better idea of what's
going on.
I've found a couple cases where this type of error occurs:
1) A browser or server putting the base64 value in ""
2) A browser URL escaping + and / characters as %2b and %2d
This patch takes care of the second... I ran into the first only when I changed
authentication to read a cookie, so it shouldn't be a problem for Auth Basic.
If it is, you'll see it in the logs.
Joe
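
An added C example (not the contents of the patch linked above, and not Pound code) of handling the two cases listed in this message: the hypothetical `basic_auth_user` strips surrounding quotes and undoes percent-escapes before a base64 decode, and `describe_token` builds a log line that describes the token's shape without including the user name or password. The header values are constructed.

```c
/* Added example, not the linked patch: tolerate a quoted or percent-escaped
 * Basic token, and report failures without logging credentials. */
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strip one pair of surrounding double quotes and undo %XX escapes.
 * Returns the new length, or -1 on a malformed escape or short buffer. */
int normalize_token(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;

    if (outlen == 0) return -1;
    if (n >= 2 && in[0] == '"' && in[n - 1] == '"') { in++; n -= 2; }
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (i + 2 >= n) return -1;
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Base64 decode: length must be a multiple of 4, '=' only at the very end.
 * Returns the decoded length, or -1. */
int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;

    if (n == 0 || n % 4 != 0) return -1;
    for (size_t i = 0; i < n; i += 4) {
        unsigned long w = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            int c = (unsigned char)in[i + j], v = b64val(c);
            if (c == '=' && i + 4 == n && j >= 2) { v = 0; pad++; }
            else if (pad || v < 0) return -1;
            w = (w << 6) | (unsigned long)v;
        }
        if (o + 3 - pad > outlen) return -1;
        for (int k = 0; k < 3 - pad; k++)
            out[o++] = (unsigned char)(w >> (16 - 8 * k));
    }
    return (int)o;
}

/* hdr is the Authorization header value. On success returns 0 and copies
 * out only the user name; the password stays in a local buffer. */
int basic_auth_user(const char *hdr, char *user, size_t ulen)
{
    char tok[256];
    unsigned char cred[192];
    int n;

    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    if (normalize_token(hdr + 6, tok, sizeof tok) < 0) return -1;
    if ((n = b64_decode(tok, cred, sizeof cred - 1)) < 0) return -1;
    cred[n] = '\0';
    char *colon = strchr((char *)cred, ':');
    if (colon == NULL || (size_t)(colon - (char *)cred) >= ulen) return -1;
    *colon = '\0';
    strcpy(user, (char *)cred);
    return 0;
}

/* Diagnostic for the log: shape of the token only, never its content. */
int describe_token(const char *tok, char *msg, size_t msglen)
{
    size_t n = strlen(tok);
    int quoted = n >= 2 && tok[0] == '"' && tok[n - 1] == '"';
    int esc = 0;

    for (size_t i = 0; i < n; i++) esc += tok[i] == '%';
    return snprintf(msg, msglen, "len=%zu quoted=%d escapes=%d", n, quoted, esc);
}

int main(void)
{
    /* Constructed values: "bob:x~yz?" encodes to a token with '+' and '/'. */
    const char *hdrs[] = { "Basic Ym9iOnh+eXo/", "Basic Ym9iOnh%2beXo%2f",
                           "Basic \"Ym9iOnh+eXo/\"", "Basic Ym9iOnh%2" };
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        char user[32], msg[64];
        describe_token(hdrs[i] + 6, msg, sizeof msg);
        if (basic_auth_user(hdrs[i], user, sizeof user) == 0)
            printf("ok   user=%s (%s)\n", user, msg);
        else
            printf("fail (%s)\n", msg);
    }
    return 0;
}
```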

RE: [Pound Mailing List] Can't read BIO_f_base64
Joe Gooch <mrwizard(at)k12system.com>
2010-02-15 17:07:23

Please download and apply
http://users.k12system.com/mrwizard/pound/pound-2.5-base64.patch.bz2
NOTE: this will add additional log messages that will include user/password
information in your logs... but it'll also give you a better idea of what's
going on.
I've found a couple cases where this type of error occurs:
1) A browser or server putting the base64 value in ""
2) A browser URL escaping + and / characters as %2b and %2d
This patch takes care of the second... I ran into the first only when I changed
authentication to read a cookie, so it shouldn't be a problem for Auth Basic.
If it is, you'll see it in the logs.
Joe

RE: [Pound Mailing List] rpl_malloc
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2010-02-18 23:21:36

Hello,
So I did the export:
export ac_cv_func_malloc_0_nonnull=yes
Then I did "make clean", "./configure", and "make clean" and then make.
Success:
gcc -pthread -o pound pound.o http.o config.o svc.o -lssl -lcrypto -lresolv
-ldl -lm -ltcmalloc
gcc -DF_CONF=\"/usr/local/etc/pound.cfg\" -DVERSION=\""2.5"\" -DC_SSL=\"""\"
-DC_T_RSA=\""0"\" -DC_MAXBUF=\""0"\" -DC_OWNER=\"""\" -DC_GROUP=\"""\"
-DC_SUPER=\""0"\" -DC_CERT1L=\"""\" -g -O2 -pthread -DUPER -DNEED_STACK
-DHAVE_SYSLOG_H=1 -pthread -D_REENTRANT -D_THREAD_SAFE -Wstrict-prototypes
-pipe -c -o poundctl.o poundctl.c
gcc -pthread -o poundctl poundctl.o -lssl -lcrypto -lresolv -ldl -lm
-ltcmalloc
Thanks!
-- jake
-----Original Message-----
From: Simon Matter [mailto:simon.matter(at)invoca.ch]
Sent: Wednesday, February 03, 2010 2:39 AM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] rpl_malloc
> Hello,
>
> I just installed an updated Centos 5 distro with the new google perftools
> (1.5) and PCRE and pound 2.5. Ran configure and make with pound. The make
> finished with a link error on rpl_malloc (undefined symbol). I commented
> out
> the re-def of malloc to rpl_malloc in the config.h generated by configure
> and make/make-install was successful.
>
> FYI.
>
> I did not use any special command line options. I did a
> configure/make/make-install on perftools and then did the pound build.
Interesting, I don't need anything special with google perftools 1.5 on
CentOS 5.4, but I need the following hack before the configure call on
CentOS 3.9 (on x86_64 only):
export ac_cv_func_malloc_0_nonnull=yes
Could you try this?
Regards,
Simon