Help - Pound not redirecting to backend servers
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-04-02 17:39:07
All,
 
I just can't seem to get my pound working. (Please see my pound.cfg below). 
When my users go to the "172.29.1.22" server, they receive this error
message: "The service is not available. Please try again later."
 
As you can see from my pound.cfg, it's supposed to redirect it to a url at
one of the two backend servers (which are Linux and have port 4443 for SSL.)

 
Any idea what I'm doing wrong here?
 
Thank you for any help you're willing to provide.
 
Anne
 
######################################################
ListenHTTP
    Address 172.29.1.222
    Port    80
    xHTTP   1
    HeadRemove "X-SSL-Request"
    HeadRemove "X-Forwarded-For"
    AddHeader  "X-SSL-Request: 1"
End
 
# redirect all requests for /forbidden

Service
  Url         "http://TTHR3.helpme.org"
  Redirect    "https://TTHR3.helpme.org/myapp"
End

# Catch-all server(s)
Service
    BackEnd
        Address  https://TTRH1.helpme.org:4443:/myapp
        Port 4443
    End
    BackEnd
        Address  https://TTRH2.helpme.org:4443/myapp
        Port 4443
    End
    Session
        Type    IP
        TTL     520
    End
End
###############################################################

Re: [Pound Mailing List] Help - Pound not redirecting to backend servers
Zack Steinkamp <zack_steinkamp(at)symantec.com>
2010-04-02 18:06:17
Put the Service blocks inside the ListenHTTP block.

-zs


On 4/2/10 8:39 AM, Anne Moore wrote:[...]

RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
Joe Gooch <mrwizard(at)k12system.com>
2010-04-02 19:18:00
1) If port 4443 is expecting SSL, you need to add HTTPS to your backends.
2) Backends are IPs, not URLs, and do not support paths at all (they're
passed through transparently).
3) URL matching in a service does not include the host, you'd need to use
HeadRequire for that.
4) You redirect to TTHR3 which I'm assuming is the load balancer, on SSL ports,
but the load balancer isn't listening on 443.

So you want something more like this.
######################################################
ListenHTTP
    Address 172.29.1.222
    Port    80
    xHTTP   1

    Service
      Url         ".*"
      Redirect    "https://TTHR3.helpme.org/myapp"
    End
End

ListenHTTPS
    Address 172.29.1.222
    Port    443
    xHTTP   1
    HeadRemove "X-SSL-Request"
    HeadRemove "X-Forwarded-For"
    AddHeader  "X-SSL-Request: 1"

    Cert "your_certificate_pem_file"


    # Catch-all server(s)
    Service
      BackEnd
          Address  TTRH1.helpme.org
          Port 4443
          HTTPS
      End
      BackEnd
          Address  TTRH2.helpme.org
          Port 4443
          HTTPS
      End
      Session
          Type    IP
          TTL     520
      End
    End
End 
###############################################################


Joe

[...]
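
Points 2 to 4 of the reply above, turned into a small checker and run over the first configuration in this thread. This is an added example, not part of the original messages and not a Pound tool; the name lint_pound and the shortened SAMPLE are constructed for illustration, and only the directives quoted in this thread are understood.

```python
import re

# Constructed sample: the first configuration posted in this thread,
# shortened, with the mail client's duplicated links collapsed.
SAMPLE = """\
ListenHTTP
    Address 172.29.1.222
    Port    80
End
Service
    Url      "http://TTHR3.helpme.org"
    Redirect "https://TTHR3.helpme.org/myapp"
End
Service
    BackEnd
        Address https://TTRH1.helpme.org:4443:/myapp
        Port 4443
    End
End
"""

BLOCKS = {"listenhttp", "listenhttps", "service", "backend", "session"}

def lint_pound(text):
    """Return (line_number, message) pairs for the mistakes listed above."""
    findings = []
    tls_listener = re.search(r"^\s*ListenHTTPS\b", text, re.I | re.M) is not None
    stack = []  # currently open blocks; each one is closed by "End"
    for number, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split(None, 1)  # drop comments
        if not words:
            continue
        key = words[0].lower()
        arg = words[1].strip().strip('"') if len(words) > 1 else ""
        inside = stack[-1] if stack else None
        if key in BLOCKS:
            stack.append(key)
        elif key == "end" and stack:
            stack.pop()
        elif key == "address" and inside == "backend" and "/" in arg:
            findings.append((number, "BackEnd Address takes a host or IP, not a URL or path"))
        elif key == "url" and re.match(r"https?://", arg, re.I):
            findings.append((number, "Url matches the request path only; use HeadRequire for the host"))
        # Only a problem if the redirect target is this balancer (point 4).
        elif key == "redirect" and arg.lower().startswith("https://") and not tls_listener:
            findings.append((number, "https Redirect, but this file has no ListenHTTPS listener"))
    return findings

if __name__ == "__main__":
    for number, message in lint_pound(SAMPLE):
        print(f"line {number}: {message}")
```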

RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-04-02 19:19:45
Hi Zs

Unfortunately, that didn't work. I get this error message when trying to
start pound:

"/usr/local/etc/pound.cfg line 31: Port is supported only for INET/INET6
back-ends"

So it looks like it's saying port 4443 is not supported with pound? 

What do you think?

Thanks

Anne



--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.

RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-04-02 19:28:55
I removed the lines "Port 4443" and now I get this error:

"The service is not available. Please try again later."

So, now I'm really stuck.

Is there any way to proxy to an SSL backend (on Linux, so it's port 4443),
like this (https://TTRH2.helpme.org:4443/myapp)?

Thanks
 


RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-04-02 19:43:55
Hi Joe

Thanks for this great information. 

Unfortunately, no matter what I do, I can't get an SSL PEM file working with
POUND. Otherwise, like you mentioned, I probably could get this working like
that. (Only my backend servers have SSL certificates installed on them. I'm
just trying to forward to my backend SSL websites.)

Are there instructions anywhere that include how to make a PEM file, using a
root certificate authority that customers can recognize, that works with
POUND?

Also, isn't there any way to forward incoming port 80 requests to backend
port 4443 (ssl) requests, without the load balancer (pound) having
its own SSL certificate?

Thank you

Anne




RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2010-04-02 19:46:17
Hi Anne,

SSL is always on port 443 unless you explicitly reset that port number to be
4443. If you are using a default configuration for your back end servers,
then change your pound config to proxy back to port 443 on your back end
servers.
[...]

RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
Joe Gooch <mrwizard(at)k12system.com>
2010-04-02 19:54:35
See below
[...]

It's the same as mod_ssl:
http://www.modssl.org/docs/2.8/ssl_faq.html
(see "about certificates")

Basically, you need a plain text file with the PEM(base64) format of the
private key, followed by the PEM(base64) format of the certificate, followed by
any CA certificates in the chain in PEM format.
 [...]

Sure. Move the services back outside the listener blocks, remove the 443
ListenHTTPS block, and change the redirect URL matcher to "^/$".

However, by doing that, your clients will be talking HTTP to pound. Pound will
talk HTTPS to backends. You can't have pound load-balance SSL traffic; it
either has to terminate the SSL connection, or terminate a non-SSL connection
and speak to SSL backends.

Joe
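
A check of the certificate file layout described in the message above (private key, then the certificate, then any CA certificates), as an added example that is not from the thread or from Pound. The name check_cert_bundle is made up for illustration and the sample blocks hold placeholder bytes, not real keys or certificates; the check looks at block labels and base64 only, so it cannot tell a server certificate from a CA certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_cert_bundle(text):
    """Return the problems found in a key + certificate + chain file."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append(f"first block is {labels[0]}, expected the private key")
    if sum(label in KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one private key")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate in the file")
    for label, body in blocks:
        if label not in KEY_LABELS and label != "CERTIFICATE":
            problems.append(f"unexpected block: {label}")
        # Skip "Name: value" header lines that legacy encrypted keys carry.
        payload = "".join(
            line.strip() for line in body.splitlines() if ":" not in line)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
    return problems

def _pem(label, payload):
    # Constructed placeholder block: arbitrary bytes, not a real key or cert.
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

KEY = _pem("RSA PRIVATE KEY", b"k" * 48)
CERT = _pem("CERTIFICATE", b"s" * 60)
CA = _pem("CERTIFICATE", b"c" * 60)
GOOD = KEY + CERT + CA        # the order described above
SWAPPED = CERT + KEY + CA     # certificate pasted before the key
WITH_CSR = KEY + _pem("CERTIFICATE REQUEST", b"r" * 60)  # CSR, not the issued cert

if __name__ == "__main__":
    for name, bundle in (("GOOD", GOOD), ("SWAPPED", SWAPPED), ("WITH_CSR", WITH_CSR)):
        print(name, check_cert_bundle(bundle))
```

Because this file contains the private key, keep it readable only by the account that starts Pound.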

RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-04-02 20:21:00
Hi Jake

On Linux (red hat), the SSL port (by default) is normally on port 4443, (not
443).

Thanks

Anne  


RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Simon Matter" <simon.matter(at)invoca.ch>
2010-04-02 20:38:14
> Hi Jake[...]

Huh, how come? I have never seen that in my life and I'm a RedHat user
for more than a decade. Are we talking about the same, running apache with
SSL?

Regards,
Simon

RE: [Pound Mailing List] Help - Pound not redirecting to backend servers
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-04-02 22:19:25
Sorry, I meant red hat with Oracle. (Oracle has its own Apache server, and
the default for ssl is port 443.) 
