Strange Location rewrite problem
Karsten Brusch <Karsten.Brusch(at)SYNCHRONICA.COM>
2010-09-21 20:23:09
Hello together,

I have been reading through the pound mailing list archive for some time now
and I am stuck with a strange problem.

We have the following traffic flow:

Client / Browser --- https ---> Firewall --- https ---> Pound --- http ---> haproxy --- http ---> node_x

We are calling a tomcat webservlet running on the node_x which returns a HTTP
302 when the client hits a location.


The strange thing is when I call the external IP (as there is no DNS name so
far) it fails:
---------------------------------------------------------------------------
# wget --no-check-certificate "https://67.123.123.123"
Connecting to 67.123.123.123:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://67.123.123.123/get/
[following]
---------------------------------------------------------------------------

So the redirect to /get is correct but the https was changed into http.
When I run another test directly on the node where pound is running then the
Location rewrite works like a charm:
---------------------------------------------------------------------------
# wget --no-check-certificate "https://10.223.205.152"
Connecting to 10.223.205.152:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://10.223.205.152/get/
[following]
---------------------------------------------------------------------------

So this looks very strange to me.
I read about problems when DNS is not working properly, but as I am using the
IP directly, that shouldn't be an issue.
To be sure I added a DNS name for the public IP (67.123.123.123) in /etc/hosts
in case it's doing reverse lookup, but this didn't help either.


Here's my config:


User            "www-data"
Group           "www-data"
LogLevel        1
Alive           30
Control "/var/run/pound/poundctl.socket"

ListenHTTPS
        Address 10.223.205.152
        Port    443
        Cert    "/etc/pound/testcert.pem"
        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
        xHTTP           4
        RewriteLocation 1
# 10.223.205.152 is the IP of the haproxy which is doing some additional load balancing.
Service
        BackEnd
                Address 10.223.205.152
                Port    80
        End
End
End


Do you have any idea?
It's strange that the rewrite is working in one case and not in the other.

I'm happy for any feedback / suggestion I could get.
Best Regards
Karsten

RE: Strange Location rewrite problem
Joe Gooch <mrwizard(at)k12system.com>
2010-09-21 23:26:07
Pound will only rewrite the location if it can be sure the redirect is
referencing either the backend IP address or the listener IP address... Since
your outside IP is NAT-ed... it can't be sure that that IP refers to the box.
(for instance, you could redirect to www.cnn.com... Pound would know not to
rewrite that.)

Once you have DNS set up you can work around this with /etc/hosts.  When a
client comes in, either from outside or inside, it'll be something like:
GET / HTTP/1.0
Host: yourhost.domain.org

And when your backend redirects to yourhost.domain.org/get/, or even
yourbackend/get/, it'll know based on the host requested that
yourhost.domain.org resolves to your 67 address and 10 address, and would deal
with the rewrite properly.

If the IP is specified and Pound doesn’t know about it (i.e. it's not a
listener), I'm not sure what recourse you have.  Since it'll go away with DNS
maybe you don't have to worry about it.

Pound's behavior in this regard appears to be in line with other commercial load
balancers... For instance, the CoyotePoint Equalizer works the same way.

Joe

RE: Strange Location rewrite problem
Karsten Brusch <Karsten.Brusch(at)SYNCHRONICA.COM>
2010-09-22 11:16:32
Hi Joe, 

Thank you a lot for your feedback!

So basically what solved my problem was the following:

1) I added the planned DNS name to the hosts file of the client (where I issued
wget from using that dns name)
67.123.123.123 planned-dns.com

2) added the planned DNS name to the node running pound, resolving to the IP
where my Backend (in my case haproxy) is running
10.223.205.152 planned-dns.com

So the dns is resolved on the client to the public IP and that same dns name
resolved to the backend (haproxy) on the pound server (for reverse lookup)

Thanks a million for that hint and warm greetings from Berlin
Karsten

Karsten Brusch
www.synchronica.com
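
Added example, not part of the thread and not Pound's source code: a simplified Python model of the rule Joe describes, showing why the NAT-ed IP left the redirect on plain HTTP and why the hosts entry on the Pound node fixed it. The `hosts_file` dict stands in for name resolution on the Pound node, the function names are hypothetical, and the addresses are the ones quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Addresses quoted in the thread: Pound's HTTPS listener and the haproxy back-end.
LISTENER = ("10.223.205.152", 443)
BACKEND = ("10.223.205.152", 80)


def resolve(host, hosts_file):
    """Literal IPs pass through; names are looked up in hosts_file (may be None)."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return hosts_file.get(host.lower())


def rewrite_location(location, request_host, hosts_file,
                     listener=LISTENER, backend=BACKEND):
    """Rewrite only when the redirect target resolves to the listener or
    back-end address; any other target is passed through unchanged."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return location                  # relative or non-HTTP redirect
    target_ip = resolve(parts.hostname, hosts_file)
    if target_ip not in (listener[0], backend[0]):
        return location                  # address not known to belong to this box
    # Known address: answer with the HTTPS scheme and the Host the client used.
    return urlunsplit(("https", request_host, parts.path,
                       parts.query, parts.fragment))


def audit(cases, hosts_file):
    """Return (request_host, final_location) pairs that still leave HTTPS."""
    downgraded = []
    for request_host, location in cases:
        final = rewrite_location(location, request_host, hosts_file)
        if urlsplit(final).scheme == "http":
            downgraded.append((request_host, final))
    return downgraded


if __name__ == "__main__":
    hosts = {"planned-dns.com": "10.223.205.152"}   # entry added on the Pound node
    cases = [("67.123.123.123", "http://67.123.123.123/get/"),
             ("10.223.205.152", "http://10.223.205.152/get/"),
             ("planned-dns.com", "http://planned-dns.com/get/")]
    for host, final in audit(cases, hosts):
        print("cleartext redirect for Host", host, "->", final)
```

Only the request made against the NAT-ed IP is reported, which matches the first `wget` run in the thread.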


RE: Strange Location rewrite problem
Joe Gooch <mrwizard(at)k12system.com>
2010-09-23 12:47:32
Glad you got it working!

Take care.
Joe
