
Redirect HTTP to HTTPS
Iain Barnett <iainspeed(at)gmail.com>
2010-12-07 05:25:02
Hi,

I'm trying to use RewriteLocation to redirect HTTP to HTTPS on the same server,
but I'm failing and can't find a single example of how to use this directive
successfully. The man page hasn't illuminated me at all.

If anyone could share a link or an example to get me started I would be very
grateful.

Regards
Iain

RE: [Pound Mailing List] Redirect HTTP to HTTPS
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2010-12-07 14:51:43
I think other people have done it by adding headers in the config,
something like this:

http://www.apsis.ch/pound/pound_list/archive/2005/2005-08/1124442763000

and then in the application, you can check for the headers and redirect
appropriately (if front-end-https:on then...else...)

--Alfonso

--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
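
The application-side check suggested above, as an added example (not code from the thread or from Pound): a Python WSGI middleware that redirects only when the proxy's HTTPS marker header is absent. The header defaults to the `X-Forwarded-Proto: https` pair from the configuration posted later in this thread; `require_https`, `probe`, `backend` and the host `portal.example.test` are hypothetical names.

```python
from urllib.parse import quote


def require_https(app, canonical_host, prefix="/privado/",
                  header="X-Forwarded-Proto", expected="https"):
    """WSGI middleware: redirect plain-HTTP requests under `prefix` to HTTPS.

    Trust in `header` holds only if the proxy's HTTP listener strips any
    client-supplied copy (in Pound, e.g. with HeadRemove); otherwise a client
    on port 80 can send the header itself and skip the redirect.
    """
    key = "HTTP_" + header.upper().replace("-", "_")

    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        via_tls = environ.get(key, "").strip().lower() == expected
        if via_tls or not path.startswith(prefix):
            return app(environ, start_response)  # no redirect, so no loop
        # Target host comes from configuration, never from the Host header.
        target = "https://" + canonical_host + quote(path)
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]

    return middleware


def probe(wsgi_app, path, headers=None, query=""):
    """Send a constructed request to a WSGI app; return (status, Location)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers):
        seen["result"] = (status, dict(response_headers).get("Location"))

    b"".join(wsgi_app(environ, start_response))
    return seen["result"]


def backend(environ, start_response):  # constructed stand-in application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"private page"]


app = require_https(backend, canonical_host="portal.example.test")
```

The Location this sends still passes back through Pound, so the RewriteLocation and DNS points raised later in the thread apply to it.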

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Iain Barnett <iainspeed(at)gmail.com>
2010-12-09 21:12:29
Thanks very much for the help and the link.

Regards,
Iain


On 7 Dec 2010, at 13:51, Alfonso Espitia wrote:
[...]

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Francisco Ruiz <francisco.ruiz(at)juntaextremadura.es>
2010-12-17 21:21:25
Hi,

I'm doing something similar, but it doesn't work as I expected.  This is 
my configuration:

--------------------------------------------------------
ListenHTTP

   Address W.X.Y.Z
   Port 80

   RewriteLocation 2

   Service "PORTAL_REDIRECTHTTPS"
     HeadRequire "Host: portal\.dominio\.pri"
     URL "/privado/.*"
     Redirect "https://portal.dominio.pri"
   End

   Service "PORTAL"
     HeadRequire "Host: portal\.dominio\.pri"

     Backend
       Address A.B.C.D
       Port 80
     End
   End
End

ListenHTTPS

   Address W.X.Y.Z
   Port 443
   Cert "/etc/pound/cert/portal/portal.pem"

   ClientCert 3 9

   CAlist "/etc/pound/cert/ca/CApublicas.pem"
   VerifyList "/etc/pound/cert/ca/CApublicas.pem"

   NoHTTPS11 2

   # Add this header to inform the backend server that this comes from a https request
   AddHeader "X-Forwarded-HTTPS: on"
   AddHeader "X-Forwarded-Proto: https"

   Service "PORTAL_HTTPS"
     HeadRequire "Host: portal\.dominio\.pri"
     URL "/privado/.*"

     # Avoid SSL forgeries when client certificates used
     HeadDeny "X-SSL-Subject: .*"
     HeadDeny "X-SSL-Issuer: .*"
     HeadDeny "X-SSL-notBefore: .*"
     HeadDeny "X-SSL-notAfter: .*"
     HeadDeny "X-SSL-serial: .*"
     HeadDeny "X-SSL-cipher: .*"
     HeadDeny "X-SSL-certificate: .*"

     Backend
       Address O.P.Q.R
       Port 80
     End
   End
End
--------------------------------------------------------

I'm trying to force SSL when the client goes into the URL "/privado/", but 
the location the browser receives when it is redirected is 
"http://portal.dominio.pri/privado/":
Pound has switched https to http. 
The browser is redirected several times and finally it says there must 
be a loop in my site.

I would appreciate your help and experience.

Regards,
Francisco


On 09/12/2010 21:12, Iain Barnett wrote:[...][...][...]

RE: [Pound Mailing List] Redirect HTTP to HTTPS
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2010-12-17 21:40:33
You added the header information, but in the application are you checking for
the new header?


Re: [Pound Mailing List] Redirect HTTP to HTTPS
Francisco Ruiz <francisco.ruiz(at)juntaextremadura.es>
2010-12-18 08:10:30
Hi,

Not exactly, but we use relative URLs in the site.

Anyway, my problem is when somebody clicks on 
http://portal.dominio.pri/privado/index.jsp,
he should be redirected to 
https://portal.dominio.pri/privado/index.jsp
but the "Location" header 
in the pound reply says "http://portal.dominio.pri/privado/index.jsp".

Of course, Pound redirects the browser again and again till Firefox says 
there is a loop in my site.

So Pound is changing "https" with "http" in the redirect. However, if I 
change the host in Redirect directive it works perfectly. I mean with

      Redirect "https://portal2.dominio.pri"

the "Location" header in the reply says 
"https://portal2.dominio.pri/privado/index.jsp"

Thanks for your help.

Regards,
Francisco


On 17/12/10 21:40, Alfonso Espitia wrote:[...][...]

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Dave Steinberg <dave(at)redterror.net>
2010-12-18 17:41:39
Try using the RewriteLocation directive, or fix the backend so that 
links go to the proper protocol.

Regards,[...]

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Iain Barnett <iainspeed(at)gmail.com>
2010-12-18 18:13:12
On 18 Dec 2010, at 16:41, Dave Steinberg wrote:
[...]


Fix? That's quite a presumption. The links in the backend I was using were
going to the proper protocol, this is a Pound issue.

I gave up in the end and switched to Nginx, it works now. No "fixing" of
backends required.


Regards,
Iain

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Dave Steinberg <dave(at)redterror.net>
2010-12-18 18:29:03
On 12/18/2010 12:13 PM, Iain Barnett wrote:[...][...][...]

Sorry if I misread your mail, but there's really no reason to get all 
huffy about it.  Nobody on this list gets paid to help you, so I am not 
sure why you seem so offended.

Regards,[...]

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Iain Barnett <iainspeed(at)gmail.com>
2010-12-18 19:59:25
On 18 Dec 2010, at 17:29, Dave Steinberg wrote:
[...][...]
>>> Try using the RewriteLocation directive, or fix the backend so
>>> that links go to the proper protocol.[...][...]

Paid or not, suggesting it's anything other than Pound without further
information is presumptuous, so telling somebody to fix their backend is hardly
helpful, is it?

There's also a lack of documentation on RewriteLocation, one entry in the man
page and zero examples. Even for Open Source, that's poor, especially for an
8(?) year old project.

So perhaps I do sound huffy, but should anyone sound grateful?

Regards,
Iain

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Chris Knight <boheme(at)gmail.com>
2010-12-18 23:00:25
On Mon, Dec 6, 2010 at 8:25 PM, Iain Barnett <iainspeed(at)gmail.com>
wrote:[...]


## www.DOMAIN.com
ListenHTTP
    Address AAA.BBB.CCC.DDD
    Port    80
    Client  10
    Service
        redirect "https://www.DOMAIN.com"
    End
End

Re: [Pound Mailing List] Redirect HTTP to HTTPS
Iain Barnett <iainspeed(at)gmail.com>
2010-12-19 00:54:50
On 18 Dec 2010, at 22:00, Chris Knight wrote:
[...][...][...]

Thanks for that. That redirects all http to https, but if an http request goes
through the backend and it responds with a redirect and a location with https
scheme then Pound will still push it through to http. I'm not sure why, I
checked that the backend was setting the location field properly in the header,
but couldn't find a Pound config that worked. Moved over to Nginx and it works
so I can only say that it is a problem with Pound.

Regards,
Iain

RE: [Pound Mailing List] Redirect HTTP to HTTPS
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2010-12-20 17:54:19
My $0.02 worth here. I had a similar problem recently when I switched our
network over to a routed network instead of drop-in. The DNS needed to
change, but I didn't change it, so pound redirected all https back to http,
no matter what. When I fixed the DNS (the pound machine had to resolve its
name to its IP address correctly), the https redirect always worked.

Your experience, Iain, may have been just a DNS configuration. From the
pound machine, do a nslookup on its name and domain combination. If you get
the IP of the pound machine, then my advice is not relevant. Otherwise, fix
the DNS.
[...]
