pound w/ HTTPS to Apache backend redirects to HTTP
Hall Barricklow <hallbarricklow(at)gmail.com>
2011-07-25 21:18:37
Yes, I've seen the many, many multitudes of posts on this topic, but nothing
I've tried seems to fix it. I pull up the link just fine, but as soon as I
do anything within the application, it immediately drops to HTTP. I can
throw the "S" in there and hit enter and the page loads fine, but the next
action I do in the app takes me back to HTTP. See below for config, any
ideas?
It almost sounds like the issue described on the pound homepage with regard
to zope:
" A special problem arises when you try using *Pound* as an SSL wrapper:
Zope assumes that the requests are made via HTTP and insists on prepending
'http://' to the (correct) address in the replies, including in the tag and
the absolute URLs it generates (for images for example). This is clearly an
undesirable behavior. "
::::CONFIGURATION::::
Pound version - 2.4.5-3 on Ubuntu server 10.04
I'm using an application called JDEdwards EnterpriseOne that sits on Oracle
Application Server and Apache 1.3
I have the application running on HTTP port 8101. I have pound running on a
separate server as HTTPS on port 4433, below is my config:
ListenHTTPS
    Address 0.0.0.0
    Port 4433
    Cert "/usr/local/etc/jdewebcert.pem"
    RewriteLocation 2
    Service
        BackEnd
            Address 192.168.1.100
            Port 8101
        End
    End
End

RE: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2011-07-25 21:32:03
Hall,
If you ONLY have an HTTPS directive in your config, and you are being
redirected back to http, then it sounds like you are (a) testing from your
LAN, and (b) your BE is sending a redirect that is LAN addressed instead of
pound addressed.
Make sure that your application always redirects using the pound URL, and
that it always preserves the protocol being requested or forces https.
If you only have https in your pound config then any http action will not
work.
Post your entire pound config file if there is more to it.
ALSO - very important - check that your DNS for the pound server resolves
to the correct IP addresses. I had a similar problem to yours because I had
not kept my internal DNS updated and so the pound server was not able to
find itself in DNS and so I always got http instead of https.
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Hall Barricklow <hallbarricklow(at)gmail.com>
2011-07-25 21:52:23
Thanks for the reply.
Yes, I only have HTTPS directive in my config, the rest of my .cfg file is
as it comes by default. I'm just trying to get HTTPS working before I move
on to load balancing, etc. I originally started with just HTTP and it
worked fine, so moved on to HTTPS. Yes, I am testing all from within my LAN
right now. I have my BE Apache set up with usecanonicalname no, so it should
be using whatever is passed in the URL.
Unfortunately I don't have that much control over the application, it's a
big box ERP system. DNS appears to be sound.
On Mon, Jul 25, 2011 at 2:32 PM, Jacob Anderson <jwa(at)beyond-ordinary.com> wrote:
[...]

RE: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2011-07-25 22:21:34
Hi Hall,
Login to your pound machine and type "nslookup my_pound_machine_fqdn"
Does it resolve to the correct IP address?
Get rid of everything except the https directive in your pound config and
see if it works. Then make sure that you have your back ends bound ONLY on
the IP addresses that are proxied by pound.
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Hall Barricklow <hallbarricklow(at)gmail.com>
2011-07-25 23:03:38
I'm sure this is where I find out I'm doing something stupid...so let me
clarify.
I don't have my pound server configured to use DNS, I'm just using the
/etc/hosts file for now...mainly b/c I don't have the liberty of messing
with the DNS at the site I'm at.
I'll check the IP binding and get back w/ an answer.
On Mon, Jul 25, 2011 at 3:21 PM, Jacob Anderson <jwa(at)beyond-ordinary.com> wrote:
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Jeffrey Brown <jbrown(at)camsys.com>
2011-07-25 23:16:50
|
Unless things have changed, pound does not work correctly when using just
the hosts file. It must have access to reliable DNS.
Jeffrey Brown
Cambridge Systematics, Inc.
100 CambridgePark Drive
Cambridge, MA 02140
(617) 354-0167
Hall Barricklow <hallbarricklow(at)gmail.com> wrote on 07/25/2011 05:03:38 PM:
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Hall Barricklow <hallbarricklow(at)gmail.com>
2011-07-26 03:02:35
|
OK - since I didn't have the control I wanted on that site, I've now set up
the exact same config on a site I have complete control of. NSLOOKUP works
fine, pound server is integrated with DNS, attached config file below...what
am I missing? Is it my pre-boxed ERP system that's hosing me? If I set up
an HTTP listener in pound, it works, but only b/c when it gets redirected to
HTTP, there's a listener there to handle it, so NOT the desired outcome.
root@frontend:~# vi /etc/pound/pound.cfg
## global options:
User "www-data"
Group "www-data"
#RootJail "/chroot/pound"
## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 1
## check backend every X secs:
Alive 30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine "<hw>"
# poundctl control socket
Control "/var/run/pound/poundctl.socket"
ListenHTTPS
    Address 0.0.0.0
    Port 8443
    Cert "/root/jdewebcert.pem"
    Service
        BackEnd
            Address 192.168.0.63
            Port 8082
        End
    End
End
On Mon, Jul 25, 2011 at 3:21 PM, Jacob Anderson <jwa(at)beyond-ordinary.com> wrote:
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Heiko Schlittermann <hs(at)schlittermann.de>
2011-07-26 09:24:54
|
Hello Hall,
Hall Barricklow <hallbarricklow(at)gmail.com> (Mon Jul 25 21:18:37 2011):
[...]
I'm not sure about my understanding here. But -- IFF I understand well,
then everything sounds as it should.
If your application insists on being more clever than you (read: if
your application thinks, it knows the complete URL, not only the path,
the client used), you need to fix the application. But this seems to be
no option for you.
The next option I see, is using HTTPS for connecting
from Pound to your Apache box. Recent Pounds are capable of doing this.
Of course, you lose the benefit from offloading SSL operations to the
pound, but still you can have private/unofficial certificates for the
backend connection, saving licence costs for officially signed certs.
The last and most fragile option would be a content filter, rewriting
all URLs, your backend generates. But this is a hard job and error
prone. Rewriting redirects is easy (and can be done by pound, I think),
but rewriting content embedded URLs is almost always incomplete.
[...]
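
The difference between redirects and content-embedded URLs described in the message above, as an added example (not part of the original thread and not Pound's code): a simplified Python model of Location rewriting at a TLS-terminating proxy, plus a scan for absolute http:// URLs in markup that header rewriting never reaches. The host name, listener address, paths and the dict-based resolver are constructed assumptions; only the back-end address and port come from the posted config.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data. The dict stands in for the proxy's DNS / hosts view.
RESOLVER = {"erp.example.test": "192.0.2.10"}
LISTENER_IP = "192.0.2.10"            # HTTPS listener (constructed address)
BACKEND = ("192.168.1.100", 8101)     # plain-HTTP back end from the posted config
ABSOLUTE_HTTP = re.compile(r"""(?:href|src|action)\s*=\s*["'](http://[^"']+)["']""", re.I)
SAMPLE = {  # constructed back-end response
    "headers": {"Location": "http://erp.example.test:4433/jde/menu"},
    "body": '<form action="http://erp.example.test:4433/jde/submit">',
}


def rewrite_location(location, request_host, resolver=RESOLVER):
    """Return the Location value the proxy should hand back to the client."""
    url = urlsplit(location)
    if url.scheme not in ("http", "https") or not url.hostname:
        return location                       # relative redirect: nothing to fix
    # A name the proxy cannot resolve never matches, so it is left untouched.
    ip = resolver.get(url.hostname, url.hostname)
    port = url.port or (443 if url.scheme == "https" else 80)
    points_at_backend = (ip, port) == BACKEND
    wrong_protocol = ip == LISTENER_IP and url.scheme == "http"
    if points_at_backend or wrong_protocol:
        return urlunsplit(("https", request_host, url.path, url.query, url.fragment))
    return location


def embedded_http_urls(body):
    """List absolute http:// URLs in href/src/action attributes of the body."""
    return ABSOLUTE_HTTP.findall(body)


def audit(response, request_host):
    """Report remaining downgrade paths in one back-end response."""
    loc = response["headers"].get("Location")
    fixed = rewrite_location(loc, request_host) if loc else None
    return {
        "location": fixed,
        "redirect_downgrades": bool(fixed) and fixed.startswith("http://"),
        "embedded_http": embedded_http_urls(response.get("body", "")),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, "erp.example.test:4433"))
```

In the sample the redirect is repaired, but the form action still points at http://, which is the leftover that only a change in the application's own URL generation removes.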

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Hall Barricklow <hallbarricklow(at)gmail.com>
2011-07-26 15:57:01
OK- just to update, I figured out how to get it to work with my weblogic
instance. I had to add a header:
AddHeader "WL-Proxy-SSL: true"
Now if only I could find out the equivalent header to add for Oracle
Application server (which is nothing but Apache HTTP) and Oracle Portal
Server (which I also think is nothing but Apache HTTP).
On Tue, Jul 26, 2011 at 2:24 AM, Heiko Schlittermann <hs(at)schlittermann.de> wrote:
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Heiko Schlittermann <hs(at)schlittermann.de>
2011-07-26 16:22:03
|
Hall Barricklow <hallbarricklow(at)gmail.com> (Tue Jul 26 15:57:01 2011):
[...]
IMHO it is part of the application logic, not part of the webserver used
for servicing the requests. The webserver just passes the protocol
information to the application. (MAY be, somebody can write an apache
mod for faking this protocol information. Writing this: MAY be
mod_rewrite with its endless magic could even do this. I think(!), it's
just the content of some environment variables you need to set…)
Plan A) find a config option in your application for telling the
        "external" URL used to access it
PLAN B) find the source of your application and fix the source
        "may the source be with you" ☺
PLAN C) read about mod_rewrite, if it is possible to lie about
        the used protocol (by setting/changing some ENV variables)
PLAN D) use pound for proxying HTTPS to HTTPS …
PLAN E) do not use pound at all - if you need load balancing,
        check out LVS (linux virtual server) or check Linux
        iptables -m cluster (load balancing w/o load balancer)
… or re-order/extend the plans as you want ;-)
[...]

Re: [Pound Mailing List] pound w/ HTTPS to Apache backend redirects to HTTP
Hall Barricklow <hallbarricklow(at)gmail.com>
2011-07-28 02:20:13
For what it's worth, figured I'd update everyone once again. I got this to
work with Oracle Application server by configuring my httpd.conf file like
the below...obviously I tweaked it a bit for my application. Basically it
was the certheaders module that allowed it to simulate https. Pretty sure
this is specific to Oracle HTTP Server, which is based on Apache with some
extras. I believe the same can be done with standard Apache, it just
requires patching to be able to use the mod_urlscheme -
http://rmc.home.xs4all.nl/mod_urlscheme.html
Listen 4430
# SSL on the front-end (terminating there) requires certain responses.
# Load correct module before the VirtualHost configuration:
# UNIX:
# LoadModule certheaders_module libexec/mod_certheaders.so
# WINDOWS (two lines):
# LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll
# AddModule mod_certheaders.c
# Important: AddModule line is best included with other AddModule
NameVirtualHost *:4430
<VirtualHost *:4430>
    # Front-end name
    ServerName www.company.com
    # Front-End Port
    Port 443
    # SSL on the front-end (terminating there) requires certain responses.
    # (See LoadModule and AddModule lines above)
    AddCertHeader HTTPS
    # For use with other load balancers and front-end devices:
    SimulateHttps On
    # Applications such as SSO and Portal will require the following:
    RewriteEngine On
    RewriteOptions inherit
</VirtualHost>
On Tue, Jul 26, 2011 at 9:22 AM, Heiko Schlittermann <hs(at)schlittermann.de> wrote:
[...]