
Re: [Pound Mailing List] Pound 2.7
Robert Segall <roseg(at)apsis.ch>
2012-02-04 17:50:22
So here is a summary of all the feature requests I have seen until now,
as well as some comments on my part:

* protocol selection (SSL v2/v3/TLS)/Martin Meredith
  good idea - accepted for 2.7

* thread load instrumentation/Leo
  accepted for 2.7

* dynamically growing number of threads/Leo
  I don't really see what you gain by it. Care to clarify?

* detect -Wno-unused-result support/Joe Gooch
  already done - will be in 2.7a (slipped out of 2.6 by mistake)

* dynamic back-end address (DNS) or change via poundctl/Rob Moore
  we'll need to look at how complex the implementation is
  for regular back-ends probably OK, for SSL may be a little tricky
  probably OK for 2.7

* SSL Ciphers (BEAST)/Joe Gooch
  accepted for 2.7

* Client Renegotiation/Joe Gooch
  accepted for 2.7

* SSLv2 should be disabled by default/Joe Gooch
  superseded by protocol selection
 
* CSRF issue w/ invalid tags/et al in redirects/Joe Gooch
  accepted for 2.7

* config reload/Erik Hensema
  not as easy as it looks - suggestions are welcome

* session cookies by Pound/Francisco Ruiz
  needs more discussion. It would break the proxy transparency

* enhanced alive test: 200/503 reply rather than connect/Francisco Ruiz
  needs more discussion. Can be easily supported now via external
  scripts, so it's not clear we need it

* include file, include dir/Joe Gooch
  include file is already supported
  include dir is dangerous, as the file inclusion order is unpredictable
  - rejected

* ForceHTTP10/ssl unclean shutdown functionality based on user agent/Joe Gooch
  needs more analysis, but looks OK
  
* Socket ownership and permissions/Joe Gooch
  accepted for 2.7

* PCRE-based dynamic redirects/Joe Gooch
  needs more analysis

* NoSSL redirect/Joe Gooch
  I think it is (mostly ?) supported by existing redirect mechanism

* back-end clusters/Todd Freeman
  can be done via multiple includes of same file - rejected

Please feel free to comment on the above, or any other features I
missed.[...]

RE: Re: [Pound Mailing List] Pound 2.7
=?windows-1252?Q?Jean-Pierre?= <jp(at)mirmana.com>
2012-02-04 18:08:07
> * include file, include dir/Joe Gooch
>   include file is already supported
>   include dir is dangerous, as the file inclusion order is unpredictable
>   - rejected

Can't this be alphabetical?

 

Re: [Pound Mailing List] Pound 2.7
Dave Steinberg <dave(at)redterror.net>
2012-02-04 18:20:48
I had requested some ability to select load balancing policy apart from 
priorities, specifically I was hoping for a 'least-connections' policy.

Clustering via multiple includes of the same file is clever.  I'd 
suggest a note in the man page about that, since I think it's a common 
thing.

Re: include_dir - if you sort the files alphabetically, then order is 
defined.
[...]

RE: [Pound Mailing List] Pound 2.7
Joe Gooch <mrwizard(at)k12system.com>
2012-02-05 16:24:15
> -----Original Message-----[...]

Patches for the above submitted
[...]

It's not... This specifically covers http://www.website.com:443/ situations.
(http protocol to a HTTPS port)
Patch allows for a pound-style a la Err503 type directive (ErrNoSsl) or the use
of a RedirectNoSsl directive. (i.e. redirect to https://www.website.com)

Patch 7/8 in the patchset
[...]

I'm pretty sure this isn't true, but I welcome further clarification so I can
modify the patch if necessary....

I run readdir and add all the .cfg and .conf files in whatever order they're
found into an array.
However, when it goes to read the files, it pulls the maximum file (using
strcmp).  That file is then added to the f_in array and cur_fin is incremented
as if that file had been supplied to Include.  It then loops and pulls the next
maximum, and so on.  

Since Include is essentially a stack implementation (LIFO), as we add the
maximum file name to the stack it will end up in the stack in sorted
alphabetical order min to max.  Since we're using the same facility as Include,
it will work even if the included file includes or includedir's other files.

So, if you looked at the readdir implementation and figured it wasn't sorted,
that's correct, but the loop below that adds to the Include stack takes care of
that.

Essentially:
conf.d/ has files A.conf B.conf c.conf D.conf
IncludeDir "conf.d/"

Will include files A.conf B.conf D.conf c.conf in that order. (case sensitive,
though it could easily be changed to casecmp... I just prefix with numbers)

Still have to rebase this patch against 2.6 before submission.
[...]

Will rebase patch and provide.  Here's the modified man page... note
RedirectAppend and RedirectDynamic.

       [Redirect | RedirectAppend | RedirectDynamic] [code] "url"

              This is a special type of back-end. Instead of sending the
              request to a back-end Pound replies immediately with a
              redirection to the given URL. You may define multiple
              redirectors in a service, as well as mixing them with regular
              back-ends.

              The address the client is redirected to is determined by the
              command you specify. If you specify Redirect, the url is taken
              as an absolute host and path to redirect to. If you use
              RedirectAppend, the original request path will be appended to
              the host and path you specified. If you use RedirectDynamic,
              then url can contain RegEx replacements in the form $1 through
              $9 which indicate expressions captured from the original
              request path. You must have a URL directive, and the first URL
              directive for the service is the one used for capturing
              expressions.

              Examples: if you specified

                  Redirect "http://abc.example"

              and the client requested http://xyz/a/b/c then it will be
              redirected to http://abc.example, but if you specified

                  RedirectAppend "http://abc.example"

              it will be sent to http://abc.example/a/b/c.

              If you specified

                  URL "^/a(/[^/]*)(/[^/]*)"
                  RedirectDynamic "http://abc.example$2$1/index.html"

              it will be sent to http://abc.example/c/b/index.html.

              Technical note: in an ideal world Pound should reply with a
              "307 Temporary Redirect" status. Unfortunately, that is not
              yet supported by all clients (in particular HTTP 1.0 ones), so
              Pound currently replies by default with a "302 Found" instead.
              You may override this behaviour by specifying the code to be
              used (301, 302 or 307).
[...]

It doesn't even look easy to me. :)  I'd welcome discussion on the thread I
started to discuss this, but there haven't been any responses.
[...]

Need to rebase my backend cookies patch against v2.6 and submit.  By breaking
proxy transparency do you mean the proxy is adding a cookie that the backend
isn't?  If so, I think (if configured to do so) this isn't necessarily a bad
thing... There are certainly situations where it's appropriate or desired. 
Generally accepted as a useful way to do affinity (coyote, a10, kemp, et al)
[...]

Just my $.02.... I've tried a couple times to make a useful connect-based
script, and have run into all sorts of issues. It's just not an easy thing to
do.  It would be so much easier if pound had a connect/send text A/expect text
B/close type check feature.  (like the Coyote or A10 or other load balancers
do)


Joe
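As an added illustration (not Joe's patch and not Pound's own implementation), here is the Redirect / RedirectAppend / RedirectDynamic address construction from the man page text above, done with POSIX regex; the function pound_redirect_target and the redir_kind enum are names chosen here. It reproduces the man page's three examples and additionally reports a request path that the URL directive does not match.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 10   /* whole match in [0], captures $1..$9 in [1..9] */

typedef enum { REDIR_PLAIN, REDIR_APPEND, REDIR_DYNAMIC } redir_kind;

/*
 * Build the address a client is sent to, following the man page text:
 *   Redirect        -> target as-is
 *   RedirectAppend  -> target + original request path
 *   RedirectDynamic -> target with $1..$9 replaced by the groups that the
 *                      service's first URL directive captured from the path
 * url_pattern is only consulted for REDIR_DYNAMIC (POSIX extended regex).
 * Returns 0 on success; -1 if the regex does not compile, the path does not
 * match (dynamic only), or the result does not fit in out.
 */
int pound_redirect_target(redir_kind kind, const char *url_pattern,
                          const char *target, const char *path,
                          char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[MAX_GROUPS];
    size_t o = 0;
    const char *p;

    if (kind == REDIR_PLAIN) {
        if (strlen(target) >= outlen)
            return -1;
        strcpy(out, target);
        return 0;
    }
    if (kind == REDIR_APPEND) {
        if (strlen(target) + strlen(path) >= outlen)
            return -1;
        strcpy(out, target);
        strcat(out, path);
        return 0;
    }

    /* REDIR_DYNAMIC: capture groups from the request path first */
    if (regcomp(&re, url_pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&re, path, MAX_GROUPS, m, 0) != 0) {
        regfree(&re);
        return -1;
    }
    regfree(&re);               /* m[] holds plain offsets, still valid */

    /* Copy target, expanding $1..$9; a group that did not match expands to nothing */
    for (p = target; *p != '\0'; p++) {
        if (*p == '$' && p[1] >= '1' && p[1] <= '9') {
            int g = p[1] - '0';
            size_t len;
            p++;                                   /* skip the digit */
            if (m[g].rm_so == -1)
                continue;
            len = (size_t)(m[g].rm_eo - m[g].rm_so);
            if (o + len >= outlen)
                return -1;
            memcpy(out + o, path + m[g].rm_so, len);
            o += len;
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Walk through the three man page examples for request path /a/b/c */
int main(void)
{
    char buf[256];
    const char *path = "/a/b/c";

    pound_redirect_target(REDIR_PLAIN, NULL, "http://abc.example", path, buf, sizeof buf);
    printf("Redirect        -> %s\n", buf);
    pound_redirect_target(REDIR_APPEND, NULL, "http://abc.example", path, buf, sizeof buf);
    printf("RedirectAppend  -> %s\n", buf);
    if (pound_redirect_target(REDIR_DYNAMIC, "^/a(/[^/]*)(/[^/]*)",
                              "http://abc.example$2$1/index.html", path,
                              buf, sizeof buf) == 0)
        printf("RedirectDynamic -> %s\n", buf);
    return 0;
}
```

The $n captures are copied verbatim from the client's request path, so the assembled target is still client-controlled data and needs escaping if it is echoed into an HTML body, which is the "invalid tags in redirects" item on Robert's list.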

Re: [Pound Mailing List] Pound 2.7
Albert <pound(at)alacra.com>
2012-02-05 21:40:01
Robert,

I didn't see my request on your list.  I was hoping that when a Session
directive is not provided, and random back-end selection is used, pound
would try to re-use back-end for requests made on HTTP keep-alive
connection.  For example, if a client makes a request for a web page,
and then subsequent requests for images/css/js, I'd like to have an
option to tell pound to reuse the original backend on its original
connection (for that client's request).  Currently, when the subsequent
requests come in, pound randomly selects a new backend.  If it's a
different back-end, it disconnects, and connects to the new machine, and
continues this cycle (where the original backend might be chosen
again).  For this reason, to cut down on the number of
connects/disconnects, we use IP Session type, to "bind" a client's
request to a specific server.  This leads to other problems, like worse
distribution, as randomness is now based on the client's IP addresses.

Also, this week we've been dealing with a client who claims they've made
requests to us, but I couldn't account for them.  After looking in log
files for specific time of the request, I found the errors in our
LOG_NOTICE log file.  Client's IP address wasn't logged, and because it
was a POST, it was difficult to find the request.

I'd like to see better error reporting.  If pound encounters a problem
with a backend during a transaction, it logs a message in LOG_NOTICE,
and doesn't log the response like it would after a normal response. 
This leads to problems when a client reports an error, but the request
can't be found in normal log files.

I'd like to see a couple of improvements in this area:
1. Better/consistent information logged for the error in LOG_NOTICE -
perhaps all of the fields covered by regular logging (LogLevel=1) plus
the error message.
2. Log the response in LOG_INFO.  This is very important, as it would
make sure all of the requests are accounted for in the log files.

Thanks.

Albert


On 2/4/2012 11:50 AM, Robert Segall wrote:[...]

Re: [Pound Mailing List] Pound 2.7
Robert Segall <roseg(at)apsis.ch>
2012-02-06 16:50:59
On Sun, 2012-02-05 at 15:40 -0500, Albert wrote:[...]

When possible, Pound avoids closing connections. If the client uses
HTTP/1.1 Pound will open a new connection only if it has no other
choice. This includes keep-alive. The session mechanism has priority.
[...]

What is logged to which file is a function of how you configure your
syslog. Nothing prevents you from writing NOTICE and INFO to the same
file, or writing the same message to more than one file.

I'll add "expanded error details" to the list, but this is not always
possible. To be checked.[...]

Re: [Pound Mailing List] Pound 2.7
Robert Segall <roseg(at)apsis.ch>
2012-02-06 17:00:09
On Sat, 2012-02-04 at 12:20 -0500, Dave Steinberg wrote:[...]

Several remarks here:

- Pound never used round-robin. It still does not.

- Connection counting is not a very useful metric. The same back-end may
be used in several contexts (perhaps even with different addresses or
ports), so the number of connections is not very informative.

- you may want to look at the DynScale code - it probably does some of
what you need.
[...]

...and at a later date you add one file by accident to that directory
and nothing works any longer. Besides, think of the next sysadmin, who
will need to work with your installation.

I would also question the use case for it: do you really need hundreds
of files included? If it is just a handful it is not so difficult to
include them explicitly.[...]

Re: [Pound Mailing List] Pound 2.7
Martin Meredith <mez(at)debian.org>
2012-02-06 17:16:30
On 06/02/12 16:00, Robert Segall wrote:[...][...][...][...][...]
I'd say that if they add a file and break it - then surely it's their 
fault??

Most systems with an IncludeDir will work on a numerical/alphabetised 
list..  this is why you see things like the following:-

mez(at)supine % ls -1 /etc/apt/apt.conf.d
00trustcdrom
01autoremove
01proxy
10periodic
15update-stamp
20archive
20changelog
20dbus
50unattended-upgrades
70debconf
99update-notifier

If someone adds in a file that breaks the system - it's their fault!

With regards to the next sysadmin thing - I know I personally would, 
rather have things separated out into manageable chunks, rather than 
have one MASSIVE configuration file. (think what would happen if you put 
all your apache config into a single file...)
[...]
Same could be said for apache.  It allows us to 1) develop a similar 
system like a2ensite a2enmod et al, and 2) means if we want to add, say, 
a new listener, we only have to add a file, not edit multiple files.  
Therefore, reducing the possibility that we break something. (typoing 
the filename for example)

As, in theory, we should have already tested the new file on a dev 
environment - then putting it up to live is as simple as adding a new 
file - rather than potentially editing in a typo into the main config to 
include the new file.

Yes, I know dev environment/RCS negates that, but seriously - how many 
sysadmins do you know who actually use RCS properly for their configs?

I currently have 12 listeners, each with at least 3 services, some with 
up to 20 - most of these have at least 2 backends, and we generally add 
a new site every 3 months or so...  my singular config file is already 
becoming unwieldy and unmanageable... and on at least 3 occasions I've 
edited the wrong bit because the file is such a hassle to maintain as it is.

RE: [Pound Mailing List] Pound 2.7
Joe Gooch <mrwizard(at)k12system.com>
2012-02-06 18:07:19
> -----Original Message-----[...]

I would expect any system admin using a recent Linux distribution would be
familiar with conf.d style directories.  Every new distribution I install has
*more* packages using this syntax, not less.

Apache, init.d, apt (sources and preferences), logrotate, rsyslog, the list
goes on and on.

By all means, pound should be able to tell you the filename and the line where
the parser goes awry.

However, 0 files, 1 file, or 10 files, or a hundred files in a directory...
doesn't matter.  The point is the flexibility of using files for chunks of
reusable configuration blocks and allowing the user to set their own
convention.  I can think of 3-4 different conventions that would be useful.

Indeed, the one I use would be something like:
/etc/pound/mainbackends.d/
 (one file per backend)

Which I can then include within several service definitions.  If I want to
disable a backend, rename the file from .conf to .disabled.  The filename is
clearly marked with the backend name.  Simple, clear, easy to understand and
use.  And if for whatever reason that backend has multiple ports in different
services (like mine do), having several folders is not a problem... merely use
find or glob matching to rename the correct set of files.

Given a NAT environment, one might have several listeners with global service
definitions... but the port 80's should only have redirect services, so maybe
global services aren't appropriate.  No problem, drop your global service files
into a directory, includedir them within your 443 listeners.. On your 80
listeners, include another directory with a file for your redirects.  Simple,
elegant.  And then if you need a non-redirect service, it's merely add the file
and all the 80 listeners get it.

While I see the use case is more about having files that contain entire blocks
(i.e. Listener, Service, Backend)... they don't have to.  Sure, someone could
put a file with invalid syntax in the folder.  If they have access to the
config.  And to write the config.  And restart pound.  But if they do, they're
an admin.  So really, as Martin says... that's on them.  With any great power
comes great responsibility!  It's up to the admin to define their convention. 
They'd have the power and flexibility to take to whatever makes most sense in
their environment. 


Joe
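To make the IncludeDir ordering Joe described earlier in the thread concrete (readdir in whatever order, then repeatedly pull the strcmp maximum onto the LIFO Include stack), here is an added stand-alone C model. It is not Joe's patch and not Pound's code; includedir_order, is_config_name and scan_dir are names chosen here, and the default directory conf.d is assumed. Given A.conf B.conf c.conf D.conf it yields the order A.conf B.conf D.conf c.conf from his example, and a file renamed to .disabled drops out of the set.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 256
#define NAME_LEN  256

static int has_suffix(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && strcmp(s + ls - lf, suf) == 0;
}

/* Only .cfg and .conf entries are picked up, as in Joe's description. */
int is_config_name(const char *name)
{
    return has_suffix(name, ".conf") || has_suffix(name, ".cfg");
}

/*
 * names[] arrives in readdir order, which is not sorted. Each round takes
 * the strcmp-maximum of the remaining config names and pushes it on the
 * Include stack; because the stack is LIFO, the reader pops them back in
 * ascending order. out[0] is the top of the stack, i.e. the first file read.
 * Returns the number of entries written to out, or 0 if a limit is exceeded.
 */
size_t includedir_order(const char **names, size_t n,
                        const char **out, size_t max_out)
{
    int used[MAX_FILES] = {0};
    size_t kept = 0, top, i;

    if (n > MAX_FILES)
        return 0;
    for (i = 0; i < n; i++) {
        if (is_config_name(names[i]))
            kept++;
        else
            used[i] = 1;             /* ignore non-config entries */
    }
    if (kept > max_out)
        return 0;

    top = kept;
    while (top > 0) {
        int best = -1;
        for (i = 0; i < n; i++)
            if (!used[i] && (best < 0 || strcmp(names[i], names[best]) > 0))
                best = (int)i;
        used[best] = 1;
        out[--top] = names[best];    /* push: the largest ends up deepest */
    }
    return kept;
}

/* Collect directory entries exactly as readdir hands them out. */
static size_t scan_dir(const char *dir, char names[][NAME_LEN], size_t max)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    size_t n = 0;

    if (d == NULL)
        return 0;
    while (n < max && (e = readdir(d)) != NULL) {
        strncpy(names[n], e->d_name, NAME_LEN - 1);
        names[n][NAME_LEN - 1] = '\0';
        n++;
    }
    closedir(d);
    return n;
}

/* Print the Include lines an IncludeDir of argv[1] (default conf.d) expands to */
int main(int argc, char **argv)
{
    static char store[MAX_FILES][NAME_LEN];
    const char *names[MAX_FILES], *order[MAX_FILES];
    size_t n, i;

    n = scan_dir(argc > 1 ? argv[1] : "conf.d", store, MAX_FILES);
    for (i = 0; i < n; i++)
        names[i] = store[i];
    n = includedir_order(names, n, order, MAX_FILES);
    for (i = 0; i < n; i++)
        printf("Include \"%s\"\n", order[i]);
    return 0;
}
```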

Re: [Pound Mailing List] Pound 2.7
Albert <pound(at)alacra.com>
2012-02-06 20:32:29
[...]
This is not always the case.  If Session directive is not used, then
pound tries to get a random backend (with priority values used to
determine randomness).  If the backend is the same, then it'll reuse it,
otherwise, it'll close the connection to the first backend, and open a
new connection to the second backend.  Here's an example:

Let's say you have something like this in the config file:

Service
    BackEnd
        Address backend1
        Port 80
    End
    BackEnd
        Address backend2
        Port 80
    End
End

request comes in to index.html (with HTTP/1.1 & keep-alive), which also
has image1.gif and image2.gif.  Pound will randomly select a machine
from the list, let's say backend1, and request index.html, and send back
the response to client.  The client will then make a request to
image1.gif, at which point pound will call get_backend(), and since
SESS_NONE is the session type, it will randomly select a backend.  Now,
if the backend1 is selected, then you're correct, connection is not
closed.  But if backend2 is selected, then backend1 connection is
closed, a new connection is opened to backend2.  This cycle will repeat
for image2.gif.

The only way to avoid this, is to use some sort of Session Type, and we
use IP type.  This forces pound to "bind" requests from specific IP
address to specific backend.  This keeps the number of open/close
connections to the minimum.  However, I'd like to avoid using Session
Type altogether, to get a more even distribution of requests to our
backends.

The other side effect of using Session, is when a connection to backend
fails (if the backend just died), you have a retry mechanism to go to
another machine.  But it doesn't really work if HAPort is defined.  In
such case, get_backend() call will return the same machine (remember it's
IP session bound), and the retry to the same backend will fail again.

[...]

It's not an issue of logging into different files.  The issue is that a
response to the client is not logged in INFO log on an error condition. 
Basically, anytime err_reply() is called, the response is sent back with
some HTTP code (either 414,500,501, or 503).  From client's and pound's
perspective, the request was serviced with a response.  But the response
itself is not logged in INFO log.  My preference would be to add all of
the fields applicable to the LOG_LEVEL selected, and I understand that
some of them might not be available, depending on the error location. 

If this is very difficult to do, then I'd like to see consistent
LOG_NOTICE messages, with the following fields: Client's IP address,
request (if available), HTTP code response, backend IP (if available),
and error description.  A good example, is copy_bin() failure is logged
differently depending on where the failure occurred.

Albert

RE: [Pound Mailing List] Pound 2.7
Joe Gooch <mrwizard(at)k12system.com>
2012-02-06 21:38:24
Patches have been submitted for:

* SSL Ciphers (BEAST)/Joe Gooch
* Client Renegotiation/Joe Gooch
* CSRF issue w/ invalid tags/et al in redirects/Joe Gooch
* ForceHTTP10/ssl unclean shutdown functionality based on user agent/Joe Gooch
* Socket ownership and permissions/Joe Gooch
* NoSSL redirect/Joe Gooch
* IncludeDir directive/Joe Gooch
* PCRE-based dynamic redirects/Joe Gooch
* session cookies by Pound/Joe Gooch (not Francisco Ruiz)

(Francisco Ruiz +1'd the session cookies and supplied the AddHeader patch which
made it into 2.6.)

Anything else or anything that needs reworked let me know.

Joe

RE: [Pound Mailing List] HTTPS backend
Joe Gooch <mrwizard(at)k12system.com>
2012-02-07 22:39:23
HTTPS backends were added in v2.5c... Are you having an issue configuring the
feature, or are you using a pound that is older than that, or is it something
else?

Joe[...]

Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
fatcharly(at)gmx.de
2012-02-08 14:22:51
Hi Joe,

I've just installed a new pound system on a CentOS 6 64-bit with pound
2.6f and your new patch v2, and it works fine.

Thank you very much for your fast and helpful support.

Kind Regards

fatcharly

-------- Original message --------[...]
[...]
[...]

RE: [Pound Mailing List] HTTPS backend
=?windows-1252?Q?Jean-Pierre?= <jp(at)mirmana.com>
2012-02-08 14:51:36
Hi Joe,

I'm using 2.6f

I did see the possibility to do a redirect, but this is AFAIK only possible
outside the backend-scope.

ListenHTTPS
        Address 0.0.0.0
        Port    4443

        Cert       "/root/.ssh/cert.pem"
        CAList     "/root/.ssh/godaddy-class2.pem"
        xHTTP 3

        Service "pfsense"
                BackEnd
                        Address 82.172.139.149
                        Port 61080
                End
                BackEnd
                        Address 89.250.170.164
                        Port 61080
                End
                BackEnd
                        Address 89.250.169.117
                        Port 61080
                End
        End
End

This is my config...

How should it look if these backends were https backends?


RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
Joe Gooch <mrwizard(at)k12system.com>
2012-02-08 14:58:11
No problem.  You may want to consider using 2.6 final though.  Patch should
still apply.

Joe
[...]

RE: [Pound Mailing List] HTTPS backend
Joe Gooch <mrwizard(at)k12system.com>
2012-02-08 15:39:49
See lines below.
Joe
[...]
                          HTTPS[...]
                          HTTPS[...]
                          HTTPS[...]

Re: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
Martin Meredith <mez(at)debian.org>
2012-02-08 15:47:16
It does, with a little wiggling.

(patch offset)

On 08/02/12 13:58, Joe Gooch wrote:[...][...]
>>> Date: Thu, 2 Feb 2012 18:24:55 +0000
>>> From: Joe Gooch<mrwizard(at)k12system.com>
>>> To: "'pound(at)apsis.ch'"<pound(at)apsis.ch>
>>> CC: 'Martin Meredith'<mez(at)debian.org>
>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>> Use this one instead.
>>>[...]
>>> ch
>>>
>>> Should start with hash 1698011920aa9c.
>>>
>>> Changes -
>>> Remove the SNI logging information (that never belonged as part of
>>> this patch and caused segfaults) Redo the whitespace to use spaces
>>> instead of tabs to be consistent with pound best practices
>>>
>>> Joe
>>>
>>>>> -----Original Message-----
>>>>> From: Joe Gooch [mailto:mrwizard(at)k12system.com]
>>>>> Sent: Thursday, February 02, 2012 10:41 AM
>>>>> To: 'pound(at)apsis.ch'
>>>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>
>>>>> No worries. You can PM the information to me, or really, what Pound
>>>>> extracts is the CN information.  Or at least that's what[...] regex
>>>>> is supposed to pull.  I was hoping to see the subject line so I could
>>>>> see if it's in a format pound should parse properly, or if it's
>>>>> something else it's not expecting.
>>>>>
>>>>> My thought is either your cert's subject line isn't being parsed
>>>>> properly, which is causing a problem in fnmatch, or the value isn't
>>>>> being initialized at all (but I'm not sure how that would[...]
>>>>> Or somehow turning on the honor cipher order option causes some
>>>>> other type of callback to occur with SNI.... But I can't see how
>>>>> Cipher Suites would be related to SNI servername extensions.
>>>>>
>>>>> But I certainly don't want to compromise your SSL security.
>>>>>
>>>>> Joe
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fatcharly(at)gmx.de [mailto:fatcharly(at)gmx.de]
>>>>>> Sent: Thursday, February 02, 2012 10:29 AM
>>>>>> To: pound(at)apsis.ch
>>>>>> Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>
>>>>>> Hi Joe,
>>>>>>
>>>>>> good news, after we applied the line "#undef
>>>>>> SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in the config.c and a new
>>>>>> compile, we don't see any segfaults. I'm afraid, but it's not
>>>>>> possible for me to send you all of the x509-Information. But I can
>>>>>> tell you[...] we have 2 EV-SSLs and two "normal" SSL-Certificates.
>>>>>> Do you need some more information or maybe some information that
>>>>>> won't show any company information of the SSL-Certificate ?
>>>>>>
>>>>>> Kind Regards
>>>>>>
>>>>>> fatcharly
>>>>>>
>>>>>> -------- Original message --------
>>>>>>> Date: Thu, 2 Feb 2012 14:07:12 +0000
>>>>>>> From: Joe Gooch<mrwizard(at)k12system.com>
>>>>>>> To: "'pound(at)apsis.ch'"<pound(at)apsis.ch>
>>>>>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>> Also, perhaps running it with -v, or setting LogFacility -, (or
>>>>>>> both) will yield a bigger picture... That'll output all the logs
>>>>>>> on the console. (so you'll see debug and info and everything else
>>>>>>> on the same screen)  In your msg below I'm not seeing the LOG_DEBUG
>>>>>>> messages from SNI... So maybe syslog is filtering those out, or
>>>>>>> saving them elsewhere...
>>>>>>> Joe
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Joe Gooch
>>>>>>>> Sent: Thursday, February 02, 2012 9:00 AM
>>>>>>>> To: 'pound(at)apsis.ch'
>>>>>>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>>> It still won't segfault for me. :-/
>>>>>>>>
>>>>>>>> "ip" in this context means instruction pointer, not[...] protocol.
>>>>>>>> http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
>>>>>>>>
>>>>>>>> addr2line -e pound 08051f5c
>>>>>>>> /root/download/Pound-2.6f/config.c:808
>>>>>>>>
>>>>>>>> Which, is square in the middle of the SNI checking.
>>>>>>>>
>>>>>>>> At the top of your config.c (say around line 74) can you do
>>>>>>>> #undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
>>>>>>>>
>>>>>>>> And recompile?  That should disable SNI. (Which IIRC you weren't
>>>>>>>> using anyway)
>>>>>>>>
>>>>>>>> And then let me know if you still see segfaults.
>>>>>>>>
>>>>>>>> Further, could you provide the subject of all the certificates
>>>>>>>> you're using?  I.e. the output of:
>>>>>>>> openssl x509 -noout -in yourpemfile.pem -subject
>>>>>>>>
>>>>>>>>
>>>>>>>> Joe
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: fatcharly(at)gmx.de [mailto:fatcharly(at)gmx.de]
>>>>>>>>> Sent: Thursday, February 02, 2012 7:56 AM
>>>>>>>>> To: pound(at)apsis.ch
>>>>>>>>> Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>>>>
>>>>>>>>> Hi Joe,
>>>>>>>>>
>>>>>>>>> yes we did fix the patchfile. I did some further investigation
>>>>>>>>> on this and there are some news I have to share. First some
>>>>>>>>> answers for your questions:
>>>>>>>>>> 1) Does this happen on every request for you? Or is it sporadic?
>>>>>>>>> no, it's much more than just sporadic, some requests get answered
>>>>>>>>> and some not.
>>>>>>>>>> 2) 32 or 64 bit?  I can whip up a i386 chroot if need be
>>>>>>>>> it's plain 32 bit
>>>>>>>>>> 3) Looking at the packages below do you see any blatant
>>>>>>>>>> differences between my setup and yours
>>>>>>>>> no, but I will put my list in a special mail to send it directly
>>>>>>>>> with the tar-archive of our pound-directory to you
>>>>>>>>>> 4) Anything else you can think of to help me track[...] down
>>>>>>>>>> for you?
>>>>>>>>> Yes, I could zero in the problem a bit. First a bit about our
>>>>>>>>> setup:
>>>>>>>>> The pound is in dmz-A, the webserver is in dmz-B, and the
>>>>>>>>> requesting Client comes a) from the internet or b) from the
>>>>>>>>> internal network.
>>>>>>>>> When we start the pound everything works fine, as long as the
>>>>>>>>> requests are coming from the internal network and the request is
>>>>>>>>> sent to an IP of the dmz-A network. So everything worked with
>>>>>>>>> this setup for the internal network. But when there are requests
>>>>>>>>> from the internet, we get segfaults. The request is received from
>>>>>>>>> the firewall which does a NAT to pass the external IP of the
>>>>>>>>> website to the internal IP of the dmz-A network. And some[...]
>>>>>>>>> are working (as I can see in the logfile of pound) and some cause
>>>>>>>>> segfaults. We can only test this by switching between the pound
>>>>>>>>> and our loadbalancer-[...] (as this one works, we are sure the
>>>>>>>>> NAT is not a problem) the productive path. So maybe there is a
>>>>>>>>> problem with some IPs which cause the segfault. The segfaults
>>>>>>>>> appear even when there is no SSLHonorCipherOrder enabled.
>>>>>>>>> I'm not deep into this segfault thing, but there the[...] "ip"
>>>>>>>>> mentioned:
>>>>>>>>> Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
>>>>>>>>>
>>>>>>>>> Is there anything else I can do to support you ?
>>>>>>>>>
>>>>>>>>> Kind Regards
>>>>>>>>>
>>>>>>>>> fatcharly
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>   -------- Original message --------
>>>>>>>>>>   Date: Wed, 1 Feb 2012 21:18:04 +0000
>>>>>>>>>>   From: Joe Gooch<mrwizard(at)k12system.com>
>>>>>>>>>>   To: "'pound(at)apsis.ch'"<pound(at)apsis.ch>
>>>>>>>>>>   Subject: RE: RE: [Pound Mailing List] Pound 2.6f and
>>>>>>>>>>   SSLHonorCipherOrder
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Empfehlen Sie GMX DSL Ihren Freunden und
Bekannten und[...]
>>>>>>>>> belohnen Sie mit bis zu 50,- Euro!
>>>>>>>>> https://freundschaftswerbung.gmx.de
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe send an email with subject
unsubscribe to
>>>>>>>>> pound(at)apsis.ch.
>>>>>>>>> Please contact roseg(at)apsis.ch for
questions.
>>>>>> --
>>>>>> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und
wir
>>>>>> belohnen Sie mit bis zu 50,- Euro!
>>>>>> https://freundschaftswerbung.gmx.d[...][...]
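The step Joe describes in the quoted message (take the `ip` value from the kernel's "segfault at ..." line and hand it to addr2line) is easy to get wrong by hand, so here is an added example that automates it. This is my own code, not Pound's and not from any poster on this thread. The sample line is the one fatcharly quoted; the meaning of the `error` bits (the x86 page-fault error code) and the PIE handling are general kernel/ELF facts, not something the thread states. Note that Joe could feed the raw `ip` to addr2line because a 32-bit non-PIE executable is mapped at its link address (the `8048000` base in the log); for a PIE or a shared library you need the offset from the mapping base instead.

```python
"""Decode a Linux kernel "segfault at ..." line and prepare the addr2line lookup.

Added example, not Pound's code. Sample input is the line quoted in the thread.
"""
import re

# Constructed from the kernel line fatcharly posted (joined onto one line).
SAMPLE = ("Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 "
          "ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]")

# Matches the kernel's "comm[pid]: segfault at ADDR ip IP sp SP error N in OBJ[BASE+SIZE]"
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")


def parse_segfault(line):
    """Return the fields of a kernel segfault line as ints, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "comm": d["comm"], "pid": int(d["pid"]),
        "addr": int(d["addr"], 16), "ip": int(d["ip"], 16), "sp": int(d["sp"], 16),
        "error": int(d["err"]), "obj": d["obj"],
        "base": int(d["base"], 16), "size": int(d["size"], 16),
    }


def decode_error(code):
    """x86 page-fault error code: bit0 = page present (protection fault) vs not
    present, bit1 = write vs read, bit2 = user vs kernel mode, bit3 = reserved
    bit violation, bit4 = instruction fetch."""
    return {
        "present": bool(code & 1),
        "write": bool(code & 2),
        "user": bool(code & 4),
        "reserved": bool(code & 8),
        "instr_fetch": bool(code & 16),
    }


def fault_summary(info):
    """One-line human reading of the fault; a tiny faulting address (here 4)
    almost always means a field read through a NULL struct pointer."""
    e = decode_error(info["error"])
    kind = "write" if e["write"] else ("instruction fetch" if e["instr_fetch"] else "read")
    mode = "user" if e["user"] else "kernel"
    cause = "protection violation" if e["present"] else "unmapped page"
    text = f"{mode}-mode {kind} of {cause} at 0x{info['addr']:x}"
    if info["addr"] < 4096:
        text += " (NULL-pointer-sized address)"
    return text


def lookup_address(info, pie=False):
    """Address to give addr2line. Non-PIE: the raw ip (what Joe did).
    PIE / shared object: the offset of ip inside the reported mapping."""
    off = info["ip"] - info["base"]
    if not 0 <= off < info["size"]:
        raise ValueError("ip lies outside the mapping the kernel reported")
    return off if pie else info["ip"]


def addr2line_cmd(info, binary, pie=False):
    """argv for addr2line (-f prints the function, -i expands inlined frames)."""
    return ["addr2line", "-e", binary, "-f", "-i", f"0x{lookup_address(info, pie):x}"]


if __name__ == "__main__":
    info = parse_segfault(SAMPLE)
    print(fault_summary(info))
    print(" ".join(addr2line_cmd(info, "pound")))
```

For the posted line this yields a user-mode read of an unmapped page at address 4 and the command `addr2line -e pound -f -i 0x8051f5c`, which is the lookup Joe ran (he reported it resolving to config.c:808). The binary must be the unstripped build that produced the crash, otherwise the line information is wrong or missing.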

Re: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
Martin Meredith <mez(at)debian.org>
2012-02-08 15:48:13 [ FULL ]
Attached is the patch tweaked slightly so that it applies cleanly to 2.6
final (as applied in Debian).

On 08/02/12 13:58, Joe Gooch wrote:[...][...]
>>> Date: Thu, 2 Feb 2012 18:24:55 +0000
>>> From: Joe Gooch<mrwizard(at)k12system.com>
>>> To: "'pound(at)apsis.ch'"<pound(at)apsis.ch>
>>> CC: 'Martin Meredith'<mez(at)debian.org>
>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>> Use this one instead.
>>>[...]
>>> ch
>>>
>>> Should start with hash 1698011920aa9c.
>>>
>>> Changes -
>>> Remove the SNI logging information (that never belonged as part of
>>> this patch and caused segfaults) Redo the whitespace to use spaces
>>> instead of tabs to be consistent with pound best practices
>>>
>>> Joe
>>>
>>>>> -----Original Message-----
>>>>> From: Joe Gooch [mailto:mrwizard(at)k12system.com]
>>>>> Sent: Thursday, February 02, 2012 10:41 AM
>>>>> To: 'pound(at)apsis.ch'
>>>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>
>>>>> No worries. You can PM the information to me, or really, what
>>>>> Pound extracts is the CN information.  Or at least that's what[...]
>>>>> regex is supposed to pull.  I was hoping to see the subject line
>>>>> so I could see if it's in a format pound should parse properly, or if
>>>>> it's something else it's not expecting.
>>>>>
>>>>> My thought is either your cert's subject line isn't being parsed
>>>>> properly, which is causing a problem in fnmatch, or the value
>>>>> isn't being initialized at all (but I'm not sure how that would[...]
>>>>> Or somehow turning on the honor cipher order option causes some
>>>>> other type of callback to occur with SNI.... But I can't see how
>>>>> Cipher Suites would be related to SNI servername extensions.
>>>>>
>>>>> But I certainly don't want to compromise your SSL security.
>>>>>
>>>>> Joe
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fatcharly(at)gmx.de [mailto:fatcharly(at)gmx.de]
>>>>>> Sent: Thursday, February 02, 2012 10:29 AM
>>>>>> To: pound(at)apsis.ch
>>>>>> Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>
>>>>>> Hi Joe,
>>>>>>
>>>>>> good news, after we applied the line "#undef
>>>>>> SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in the config.c and a new
>>>>>> compile, we don't see any segfaults. I'm afraid, but it's not
>>>>>> possible for me to send you all of the x509-Information. But I can
>>>>>> tell you[...]
>>>>>> we have 2 EV-SSLs and two "normal" SSL-Certificates. Do you
>>>>>> need some more information or maybe some information that won't
>>>>>> show any company information of the SSL-Certificate ?
>>>>>>
>>>>>> Kind Regards
>>>>>>
>>>>>> fatcharly
>>>>>>
>>>>>> -------- Original Message --------
>>>>>>> Date: Thu, 2 Feb 2012 14:07:12 +0000
>>>>>>> From: Joe Gooch<mrwizard(at)k12system.com>
>>>>>>> To: "'pound(at)apsis.ch'"<pound(at)apsis.ch>
>>>>>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>> Also, perhaps running it with -v, or setting LogFacility -, (or
>>>>>>> both) will yield a bigger picture... That'll output all the
>>>>>>> logs on the console. (so you'll see debug and info and
>>>>>>> everything else on the same screen)  In your msg below I'm not
>>>>>>> seeing the LOG_DEBUG messages from SNI... So maybe syslog is
>>>>>>> filtering those out, or saving them elsewhere...
>>>>>>> Joe
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Joe Gooch
>>>>>>>> Sent: Thursday, February 02, 2012 9:00 AM
>>>>>>>> To: 'pound(at)apsis.ch'
>>>>>>>> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>>>>>>>> It still won't segfault for me. :-/
>>>>>>>>
>>>>>>>> "ip" in this context means instruction pointer, not[...]
>>>>>>>> protocol.
>>>>>>>> http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
>>>>>>>>
>>>>>>>> [...]
Attachments:  
anti_beast.patch text/x-patch 11596 Bytes

RE: [Pound Mailing List] HTTPS backend
"Jean-Pierre van Melis" <jp(at)mirmana.com>
2012-02-08 16:19:28 [ FULL ]
Joe,

I tried that before....
I'm getting this error message....


Start service "pound" (/etc/rc2.d/S20pound)
service: Start service: "pound" (/etc/rc2.d/S20pound)
* Starting reverse proxy and load balancer pound                             
                                          starting...
line 47: unknown directive "                    HTTPS" - aborted

 


-----Original Message-----
From: Joe Gooch <mrwizard(at)k12system.com>
To: "'pound(at)apsis.ch'" <pound(at)apsis.ch>
Date: Wed, 8 Feb 2012 14:39:49 +0000
Subject: RE: [Pound Mailing List] HTTPS backend




See lines below.
Joe
[...]
                          HTTPS[...]
                          HTTPS[...]
                          HTTPS[...]

--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
Attachments:  
text.html text/html 7505 Bytes

RE: [Pound Mailing List] HTTPS backend
"Jean-Pierre van Melis" <jp(at)mirmana.com>
2012-02-08 16:28:19 [ FULL ]
Joe,

Sorry for wasting your time...
It seems I'm using 2.4.5

I always install pound from source...
Now I've installed pound using apt-get in Ubuntu 10.4 LTS.

I will install it from source and it will probably work.
During installation I was too focused on my modified script that NATs the 
incoming ports automatically.

I am already running Varnish on that system and at first I thought I could 
use that one for HTTPS, but it seems it doesn't even support incoming https.

Thanks


 


-----Original Message-----
From: Joe Gooch <mrwizard(at)k12system.com>
To: "'pound(at)apsis.ch'" <pound(at)apsis.ch>
Date: Wed, 8 Feb 2012 14:39:49 +0000
Subject: RE: [Pound Mailing List] HTTPS backend




See lines below.
Joe
[...]
                          HTTPS[...]
                          HTTPS[...]
                          HTTPS[...]

Attachments:  
text.html text/html 7211 Bytes

RE: [Pound Mailing List] HTTPS backend
Joe Gooch <mrwizard(at)k12system.com>
2012-02-08 17:41:49 [ FULL ]
man pound

It should be there.

BackEnd
       A back-end is a definition of a single back-end server Pound will
       use to reply to incoming requests.  All configuration directives
       enclosed between BackEnd and End are specific to a single service.
       The following directives are available:

       Address address
              The address that Pound will connect to. This can be a numeric
              IP address, or a symbolic host name that must be resolvable at
              run-time. If the name cannot be resolved to a valid address,
              Pound will assume that it represents the path for a Unix-domain
              socket. This is a mandatory parameter.

       Port port
              The port number that Pound will connect to. This is a mandatory
              parameter for non Unix-domain back-ends.

       HTTPS [ "cert" ]
              The back-end is using HTTPS. If the optional parameter cert is
              specified, Pound will present this certificate to the back-end.


If it isn’t, your installed pound does not have that feature.  Don’t know what
else to tell you.

Joe

From: Jean-Pierre van Melis [mailto:jp(at)mirmana.com]
Sent: Wednesday, February 08, 2012 10:19 AM
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] HTTPS backend

Joe,

I tried that before....
I'm getting this error message....


Start service "pound" (/etc/rc2.d/S20pound)
service: Start service: "pound" (/etc/rc2.d/S20pound)
* Starting reverse proxy and load balancer pound                               
                                       starting...
line 47: unknown directive "                    HTTPS" - aborted




-----Original Message-----
From: Joe Gooch <mrwizard(at)k12system.com>
To: "'pound(at)apsis.ch'" <pound(at)apsis.ch>
Date: Wed, 8 Feb 2012 14:39:49 +0000
Subject: RE: [Pound Mailing List] HTTPS backend


See lines below.
Joe
[...]
                          HTTPS[...]
                          HTTPS[...]
                          HTTPS[...]

Attachments:  
text.html text/html 15031 Bytes

RE: [Pound Mailing List] HTTPS backend
=?windows-1252?Q?Jean-Pierre?= <jp(at)mirmana.com>
2012-02-09 00:09:34 [ FULL ]
Hi Joe,

Immediately after sending my last message I made a new one...

I just discovered that message somehow didn't get to the mailing list (maybe it
wasn't sent).

Sorry to have wasted your time.

I always work with pound 1.6f, but on this system I installed it with apt-get
(Ubuntu 10.4 LTS) and it was an old version (I believe 1.45).

I compiled pound from source and now it's running as expected.

JP
 
-----Original message-----
From: Joe Gooch <mrwizard(at)k12system.com>
Sent: Wed 08-02-2012 17:46
To: 'pound(at)apsis.ch' <pound(at)apsis.ch>;
Subject: RE: [Pound Mailing List] HTTPS backend

man pound

It should be there.

BackEnd
       A back-end is a definition of a single back-end server Pound will
       use to reply to incoming requests.  All configuration directives
       enclosed between BackEnd and End are specific to a single service.
       The following directives are available:

       Address address
              The address that Pound will connect to. This can be a numeric
              IP address, or a symbolic host name that must be resolvable at
              run-time. If the name cannot be resolved to a valid address,
              Pound will assume that it represents the path for a Unix-domain
              socket. This is a mandatory parameter.

       Port port
              The port number that Pound will connect to. This is a mandatory
              parameter for non Unix-domain back-ends.

       HTTPS [ "cert" ]
              The back-end is using HTTPS. If the optional parameter cert is
              specified, Pound will present this certificate to the back-end.

If it isn't, your installed pound does not have that feature.  Don't know what
else to tell you.

Joe

From: Jean-Pierre van Melis [mailto:jp(at)mirmana.com]
Sent: Wednesday, February 08, 2012 10:19 AM
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] HTTPS backend

Joe,

I tried that before....
I'm getting this error message....

Start service "pound" (/etc/rc2.d/S20pound)
service: Start service: "pound" (/etc/rc2.d/S20pound)
* Starting reverse proxy and load balancer pound                    starting...
line 47: unknown directive "                    HTTPS" - aborted

-----Original Message-----
From: Joe Gooch <mrwizard(at)k12system.com>
To: "'pound(at)apsis.ch'" <pound(at)apsis.ch>
Date: Wed, 8 Feb 2012 14:39:49 +0000
Subject: RE: [Pound Mailing List] HTTPS backend

See lines below.
Joe
[...]
                          HTTPS[...]
                          HTTPS[...]
                          HTTPS[...]
Attachments:  
text.html text/html 17253 Bytes

RE: [Pound Mailing List] HTTPS backend
Joe Gooch <mrwizard(at)k12system.com>
2012-02-09 00:25:25 [ FULL ]
OK I did see that message, but the other one came in after it, so I thought it
was later in the series.

No worries. Glad it’s working for you!

Joe

From: Jean-Pierre [mailto:jp(at)mirmana.com]
Sent: Wednesday, February 08, 2012 6:10 PM
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] HTTPS backend

Hi Joe,

Immediately after sending my last message I made a new one...

I just discovered that message somehow didn't get to the mailing list (maybe it
wasn't sent).

Sorry to have wasted your time.

I always work with pound 1.6f, but on this system I installed it with apt-get
(Ubuntu 10.4 LTS) and it was an old version (I believe 1.45).

I compiled pound from source and now it's running as expected.

JP

-----Original message-----
From: Joe Gooch <mrwizard(at)k12system.com>
Sent: Wed 08-02-2012 17:46
To: 'pound(at)apsis.ch' <pound(at)apsis.ch>;
Subject: RE: [Pound Mailing List] HTTPS backend

man pound

It should be there.

BackEnd
       A back-end is a definition of a single back-end server Pound will
       use to reply to incoming requests.  All configuration directives
       enclosed between BackEnd and End are specific to a single service.
       The following directives are available:

       Address address
              The address that Pound will connect to. This can be a numeric
              IP address, or a symbolic host name that must be resolvable at
              run-time. If the name cannot be resolved to a valid address,
              Pound will assume that it represents the path for a Unix-domain
              socket. This is a mandatory parameter.

       Port port
              The port number that Pound will connect to. This is a mandatory
              parameter for non Unix-domain back-ends.

       HTTPS [ "cert" ]
              The back-end is using HTTPS. If the optional parameter cert is
              specified, Pound will present this certificate to the back-end.

If it isn't, your installed pound does not have that feature.  Don't know what
else to tell you.

Joe

From: Jean-Pierre van Melis [mailto:jp(at)mirmana.com]
Sent: Wednesday, February 08, 2012 10:19 AM
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] HTTPS backend

Joe,

I tried that before....
I'm getting this error message....

Start service "pound" (/etc/rc2.d/S20pound)
service: Start service: "pound" (/etc/rc2.d/S20pound)
* Starting reverse proxy and load balancer pound                    starting...
line 47: unknown directive "                    HTTPS" - aborted

-----Original Message-----
From: Joe Gooch <mrwizard(at)k12system.com>
To: "'pound(at)apsis.ch'" <pound(at)apsis.ch>
Date: Wed, 8 Feb 2012 14:39:49 +0000
Subject: RE: [Pound Mailing List] HTTPS backend

See lines below.
Joe
[...]
                          HTTPS[...]
                          HTTPS[...]
                          HTTPS[...]
Attachments:  
text.html text/html 20949 Bytes

Re: RE: [Pound Mailing List] strange performance
fatcharly(at)gmx.de
2012-02-09 13:29:46 [ FULL ]
Hi Joe,
[...]
it's ssl with non-ssl to the backend[...]
-this is all I know about the testing.

I will try your patch, but what is this Thread-Value, where can I find it ?

Kind Regards

fatcharly


-------- Original-Nachricht --------[...]
[...]
[...]

Re: RE: [Pound Mailing List] strange performance
fatcharly(at)gmx.de
2012-02-09 17:21:40 [ FULL ]
Hi Joe,

[...]
I've just made a test with the mentioned patch, but there is no difference in
the behavior of the loadbalancer.

2) Investigate and change your Threads value.  The default of 128 may be[...]
Where can I change it ?


Kind Regards

fatcharly

-------- Original-Nachricht --------[...]
[...]
[...]

RE: RE: [Pound Mailing List] strange performance
Joe Gooch <mrwizard(at)k12system.com>
2012-02-09 17:49:49 [ FULL ]
man pound

       Threads nnn
              How many worker threads Pound should use. Default: 128. Tune this
              parameter to improve performance.  If you set it too high, Pound
              will use a lot of memory, and some CPU will be wasted on context
              switches.  If you set it too low requests may be served with
              some delay. Experiment to find the optimal value for your
              installation.

Joe
[...]

Re: [Pound Mailing List] user IP
Heiko Schlittermann <hs(at)schlittermann.de>
2012-02-19 17:26:05 [ FULL ]
Bashar <bashar(at)gmail.com> (Sun 19 Feb 2012 14:22:21 CET):[...]

As Pound acts as a proxy on the application protocol layer, Zope will
see connections originating from the Pound proxy only.

But - Pound sets the X-Forwarded-For HTTP-Header.

    GET /test/index.html HTTP/1.0
    User-Agent: Wget/1.12 (linux-gnu)
    Accept: */*
    Host: ssl.schlittermann.de
    X-SSL-cipher: DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA Enc=AES(256)  Mac=SHA1
    X-Forwarded-For: 88.73.219.244

But - you should read about X-Forwarded-For and possibilities of its
abuse and about its contents in the face of proxy chains.

I do not know anything about Zope, but probably you can have it trust
the X-Forwarded-For headers and apply its ACLs on the base of these
headers.
[...]
Attachments:  
signature.asc application/pgp-signature 199 Bytes

Re: [Pound Mailing List] user IP
Bashar <bashar(at)gmail.com>
2012-02-19 19:10:54 [ FULL ]
On Sun, Feb 19, 2012 at 7:26 PM, Heiko Schlittermann
<hs(at)schlittermann.de>wrote:
[...]
The weird thing is I don't see the X-Forwarded-For HTTP-Header anywhere in Z2.log,
I see something like this:
111.222.333.444 - bashar [19/Feb/2012:20:24:19 +0300] "GET /html/admin HTTP/1.1" 200 5636 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

I remember X-Forwarded requests in Nginx sit at the end of the log entries
but not the case in this log, would it be I'm using a very old pound and
didn't have this feature? pound -V shows 2.1.3

Thanks,[...]
Attachments:  
text.html text/html 2250 Bytes

Re: [Pound Mailing List] user IP
Dave Steinberg <dave(at)redterror.net>
2012-02-19 19:21:46 [ FULL ]
> The weird thing I dont see X-Forwarded-For HTTP-Header anywhere in[...]

The X-Forwarded-For header is not logged by default by most pieces of 
software, unless you're defining your own custom log format.  Even then, 
it probably won't always log what you expect, since this field can be a 
list of IPs.

It's probably worthwhile to setup a little test script in Zope and 
examine the headers.  Either that or via tcpdump / wireshark.  Then you 
can be certain as far as what Zope is getting.

PS - Upgrading to a more recent release is probably a good idea.

Regards,[...]

Re: [Pound Mailing List] user IP
Bashar <bashar(at)gmail.com>
2012-02-19 19:29:52 [ FULL ]
On Sun, Feb 19, 2012 at 9:21 PM, Dave Steinberg <dave(at)redterror.net>
wrote:
[...][...][...]
Not being a Zope expert, this could be a hard task for me

more log entries also don't show the originating IP:
111.222.333.444 - Anonymous [19/Feb/2012:20:48:24 +0300] "GET /html/img/buttons/search_button_gif HTTP/1.1" 200 408 "http://www.domaindns.com/html/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
111.222.333.444 - Anonymous [19/Feb/2012:20:48:25 +0300] "GET /html/img/buttons/add_button_gif HTTP/1.1" 200 384 "http://www.domaindns.com/html/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
111.222.333.444 - Anonymous [19/Feb/2012:20:48:26 +0300] "GET /favicon.ico HTTP/1.1" 404 3463 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
111.222.333.444 - Anonymous [19/Feb/2012:20:48:34 +0300] "GET / HTTP/1.0" 302 226 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; i-NavFourF; Orange 7.4 ; NaviWoo1.1; .NET CLR 1.1.4322)"
111.222.333.444 - Anonymous [19/Feb/2012:20:48:34 +0300] "GET /html HTTP/1.0" 500 4377 "" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0; .NET CLR 1.1.4322; IEMB3; InfoPath.1; IEMB3; yplus 5.1.04b)"
111.222.333.444 - Anonymous [19/Feb/2012:20:49:48 +0300] "GET / HTTP/1.1" 302 207 "" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
111.222.333.444 - Anonymous [19/Feb/2012:20:49:48 +0300] "GET /html/ HTTP/1.1" 500 4358 "" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
111.222.333.444 - Anonymous [19/Feb/2012:20:59:03 +0300] "GET / HTTP/1.1" 302 207 "" ""
111.222.333.444 - Anonymous [19/Feb/2012:20:59:03 +0300] "GET /html/ HTTP/1.1" 500 4358 "" ""
111.222.333.444 - Anonymous [19/Feb/2012:21:01:59 +0300] "GET / HTTP/1.0" 200 371 "" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; AT&T CSM8.0)"
111.222.333.444 - Anonymous [19/Feb/2012:21:07:17 +0300] "GET / HTTP/1.1" 302 207 "" ""
111.222.333.444 - Anonymous [19/Feb/2012:21:07:18 +0300] "GET /html/ HTTP/1.1" 500 4358 "" ""
111.222.333.444 - Anonymous [19/Feb/2012:21:26:30 +0300] "GET / HTTP/1.1" 302 207 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
111.222.333.444 - Anonymous [19/Feb/2012:21:26:31 +0300] "GET /html/ HTTP/1.1" 500 4358 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

I'm upgrading now, but is there no feature in pound that would forward the
original IP to zope?

Thanks
Attachments:  
text.html text/html 4933 Bytes

Re: [Pound Mailing List] user IP
Matti Aarnio <matti.aarnio(at)methics.fi>
2012-02-19 20:01:25 [ FULL ]
On 02/19/2012 08:29 PM, Bashar wrote:
> Being not a Zope expert this could be a hard task to me
> ...[...]

Apparently the method for this is similar to many other systems - same
problem, similar approaches:

zope.conf:

# Directive: trusted-proxy
#
# Description:
#     Define one or more 'trusted-proxies' directives, each of which is a
#     hostname or an IP address.  The set of definitions comprises a list
#     of front-end proxies that are trusted to supply an accurate
#     X-Forwarded-For header to Zope.  If a connection comes from
#     a trusted proxy, Zope will trust any X-Forwarded header to contain
#     the user's real IP address for the purposes of address-based
#     authentication restriction.
#
# Default: unset
#
# Example:
#
#    trusted-proxy www.example.com
#    trusted-proxy 192.168.1.1


utfg: zope x-forwarded-for
Attachments:  
smime.p7s application/pkcs7-signature 1803 Bytes
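Heiko's warning above about X-Forwarded-For abuse in proxy chains and Matti's zope.conf `trusted-proxy` excerpt come down to one rule: a backend may only believe the header when the TCP peer that delivered it is one of its own proxies, and even then it must read the header from the right, skipping its own hops, because anything further left was written by whoever sat in front of the first trusted proxy (possibly the client itself). The code below is an added example of mine, not Pound's, Zope's or any poster's, that implements that rule and wraps it in a tiny WSGI echo app standing in for the "little test script" Dave suggests for inspecting what the backend really receives. The `TRUSTED_PROXIES` subnet and all sample addresses except Heiko's 88.73.219.244 are constructed.

```python
"""Resolve the real client address behind trusted proxies from X-Forwarded-For.

Added example, not Pound or Zope code. Trusted subnet and sample IPs are constructed.
"""
import ipaddress

# Constructed: the subnet our Pound hosts live in (Zope's `trusted-proxy` list).
TRUSTED_PROXIES = ["10.0.0.0/24"]


def parse_xff(header):
    """Split an X-Forwarded-For value into its hop list, oldest hop first."""
    return [h.strip() for h in (header or "").split(",") if h.strip()]


def _classify(addr, nets):
    """'trusted' if inside a trusted network, 'untrusted' if a valid address
    outside them, 'invalid' if it does not parse (e.g. 111.222.333.444)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "trusted" if any(ip in n for n in nets) else "untrusted"


def resolve_client_ip(peer_ip, xff, trusted_proxies):
    """Return the address an access-control decision may rely on.

    peer_ip: address of the TCP peer that connected to this backend.
    xff:     raw X-Forwarded-For value (may be empty or None).
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if _classify(peer_ip, nets) != "trusted":
        # Untrusted peer: whatever it put into the header is under its control,
        # so the only address we can vouch for is the peer itself.
        return peer_ip
    for hop in reversed(parse_xff(xff)):
        state = _classify(hop, nets)
        if state == "trusted":
            continue            # one of our own proxies: keep walking left
        if state == "invalid":
            return peer_ip      # malformed header: refuse to guess
        return hop              # first untrusted hop from the right = client
    return peer_ip              # empty header, or nothing but trusted hops


def app(environ, start_response):
    """WSGI echo app: shows the peer, the raw header and the resolved client.
    Stand-in for the Zope test script Dave suggests; run it behind Pound and
    compare what you expect with what the backend actually sees."""
    peer = environ.get("REMOTE_ADDR", "")
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    lines = [
        f"peer: {peer}",
        f"x-forwarded-for: {xff}",
        f"client_ip: {resolve_client_ip(peer, xff, TRUSTED_PROXIES)}",
    ]
    body = ("\n".join(lines) + "\n").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Two cases are worth noting. A client connecting directly to the backend with a forged `X-Forwarded-For: 1.2.3.4` is reported as its own peer address, because the peer is not in the trusted list; and a client that sends a forged header through Pound ends up as `forged, real-client` after Pound appends, so the right-to-left walk still returns the real client. The placeholder `111.222.333.444` from Bashar's log is not a valid IPv4 address and is treated as malformed rather than trusted.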

Re: [Pound Mailing List] user IP
Martin Meredith <mez(at)debian.org>
2012-02-19 20:01:37 [ FULL ]
http://stackoverflow.com/questions/5170364/how-do-i-configure-my-web-server-to-work-with-the-pluggableauthservices-domain

Bashar <bashar(at)gmail.com> wrote:
[...]
>>> Z2.log , i see something like this:
>>> 111.222.333.444 - bashar [19/Feb/2012:20:24:19 +0300] "GET /html/admin
>>> HTTP/1.1" 200 5636 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64;
>>> rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
>>>
>>> I remember X-Forwarded requests in Nginx sits at the end of the log
>>> entries but not the case in this log, would it be I'm using a very old
>>> pound and didn't have this feature? pound -V shows 2.1.3
>>>[...][...]
Attachments:  
text.html text/html 5140 Bytes

Re: [Pound Mailing List] user IP
Bashar <bashar(at)gmail.com>
2012-02-19 21:20:22 [ FULL ]
On Sun, Feb 19, 2012 at 10:01 PM, Matti Aarnio
<matti.aarnio(at)methics.fi>wrote:
[...]
work still shows 111.222.333.444 in Z2.log

[...]
Attachments:  
text.html text/html 1837 Bytes

Re: [Pound Mailing List] user IP
"Jaroslav Lukesh" <lukesh(at)seznam.cz>
2012-02-19 21:50:54 [ FULL ]
Hi,

In the deep past, the Z2 logger was changed in the Python source code directly.

Today I use pound logs with grep.

Regards, JL.

  ----- Original message -----
  From: Bashar
  To: pound(at)apsis.ch
  Sent: 19 February 2012 19:10
  Subject: Re: [Pound Mailing List] user IP

  On Sun, Feb 19, 2012 at 7:26 PM, Heiko Schlittermann
  <hs(at)schlittermann.de> wrote:

    Bashar <bashar(at)gmail.com> (Sun 19 Feb 2012 14:22:21 CET):

    > Hello,
    > We're using Pound as front for Zope and in Z2.log it shows the main IP of
    > Pound that forwards traffic.
    >
    > I wish to use the Domains feature under acl_users in zope to restrict
    > access for managers (the /manage) So how can i change/tweak it where Zope
    > can see the real user IP for using it in Domains option for managers?

    As Pound acts as a proxy on the application protocol layer, Zope will
    see connections originating from the Pound proxy only.

    But - Pound sets the X-Forwarded-For HTTP-Header.

       GET /test/index.html HTTP/1.0
       User-Agent: Wget/1.12 (linux-gnu)
       Accept: */*
       Host: ssl.schlittermann.de
       X-SSL-cipher: DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA Enc=AES(256)  Mac=SHA1
       X-Forwarded-For: 88.73.219.244

    But - you should read about X-Forwarded-For and possibilities of its
    abuse and about its contents in the face of proxy chains.

    I do not know anything about Zope, but probably you can have it trust
    the X-Forwarded-For headers and apply its ACLs on the base of these
    headers.

  The weird thing is I don't see the X-Forwarded-For HTTP-Header anywhere in
  Z2.log, I see something like this:
  111.222.333.444 - bashar [19/Feb/2012:20:24:19 +0300] "GET /html/admin HTTP/1.1" 200 5636 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

  I remember X-Forwarded requests in Nginx sit at the end of the log
  entries but not the case in this log, would it be I'm using a very old pound
  and didn't have this feature? pound -V shows 2.1.3

  Thanks,
  --
  Bashar
Attachments:  
text.html text/html 3838 Bytes

Re: [Pound Mailing List] user IP
Heiko Schlittermann <hs(at)schlittermann.de>
2012-02-19 21:53:00 [ FULL ]
Bashar <bashar(at)gmail.com> (Sun 19 Feb 2012 21:20:22 CET):[...]

It's kind of recursive now :)

https://www.google.com/search?q=utfg
[...]
Attachments:  
signature.asc application/pgp-signature 199 Bytes
