Pound private services
"Shane Chambers" <schambers(at)myriad-development.com> |
2012-03-15 23:16:16 |
[ FULL ]
|
I've run into a problem that I'm hoping someone can explain to me. It
appears that pound is treating HTTP private services as global services,
and ignoring HTTPS private services. Take for example this
configuration:
root(at)dev2: cat /etc/pound.cfg
User            "nobody"
Group           "nobody"
RootJail        "/var/pound/jail"
Alive           15
Client          15
TimeOut         300
Grace           10
LogFacility     local6
LogLevel        2
Control         "/var/run/pound.control"

## Main listening ports
ListenHTTP
    Address     192.168.3.120
    Port        80
    MaxRequest  10485760
    xHTTP       0
    Service
        Redirect "https://dev2"
    End
End

ListenHTTPS
    Address     192.168.3.120
    Port        443
    MaxRequest  10485760
    Cert        <removed>
    xHTTP       0
    Service
        IgnoreCase  1
        URL         "^\/*\/<removed>"
        BackEnd
            Address 192.168.3.120
            Port    8080
        End
    End
    Service
        IgnoreCase  1
        URL         "^\/*\/<removed>"
        BackEnd
            Address 192.168.3.120
            Port    8068
        End
    End
    Service
        BackEnd
            Address 192.168.3.120
            Port    81
        End
    End
End
root(at)dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
    0. Service active (1)
      0. Backend (UNKNOWN):0 active (1 0.000 sec) alive
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services
This was written with the intention that all HTTP traffic be redirected
to HTTPS. Indeed, from the headers I can see that all HTTP
traffic is being redirected; however, all HTTPS traffic is being
redirected as well. Thus I've got an infinite loop...
http://dev2/
GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>
HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
----------------------------------------------------------
https://dev2/
GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>
HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
----------------------------------------------------------
https://dev2/
GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>
HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
ad infinitum...
Removing the service holding the redirect from the HTTP listener
resolves nothing. In fact, everything breaks.
ListenHTTP
    Address     192.168.3.120
    Port        80
    MaxRequest  10485760
    xHTTP       0
#   Service
#       Redirect "https://dev2"
#   End
End

root(at)dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services
https://dev2/
GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>
HTTP/1.0 503 Service Unavailable
Content-Type: text/html
Content-Length: 53
Expires: now
Pragma: no-cache
Cache-Control: no-cache,no-store
----------------------------------------------------------
It's not until the services under HTTPS are moved out to the global
definition that things begin working again:
root(at)dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
 -1. Global services
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
https://dev2/
GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>
HTTP/1.1 200 OK
Set-Cookie: ad_session_id=<removed>; Path=/; Max-Age=3600
MIME-Version: 1.0
Date: Thu, 15 Mar 2012 21:59:39 GMT
Server: AOLserver/4.5.1
Content-Type: text/html; charset=utf-8
Content-Length: 5847
Connection: keep-alive
----------------------------------------------------------
Why does the private service under HTTP appear to be treated like it's a
global service (or at least a private service for both HTTP, and HTTPS)?
Why are the private services under HTTPS appearing to not be seen at
all?
Is there a better way to implement HTTP to HTTPS redirection? (or at
least a work around for this problem?)
RE: Pound private services
"Shane Chambers" <schambers(at)myriad-development.com> | 2012-03-15 23:23:33
Forgot to include this:
root(at)dev2: pound -V
starting...
Version 2.6
Configuration switches:
--enable-cert1l
--with-ssl=/usr/lib/openssl/
Exiting...
[...]
RE: Pound private services
Joe Gooch <mrwizard(at)k12system.com> | 2012-03-16 16:35:33
>>> Removing the service holding the redirect from the HTTP listener,
>>> resolves nothing. In fact, everything breaks.
At that point, if you connect to https://dev2, what happens? Clearly
http://dev2 will not work in that case.
Joe
From: Shane Chambers [mailto:schambers(at)myriad-development.com]
Sent: Thursday, March 15, 2012 6:16 PM
To: pound(at)apsis.ch
Subject: ***SPAM*** [Pound Mailing List] Pound private services
RE: [Pound Mailing List] RE: Pound private services
"Shane Chambers" <schambers(at)myriad-development.com> | 2012-03-19 22:47:38
Hi Joe,
In the configuration below I have the redirect commented out of the
ListenHTTP, and all of the services as private within the ListenHTTPS.
As you can see in the captured headers (FROM FIREFOX) at the bottom, the
only thing that comes back in this case is a "503 Service Unavailable."
However, if I use LWP's GET or curl to retrieve the page from Dev2
itself, I actually get the page as if nothing was wrong?
Mar 19 21:38:20 dev2 pound: (b7b5eb90) e503 no service "GET / HTTP/1.1" from 192.168.1.154 192.168.3.120
Mar 19 21:38:32 dev2 pound: 192.168.3.120 GET / HTTP/1.1 - HTTP/1.1 200 OK (dev2/- -> 192.168.3.120:81) 0.008 sec
Above are the two different entries from the messages file. They are
both asking for the same thing (https://dev2/); however,
the first comes from my workstation, and the second comes from Dev2
itself. This is getting more bizarre: why would it work on the system,
and not off the system? This can't be a network issue; obviously from
the log they are asking for the same thing, but getting two different
responses.
Thanks,
Shane Chambers
Configuration
----------------------------------------------------------
root(at)dev2: cat /etc/pound.cfg
User            "nobody"
Group           "nobody"
RootJail        "/var/pound/jail"
Alive           15
Client          15
TimeOut         300
Grace           10
LogFacility     local6
LogLevel        2
Control         "/var/run/pound.control"

# Main listening ports
ListenHTTP
    Address     192.168.3.120
    Port        80
    MaxRequest  10485760
    xHTTP       0
#   Service
#       Redirect "https://dev2"
#   End
End

ListenHTTPS
    Address     192.168.3.120
    Port        443
    MaxRequest  10485760
    Cert        "/etc/pki/tls/certs/<removed>"
    xHTTP       0
    Service
        IgnoreCase  1
        URL         "^\/*\/<removed>"
        BackEnd
            Address 192.168.3.120
            Port    8080
        End
    End
    Service
        IgnoreCase  1
        URL         "^\/*\/<removed>"
        BackEnd
            Address 192.168.3.120
            Port    8068
        End
    End
    Service
        BackEnd
            Address 192.168.3.120
            Port    81
        End
    End
End
Poundctl display current configuration
----------------------------------------------------------
root(at)dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services
FireFox Headers
----------------------------------------------------------
https://dev2/
GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.0 503 Service Unavailable
Content-Type: text/html
Content-Length: 53
Expires: now
Pragma: no-cache
Cache-Control: no-cache,no-store
----------------------------------------------------------
LWP HEAD (from Dev2)
----------------------------------------------------------
root(at)dev2: HEAD https://dev2/
200 OK
Connection: close
Date: Mon, 19 Mar 2012 21:44:01 GMT
Server: AOLserver/4.5.1
Content-Length: 5847
Content-Type: text/html; charset=utf-8
Client-Date: Mon, 19 Mar 2012 21:44:01 GMT
Client-Peer: 192.168.3.120:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: <removed>
Client-SSL-Cert-Subject: <removed>
Client-SSL-Cipher: <removed>
Client-SSL-Warning: Peer certificate not verified
MIME-Version: 1.0
Set-Cookie: <removed>
[...]
RE: [Pound Mailing List] RE: Pound private services
Joe Gooch <mrwizard(at)k12system.com> | 2012-03-20 15:28:46
I think it’s more important to note that when you run the LWP command, it
returns all the Client-SSL headers in the response. Which tells me you made an
SSL connection.
Those headers aren’t in the firefox response from your workstation, which leads
me to believe firefox, for whatever reason, isn’t making a SSL connection. OR,
firefox is making a SSL connection and is being redirected. (probably by your
AOLServer backend)
From your workstation are you sure if you ping dev2 it returns 192.168.3.120?
Try using telnet and openssl.
i.e.
telnet 192.168.3.120 80
GET / HTTP/1.0
Host: dev2
<enter>
After the last enter, you should receive the headers back. (In this
configuration, 503 service unavailable)
SSL connection: (win binaries at http://www.slproweb.com/products/Win32OpenSSL.html)
openssl s_client -connect 192.168.3.120:443
GET / HTTP/1.0
Host: dev2
<enter>
I would suspect in this configuration you’d see a response similar to what you
saw with LWP.
Firefox in your configuration seems to me like it’s going through a proxy,
being redirected, or doing something else not represented in your test case.
(Because I know I can’t reproduce the behavior you’re seeing)
Sometimes redirects cause these things… for instance https://dev2/directory and https://dev2/directory/ are *not* the same…
most servers will fire a redirect. Thought being:
https://dev2/directory
AOLServer sees HTTP connection on 8080 or 8068, sends redirect to http://dev2:8080/directory/ or worse http://dev2/directory/ (see RewriteLocation directive)
Browser redirects as instructed
You receive a 503 error
Are you sure something like that isn’t happening?
Joe
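The telnet / openssl s_client recipe Joe gives above, and the 302 -> 302 -> 302 chain Shane captured in the first message, as an added example in Python. This is not code from the thread or from the Pound project. It speaks raw HTTP/1.0 to a listener, can pin the IP it connects to while still sending the name in the Host header and TLS SNI (the same thing telnet to 192.168.3.120 with "Host: dev2" does, taking workstation name resolution out of the picture), and follows Location headers with loop detection so a redirect loop is reported rather than run ad infinitum. Host names, ports and the replayed responses used in the self-check are assumptions or constructed, not captures from the thread.

```python
"""Listener probe with redirect-loop detection.

Added example, not code from the thread or from Pound. Names, addresses
and the canned responses in the self-check are assumptions / constructed.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def build_request(host, path="/", method="GET"):
    # HTTP/1.0 without keep-alive, as in the telnet recipe: the server
    # closes after one response, so the reader can drain the socket to EOF.
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw reply."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def raw_fetch(url, connect_addr=None, timeout=5.0, verify=True):
    """Send one request for url over TCP or TLS and return the raw response.

    connect_addr, when given, is the IP the socket connects to; the Host
    header and the TLS server name still carry the host from the URL.
    """
    u = urlsplit(url)
    host = u.hostname
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    sock = socket.create_connection((connect_addr or host, port), timeout=timeout)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify:  # self-signed certificate on a dev box (assumption)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(host, path))
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; use what was read
    return b"".join(chunks)


def follow(url, fetch, max_hops=5):
    """Follow 3xx Location hops using fetch(url) -> raw response bytes.

    Returns (last_status, hops, looped): hops is a list of (url, status)
    in order; looped is True when a Location points back at a URL already
    visited, or when max_hops is exhausted.
    """
    hops = []
    current = url
    for _ in range(max_hops):
        code, headers = parse_response(fetch(current))
        hops.append((current, code))
        if code in REDIRECT_CODES and "location" in headers:
            nxt = headers["location"]
            if any(nxt == seen for seen, _ in hops):
                return code, hops, True
            current = nxt
            continue
        return code, hops, False
    return hops[-1][1], hops, True


if __name__ == "__main__":
    # usage: probe.py https://dev2/ [connect-ip]   (placeholder names)
    # The connect-ip is reused for every hop, which is right for a single
    # Pound host redirecting between its own listeners.
    target = sys.argv[1]
    addr = sys.argv[2] if len(sys.argv) > 2 else None
    status, chain, looped = follow(
        target, lambda u: raw_fetch(u, connect_addr=addr, verify=False))
    for hop_url, hop_code in chain:
        print(f"{hop_code} {hop_url}")
    print("redirect loop" if looped else f"final status {status}")
```

Run against the HTTP listener it should print a single 302 hop followed by the HTTPS listener's answer; the looping configuration from the first message shows up as two hops and "redirect loop", and the later configuration as a 503 on the first hop. Because the connect address is pinned, a 503 here comes from Pound's own service lookup, not from a proxy or a stray DNS entry on the workstation.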