Hi List,



I am having trouble with Pound in front of HAProxy, they are performing SSL
Offload and Load Balancing in front of a Web Server with multiple sites in
the same domain. Everything works apart from one niggling problem, when I
do a 302 redirect from one subdomain site to another on the webserver it
does not change the subdomain sent to the client. E.g.
https://sd1.example.com/test.php
 performs a 302 redirect to
https://sd2.example.com/result.php
but instead the client is redirected to
https://sd1.example.com/result.php
 I have included my config below. I have
read the man pages, the mailing list and scoured google but I cannot seem
to find the same issue explained in a way I can make sense of. This is my
first time using Pound and HAProxy (I have sent the same question to the
HAProxy list) I am not sure where this is going wrong but have searched
resolutions in both software.



# poundctl control socket

Control "/var/run/pound/poundctl.socket"





######################################################################

## listen, redirect and ... to:



## redirect all requests on port 8080 ("ListenHTTP") to the local webserver
(see "Service" below):

ListenHTTP

        Address 127.0.0.1

        Port    8080

        Client  10

        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:

#       xHTTP           0



        Service

                BackEnd

                        Address 127.0.0.1

                        Port    80

                End

        End

End



ListenHTTPS

        Address 192.168.1.80

        Port    443

        Cert    "/etc/pound/star.staging.poli.local.pem"

        Client  20

        Service

                BackEnd

                        Address 127.0.0.2

                        Port    80

                End

        End

End
























[ Wrote 60 lines ]

^G Get Help                  ^O WriteOut                  ^R Read
File                 ^Y Prev Page                 ^K Cut
Text                  ^C Cur Pos

^X Exit                      ^J Justify                   ^W Where
Is                  ^V Next Page                 ^U UnCut
Text                ^T To Spell



Regards,

Leo Cadle



Network/System Administrator

*POLi Payments*



*Phone Numbers*

*Direct:* +61 3 8601 5907

*Main:* +61 3 8601 5900

*Free:* 1300 007654

*Fax:* +61 3 8601 5999



*URL:* http://www.polipayments.com


[...]

Hi Chris,

Thanks for the reply, in our scenario the website asks for the redirect,
and it is not static, so I may not know beforehand what redirect is going
to be asked for. Under Microsofts ARR for example they call it "reverse
rewrite host in response headers", if you turn it on it behaves very much
the same as what I am experiencing.

Cheers,
Leo.

-----Original Message-----
From: Chris Morrow [mailto:cmorrow(at)paybyphone.com]
Sent: Thursday, 17 May 2012 3:15 PM
To: leo.cadle(at)polipayments.com
Subject: [Pound Mailing List] Wildcard Certificate and 302 redirect

Hi Leo, emailing you directly as the mailing list bounced my earlier
reply.

It looks like you're trying to perform the redirect at the application
level, rather than at the load balancer. You may find success by
implementing the following config:

#edit the listener containing the backends for https://sd1.example.com
#put this at the top of the listener config

ListenHTTPS
        Address 192.168.1.80
        Port    443
        Cert    "/etc/pound/star.staging.poli.local.pem"
        Client  20
        Service
                IgnoreCase 1
                Url "test\.php"
                Redirect "https://sd2.example.com/result.php"
        End
        Service
                BackEnd
                        Address 127.0.0.2
                        Port    80
                End
        End
End


I am assuming your localhost references are just masking your network
design.

Regards,
Chris

[...]

----- Puvodní zpráva ----- 
  Od: Leo Cadle
  Komu: pound(at)apsis.ch
  Odesláno: 17. kvetna 2012 4:16
  Predmet: [Pound Mailing List] Wildcard Certificate and 302 redirect


  Hi List,



  I am having trouble with Pound in front of HAProxy, they are performing 
SSL Offload and Load Balancing in front of a Web Server with multiple sites 
in the same domain. Everything works apart from one niggling problem, when I 
do a 302 redirect from one subdomain site to another on the webserver it 
does not change the subdomain sent to the client. E.g. 
https://sd1.example.com/test.php
 performs a 302 redirect to 
https://sd2.example.com/result.php
but instead the client is redirected to 
https://sd1.example.com/result.php
 I have included my config below. I have 
read the man pages, the mailing list and scoured google but I cannot seem to 
find the same issue explained in a way I can make sense of. This is my first 
time using Pound and HAProxy (I have sent the same question to the HAProxy 
list) I am not sure where this is going wrong but have searched resolutions 
in both software.



  # poundctl control socket

  Control "/var/run/pound/poundctl.socket"





  ######################################################################

  ## listen, redirect and ... to:



  ## redirect all requests on port 8080 ("ListenHTTP") to the local 
webserver (see "Service" below):

  ListenHTTP

          Address 127.0.0.1

          Port    8080

          Client  10

          ## allow PUT and DELETE also (by default only GET, POST and 
HEAD)?:

  #       xHTTP           0



          Service

                  BackEnd

                          Address 127.0.0.1

                          Port    80

                  End

          End

  End



  ListenHTTPS

          Address 192.168.1.80

          Port    443

          Cert    "/etc/pound/star.staging.poli.local.pem"

          Client  20

          Service

                  BackEnd

                          Address 127.0.0.2

                          Port    80

                  End

          End

  End























                                                                             
     [ Wrote 60 lines ]

  ^G Get Help                  ^O WriteOut                  ^R Read File 
^Y Prev Page                 ^K Cut Text                  ^C Cur Pos

  ^X Exit                      ^J Justify                   ^W Where Is 
^V Next Page                 ^U UnCut Text                ^T To Spell



  Regards,

  Leo Cadle



  Network/System Administrator

  POLi Payments



  Phone Numbers

  Direct: +61 3 8601 5907

  Main: +61 3 8601 5900

  Free: 1300 007654

  Fax: +61 3 8601 5999



  URL: http://www.polipayments.com



  ____________________________________________________________________________

  This e-mail and any attachments to it (the "Communication") are, unless 
otherwise stated, confidential. It may contain copyright material and is for 
the use only of the intended recipient. If you have received the 
Communication in error, please notify the sender immediately by return 
e-mail, then delete the Communication and the return e-mail. Please do not 
read, copy, retransmit or otherwise deal with it. Any views expressed in the 
Communication are those of the individual sender only, unless expressly 
stated to be those of Centricom Pty Ltd (ABN73 105 393 664). Centricom does 
not accept liability in connection with the integrity of (or errors) in the 
Communication, computer virus, data corruption, interference or delay 
arising from or in respect of the Communication.

Analyze headers from webserver and from browser.

----- Puvodní zpráva ----- 
Od: Leo Cadle

I am having trouble with Pound in front of HAProxy, they are performing SSL 
Offload and Load Balancing in front of a Web Server with multiple sites in 
the same domain. Everything works apart from one niggling problem, when I do 
a 302 redirect from one subdomain site to another on the webserver it does 
not change the subdomain sent to the client. E.g. 
https://sd1.example.com/test.php
 performs a 302 redirect to 
https://sd2.example.com/result.php
but instead the client is redirected to 
https://sd1.example.com/result.php
 I have included my config below. I have 
read the man pages, the mailing list and scoured google but I cannot seem to 
find the same issue explained in a way I can make sense of. This is my first 
time using Pound and HAProxy (I have sent the same question to the HAProxy 
list) I am not sure where this is going wrong but have searched resolutions 
in both software.

Leo,
Before talking about your problem, in your system, where is located the
haproxy? is your backend an apache or an nginx?
regards,
robert.



Em 17/05/2012, às 03:15, Jaroslav Lukesh <lukesh(at)seznam.cz> escreveu:
[...]

W dniu 17.05.2012 04:16, Leo Cadle pisze:[...]
"RewriteLocation 0" in Listeners.

[...]
[...]

Hello,

 

For my take, and my experience only, I’ve had this occur when I did not have
the DNS setup properly. In my case, I was not setting the sd1.example.com and
sd2.example.com domains back to the local IP addresses.  When this was the
case, pound would not redirect correctly and our login would never work. Once I
added the local IP name service for example.com, pound started to redirect
properly. Our backends were tomcat servers.

 

Just my experience, and it may not reflect what you are experiencing. Pound is
very touchy about DNS from what I’ve seen.

 
[...]

I completely agree. It does not seem a pound matter…..

De: Jacob Anderson [mailto:jwa(at)beyond-ordinary.com]
Enviada em: quinta-feira, 17 de maio de 2012 12:20
Para: pound(at)apsis.ch
Assunto: RE: [Pound Mailing List] Wildcard Certificate and 302 redirect

Hello,

For my take, and my experience only, I’ve had this occur when I did not have
the DNS setup properly. In my case, I was not setting the sd1.example.com and
sd2.example.com domains back to the local IP addresses.  When this was the
case, pound would not redirect correctly and our login would never work. Once I
added the local IP name service for example.com, pound started to redirect
properly. Our backends were tomcat servers.

Just my experience, and it may not reflect what you are experiencing. Pound is
very touchy about DNS from what I’ve seen.
[...]

-Are you using nginx or apache?
-Could you send us your redirect code in the php file?
-Why are you using pound AND haproxy?

Regards,
Roberto

De: Roberto Geraldo Pimenta Ribeiro Junior
Enviada em: quinta-feira, 17 de maio de 2012 15:36
Para: pound(at)apsis.ch
Assunto: RES: [Pound Mailing List] Wildcard Certificate and 302 redirect

I completely agree. It does not seem a pound matter…..

De: Jacob Anderson [mailto:jwa(at)beyond-ordinary.com]
Enviada em: quinta-feira, 17 de maio de 2012 12:20
Para: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Assunto: RE: [Pound Mailing List] Wildcard Certificate and 302 redirect

Hello,

For my take, and my experience only, I’ve had this occur when I did not have
the DNS setup properly. In my case, I was not setting the sd1.example.com and
sd2.example.com domains back to the local IP addresses.  When this was the
case, pound would not redirect correctly and our login would never work. Once I
added the local IP name service for example.com, pound started to redirect
properly. Our backends were tomcat servers.

Just my experience, and it may not reflect what you are experiencing. Pound is
very touchy about DNS from what I’ve seen.
[...]

Hi List,



I will reply once here to all comments.



I have removed HA Proxy, it was just doing the Load Balancing while Pound
was doing the SSL Offload.

I had not tried to setup an environment like this before and was following
a tutorial that did it this way. Once I installed Pound I could see it
could do the same thing on the back end but did not remove HA Proxy
straight away. It is now out of the picture.

I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if
I can replicate the configuration using software Load Balancers so we can
better test our releases. So far I have tried Microsoft ARR, which has a
checkbox to enable or disable this particular behaviour called ‘Reverse
rewrite host header’.

The backend web server is a singe server with one IP address, it hosts
multiple sites answering to different subdomains. That is why we have the
wildcard certificate. The DNS is set correctly with all sudomains pointing
to the same IP. Without Pound the redirect works correctly, when pound is
involved the subdomain always gets rewritten to the starting subdomain. It
is not a problem with our redirect code, it is a simple redirect, this is a
replica of our production code which works correctly behind Brocade Load
Balancers (http://www.brocade.com/index.page)
and also works behind
Microsoft ARR (something else is the problem with ARR).

I have included a tcp dump that shows the rewrite taking place.



Cheers,

Leo.

On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior <
rpimenta(at)senado.gov.br> wrote:

-Are you using nginx or apache?

-Could you send us your redirect code in the php file?

-Why are you using pound AND haproxy?



Regards,

Roberto



*De:* Roberto Geraldo Pimenta Ribeiro Junior
*Enviada em:* quinta-feira, 17 de maio de 2012 15:36
*Para:* pound(at)apsis.ch
*Assunto:* RES: [Pound Mailing List] Wildcard Certificate and 302 redirect



I completely agree. It does not seem a pound matter…..



*De:* Jacob Anderson
[mailto:jwa(at)beyond-ordinary.com<jwa(at)beyond-ordinary.com>]


*Enviada em:* quinta-feira, 17 de maio de 2012 12:20
*Para:* pound(at)apsis.ch

*Assunto:* RE: [Pound Mailing List] Wildcard Certificate and 302 redirect



Hello,



For my take, and my experience only, I’ve had this occur when I did not
have the DNS setup properly. In my case, I was not setting the
sd1.example.com and sd2.example.com domains back to the local IP
addresses.  When this was the case, pound would not redirect correctly and
our login would never work. Once I added the local IP name service for
example.com, pound started to redirect properly. Our backends were tomcat
servers.



Just my experience, and it may not reflect what you are experiencing. Pound
is very touchy about DNS from what I’ve seen.


[...]

Take a look in the directive rewritedestination in man

Enviado via iPhone

Em 17/05/2012, às 19:14, "Leo Cadle"
<leo.cadle(at)polipayments.com<mailto:leo.cadle(at)polipayments.com>>
escreveu:

Hi List,

I will reply once here to all comments.

I have removed HA Proxy, it was just doing the Load Balancing while Pound was
doing the SSL Offload.
I had not tried to setup an environment like this before and was following a
tutorial that did it this way. Once I installed Pound I could see it could do
the same thing on the back end but did not remove HA Proxy straight away. It is
now out of the picture.
I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if I
can replicate the configuration using software Load Balancers so we can better
test our releases. So far I have tried Microsoft ARR, which has a checkbox to
enable or disable this particular behaviour called ‘Reverse rewrite host
header’.
The backend web server is a singe server with one IP address, it hosts multiple
sites answering to different subdomains. That is why we have the wildcard
certificate. The DNS is set correctly with all sudomains pointing to the same
IP. Without Pound the redirect works correctly, when pound is involved the
subdomain always gets rewritten to the starting subdomain. It is not a problem
with our redirect code, it is a simple redirect, this is a replica of our
production code which works correctly behind Brocade Load Balancers (http://www.brocade.com/index.page)
and also works behind Microsoft ARR (something else is the problem with ARR).
I have included a tcp dump that shows the rewrite taking place.

Cheers,
Leo.
On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior
<rpimenta(at)senado.gov.br<mailto:rpimenta(at)senado.gov.br>>
wrote:
-Are you using nginx or apache?
-Could you send us your redirect code in the php file?
-Why are you using pound AND haproxy?

Regards,
Roberto

De: Roberto Geraldo Pimenta Ribeiro Junior
Enviada em: quinta-feira, 17 de maio de 2012 15:36
Para: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Assunto: RES: [Pound Mailing List] Wildcard Certificate and 302 redirect

I completely agree. It does not seem a pound matter…..

De: Jacob Anderson [mailto:jwa(at)beyond-ordinary.com]
Enviada em: quinta-feira, 17 de maio de 2012 12:20
Para: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Assunto: RE: [Pound Mailing List] Wildcard Certificate and 302 redirect

Hello,

For my take, and my experience only, I’ve had this occur when I did not have
the DNS setup properly. In my case, I was not setting the sd1.example.com<http://sd1.example.com> and
sd2.example.com<http://sd2.example.com> domains back
to the local IP addresses.  When this was the case, pound would not redirect
correctly and our login would never work. Once I added the local IP name
service for example.com<http://example.com>, pound started to
redirect properly. Our backends were tomcat servers.

Just my experience, and it may not reflect what you are experiencing. Pound is
very touchy about DNS from what I’ve seen.
[...]

have you tested with rewrite location or rewrite destination?



Em 17/05/2012, às 19:01, Leo Cadle <leo.cadle(at)polipayments.com>
escreveu:
[...]

Hi Roberto,



Yes I already tried this, Default is 0, I have tried setting to 0 and to 1
it does not seem to change the behaviour.



RewriteLocation has more effect but still not what I am looking for.



I am using Ubuntu 12.04 which provides pound_2.5-1.1_i386 from the
repositories



Cheers,

Leo.



*From:* Roberto Geraldo Pimenta Ribeiro Junior [mailto:
rpimenta(at)senado.gov.br]
*Sent:* Friday, 18 May 2012 8:25 AM
*To:* <pound(at)apsis.ch>
*Subject:* Re: [Pound Mailing List] Wildcard Certificate and 302 redirect



Take a look in the directive rewritedestination in man

Enviado via iPhone


Em 17/05/2012, às 19:14, "Leo Cadle" <leo.cadle(at)polipayments.com>
escreveu:

Hi List,



I will reply once here to all comments.



I have removed HA Proxy, it was just doing the Load Balancing while Pound
was doing the SSL Offload.

I had not tried to setup an environment like this before and was following
a tutorial that did it this way. Once I installed Pound I could see it
could do the same thing on the back end but did not remove HA Proxy
straight away. It is now out of the picture.

I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if
I can replicate the configuration using software Load Balancers so we can
better test our releases. So far I have tried Microsoft ARR, which has a
checkbox to enable or disable this particular behaviour called ‘Reverse
rewrite host header’.

The backend web server is a singe server with one IP address, it hosts
multiple sites answering to different subdomains. That is why we have the
wildcard certificate. The DNS is set correctly with all sudomains pointing
to the same IP. Without Pound the redirect works correctly, when pound is
involved the subdomain always gets rewritten to the starting subdomain. It
is not a problem with our redirect code, it is a simple redirect, this is a
replica of our production code which works correctly behind Brocade Load
Balancers (http://www.brocade.com/index.page)
and also works behind
Microsoft ARR (something else is the problem with ARR).

I have included a tcp dump that shows the rewrite taking place.



Cheers,

Leo.

On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior <
rpimenta(at)senado.gov.br> wrote:

-Are you using nginx or apache?

-Could you send us your redirect code in the php file?

-Why are you using pound AND haproxy?



Regards,

Roberto



*De:* Roberto Geraldo Pimenta Ribeiro Junior
*Enviada em:* quinta-feira, 17 de maio de 2012 15:36
*Para:* pound(at)apsis.ch
*Assunto:* RES: [Pound Mailing List] Wildcard Certificate and 302 redirect



I completely agree. It does not seem a pound matter…..



*De:* Jacob Anderson
[mailto:jwa(at)beyond-ordinary.com<jwa(at)beyond-ordinary.com>]


*Enviada em:* quinta-feira, 17 de maio de 2012 12:20
*Para:* pound(at)apsis.ch

*Assunto:* RE: [Pound Mailing List] Wildcard Certificate and 302 redirect



Hello,



For my take, and my experience only, I’ve had this occur when I did not
have the DNS setup properly. In my case, I was not setting the
sd1.example.com and sd2.example.com domains back to the local IP
addresses.  When this was the case, pound would not redirect correctly and
our login would never work. Once I added the local IP name service for
example.com, pound started to redirect properly. Our backends were tomcat
servers.



Just my experience, and it may not reflect what you are experiencing. Pound
is very touchy about DNS from what I’ve seen.


[...]

I think that rewritelocation 2 will do the trick... but i dont have an
environment to test.

Em 17/05/2012, às 19:42, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:
[...][...]

you also have the option to put the redirect in pound ......


Em 17/05/2012, às 19:51, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:
[...][...]
>>> Hi List,
>>> 
>>>  
>>> 
>>> I will reply once here to all comments.
>>> 
>>>  
>>> 
>>> I have removed HA Proxy, it was just doing the Load Balancing
while Pound was doing the SSL Offload.
>>> 
>>> I had not tried to setup an environment like this before and was
following a tutorial that did it this way. Once I installed Pound I could see
it could do the same thing on the back end but did not remove HA Proxy straight
away. It is now out of the picture.
>>> 
>>> I am trying to replicate our production environment in a test
scenario. Our production environment uses hardware load balancers, I am trying
to see if I can replicate the configuration using software Load Balancers so we
can better test our releases. So far I have tried Microsoft ARR, which has a
checkbox to enable or disable this particular behaviour called ‘Reverse
rewrite host header’. 
>>> 
>>> The backend web server is a singe server with one IP address, it
hosts multiple sites answering to different subdomains. That is why we have the
wildcard certificate. The DNS is set correctly with all sudomains pointing to
the same IP. Without Pound the redirect works correctly, when pound is involved
the subdomain always gets rewritten to the starting subdomain. It is not a
problem with our redirect code, it is a simple redirect, this is a replica of
our production code which works correctly behind Brocade Load Balancers (http://www.brocade.com/index.page)
and also works behind Microsoft ARR (something else is the problem with ARR).
>>> 
>>> I have included a tcp dump that shows the rewrite taking place.
>>> 
>>>  
>>> 
>>> Cheers,
>>> 
>>> Leo.
>>> 
>>> On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro
Junior <rpimenta(at)senado.gov.br> wrote:
>>> 
>>> -Are you using nginx or apache?
>>> 
>>> -Could you send us your redirect code in the php file?
>>> 
>>> -Why are you using pound AND haproxy?
>>> 
>>>  
>>> 
>>> Regards,
>>> 
>>> Roberto
>>> 
>>>  
>>> 
>>> De: Roberto Geraldo Pimenta Ribeiro Junior 
>>> Enviada em: quinta-feira, 17 de maio de 2012 15:36
>>> Para: pound(at)apsis.ch
>>> Assunto: RES: [Pound Mailing List] Wildcard Certificate and 302
redirect
>>> 
>>>  
>>> 
>>> I completely agree. It does not seem a pound matter…..
>>> 
>>>  
>>> 
>>> De: Jacob Anderson [mailto:jwa(at)beyond-ordinary.com]
>>> 
>>> Enviada em: quinta-feira, 17 de maio de 2012 12:20
>>> Para: pound(at)apsis.ch
>>> 
>>> Assunto: RE: [Pound Mailing List] Wildcard Certificate and 302
redirect
>>> 
>>>  
>>> 
>>> Hello,
>>> 
>>>  
>>> 
>>> For my take, and my experience only, I’ve had this occur when I
did not have the DNS setup properly. In my case, I was not setting the
sd1.example.com and sd2.example.com domains back to the local IP addresses. 
When this was the case, pound would not redirect correctly and our login would
never work. Once I added the local IP name service for example.com, pound
started to redirect properly. Our backends were tomcat servers.
>>> 
>>>  
>>> 
>>> Just my experience, and it may not reflect what you are
experiencing. Pound is very touchy about DNS from what I’ve seen.
>>> 
>>>  
>>> 
>>> -- Jake
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: Andrzej Dopierała [mailto:undefine(at)aramin.net] 
>>> Sent: Thursday, May 17, 2012 6:43 AM
>>> To: pound(at)apsis.ch
>>> Subject: Re: [Pound Mailing List] Wildcard Certificate and 302
redirect
>>> 
>>>  
>>> 
>>> W dniu 17.05.2012 04:16, Leo Cadle pisze:
>>> 
>>> Hi List,
>>> 
>>>  
>>> 
>>> I am having trouble with Pound in front of HAProxy, they are
performing SSL Offload and Load Balancing in front of a Web Server with
multiple sites in the same domain. Everything works apart from one niggling
problem, when I do a 302 redirect from one subdomain site to another on the
webserver it does not change the subdomain sent to the client. E.g. https://sd1.example.com/test.php 
performs a 302 redirect to https://sd2.example.com/result.php
but instead the client is redirected to https://sd1.example.com/result.php
 I have included my config below. I have read the man pages, the mailing list
and scoured google but I cannot seem to find the same issue explained in a way
I can make sense of. This is my first time using Pound and HAProxy (I have sent
the same question to the HAProxy list) I am not sure where this is going wrong
but have searched resolutions in both software.
>>> 
>>>  
>>> 
>>> use 
>>> "RewriteLocation 0" in Listeners.
>>> 
>>> # poundctl control socket
>>> 
>>> Control "/var/run/pound/poundctl.socket"
>>> 
>>>  
>>> 
>>>  
>>> 
>>>
######################################################################
>>> 
>>> ## listen, redirect and ... to:
>>> 
>>>  
>>> 
>>> ## redirect all requests on port 8080 ("ListenHTTP") to the local
webserver (see "Service" below):
>>> 
>>> ListenHTTP
>>> 
>>>         Address 127.0.0.1
>>> 
>>>         Port    8080
>>> 
>>>         Client  10
>>> 
>>>         ## allow PUT and DELETE also (by default only GET, POST
and HEAD)?:
>>> 
>>> #       xHTTP           0
>>> 
>>>  
>>> 
>>>         Service
>>> 
>>>                 BackEnd
>>> 
>>>                         Address 127.0.0.1
>>> 
>>>                         Port    80
>>> 
>>>                 End
>>> 
>>>         End
>>> 
>>> End
>>> 
>>>  
>>> 
>>> ListenHTTPS
>>> 
>>>         Address 192.168.1.80
>>> 
>>>         Port    443
>>> 
>>>         Cert    "/etc/pound/star.staging.poli.local.pem"
>>> 
>>>         Client  20
>>> 
>>>         Service
>>> 
>>>                 BackEnd
>>> 
>>>                         Address 127.0.0.2
>>> 
>>>                         Port    80
>>> 
>>>                 End
>>> 
>>>         End
>>> 
>>> End
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>                                                                   
            [ Wrote 60 lines ]
>>> 
>>> ^G Get Help                  ^O WriteOut                  ^R Read
File                 ^Y Prev Page                 ^K Cut Text                 
^C Cur Pos
>>> 
>>> ^X Exit                      ^J Justify                   ^W Where
Is                  ^V Next Page                 ^U UnCut Text               
^T To Spell
>>> 
>>>  
>>> 
>>> Regards,
>>> 
>>> Leo Cadle
>>> 
>>>  
>>> 
>>> Network/System Administrator
>>> 
>>> POLi Payments
>>> 
>>>  
>>> 
>>> Phone Numbers
>>> 
>>> Direct: +61 3 8601 5907
>>> 
>>> Main: +61 3 8601 5900
>>> 
>>> Free: 1300 007654
>>> 
>>> Fax: +61 3 8601 5999
>>> 
>>>  
>>> 
>>> URL: http://www.polipayments.com
>>> 
>>>  
>>> 
>>>
____________________________________________________________________________
>>> 
>>> This e-mail and any attachments to it (the "Communication") are,
unless otherwise stated, confidential. It may contain copyright material and is
for the use only of the intended recipient. If you have received the
Communication in error, please notify the sender immediately by return e-mail,
then delete the Communication and the return e-mail. Please do not read, copy,
retransmit or otherwise deal with it. Any views expressed in the Communication
are those of the individual sender only, unless expressly stated to be those of
Centricom Pty Ltd (ABN73 105 393 664). Centricom does not accept liability in
connection with the integrity of (or errors) in the Communication, computer
virus, data corruption, interference or delay arising from or in respect of the
Communication.
>>> 
>>>  
>>> 
>>>  
>>> 
>>> -- 
>>> Regards,
>>> Andrzej 'The Undefined' Dopierała
>>> http://andrzej.dopierala.name/
>>> 
>>> 
>>> 
>>> --
>>> 
>>>  
>>> 
>>> Regards,
>>> 
>>>  
>>> 
>>> Leo Cadle
>>> 
>>> Network/System Administrator
>>> 
>>> POLi Payments
>>> 
>>>  
>>> 
>>> Phone Numbers
>>> 
>>> Direct: +61 3 8601 5907
>>> 
>>> Main: +61 3 8601 5900
>>> 
>>> Fax: +61 3 8601 5999
>>> 
>>>  
>>> 
>>> URL: http://www.polipayments.com
>>> 
>>>
____________________________________________________________________________
>>> 
>>>  
>>> 
>>> This e-mail and any attachments to it (the "Communication") are,
unless otherwise stated, confidential. It may contain copyright material and is
for the use only of the intended recipient. If you have received the
Communication in error, please notify the sender immediately by return e-mail,
then delete the Communication and the return e-mail. Please do not read, copy,
retransmit or otherwise deal with it. Any views expressed in the Communication
are those of the individual sender only, unless expressly stated to be those of
Centricom Pty Ltd (ABN73 105 393 664). Centricom does not accept liability in
connection with the integrity of (or errors) in the Communication, computer
virus, data corruption, interference or delay arising from or in respect of the
Communication.
>>> 
>>>  
>>> 
>>> <redir.cap>

Hi Roberto,



As I do not know what the redirection will be, remember a 302 redirect is
temporary, that will not work.



Cheers,

Leo.



*From:* Roberto Pimenta Jr. [mailto:rpimenta(at)senado.gov.br]
*Sent:* Friday, 18 May 2012 8:57 AM
*To:* pound(at)apsis.ch
*Subject:* Re: [Pound Mailing List] Wildcard Certificate and 302 redirect




you also have the option to put the redirect in pound ......


Em 17/05/2012, às 19:51, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:



I think that rewritelocation 2 will do the trick... but i dont have an
environment to test.


Em 17/05/2012, às 19:42, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:

have you tested with rewrite location or rewrite destination?


Em 17/05/2012, às 19:01, Leo Cadle <leo.cadle(at)polipayments.com>
escreveu:

Hi List,



I will reply once here to all comments.



I have removed HA Proxy, it was just doing the Load Balancing while Pound
was doing the SSL Offload.

I had not tried to setup an environment like this before and was following
a tutorial that did it this way. Once I installed Pound I could see it
could do the same thing on the back end but did not remove HA Proxy
straight away. It is now out of the picture.

I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if
I can replicate the configuration using software Load Balancers so we can
better test our releases. So far I have tried Microsoft ARR, which has a
checkbox to enable or disable this particular behaviour called ‘Reverse
rewrite host header’.

The backend web server is a singe server with one IP address, it hosts
multiple sites answering to different subdomains. That is why we have the
wildcard certificate. The DNS is set correctly with all sudomains pointing
to the same IP. Without Pound the redirect works correctly, when pound is
involved the subdomain always gets rewritten to the starting subdomain. It
is not a problem with our redirect code, it is a simple redirect, this is a
replica of our production code which works correctly behind Brocade Load
Balancers (http://www.brocade.com/index.page)
and also works behind
Microsoft ARR (something else is the problem with ARR).

I have included a tcp dump that shows the rewrite taking place.



Cheers,

Leo.

On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior <
rpimenta(at)senado.gov.br> wrote:

-Are you using nginx or apache?

-Could you send us your redirect code in the php file?

-Why are you using pound AND haproxy?



Regards,

Roberto



*De:* Roberto Geraldo Pimenta Ribeiro Junior
*Enviada em:* quinta-feira, 17 de maio de 2012 15:36
*Para:* pound(at)apsis.ch
*Assunto:* RES: [Pound Mailing List] Wildcard Certificate and 302 redirect



I completely agree. It does not seem a pound matter…..



*De:* Jacob Anderson
[mailto:jwa(at)beyond-ordinary.com<jwa(at)beyond-ordinary.com>]


*Enviada em:* quinta-feira, 17 de maio de 2012 12:20
*Para:* pound(at)apsis.ch

*Assunto:* RE: [Pound Mailing List] Wildcard Certificate and 302 redirect



Hello,



For my take, and my experience only, I’ve had this occur when I did not
have the DNS setup properly. In my case, I was not setting the
sd1.example.com and sd2.example.com domains back to the local IP
addresses.  When this was the case, pound would not redirect correctly and
our login would never work. Once I added the local IP name service for
example.com, pound started to redirect properly. Our backends were tomcat
servers.



Just my experience, and it may not reflect what you are experiencing. Pound
is very touchy about DNS from what I’ve seen.


[...]

Hi Roberto,



Hold the horses, RewriteLocation 2 may be the ticket, I did not have
success last time I tried it but this time it seems to be working. I will
do a bit more testing to confirm.



Cheers,

Leo.



*From:* Roberto Pimenta Jr. [mailto:rpimenta(at)senado.gov.br]
*Sent:* Friday, 18 May 2012 8:57 AM
*To:* pound(at)apsis.ch
*Subject:* Re: [Pound Mailing List] Wildcard Certificate and 302 redirect




you also have the option to put the redirect in pound ......


Em 17/05/2012, às 19:51, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:



I think that rewritelocation 2 will do the trick... but i dont have an
environment to test.


Em 17/05/2012, às 19:42, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:

have you tested with rewrite location or rewrite destination?


Em 17/05/2012, às 19:01, Leo Cadle <leo.cadle(at)polipayments.com>
escreveu:

Hi List,



I will reply once here to all comments.



I have removed HA Proxy, it was just doing the Load Balancing while Pound
was doing the SSL Offload.

I had not tried to setup an environment like this before and was following
a tutorial that did it this way. Once I installed Pound I could see it
could do the same thing on the back end but did not remove HA Proxy
straight away. It is now out of the picture.

I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if
I can replicate the configuration using software Load Balancers so we can
better test our releases. So far I have tried Microsoft ARR, which has a
checkbox to enable or disable this particular behaviour called ‘Reverse
rewrite host header’.

The backend web server is a singe server with one IP address, it hosts
multiple sites answering to different subdomains. That is why we have the
wildcard certificate. The DNS is set correctly with all sudomains pointing
to the same IP. Without Pound the redirect works correctly, when pound is
involved the subdomain always gets rewritten to the starting subdomain. It
is not a problem with our redirect code, it is a simple redirect, this is a
replica of our production code which works correctly behind Brocade Load
Balancers (http://www.brocade.com/index.page)
and also works behind
Microsoft ARR (something else is the problem with ARR).

I have included a tcp dump that shows the rewrite taking place.



Cheers,

Leo.

On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior <
rpimenta(at)senado.gov.br> wrote:

-Are you using nginx or apache?

-Could you send us your redirect code in the php file?

-Why are you using pound AND haproxy?



Regards,

Roberto



*De:* Roberto Geraldo Pimenta Ribeiro Junior
*Enviada em:* quinta-feira, 17 de maio de 2012 15:36
*Para:* pound(at)apsis.ch
*Assunto:* RES: [Pound Mailing List] Wildcard Certificate and 302 redirect



I completely agree. It does not seem a pound matter…..



*De:* Jacob Anderson
[mailto:jwa(at)beyond-ordinary.com<jwa(at)beyond-ordinary.com>]


*Enviada em:* quinta-feira, 17 de maio de 2012 12:20
*Para:* pound(at)apsis.ch

*Assunto:* RE: [Pound Mailing List] Wildcard Certificate and 302 redirect



Hello,



For my take, and my experience only, I’ve had this occur when I did not
have the DNS setup properly. In my case, I was not setting the
sd1.example.com and sd2.example.com domains back to the local IP
addresses.  When this was the case, pound would not redirect correctly and
our login would never work. Once I added the local IP name service for
example.com, pound started to redirect properly. Our backends were tomcat
servers.



Just my experience, and it may not reflect what you are experiencing. Pound
is very touchy about DNS from what I’ve seen.


[...]

Ok .. Waiting....

Enviado via iPhone

Em 17/05/2012, às 20:34, "Leo Cadle"
<leo.cadle(at)polipayments.com<mailto:leo.cadle(at)polipayments.com>>
escreveu:

Hi Roberto,

Hold the horses, RewriteLocation 2 may be the ticket, I did not have success
last time I tried it but this time it seems to be working. I will do a bit more
testing to confirm.

Cheers,
Leo.

From: Roberto Pimenta Jr.
[mailto:rpimenta(at)senado.gov.br<mailto:rpimenta(at)senado.gov.br>]
Sent: Friday, 18 May 2012 8:57 AM
To: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Subject: Re: [Pound Mailing List] Wildcard Certificate and 302 redirect


you also have the option to put the redirect in pound ......

Em 17/05/2012, às 19:51, Roberto Pimenta Jr.
<rpimenta(at)senado.gov.br<mailto:rpimenta(at)senado.gov.br>>
escreveu:


I think that rewritelocation 2 will do the trick... but i dont have an
environment to test.

Em 17/05/2012, às 19:42, Roberto Pimenta Jr.
<rpimenta(at)senado.gov.br<mailto:rpimenta(at)senado.gov.br>>
escreveu:
have you tested with rewrite location or rewrite destination?


Em 17/05/2012, às 19:01, Leo Cadle
<leo.cadle(at)polipayments.com<mailto:leo.cadle(at)polipayments.com>>
escreveu:
Hi List,

I will reply once here to all comments.

I have removed HA Proxy, it was just doing the Load Balancing while Pound was
doing the SSL Offload.
I had not tried to setup an environment like this before and was following a
tutorial that did it this way. Once I installed Pound I could see it could do
the same thing on the back end but did not remove HA Proxy straight away. It is
now out of the picture.
I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if I
can replicate the configuration using software Load Balancers so we can better
test our releases. So far I have tried Microsoft ARR, which has a checkbox to
enable or disable this particular behaviour called ‘Reverse rewrite host
header’.
The backend web server is a singe server with one IP address, it hosts multiple
sites answering to different subdomains. That is why we have the wildcard
certificate. The DNS is set correctly with all sudomains pointing to the same
IP. Without Pound the redirect works correctly, when pound is involved the
subdomain always gets rewritten to the starting subdomain. It is not a problem
with our redirect code, it is a simple redirect, this is a replica of our
production code which works correctly behind Brocade Load Balancers (http://www.brocade.com/index.page)
and also works behind Microsoft ARR (something else is the problem with ARR).
I have included a tcp dump that shows the rewrite taking place.

Cheers,
Leo.
On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior
<rpimenta(at)senado.gov.br<mailto:rpimenta(at)senado.gov.br>>
wrote:
-Are you using nginx or apache?
-Could you send us your redirect code in the php file?
-Why are you using pound AND haproxy?

Regards,
Roberto

De: Roberto Geraldo Pimenta Ribeiro Junior
Enviada em: quinta-feira, 17 de maio de 2012 15:36
Para: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Assunto: RES: [Pound Mailing List] Wildcard Certificate and 302 redirect

I completely agree. It does not seem a pound matter…..

De: Jacob Anderson [mailto:jwa(at)beyond-ordinary.com]
Enviada em: quinta-feira, 17 de maio de 2012 12:20
Para: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Assunto: RE: [Pound Mailing List] Wildcard Certificate and 302 redirect

Hello,

For my take, and my experience only, I’ve had this occur when I did not have
the DNS setup properly. In my case, I was not setting the sd1.example.com<http://sd1.example.com> and
sd2.example.com<http://sd2.example.com> domains back
to the local IP addresses.  When this was the case, pound would not redirect
correctly and our login would never work. Once I added the local IP name
service for example.com<http://example.com>, pound started to
redirect properly. Our backends were tomcat servers.

Just my experience, and it may not reflect what you are experiencing. Pound is
very touchy about DNS from what I’ve seen.
[...]

Hi Roberto,



This has definitely fixed the issue. I don’t know why it did not work the
first time I tried it but I’ll cop a user error on that one. Thanks very
much for everyones help.



Cheers,

Leo.



*From:* Roberto Geraldo Pimenta Ribeiro Junior [mailto:
rpimenta(at)senado.gov.br]
*Sent:* Friday, 18 May 2012 9:35 AM
*To:* <pound(at)apsis.ch>
*Subject:* Re: [Pound Mailing List] Wildcard Certificate and 302 redirect



Ok .. Waiting....

Enviado via iPhone


Em 17/05/2012, às 20:34, "Leo Cadle" <leo.cadle(at)polipayments.com>
escreveu:

Hi Roberto,



Hold the horses, RewriteLocation 2 may be the ticket, I did not have
success last time I tried it but this time it seems to be working. I will
do a bit more testing to confirm.



Cheers,

Leo.



*From:* Roberto Pimenta Jr. [mailto:rpimenta(at)senado.gov.br]
*Sent:* Friday, 18 May 2012 8:57 AM
*To:* pound(at)apsis.ch
*Subject:* Re: [Pound Mailing List] Wildcard Certificate and 302 redirect




you also have the option to put the redirect in pound ......


Em 17/05/2012, às 19:51, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:



I think that rewritelocation 2 will do the trick... but i dont have an
environment to test.


Em 17/05/2012, às 19:42, Roberto Pimenta Jr. <rpimenta(at)senado.gov.br>
escreveu:

have you tested with rewrite location or rewrite destination?


Em 17/05/2012, às 19:01, Leo Cadle <leo.cadle(at)polipayments.com>
escreveu:

Hi List,



I will reply once here to all comments.



I have removed HA Proxy, it was just doing the Load Balancing while Pound
was doing the SSL Offload.

I had not tried to setup an environment like this before and was following
a tutorial that did it this way. Once I installed Pound I could see it
could do the same thing on the back end but did not remove HA Proxy
straight away. It is now out of the picture.

I am trying to replicate our production environment in a test scenario. Our
production environment uses hardware load balancers, I am trying to see if
I can replicate the configuration using software Load Balancers so we can
better test our releases. So far I have tried Microsoft ARR, which has a
checkbox to enable or disable this particular behaviour called ‘Reverse
rewrite host header’.

The backend web server is a singe server with one IP address, it hosts
multiple sites answering to different subdomains. That is why we have the
wildcard certificate. The DNS is set correctly with all sudomains pointing
to the same IP. Without Pound the redirect works correctly, when pound is
involved the subdomain always gets rewritten to the starting subdomain. It
is not a problem with our redirect code, it is a simple redirect, this is a
replica of our production code which works correctly behind Brocade Load
Balancers (http://www.brocade.com/index.page)
and also works behind
Microsoft ARR (something else is the problem with ARR).

I have included a tcp dump that shows the rewrite taking place.



Cheers,

Leo.

On Fri, May 18, 2012 at 4:39 AM, Roberto Geraldo Pimenta Ribeiro Junior <
rpimenta(at)senado.gov.br> wrote:

-Are you using nginx or apache?

-Could you send us your redirect code in the php file?

-Why are you using pound AND haproxy?



Regards,

Roberto



*De:* Roberto Geraldo Pimenta Ribeiro Junior
*Enviada em:* quinta-feira, 17 de maio de 2012 15:36
*Para:* pound(at)apsis.ch
*Assunto:* RES: [Pound Mailing List] Wildcard Certificate and 302 redirect



I completely agree. It does not seem a pound matter…..



*De:* Jacob Anderson
[mailto:jwa(at)beyond-ordinary.com<jwa(at)beyond-ordinary.com>]


*Enviada em:* quinta-feira, 17 de maio de 2012 12:20
*Para:* pound(at)apsis.ch

*Assunto:* RE: [Pound Mailing List] Wildcard Certificate and 302 redirect



Hello,



For my take, and my experience only, I’ve had this occur when I did not
have the DNS setup properly. In my case, I was not setting the
sd1.example.com and sd2.example.com domains back to the local IP
addresses.  When this was the case, pound would not redirect correctly and
our login would never work. Once I added the local IP name service for
example.com, pound started to redirect properly. Our backends were tomcat
servers.



Just my experience, and it may not reflect what you are experiencing. Pound
is very touchy about DNS from what I’ve seen.


[...]