/ Zope / Apsis / Pound Mailing List / Archive / 2012 / 2012-08 / Config to Catch All Requests


Config to Catch All Requests
Rob Hicks <rob(at)hixfamily.org>
2012-08-06 18:58:44
Hi.

I have a pound config that includes the following listeners. I have added
two new services at the end of each of the listeners. The idea is to
redirect the user to a proper url. This is necessary for a PCI security
scan, which is now complaining that 500 errors are PCI failures.

Shouldn't this work? If not, what is the right way to approach this problem?

Rob

ListenHTTP
    Address 0.0.0.0
    Port 80
    Service
        HeadRequire "(Host: www.example.com)"
        BackEnd
            Address 127.0.0.1
            Port    8970
        End
    End
    Service
        HeadRequire "(Host: secure.example.com)"
        Redirect "https://secure.example.com"
    End
    Service
        Redirect "https://secure.example.com"
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/secure.example.com.pem"
    Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
    xHTTP 2
    Service
        HeadRequire "secure.contractpal.com"
        BackEnd
            Address 127.0.0.1
            Port    8970
        End
    End
    Service
        Redirect "https://secure.example.com"
    End
End

Re: [Pound Mailing List] Config to Catch All Requests
Dave Steinberg <dave(at)redterror.net>
2012-08-06 19:18:59
On 8/6/2012 12:58 PM, Rob Hicks wrote:[...]

This seems like it ought to work.  Where is it failing?

PS: Your Host header regexps could be improved.  Try:

HeadRequire "^Host:[ \t]*secure\.example\.com$"
[...]

Re: [Pound Mailing List] Config to Catch All Requests
Rob Hicks <rob(at)hixfamily.org>
2012-08-06 19:29:18
Dave,

Yes, I didn't put the full RegEx in the HeadRequires in the post.

The last redirect never happens. Pound returns a 503 error.

Rob

On Mon, Aug 6, 2012 at 11:18 AM, Dave Steinberg <dave(at)redterror.net>
wrote:
[...][...][...]

RE: [Pound Mailing List] Config to Catch All Requests
Joe Gooch <mrwizard(at)k12system.com>
2012-08-06 19:39:47
Wouldn’t your 443 listener cause a redirect loop?
Also your 443 listener doesn’t have Host: in it…
Joe


Re: [Pound Mailing List] Config to Catch All Requests
Rob Hicks <rob(at)hixfamily.org>
2012-08-06 19:58:00
Joe,

Good catch on the Host.

Yes, the SSL listener creates a redirect loop. But that is part of what I
don't understand. According to what I have read, shouldn't the first
service block service the request if the HeadRequire is met? If not, the
request would fall through to the next service, which would create the
redirect.

What I need to do is this:

1) if a request comes in with the proper name in Host, service the
request through the associated backends.
2) if a request comes in without the proper name in host, redirect the user
to the login page.

How does service matching occur? Does it occur top down?

Rob

On Mon, Aug 6, 2012 at 11:39 AM, Joe Gooch <mrwizard(at)k12system.com>
wrote:
[...]

RE: [Pound Mailing List] Config to Catch All Requests
Joe Gooch <mrwizard(at)k12system.com>
2012-08-06 20:09:25
Yep, top down.

But that would also mean if the headrequire matches, and it’s sending to the
backend on port 8970, and that backend is dead – you’ll get a 503. (i.e. not
listening on 127.0.0.1, firewalled, port not open, etc)

I’m not sure if you actually have the regexes in like this:

HeadRequire "secure.contractpal.com<http://secure.contractpal.com>
<http://secure.contractpal.com>"
Or if your email client is being too smart for its own good and trying to turn
the web link into an email link.  If they actually are like this, they won’t
work. :)
Dave’s regex suggestion would be better.
Or even something like:
HeadRequire "^Host:[ \t]*secure\.contractpal\.com(:443)?$"
(to catch the possible explicit port in the Host header case)

And you’ll probably want the secure.example.com to match secure.contractpal.com
if it doesn’t already. (that’s what I was thinking… redirect loop because
you’re redirecting to a different name than you’re trapping for)
-G



Re: [Pound Mailing List] Config to Catch All Requests
Rob Hicks <rob(at)hixfamily.org>
2012-08-06 21:37:51
Joe,

Thanks for your help! I fixed the redirect loops. But I still can't get
pound to do the last redirect. Here's my updated config file.

Any ideas what else I can try?

Rob

User "pound"
Group "pound"
Control "/tmp/pound.sock"
LogLevel 2
DynScale 1
Alive 15
Client 30
TimeOut 181

ListenHTTP
    Address 0.0.0.0
    Port 80
    Service
        HeadRequire "^Host[:\t|:\s]|[\t|\s]stageweb.example.com|(:80)*$"
        BackEnd
            Address 127.0.0.1
            Port    8970
        End
    End
    Service
        Redirect "https://stage.example.com/login/GetConsole.do"
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/example.com.pem"
    Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
    xHTTP 2
    Service
        Session
            Type    Cookie
            ID      "JSESSIONID"
            TTL     900
        End
        HeadRequire "^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"
        BackEnd
            Address 127.0.0.1
            Port    8970
        End
    End
    Service
        Redirect "https://stage.example.com/login/GetConsole.do"
    End
End

On Mon, Aug 6, 2012 at 12:09 PM, Joe Gooch <mrwizard(at)k12system.com>
wrote:
[...]

RE: [Pound Mailing List] Config to Catch All Requests
Joe Gooch <mrwizard(at)k12system.com>
2012-08-06 22:01:32
That’s because this:
"^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"

Matches absolutely everything.

| is or, it’s not in a group, and (:443)* will match an empty string. Or on
:443.


http://www.regexplanet.com/advanced/java/index.html

If you go there and punch in your regex without the quotes, and then put in
input strings of:
Host: stage.example.com
Host: stage.example.com:443
Host:stage.example.com:443
stage.example.com
www.microsoft.com

and hit test, the Find() column should show yes, yes, yes, no no.

With what you’ve supplied, it says yes, yes, yes, yes, yes

And there are these that you don’t want it to match as well:

Host: stage1example.com
Host  stage.example.com
Host: stage.example.com:443:443



You want the regex:
"^Host:[ \t]*stage\.example\.com(:443)?$"
(notice the space before \t)

Joe

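The two points Joe makes in this thread, that Pound picks the first Service (top down) whose HeadRequire matches and that Rob's regex matches every header line so the catch-all redirect is never reached, can be checked side by side in a short simulation. The script below is an added example written for this archive page; it is not Pound's code and not code posted by anyone in the thread. It assumes Pound tests the HeadRequire regex against each request header line in turn, case-insensitively, and that the patterns behave the same under Python's `re` as under Pound's POSIX regex engine for the inputs Joe listed (the `\s` in Rob's character class is read differently by the two engines, but that does not change the outcome, because the `(:443)*$` alternative matches the empty string at the end of any line). The `Service` class, the `route` function and the `backend_alive` flag are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Hypothetical stand-in for Pound's per-Service settings (constructed, not Pound's own code).
@dataclass
class Service:
    name: str
    head_require: Optional[str] = None   # regex tried against each request header line
    redirect: Optional[str] = None       # Redirect target, if this is a redirect-only service
    backend_alive: bool = True           # assumption: a matched service with a dead backend yields 503


# The regex from Rob's updated config (Joe: "matches absolutely everything")
BAD_RE = r"^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"
# Joe's corrected regex (note the space before \t inside the class)
GOOD_RE = r"^Host:[ \t]*stage\.example\.com(:443)?$"

# Joe's five test inputs; a correct regex should give yes, yes, yes, no, no
JOE_INPUTS = [
    "Host: stage.example.com",
    "Host: stage.example.com:443",
    "Host:stage.example.com:443",
    "stage.example.com",
    "www.microsoft.com",
]
# Lines Joe lists that a correct regex must also reject
MUST_REJECT = [
    "Host: stage1example.com",
    "Host  stage.example.com",
    "Host: stage.example.com:443:443",
]


def match_results(pattern: str, lines: List[str]) -> List[bool]:
    """Per-line result of the regex, like the Find() column Joe describes."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [rx.search(line) is not None for line in lines]


def header_matches(pattern: str, header_lines: List[str]) -> bool:
    """True if any header line satisfies the HeadRequire regex (assumed Pound semantics)."""
    return any(match_results(pattern, header_lines))


def route(services: List[Service], header_lines: List[str]) -> Tuple[str, Optional[str]]:
    """Top-down service selection: the first Service whose HeadRequire matches
    (or that has no HeadRequire at all) takes the request; later services are
    never consulted for it. Returns (status, detail)."""
    for svc in services:
        if svc.head_require is not None and not header_matches(svc.head_require, header_lines):
            continue
        if svc.redirect is not None:
            return ("302", svc.redirect)
        if not svc.backend_alive:
            return ("503", None)      # matched, but the backend is unreachable
        return ("200", svc.name)      # request is proxied to this backend
    return ("503", None)              # no service matched at all


def listener(pattern: str, backend_alive: bool) -> List[Service]:
    """The ListenHTTPS layout from the thread: a backend service guarded by a
    Host regex, followed by a catch-all redirect to the login page."""
    return [
        Service("stage-backend", head_require=pattern, backend_alive=backend_alive),
        Service("catch-all", redirect="https://stage.example.com/login/GetConsole.do"),
    ]


if __name__ == "__main__":
    for label, pat in (("bad ", BAD_RE), ("good", GOOD_RE)):
        print(label, match_results(pat, JOE_INPUTS), match_results(pat, MUST_REJECT))
    # constructed request with a Host the site does not serve, as a scanner would send
    scanner = ["Host: www.microsoft.com", "User-Agent: constructed-scanner/1.0"]
    print("bad regex, backend up   ->", route(listener(BAD_RE, True), scanner))
    print("bad regex, backend dead ->", route(listener(BAD_RE, False), scanner))
    print("good regex, wrong host  ->", route(listener(GOOD_RE, True), scanner))
    print("good regex, right host  ->", route(listener(GOOD_RE, True), ["Host: stage.example.com:443"]))
```

Run as is, the bad regex matches all eight lines, so every request, whatever its Host, is claimed by the first Service: with the backend up it is proxied through (which is how a scanner's requests with bogus hostnames reach the application), and with the backend down it gets the 503 Rob saw, and the redirect service is never reached. With Joe's regex, only a well-formed Host line for stage.example.com (with or without an explicit :443) selects the backend, and everything else falls through to the catch-all redirect.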

Re: [Pound Mailing List] Config to Catch All Requests
Rob Hicks <rob(at)hixfamily.org>
2012-08-07 04:29:08
Joe,

Thanks! That worked.

rob

On Mon, Aug 6, 2012 at 2:01 PM, Joe Gooch <mrwizard(at)k12system.com>
wrote:
[...]
