On Saturday 12 July 2003 14:30, you wrote:
> On Saturday 12 July 2003 14:13, you wrote:
> > That X-Forwarded-For is a very useful little feature, thanks for doing
> > it Zoran!
>
> Well, it seemed trivial to include, so I did it.
> Some people have expressed concern about potential
> security issue with this, so I may end up making this
> configurable over some (yet to name) ns_param in the
> config file for the nslog facility.
>
> > But FYI, Gustaf Neumann's original comment mentioned using Pound with
> > OpenACS, and several users have reported that Pound has problems
> > there. I've never used Pound myself, but specifically, they say Pound
> > doesn't work well with any server using "html streaming", which in
> > AOLserver's case I think means ns_write:

well, it refers to responses of a get request, which do not contain a
content-length, which are therefore - according to the following section
in rfc2068 - not HTTP compliant. for these types of "old-style" responses,
the end of the message body is flagged by eof. This won't work with
HTTP/1.1 persistent connections at all.

   For compatibility with HTTP/1.0 applications, HTTP/1.1 requests
   containing a message-body MUST include a valid Content-Length header
   field unless the server is known to be HTTP/1.1 compliant. If a
   request contains a message-body and a Content-Length is not given,
   the server SHOULD respond with 400 (bad request) if it cannot
   determine the length of the message, or with 411 (length required)
   if it wishes to insist on receiving a valid Content-Length.

The correct form of streaming should be performed via the chunked-encoding,
where a few small chunks with separate content-lengths are transferred.
According to the source code, these should work with pound.

> > http://openacs.org/forums/message-view?message_id=109568
> >
> > Apparently all such pages break with Pound. OpenACS does have a few
> > pages using ns_write by default, and for the occasional page where it
> > makes sense, being able to use ns_write is certainly very useful and
> > important.
> >
> > Never having used or looked at the Pound code, I don't know why it
> > breaks ns_write style pages, but that sure is unfortunate. Oddly, the
> > Pound homepage makes no mention of any Pound mailing list (nor CVS for
> > that matter), so other than emailing the author directly I don't know
> > where you'd ask about this.
>
> I suppose Gustaf may take this step. I'll keep him on the cc: list.
> I would expect that some proxies may have problems with streaming,
> yes. But, I have absolutely no experience with Pound, whatsoever.

i have done a couple of fixes in the pound-code:

 - handling of the "old-style" responses (as far as i can tell, all uses
   of ns_write work now)

 - rewriting of return-redirects: this is a more tricky part. many
   web-apps (in particular open-acs) like to redirect http requests to
   different urls of the same server. The new code handles two
   situations:

   * target of a redirect is the backend server. In this situation,
     the backend (say host:8000) makes a redirect to itself. if pound
     is running via https on host:443, the redirect of the backend
     should be really a redirect to the proxy (host:443)

   * target of the redirect is the proxy-server, but with the wrong
     protocol: many clients transmit "host: hostname" in their
     requests. These host-tags are forwarded to the backend-server.
     When the backend makes a redirect to the entry in the host-field,
     it does not know the protocol (e.g. https).

   in both situations, the redirects are rewritten now in a sane way.

 - rewritten most of the logging stuff (mostly editing work)

we will do some more testing, i have still two source files to edit.
If you are interested, i can send you my changes; in any case
i hope that the pound authors accept my changes...

-gustaf

PS: with the log-file-change in the aolserver, there is a potential
small security leak. The proxy MUST block requests that have already
X-Forwarded-For set (easily configurable in pound). otherwise, it is
possible that the wrong client address is written into the logfile, and
a client can hide its identity....

>
> Cheers
> Zoran

--
Univ.Prof. Dr.Gustaf Neumann
Abteilung für Wirtschaftsinformatik
WU-Wien, Augasse 2-6, 1090 Wien
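
The X-Forwarded-For concern in the PS above, as an added example that is not part of the original message and is neither Pound nor AOLserver code: the proxy side discards any client-supplied header value (rather than rejecting the request), and the backend side honours the header only when the connection comes from the trusted proxy. The function names, the single-proxy setup and the addresses are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Proxy side (hypothetical helper): build the X-Forwarded-For value
 * sent to the backend. Whatever the client supplied is discarded, so
 * the header only ever carries the address the proxy itself saw. */
static void proxy_xff(const char *client_supplied, const char *peer_ip,
                      char *out, size_t outlen)
{
    (void)client_supplied;              /* untrusted: never forwarded */
    snprintf(out, outlen, "%s", peer_ip);
}

/* Backend side (hypothetical helper): choose the address to log.
 * The header counts only when the TCP peer is the trusted proxy; a
 * direct connection is logged with its socket address. If the header
 * holds a list, only the last entry (added by the nearest proxy) is
 * used. */
static const char *log_addr(const char *peer_ip, const char *xff,
                            const char *trusted_proxy,
                            char *out, size_t outlen)
{
    const char *last = xff ? strrchr(xff, ',') : NULL;
    size_t n;

    if (xff == NULL || strcmp(peer_ip, trusted_proxy) != 0) {
        snprintf(out, outlen, "%s", peer_ip);
        return out;
    }
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t') last++;
    n = strcspn(last, " \t\r\n");
    if (n == 0 || n >= outlen) {        /* empty or oversized: fall back */
        snprintf(out, outlen, "%s", peer_ip);
        return out;
    }
    memcpy(out, last, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    char buf[64], hdr[64];
    /* Constructed sample values from the documentation address ranges. */
    proxy_xff("10.9.9.9", "203.0.113.7", hdr, sizeof hdr);
    printf("via proxy: %s\n", log_addr("192.0.2.1", hdr, "192.0.2.1", buf, sizeof buf));
    printf("direct:    %s\n", log_addr("198.51.100.5", "10.9.9.9", "192.0.2.1", buf, sizeof buf));
    return 0;
}
```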
