Hi Mattias,
Thanks for the tip. As per your suggestion, I added an AddHeader directive
into my ListenHTTP and ListenHTTPS listeners and now can determine which
request(s) were HTTP originated and which were https.
I also looked at the RewriteLocation definition in the man pages, but really
can't understand what it means. I must have reread it a dozen times but
still don't understand it.
I am also seemingly completely incapable of getting the X-SSL-cipher headers
to be displayed. For a server where the certificate is server based, is
there no way to get that information out?
My Listeners are defined as follows:
######################################################################
## Listeners
ListenHTTP
    Address charliebrown.domain.com
    Port 80
    xHTTP 0
    AddHeader "X-forwarded-proto:http"
End
ListenHTTPS
    Address charliebrown.domain.com
    Port 443
    Cert "/etc/pound/wildcard.domain.com.pem"
    AddHeader "X-forwarded-proto:https"
End
I have tried adding an AddHeader: X-ssl-cipher in the ListenHTTPS listener
but to no avail.
Any suggestions what/where that belongs? Do you have a sample config file
that you can share that does produce it?
I am running pound 2.4.3.
Thanks,
Eric
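
Added example (not part of the original message, and not Pound's own code): one way a backend behind the two listeners above could consume X-forwarded-proto, accepting it only from the proxy and treating a missing or conflicting copy as plain HTTP so the request is redirected. The proxy address 10.0.0.5, the function names and the sample requests are assumptions, as is the possibility that a client-sent copy of the header reaches the backend next to the one the listener adds.

```python
import ipaddress

# Assumption: only the Pound front end may assert X-forwarded-proto.
# 10.0.0.5 is a constructed placeholder for its address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
HEADER = "x-forwarded-proto"
# Redirect to a configured name, never to the Host header the client sent.
CANONICAL_HOST = "charliebrown.domain.com"


def request_scheme(peer_ip, headers):
    """Return "https" only when a trusted proxy says so unambiguously.

    headers is a list of (name, value) pairs so that repeated headers, such
    as a client-supplied copy beside the listener's own, stay visible.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return "http"  # a header from an unknown peer proves nothing
    values = {v.strip().lower() for n, v in headers
              if n.strip().lower() == HEADER}
    # Missing or conflicting copies fail closed to "http".
    return "https" if values == {"https"} else "http"


def https_redirect(peer_ip, headers, path):
    """Return the Location to redirect to, or None if already HTTPS."""
    if request_scheme(peer_ip, headers) == "https":
        return None
    # Refuse paths that could split the response header or are not absolute.
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    return "https://" + CANONICAL_HOST + path


# Constructed sample requests as the backend would see them.
FROM_HTTPS = [("Host", "charliebrown.domain.com"),
              ("X-forwarded-proto", "https")]
SPOOFED = [("X-Forwarded-Proto", "https"),   # sent by the client
           ("X-forwarded-proto", "http")]    # added by ListenHTTP

if __name__ == "__main__":
    print(https_redirect("10.0.0.5", FROM_HTTPS, "/login"))
    print(https_redirect("10.0.0.5", SPOOFED, "/login"))
```
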
"Mattias Berge" <[email protected]> wrote in
message news:[email protected]...
> Hi Eric,
>
> I was wrong, this is what I see on my backends:
>
> X-SSL: yes
> X-SSL-cipher: CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
> X-Forwarded-For: 196.15.188.178
>
> 'X-SSL: yes' is a custom header I add in the ListenHTTPS, to tell the
> backends that the protocol is HTTPS. You can do the same way in
> ListenHTTP.
> The trick is to add a 'AddHeader "Your-Custom-Header: value"'. You probably
> need to use "RewriteLocation 2" if you intend to identify the protocol by
> the custom header, and do a redirect if protocol is not https.
> I can give you an example if you like
>
> You can also force the ciphers using "Ciphers" directive, see the man page
> for more information
>
> On Wed, Oct 21, 2009 at 3:34 AM, Eric B.
> <[email protected]> wrote:
>
>> Hi Mattias,
>>
>> Maybe I was misunderstanding the man page. I reread it, and indeed, I see
>> the statement that you wrote below.
>>
>> But does that mean that if the certificate is on the server, there is no way
>> to determine which cipher the client used?
>>
>> Furthermore, is there any way to get additional information in the X-
>> headers? It would be nice to have X-forwarded-proto for instance (ie: http
>> or https), cipher, cipher strength, the proxy's ip address itself.
>>
>> Are additional headers such as those existent and/or configurable?
>>
>> Thanks,
>>
>> Eric
>>
>>
>> "Mattias Berge" <[email protected]> wrote in message
>> news:[email protected]...
>> > Is it in a ListenHTTP directive? About the X-SSL-cipher, it says "...if it
>> > (the client) presents a client certificate Pound adds the following
>> > headers.."
>> >
>> > Post your config and pound version, you've probably added the AddHeader
>> > incorrectly
>> >
>> >
>> > On Fri, Oct 9, 2009 at 5:45 PM, Eric B.
>> > <[email protected]> wrote:
>> >
>> >> I didn't understand that I needed to do that based on the man pages, so I
>> >> just tried it, but still get an unknown directive error:
>> >>
>> >> [r...@charliebrown ~]# /usr/sbin/pound
>> >> starting...
>> >> line 30: unknown directive "AddHeader X-SSL-cipher" - aborted
>> >>
>> >> I tried both
>> >> AddHeader X-SSL-cipher
>> >> and
>> >> AddHeader "X-SSL-cipher"
>> >>
>> >> in the config file, but neither seemed to work.
>> >>
>> >> According to the man pages, the X-SSL* headers are supposed to be
>> >> automatically appended to the headers if it is an SSL request, but I can't
>> >> seem to get any such headers added.
>> >>
>> >> Any ideas?
>> >>
>> >> Thanks,
>> >>
>> >> Eric
>> >>
>> >> "Mattias Berge" <[email protected]> wrote in message
>> >> news:[email protected]...
>> >> > Did you try 'AddHeader X-SSL-cipher'?
>> >> >
>> >> > On Fri, Oct 9, 2009 at 7:21 AM, Eric B.
>> >> > <[email protected]> wrote:
>> >> >
>> >> >> Hi,
>> >> >>
>> >> >> According to the man pages and the web site, the X-SSL-cipher is added if
>> >> >> the client connects via HTTPS. However, my redirected requests don't seem
>> >> >> to contain any such headers even if the client is connecting via SSL.
>> >> >>
>> >> >> Additionally, according to the website, it says the X-SSL-cipher is added
>> >> >> if the HTTPSHeaders is set. I didn't find any such instructions in the
>> >> >> man pages, but tried adding it in anyhow. However, pound doesn't start up,
>> >> >> complaining that HTTPSHeaders 1 is an unknown directive.
>> >> >>
>> >> >> Has anybody used these headers before? Am I doing something wrong trying
>> >> >> to get them added to my requests?
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >> Eric
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> To unsubscribe send an email with subject unsubscribe to
>> >> >> [email protected].
>> >> >> Please contact [email protected] for questions.
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Mattias Berge
>> >> > Direct +46 (0)40-690 3825
>> >
>> >
>> >
>> > --
>> > Mattias Berge
>> > Direct +46 (0)40-690 3825
>
>
>
> --
> Mattias Berge
> Direct +46 (0)40-690 3825