Hi Joe,

Thanks a lot for your feedback!

So basically what solved my problem was the following:

1) I added the planned DNS name to the hosts file of the client (where I issued 
wget from using that dns name)
67.123.123.123 planned-dns.com

2) added the planned DNS name to the node running pound, resolving to the IP 
where my Backend (in my case haproxy) is running
10.223.205.152 planned-dns.com

So the DNS name is resolved on the client to the public IP, and that same DNS name 
resolves to the backend (haproxy) on the pound server (for reverse lookup).

Thanks a million for that hint and warm greetings from Berlin
Karsten

Karsten Brusch
www.synchronica.com

-----Original Message-----
From: Joe Gooch [mailto:[email protected]]
Sent: Tuesday, 21 September 2010 23:26
To: [email protected]
Subject: [Pound Mailing List] RE: Strange Location rewrite problem

Pound will only rewrite the location if it can be sure the redirect is 
referencing either the backend IP address or the listener IP address... Since 
your outside IP is NAT-ed... it can't be sure that that IP refers to the box. 
(for instance, you could redirect to www.cnn.com... Pound would know not to 
rewrite that.)

Once you have DNS set up you can work around this with /etc/hosts.  When a 
client comes in, either from outside or inside, it'll be something like:
GET / HTTP/1.0
Host: yourhost.domain.org

And when your backend redirects to yourhost.domain.org/get/, or even 
yourbackend/get/, it'll know based on the host requested that 
yourhost.domain.org resolves to your 67 address and 10 address, and would deal 
with the rewrite properly.

If the IP is specified and Pound doesn't know about it (i.e. it's not a 
listener), I'm not sure what recourse you have.  Since it'll go away with DNS 
maybe you don't have to worry about it.

Pound's behavior in this regard appears to be in line with other commercial load 
balancers... For instance, the CoyotePoint Equalizer works the same way.

Joe

> -----Original Message-----
> From: Karsten Brusch [mailto:[email protected]]
> Sent: Tuesday, September 21, 2010 2:23 PM
> To: [email protected]
> Subject: [Pound Mailing List] Strange Location rewrite problem
>
> Hello together,
>
> I am reading through the pound mailing list archive for some time now
> and I am stuck with a strange problem.
>
> We have following traffic flow:
>
> Client / Browser --- https ---> Firewall --- https ---> Pound --- http ---> haproxy --- http ---> node_x
>
> We are calling a tomcat webservlet running on the node_x which returns
> a HTTP 302 when the client hits a location.
>
>
> The strange thing is when I call the external IP (as there is no DNS
> name so far) it fails:
> ---------------------------------------------------------------------------
> # wget --no-check-certificate "https://67.123.123.123"
> Connecting to 67.123.123.123:443... connected.
> HTTP request sent, awaiting response... 302 Moved Temporarily
> Location: http://67.123.123.123/get/ [following]
> ---------------------------------------------------------------------------
>
> So the redirect to /get is correct but the https was changed into http.
> When I run another test directly on the node where pound is running
> then the Location rewrite works like a charm:
> ---------------------------------------------------------------------------
> # wget --no-check-certificate "https://10.223.205.152"
> Connecting to 10.223.205.152:443... connected.
> HTTP request sent, awaiting response... 302 Moved Temporarily
> Location: https://10.223.205.152/get/ [following]
> ---------------------------------------------------------------------------
>
> So this looks very strange to me.
> I read about problems when DNS is not working properly, but as I am
> using the direct IP that shouldn't be an issue.
> To be sure I added a DNS name for the public IP (67.123.123.123) in
> /etc/hosts in case it's doing reverse lookup, but this didn't help
> either.
>
>
> Here's my config:
>
>
> User            "www-data"
> Group           "www-data"
> LogLevel        1
> Alive           30
> Control "/var/run/pound/poundctl.socket"
>
> ListenHTTPS
>         Address 10.223.205.152
>         Port    443
>         Cert    "/etc/pound/testcert.pem"
>         ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
>         xHTTP           4
>         RewriteLocation 1
> # 10.223.205.152 is the IP of the haproxy which is doing some additional load balancing.
> Service
>         BackEnd
>                 Address 10.223.205.152
>                 Port    80
>         End
> End
> End
>
>
> Do you have any idea?
> It's strange that the rewrite is working in one case and not in the
> other.
>
> I'm happy for any feedback / suggestion I could get.
> Best Regards
> Karsten
>
>
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
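
The rewrite decision Joe describes, as an added sketch that is not part of the original thread and is not Pound's own code: a Location header is rewritten to the listener's scheme and the request's Host only when its host resolves to an address the proxy knows as its listener or backend. The function names and the address-only comparison are assumptions made for illustration; the addresses and host names are the ones quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Addresses from the thread; listener and backend (haproxy) share one IP.
LISTENER_SCHEME = "https"
KNOWN_ADDRS = {"10.223.205.152"}  # listener address and backend address

def resolve(host, hosts):
    """Literal IPs resolve to themselves; names go through the hosts-file map."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return hosts.get(host.lower())

def rewrite_location(location, request_host, hosts):
    """Simplified model (assumption): rewrite only when the redirect target
    resolves to an address the proxy knows as its own listener or backend."""
    url = urlsplit(location)
    if url.scheme not in ("http", "https") or not url.hostname:
        return location  # relative or non-HTTP redirect: left alone
    if resolve(url.hostname, hosts) not in KNOWN_ADDRS:
        return location  # unknown or external host (e.g. www.cnn.com): left alone
    return urlunsplit((LISTENER_SCHEME, request_host, url.path, url.query, url.fragment))

def is_downgrade(location):
    """True when a client that arrived over HTTPS is sent on to plain HTTP."""
    return urlsplit(location).scheme == "http"

# Constructed cases mirroring the thread:
# name -> (Host header, Location from the backend, hosts file on the proxy node)
PROXY_HOSTS = {"planned-dns.com": "10.223.205.152"}
CASES = {
    "public IP, NAT-ed": ("67.123.123.123", "http://67.123.123.123/get/", {}),
    "listener IP": ("10.223.205.152", "http://10.223.205.152/get/", {}),
    "name in hosts file": ("planned-dns.com", "http://planned-dns.com/get/", PROXY_HOSTS),
    "external site": ("planned-dns.com", "http://www.cnn.com/", PROXY_HOSTS),
}

def audit():
    """Return {case: (Location sent to the client, is it an HTTPS->HTTP downgrade)}."""
    out = {}
    for name, (host, location, hosts) in CASES.items():
        sent = rewrite_location(location, host, hosts)
        out[name] = (sent, is_downgrade(sent))
    return out

if __name__ == "__main__":
    for name, (sent, downgraded) in audit().items():
        print(f"{name:20} {sent:32} downgrade={downgraded}")
```

The first case reproduces the symptom from the original report: the NAT-ed public address is unknown to the proxy, so the client is redirected from HTTPS to plain HTTP.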
