> -----Original Message-----
> From: Robert Segall [mailto:[email protected]]
> Sent: Saturday, February 04, 2012 11:50 AM
> To: [email protected]
> Subject: Re: [Pound Mailing List] Pound 2.7
> 
> So here is a summary of all the feature requests I have seen until now,
> as well as some comments on my part:
> 
> * SSL Ciphers (BEAST)/Joe Gooch
>   accepted for 2.7
> * Client Renegotiation/Joe Gooch
>   accepted for 2.7
> * CSRF issue w/ invalid tags/et al in redirects/Joe Gooch
>   accepted for 2.7
> * ForceHTTP10/ssl unclean shutdown functionality based on user agent/Joe Gooch
>   needs more analysis, but looks OK
> * Socket ownership and permissions/Joe Gooch
>   accepted for 2.7

Patches for the above submitted 

> * NoSSL redirect/Joe Gooch
>   I think it is (mostly ?) supported by existing redirect mechanism

It's not... This specifically covers http://www.website.com:443/ situations. 
(http protocol to a HTTPS port)
Patch allows for a pound-style a la Err503 type directive (ErrNoSsl) or the use 
of a RedirectNoSsl directive. (i.e. redirect to https://www.website.com)

Patch 7/8 in the patchset

> * include file, include dir/Joe Gooch
>   include file is already supported
>   include dir is dangerous, as the file inclusion order is unpredictable
>   - rejected

I'm pretty sure this isn't true, but I welcome further clarification so I can 
modify the patch if necessary....

I run readdir and add all the .cfg and .conf files in whatever order they're 
found into an array.
However, when it goes to read the files, it pulls the maximum file (using 
strcmp).  That file is then added to the f_in array and cur_fin is incremented 
as if that file had been supplied to Include.  It then loops and pulls the next 
maximum, and so on.  

Since Include is essentially a stack implementation (LIFO), as we add the 
maximum file name to the stack it will end up in the stack in sorted 
alphabetical order min to max.  Since we're using the same facility as Include, 
it will work even if the included file includes or includedir's other files.

So, if you looked at the readdir implementation and figured it wasn't sorted, 
that's correct, but the loop below that adds to the Include stack takes care of 
that.

Essentially:
conf.d/ has files A.conf B.conf c.conf D.conf
IncludeDir "conf.d/"

Will include files A.conf B.conf D.conf c.conf in that order. (case sensitive, 
though it could easily be changed to casecmp... I just prefix with numbers)

Still have to rebase this patch against 2.6 before submission.

> * PCRE-based dynamic redirects/Joe Gooch
>   needs more analysis

Will rebase patch and provide.  Here's the modified man page... note 
RedirectAppend and RedirectDynamic.

       [Redirect | RedirectAppend | RedirectDynamic] [code] "url"

              This is a special type of back-end. Instead of sending the
              request to a back-end Pound replies immediately with a
              redirection to the given URL. You may define multiple
              redirectors in a service, as well as mixing them with regular
              back-ends.

              The address the client is redirected to is determined by the
              command you specify.  If you specify Redirect, the url is
              taken as an absolute host and path to redirect to.  If you use
              RedirectAppend, the original request path will be appended to
              the host and path you specified.  If you use RedirectDynamic,
              then url can contain RegEx replacements in the form $1 through
              $9 which indicate expression captured from the original
              request path. You must have a URL directive, and the first URL
              directive for the service is the one used for capturing
              expressions.

              Examples: if you specified

                  Redirect "http://abc.example"

              and the client requested http://xyz/a/b/c then it will be
              redirected to http://abc.example, but if you specified

                  RedirectAppend "http://abc.example"

              it will be sent to http://abc.example/a/b/c.

              If you specified

                  URL "^/a(/[^/]*)(/[^/]*)"
                  RedirectDynamic "http://abc.example$2$1/index.html"

              it will be sent to http://abc.example/c/b/index.html.

              Technical note: in an ideal world Pound should reply with a
              "307 Temporary Redirect" status.  Unfortunately, that is not
              yet supported by all clients (in particular HTTP 1.0 ones), so
              Pound currently replies by default with a "302 Found" instead.
              You may override this behaviour by specifying the code to be
              used (301, 302 or 307).

> * config reload/Erik Hensema
>   not as easy as it looks - suggestions are welcome

It doesn't even look easy to me. :)  I'd welcome discussion on the thread I 
started to discuss this, but there haven't been any responses.

> * session cookies by Pound/Francisco Ruiz
>   needs more discussion. It would break the proxy transparency

Need to rebase my backend cookies patch against v2.6 and submit.  By breaking 
proxy transparency do you mean the proxy is adding a cookie that the backend 
isn't?  If so, I think (if configured to do so) this isn't necessarily a bad 
thing... There are certainly situations where it's appropriate or desired.  
Generally accepted as a useful way to do affinity (coyote, a10, kemp, et al)

> * enhanced alive test: 200/503 reply rather than connect/Francisco Ruiz
>   needs more discussion. Can be easily supported now via external
>   scripts, so it's not clear we need it

Just my $.02.... I've tried a couple times to make a useful connect-based 
script, and have run into all sorts of issues. It's just not an easy thing to 
do.  It would be so much easier if pound had a connect/send text A/expect text 
B/close type check feature.  (like the Coyote or A10 or other load balancers do)


Joe
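
The IncludeDir ordering argument above, as an added example that is not part of the original message and is not the patch's code: names arrive in arbitrary readdir order, the strcmp maximum is pushed first, and popping the LIFO stack reads them in ascending order. The stack, `push_dir` and `read_order` are hypothetical stand-ins for Pound's f_in/cur_fin handling.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FILES 16

/* Hypothetical stand-in for the Include stack: last pushed is read first. */
static const char *inc_stack[MAX_FILES];
static int inc_top;

/* Push names (arbitrary readdir order) by repeatedly taking the strcmp
 * maximum of what is left. Returns -1 if the stack would overflow. */
static int push_dir(const char **names, int n)
{
    int used[MAX_FILES] = {0};

    if (n < 0 || inc_top + n > MAX_FILES)
        return -1;
    for (int pushed = 0; pushed < n; pushed++) {
        int max = -1;
        for (int i = 0; i < n; i++)
            if (!used[i] && (max < 0 || strcmp(names[i], names[max]) > 0))
                max = i;
        used[max] = 1;
        inc_stack[inc_top++] = names[max];
    }
    return 0;
}

/* Pop until empty and record the order in which files would be read. */
static const char *read_order(const char **names, int n, char *out, size_t len)
{
    if (len == 0 || push_dir(names, n) != 0)
        return NULL;
    out[0] = '\0';
    while (inc_top > 0) {
        const char *name = inc_stack[--inc_top];
        if (strlen(out) + strlen(name) + 2 > len) {
            inc_top = 0;                /* drop the rest on truncation */
            return NULL;
        }
        if (out[0])
            strcat(out, " ");
        strcat(out, name);
    }
    return out;
}

int main(void)
{
    /* Constructed sample: the names from the message, shuffled. */
    const char *names[] = { "c.conf", "D.conf", "A.conf", "B.conf" };
    char buf[128];
    printf("%s\n", read_order(names, 4, buf, sizeof buf));
    return 0;
}
```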
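
The RedirectDynamic substitution described in the man page text above, as an added example that is not the patch's code: it uses POSIX `regex.h` in place of PCRE, and `expand_redirect` is a hypothetical helper. The pattern is the man page's URL example written with balanced parentheses.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Expand $1..$9 in tmpl with the groups that pattern captures from path.
 * Returns 0 on success, -1 on bad pattern, no match or truncation. */
static int expand_redirect(const char *pattern, const char *path,
                           const char *tmpl, char *out, size_t len)
{
    regex_t re;
    regmatch_t m[10];
    size_t o = 0;
    int rc = -1;

    if (len == 0 || regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&re, path, 10, m, 0) != 0)
        goto done;                      /* URL did not match: no redirect */
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '$' && p[1] >= '1' && p[1] <= '9') {
            const regmatch_t *g = &m[p[1] - '0'];
            p++;                        /* consume the digit */
            if (g->rm_so < 0)
                continue;               /* unset group expands to nothing */
            size_t n = (size_t)(g->rm_eo - g->rm_so);
            if (o + n >= len)
                goto done;              /* refuse to emit a truncated URL */
            memcpy(out + o, path + g->rm_so, n);
            o += n;
        } else {
            if (o + 1 >= len)
                goto done;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    rc = 0;
done:
    regfree(&re);
    return rc;
}

int main(void)
{
    char url[128];
    /* Values taken from the man page example. */
    if (expand_redirect("^/a(/[^/]*)(/[^/]*)", "/a/b/c",
                        "http://abc.example$2$1/index.html",
                        url, sizeof url) == 0)
        printf("%s\n", url);
    return 0;
}
```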

