Forgot to include this;

 

root@dev2: pound -V
starting...
Version 2.6
  Configuration switches:
    --enable-cert1l
    --with-ssl=/usr/lib/openssl/
Exiting...

 

________________________________

From: Shane Chambers 
Sent: Thursday, March 15, 2012 5:16 PM
To: '[email protected]'
Subject: Pound private services

 

I've run into a problem that I'm hoping someone can explain to me.  It
appears that pound is treating HTTP private services as global services,
and ignoring HTTPS private services.  Take for example this
configuration;

 

 

root@dev2: cat /etc/pound.cfg
User        "nobody"
Group       "nobody"
RootJail    "/var/pound/jail"
Alive       15
Client      15
TimeOut     300
Grace       10
LogFacility     local6
LogLevel        2
Control         "/var/run/pound.control"

## Main listening ports
ListenHTTP
    Address 192.168.3.120
    Port    80
    MaxRequest 10485760
    xHTTP       0

    Service
        Redirect "https://dev2";
    End
End

ListenHTTPS
    Address 192.168.3.120
    Port    443
    MaxRequest 10485760
    Cert    <removed>
    xHTTP       0

    Service
        IgnoreCase 1
        URL "^\/*\/<removed>"
        BackEnd
            Address 192.168.3.120
            Port 8080
        End
    End
    Service
        IgnoreCase 1
        URL "^\/*\/<removed>"
        BackEnd
            Address 192.168.3.120
            Port 8068
        End
    End
    Service
        BackEnd
            Address 192.168.3.120
            Port 81
        End
    End

End

 

 

root@dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
    0. Service active (1)
      0. Backend (UNKNOWN):0 active (1 0.000 sec) alive
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services

 

 

This was written with the intention that all HTTP traffic be redirected
to HTTPS traffic.  Indeed, from the headers I can see that all HTTP
traffic is being redirected; however, all HTTPS traffic is being
redirected as well.  Thus I've got an infinite loop...

 

http://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
----------------------------------------------------------
https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
----------------------------------------------------------
https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144

ad infinitum...

 

 

Removing the service holding the redirect from the HTTP listener
resolves nothing.  In fact, everything breaks.

 

ListenHTTP
    Address 192.168.3.120
    Port    80
    MaxRequest 10485760
    xHTTP       0

#       Service
#               Redirect "https://dev2";
#       End
End

root@dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services

 

https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 503 Service Unavailable
Content-Type: text/html
Content-Length: 53
Expires: now
Pragma: no-cache
Cache-Control: no-cache,no-store
----------------------------------------------------------

 

 

It's not until the services under HTTPS are moved out to the global
definition that things begin working again;

 

root@dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
 -1. Global services
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive

 

https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.1 200 OK
Set-Cookie: ad_session_id=<removed>; Path=/; Max-Age=3600
MIME-Version: 1.0
Date: Thu, 15 Mar 2012 21:59:39 GMT
Server: AOLserver/4.5.1
Content-Type: text/html; charset=utf-8
Content-Length: 5847
Connection: keep-alive
----------------------------------------------------------

 

 

Why does the private service under HTTP appear to be treated like it's a
global service (or at least a private service for both HTTP, and HTTPS)?

Why are the private services under HTTPS appearing to not be seen at
all?

Is there a better way to implement HTTP to HTTPS redirection?  (or at
least a workaround for this problem?)
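
Added example, not part of the original message or of Pound: a small checker that reads a header capture laid out like the ones above (URL line, request, response, dashed separator) and reports the first URL whose redirect points back at a URL already requested, which is the loop described in this report. The capture string is constructed and abbreviated from the exchange in the message; the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the capture in the message above.
CAPTURE = """\
http://dev2/

GET / HTTP/1.1
Host: dev2

HTTP/1.0 302 Found
Location: https://dev2/
----------------------------------------------------------
https://dev2/

GET / HTTP/1.1
Host: dev2

HTTP/1.0 302 Found
Location: https://dev2/
----------------------------------------------------------
"""

REDIRECTS = {301, 302, 303, 307, 308}

def parse_capture(text):
    """Return [(requested_url, status, location_or_None), ...] per exchange."""
    hops = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        url, status, location = lines[0], None, None
        for line in lines[1:]:
            m = re.match(r"HTTP/\d\.\d\s+(\d{3})", line)  # status line only
            if m:
                status = int(m.group(1))
            elif status is not None and line.lower().startswith("location:"):
                location = line.split(":", 1)[1].strip()
        hops.append((url, status, location))
    return hops

def find_redirect_loop(hops):
    """Return the first URL redirected to an already-requested URL, else None."""
    seen = set()
    for url, status, location in hops:
        seen.add(url)
        if status in REDIRECTS and location in seen:
            return url
    return None
```

Run against a capture taken after a configuration change, a result of None from find_redirect_loop together with a 302 on the http:// hop confirms that the redirect applies to the HTTP listener only.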

 
