>>> Removing the service holding the redirect from the HTTP listener, resolves
>>> nothing.  In fact, everything breaks.

At that point, if you connect to https://dev2, what happens?  Clearly 
http://dev2 will not work in that case.

Joe

From: Shane Chambers [mailto:[email protected]]
Sent: Thursday, March 15, 2012 6:16 PM
To: [email protected]
Subject: ***SPAM*** [Pound Mailing List] Pound private services

I’ve run into a problem that I’m hoping someone can explain to me.  It appears 
that pound is treating HTTP private services as global services, and ignoring 
HTTPS private services.  Take for example this configuration;


root@dev2: cat /etc/pound.cfg
User        "nobody"
Group       "nobody"
RootJail    "/var/pound/jail"
Alive       15
Client      15
TimeOut     300
Grace       10
LogFacility     local6
LogLevel        2
Control         "/var/run/pound.control"

## Main listening ports
ListenHTTP
    Address 192.168.3.120
    Port    80
        MaxRequest 10485760
    xHTTP       0


        Service
                Redirect "https://dev2";
        End
End

ListenHTTPS
    Address 192.168.3.120
    Port    443
        MaxRequest 10485760
    Cert    <removed>
    xHTTP       0



        Service
                IgnoreCase 1
                URL "^\/*\/<removed>"
                BackEnd
                        Address 192.168.3.120
                        Port 8080
                End
        End
        Service
                IgnoreCase 1
                URL "^\/*\/<removed>"
                BackEnd
                        Address 192.168.3.120
                        Port 8068
                End
        End
        Service
                BackEnd
                        Address 192.168.3.120
                        Port 81
                End
        End

End


root@dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
    0. Service active (1)
      0. Backend (UNKNOWN):0 active (1 0.000 sec) alive
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services


This was written with the intention of all HTTP traffic to be redirected to 
HTTPS traffic.  Indeed, from the headers I can see that all HTTP traffic is 
being redirected, however, all HTTPS traffic is being redirected as well.  Thus 
I’ve got an infinite loop...

http://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
----------------------------------------------------------
https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144
----------------------------------------------------------
https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 302 Found
Location: https://dev2/
Content-Type: text/html
Content-Length: 144

ad infinitum…


Removing the service holding the redirect from the HTTP listener, resolves 
nothing.  In fact, everything breaks.

ListenHTTP
    Address 192.168.3.120
    Port    80
        MaxRequest 10485760
    xHTTP       0


#       Service
#               Redirect "https://dev2";
#       End
End

root@dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive
 -1. Global services

https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.0 503 Service Unavailable
Content-Type: text/html
Content-Length: 53
Expires: now
Pragma: no-cache
Cache-Control: no-cache,no-store
----------------------------------------------------------


It’s not until the services under HTTPS are moved out to the global definition 
that things begin working again;

root@dev2: poundctl -c /var/run/pound.control
  0. http Listener 192.168.3.120:80 a
  1. HTTPS Listener 192.168.3.120:443 a
 -1. Global services
    0. Service active (5)
      0. Backend 192.168.3.120:8080 active (5 0.000 sec) alive
    1. Service active (5)
      0. Backend 192.168.3.120:8068 active (5 0.000 sec) alive
    2. Service active (5)
      0. Backend 192.168.3.120:81 active (5 0.000 sec) alive

https://dev2/

GET / HTTP/1.1
Host: dev2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ad_session_id=<removed>

HTTP/1.1 200 OK
Set-Cookie: ad_session_id=<removed>; Path=/; Max-Age=3600
MIME-Version: 1.0
Date: Thu, 15 Mar 2012 21:59:39 GMT
Server: AOLserver/4.5.1
Content-Type: text/html; charset=utf-8
Content-Length: 5847
Connection: keep-alive
----------------------------------------------------------


Why does the private service under HTTP appear to be treated like it’s a global 
service (or at least a private service for both HTTP, and HTTPS)?
Why are the private services under HTTPS appearing to not be seen at all?
Is there a better way to implement HTTP to HTTPS redirection?  (or at least a 
work around for this problem?)
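
A small check for the symptom shown in the capture above, added here as an example and not part of the original thread or of Pound itself: it parses a header capture in the same layout (URL line, request, response, dashed separator) and reports a redirect whose `Location` points back at a URL that was already requested. The function names and the trimmed sample are constructed for illustration, and URLs are compared as exact strings.

```python
import re

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.M)
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: the capture from the post, trimmed to the relevant headers.
SAMPLE_LOOP = """\
http://dev2/

GET / HTTP/1.1
Host: dev2

HTTP/1.0 302 Found
Location: https://dev2/
----------------------------------------------------------
https://dev2/

GET / HTTP/1.1
Host: dev2

HTTP/1.0 302 Found
Location: https://dev2/
"""

def parse_exchanges(trace):
    """Return one (url, status, location) tuple per captured exchange."""
    exchanges = []
    for block in SEPARATOR.split(trace):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        if not lines:
            continue
        status = location = None
        for ln in lines[1:]:
            m = re.match(r"HTTP/\d\.\d (\d{3})", ln)  # status line, not "GET / HTTP/1.1"
            if m:
                status = int(m.group(1))
            elif status is not None and ln.lower().startswith("location:"):
                location = ln.split(":", 1)[1].strip()
        exchanges.append((lines[0], status, location))
    return exchanges

def find_redirect_loop(exchanges):
    """Return the first Location that points at an already-requested URL, else None."""
    seen = set()
    for url, status, location in exchanges:
        seen.add(url)
        if status in REDIRECT_CODES and location in seen:
            return location
    return None

if __name__ == "__main__":
    print(find_redirect_loop(parse_exchanges(SAMPLE_LOOP)))
```

A healthy HTTP-to-HTTPS setup produces one 302 from the `http://` URL followed by a non-redirect response on the `https://` URL, for which `find_redirect_loop` returns `None`.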
