Yep, top down.

But that would also mean if the HeadRequire matches, and it’s sending to the 
backend on port 8970, and that backend is dead – you’ll get a 503. (i.e. not 
listening on 127.0.0.1, firewalled, port not open, etc.)

I’m not sure if you actually have the regexes in like this:

HeadRequire "secure.contractpal.com<http://secure.contractpal.com> 
<http://secure.contractpal.com>"
Or if your email client is being too smart for its own good and trying to turn 
the web link into an email link.  If they actually are like this, they won’t 
work. :)
Dave’s regex suggestion would be better.
Or even something like:
HeadRequire "^Host:[ \t]*secure\.contractpal\.com(:443)?$"
(to catch the possible explicit port in the host header case)

And you’ll probably want the secure.example.com to match secure.contractpal.com 
if it doesn’t already. (that’s what I was thinking… redirect loop because 
you’re redirecting to a different name than you’re trapping for)
-G


From: Rob Hicks [mailto:[email protected]]
Sent: Monday, August 06, 2012 1:58 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Config to Catch All Requests

Joe,

Good catch on the Host.

Yes the SSL listener creates a redirect loop. But that is part of what I don't 
understand. According to what I have read, shouldn't the first service block 
service the request if the HeadRequire is met? If not, the request would fall 
through to the next service, which would create the redirect.

What I need to do is this:

1) if a request comes in with the proper name in host, service the request 
through the associated backends.
2) if a request comes in without the proper name in host, redirect the user to 
the login page.

How does service matching occur? Does it occur top down?

Rob
On Mon, Aug 6, 2012 at 11:39 AM, Joe Gooch <[email protected]> wrote:
Wouldn’t your 443 listener cause a redirect loop?
Also your 443 listener doesn’t have Host: in it…
Joe

From: Rob Hicks [mailto:[email protected]]
Sent: Monday, August 06, 2012 1:29 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Config to Catch All Requests

Dave,

Yes, I didn't put the full RegEx in the HeadRequires in the post.

The last redirect never happens. Pound returns a 503 error.

Rob
On Mon, Aug 6, 2012 at 11:18 AM, Dave Steinberg <[email protected]> wrote:
On 8/6/2012 12:58 PM, Rob Hicks wrote:
Hi.

I have a pound config that includes the following listeners. I have
added two new services at the end of each of the listeners. The idea is
to redirect the user to a proper url. This is necessary for a PCI
security scan, which is now complaining that 500 errors are PCI failures.

Shouldn't this work? If not, what is the right way to approach this problem?

Rob

ListenHTTP
     Address 0.0.0.0
     Port 80
     Service
         HeadRequire "(Host: www.example.com<http://www.example.com> 
<http://www.example.com>)"

         BackEnd
             Address 127.0.0.1
             Port    8970
         End
     End
     Service
         HeadRequire "(Host: secure.example.com<http://secure.example.com>
<http://secure.example.com>)"

         Redirect "https://secure.example.com"

     End
     Service
         Redirect "https://secure.example.com"
     End
End

ListenHTTPS
     Address 0.0.0.0
     Port    443
     Cert    "/etc/pound/secure.example.com.pem"
     Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
     xHTTP 2
     Service
         HeadRequire "secure.contractpal.com<http://secure.contractpal.com>
<http://secure.contractpal.com>"

         BackEnd
             Address 127.0.0.1
             Port    8970
         End
     End
     Service
         Redirect "https://secure.example.com"
     End
End

This seems like it ought to work.  Where is it failing?

PS: Your Host header regexps could be improved.  Try:

HeadRequire "^Host:[ \t]*secure\.example\.com$"

--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/

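A small Python model of the top-down service matching discussed in this thread, added here as an illustration; it is not from any poster's message and is not Pound's code. The names `build_services` and `route` and the sample requests are constructed, and Python's `re` stands in for Pound's regex matching (an assumption).

```python
import re

# Constructed model of one listener: services are tried in order, and the
# first one whose HeadRequire pattern matches some request header wins.
# A service with no HeadRequire (pattern None) is the catch-all.
def build_services(host_pattern):
    return [
        {"require": host_pattern, "action": "backend 127.0.0.1:8970"},
        {"require": None, "action": "redirect https://secure.example.com"},
    ]

def route(services, headers, backend_alive=True):
    """Return what the listener does with a request (a list of header lines)."""
    for svc in services:
        pat = svc["require"]
        # Assumption: re.search with IGNORECASE approximates Pound's matcher.
        if pat is not None and not any(
            re.search(pat, h, re.IGNORECASE) for h in headers
        ):
            continue  # HeadRequire not met: fall through to the next service
        if svc["action"].startswith("backend") and not backend_alive:
            return "503"  # the matched service owns the request; no fall-through
        return svc["action"]
    return "503"  # nothing matched (cannot happen while a catch-all exists)

LOOSE = "secure.example.com"  # unanchored, dots unescaped, no "Host:" prefix
STRICT = r"^Host:[ \t]*secure\.example\.com(:443)?$"

# Constructed sample requests.
GOOD = ["Host: secure.example.com", "User-Agent: scanner"]
GOOD_PORT = ["Host: secure.example.com:443"]
OTHER_HOST = ["Host: 203.0.113.10", "Referer: http://secure.example.com/x"]
LOOKALIKE = ["Host: secureXexample.com.other.test"]

if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        for req in (GOOD, GOOD_PORT, OTHER_HOST, LOOKALIKE):
            print(name, req[0], "->", route(build_services(pat), req))
    print("dead backend ->", route(build_services(STRICT), GOOD, False))
```

With the loose pattern, a request for a different host still reaches the backend because the pattern matches the Referer line or a lookalike name; the anchored pattern sends both to the redirect.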