Joe,

Thanks for your help! I fixed the redirect loops. But I still can't get
pound to do the last redirect. Here's my updated config file.

Any ideas what else I can try?

Rob

User "pound"
Group "pound"
Control "/tmp/pound.sock"
LogLevel 2
DynScale 1
Alive 15
Client 30
TimeOut 181

ListenHTTP
    Address 0.0.0.0
    Port 80
    # First Service: only taken when a request header line matches HeadRequire
    Service
        HeadRequire "^Host[:\t|:\s]|[\t|\s]stageweb.example.com|(:80)*$"
        BackEnd
            Address 127.0.0.1
            Port    8970
        End
    End
    # Last Service has no HeadRequire, so it should catch everything else
    Service
        Redirect "https://stage.example.com/login/GetConsole.do"
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/example.com.pem"
    Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
    xHTTP 2
    Service
        Session
            Type    Cookie
            ID      "JSESSIONID"
            TTL     900
        End
        HeadRequire "^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"
        BackEnd
            Address 127.0.0.1
            Port    8970
        End
    End
    Service
        Redirect "https://stage.example.com/login/GetConsole.do"
    End
End
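As an added illustration (not from the list thread or from Pound itself) of the top-down matching Joe describes: this Python script simulates the two Services of the ListenHTTP block against a few constructed requests, with Python's `re` standing in for Pound's POSIX extended regex. The posted pattern's third alternative, `(:80)*$`, matches the empty string at the end of every header line, so the first Service claims every request and the catch-all Redirect is never reached; an anchored pattern in the shape Joe suggests lets non-matching hosts fall through to it.

```python
import re

# Two actions a Pound Service can take in the config under discussion.
BACKEND = "backend 127.0.0.1:8970"
REDIRECT = "redirect https://stage.example.com/login/GetConsole.do"

# HeadRequire as posted: three top-level alternatives, and the third one,
# (:80)*$, can match the empty string at the end of ANY header line.
BROKEN = r"^Host[:\t|:\s]|[\t|\s]stageweb.example.com|(:80)*$"
# The shape Joe suggests: anchored, literal dots, optional explicit port.
FIXED = r"^Host:[ \t]*stageweb\.example\.com(:80)?$"

# Constructed sample requests (header lines only). 203.0.113.10 is a
# documentation address standing in for a scanner hitting the raw IP.
SAMPLE_REQUESTS = {
    "good host": ["Host: stageweb.example.com", "User-Agent: scanner"],
    "good host with port": ["Host: stageweb.example.com:80"],
    "wrong host": ["Host: 203.0.113.10", "User-Agent: scanner"],
    "no host header": ["User-Agent: scanner"],
}


def build_listener(head_require):
    """Services in listener order, mirroring the ListenHTTP block:
    an app Service guarded by HeadRequire, then a bare Redirect Service."""
    return [(head_require, BACKEND), (None, REDIRECT)]


def first_matching_service(services, headers):
    """Top-down matching: the first Service whose HeadRequire matches some
    request header line wins; a Service with no HeadRequire matches every
    request. Python's re stands in for Pound's POSIX regex here
    (assumption: same result for these patterns)."""
    for head_require, action in services:
        if head_require is None:
            return action
        rx = re.compile(head_require, re.IGNORECASE)
        if any(rx.search(line) for line in headers):
            return action
    return None


def route_all(head_require):
    """Map each sample request to the action the listener would take."""
    listener = build_listener(head_require)
    return {label: first_matching_service(listener, hdrs)
            for label, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for pattern_name, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"--- {pattern_name}: {pattern}")
        for label, action in route_all(pattern).items():
            print(f"{label:22} -> {action}")
```

With the posted pattern every request, including one with no Host header at all, is sent to the backend on 8970, which is exactly the case where a dead backend yields the 503 instead of the redirect.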

On Mon, Aug 6, 2012 at 12:09 PM, Joe Gooch <[email protected]> wrote:

> Yep, top down.
>
> But that would also mean if the headrequire matches, and it's sending to
> the backend on port 8970, and that backend is dead, you'll get a 503.
> (i.e. not listening on 127.0.0.1, firewalled, port not open, etc)
>
> I'm not sure if you actually have the regexes in like this:
>
> HeadRequire "secure.contractpal.com <http://secure.contractpal.com>"
>
> Or if your email client is being too smart for its own good and trying to
> turn the web link into an email link.  If they actually are like this, they
> won't work. :)
>
> Dave's regex suggestion would be better.
>
> Or even something like:
>
> HeadRequire "^Host:[ \t]*secure\.contractpal\.com(:443)?$"   <to catch
> the possible explicit port in the host header case
>
> And you'll probably want the secure.example.com to match
> secure.contractpal.com if it doesn't already. (that's what I was
> thinking... redirect loop because you're redirecting to a different name than
> you're trapping for)
>
> -G
>
>
> From: Rob Hicks [mailto:[email protected]]
> Sent: Monday, August 06, 2012 1:58 PM
> To: [email protected]
> Subject: Re: [Pound Mailing List] Config to Catch All Requests
>
>
> Joe,
>
> Good catch on the Host.
>
> Yes the SSL listener creates a redirect loop. But that is part of what I
> don't understand. According to what I have read, shouldn't the first
> service block service the request if the HeadRequire is met? If not, the
> request would fall through to the next service, which would create the
> redirect.
>
> What I need to do is this:
>
> 1) if a request comes in with the proper name in host, service the
> request through the associated backends.
>
> 2) if a request comes in without the proper name in host, redirect the
> user to the login page.
>
> How does service matching occur? Does it occur top down?
>
> Rob
>
> On Mon, Aug 6, 2012 at 11:39 AM, Joe Gooch <[email protected]> wrote:
>
> Wouldn't your 443 listener cause a redirect loop?
>
> Also your 443 listener doesn't have Host: in it...
>
> Joe
>
> From: Rob Hicks [mailto:[email protected]]
> Sent: Monday, August 06, 2012 1:29 PM
> To: [email protected]
> Subject: Re: [Pound Mailing List] Config to Catch All Requests
>
>
> Dave,
>
> Yes, I didn't put the full RegEx in the HeadRequires in the post.
>
> The last redirect never happens. Pound returns a 503 error.
>
> Rob
>
> On Mon, Aug 6, 2012 at 11:18 AM, Dave Steinberg <[email protected]>
> wrote:
>
> On 8/6/2012 12:58 PM, Rob Hicks wrote:
>
> Hi.
>
> I have a pound config that includes the following listeners. I have
> added two new services at the end of each of the listeners. The idea is
> to redirect the user to a proper url. This is necessary for a PCI
> security scan, which is now complaining that 500 errors are PCI failures.
>
> Shouldn't this work? If not, what is the right way to approach this
> problem?
>
> Rob
>
> ListenHTTP
>      Address 0.0.0.0
>      Port 80
>      Service
>          HeadRequire "(Host: www.example.com)"
>          BackEnd
>              Address 127.0.0.1
>              Port    8970
>          End
>      End
>      Service
>          HeadRequire "(Host: secure.example.com)"
>          Redirect "https://secure.example.com"
>      End
>      Service
>          Redirect "https://secure.example.com"
>      End
> End
>
> ListenHTTPS
>      Address 0.0.0.0
>      Port    443
>      Cert    "/etc/pound/secure.example.com.pem"
>      Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
>      xHTTP 2
>      Service
>          HeadRequire "secure.contractpal.com"
>          BackEnd
>              Address 127.0.0.1
>              Port    8970
>          End
>      End
>      Service
>          Redirect "https://secure.example.com"
>      End
> End
>
>
> This seems like it ought to work.  Where is it failing?
>
> PS: Your Host header regexps could be improved.  Try:
>
> HeadRequire "^Host:[ \t]*secure\.example\.com$"
>
> --
> Dave Steinberg
> http://www.geekisp.com/
> http://www.steinbergcomputing.com/
> http://www.redterror.net/
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
