That's because this:

    "^Host[:\t|:\s]|[\t|\s]stage.example.com<http://stage.example.com>|(:443)*$"

matches absolutely everything. | is "or", it's not in a group, and (:443)* will match an empty string. Or on :443.

http://www.regexplanet.com/advanced/java/index.html

If you go there and punch in your regex without the quotes, and then put in input strings of:

    Host: stage.example.com
    Host: stage.example.com:443
    Host:stage.example.com:443
    stage.example.com
    www.microsoft.com

and hit test, the Find() column should show yes, yes, yes, no, no. With what you've supplied, it says yes, yes, yes, yes, yes.

And there are these that you don't want it to match as well:

    Host: stage1example.com
    Host stage.example.com
    Host: stage.example.com:443:443

You want the regex:

    "^Host:[ \t]*stage\.example\.com(:443)?$"

(notice the space before \t)

Joe

From: Rob Hicks [mailto:[email protected]]
Sent: Monday, August 06, 2012 3:38 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Config to Catch All Requests

Joe,

Thanks for your help! I fixed the redirect loops. But I still can't get pound to do the last redirect. Here's my updated config file. Any ideas what else I can try?

Rob

    User "pound"
    Group "pound"
    Control "/tmp/pound.sock"
    LogLevel 2
    DynScale 1
    Alive 15
    Client 30
    TimeOut 181

    ListenHTTP
        Address 0.0.0.0
        Port 80
        Service
            HeadRequire "^Host[:\t|:\s]|[\t|\s]stageweb.example.com<http://stageweb.example.com>|(:80)*$"
            BackEnd
                Address 127.0.0.1
                Port 8970
            End
        End
        Service
            Redirect "https://stage.example.com/login/GetConsole.do"
        End
    End

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/pound/example.com.pem"
        Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
        xHTTP 2
        Service
            Session
                Type Cookie
                ID "JSESSIONID"
                TTL 900
            End
            HeadRequire "^Host[:\t|:\s]|[\t|\s]stage.example.com<http://stage.example.com>|(:443)*$"
            BackEnd
                Address 127.0.0.1
                Port 8970
            End
        End
        Service
            Redirect "https://stage.example.com/login/GetConsole.do"
        End
    End

On Mon, Aug 6, 2012 at 12:09 PM, Joe Gooch <[email protected]> wrote:

Yep, top down.

But that would also mean if the headrequire matches, and it's sending to the backend on port 8970, and that backend is dead, you'll get a 503. (i.e. not listening on 127.0.0.1, firewalled, port not open, etc.)

I'm not sure if you actually have the regexes in like this:

    HeadRequire "secure.contractpal.com<http://secure.contractpal.com> <http://secure.contractpal.com>"

Or if your email client is being too smart for its own good and trying to turn the web link into an email link. If they actually are like this, they won't work. :)

Dave's regex suggestion would be better. Or even something like:

    HeadRequire "^Host:[ \t]*secure\.contractpal\.com(:443)?$"

(to catch the possible explicit port in the Host header case)

And you'll probably want the secure.example.com to match secure.contractpal.com if it doesn't already. (That's what I was thinking... redirect loop because you're redirecting to a different name than you're trapping for.)

-G

From: Rob Hicks [mailto:[email protected]]
Sent: Monday, August 06, 2012 1:58 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Config to Catch All Requests

Joe,

Good catch on the Host. Yes, the SSL listener creates a redirect loop. But that is part of what I don't understand. According to what I have read, shouldn't the first service block service the request if the HeadRequire is met? If not, the request would fall through to the next service, which would create the redirect.

What I need to do is this:

1) If a request comes in with the proper name in Host, service the request through the associated backends.
2) If a request comes in without the proper name in Host, redirect the user to the login page.

How does service matching occur? Does it occur top down?

Rob

On Mon, Aug 6, 2012 at 11:39 AM, Joe Gooch <[email protected]> wrote:

Wouldn't your 443 listener cause a redirect loop?

Also your 443 listener doesn't have Host: in it...

Joe

From: Rob Hicks [mailto:[email protected]]
Sent: Monday, August 06, 2012 1:29 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Config to Catch All Requests

Dave,

Yes, I didn't put the full RegEx in the HeadRequires in the post. The last redirect never happens. Pound returns a 503 error.

Rob

On Mon, Aug 6, 2012 at 11:18 AM, Dave Steinberg <[email protected]> wrote:

On 8/6/2012 12:58 PM, Rob Hicks wrote:

Hi. I have a pound config that includes the following listeners. I have added two new services at the end of each of the listeners. The idea is to redirect the user to a proper URL. This is necessary for a PCI security scan, which is now complaining that 500 errors are PCI failures. Shouldn't this work? If not, what is the right way to approach this problem?

Rob

    ListenHTTP
        Address 0.0.0.0
        Port 80
        Service
            HeadRequire "(Host: www.example.com<http://www.example.com> <http://www.example.com>)"
            BackEnd
                Address 127.0.0.1
                Port 8970
            End
        End
        Service
            HeadRequire "(Host: secure.example.com<http://secure.example.com> <http://secure.example.com>)"
            Redirect "https://secure.example.com"
        End
        Service
            Redirect "https://secure.example.com"
        End
    End

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/pound/secure.example.com.pem"
        Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
        xHTTP 2
        Service
            HeadRequire "secure.contractpal.com<http://secure.contractpal.com> <http://secure.contractpal.com>"
            BackEnd
                Address 127.0.0.1
                Port 8970
            End
        End
        Service
            Redirect "https://secure.example.com"
        End
    End

This seems like it ought to work. Where is it failing?

PS: Your Host header regexps could be improved. Try:

    HeadRequire "^Host:[ \t]*secure\.example\.com$"

--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/

--
To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
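The regex check Joe walks through at the top of the thread, as an added script that is not part of the thread or of Pound: it runs Rob's broken HeadRequire pattern and Joe's fixed one over the Host lines Joe lists and reports which lines each pattern would wrongly claim for the backend Service. It uses Python's re module, like the Java tester Joe links, rather than Pound's own regex engine, so it reproduces Joe's yes/no column, not Pound's exact matching.

```python
import re

# The two HeadRequire patterns from the thread: Rob's broken one and Joe's fix.
BROKEN = r"^Host[:\t|:\s]|[\t|\s]stage.example.com<http://stage.example.com>|(:443)*$"
FIXED = r"^Host:[ \t]*stage\.example\.com(:443)?$"

# Joe's test inputs (constructed here from the lines he lists, not captured
# traffic), paired with whether the HeadRequire SHOULD match each one.
CASES = [
    ("Host: stage.example.com", True),
    ("Host: stage.example.com:443", True),
    ("Host:stage.example.com:443", True),
    ("stage.example.com", False),
    ("www.microsoft.com", False),
    ("Host: stage1example.com", False),          # an unescaped '.' would accept this
    ("Host stage.example.com", False),           # no ':' after the header name
    ("Host: stage.example.com:443:443", False),  # (:443)* would accept this
]


def find(pattern: str, header_line: str) -> bool:
    """Unanchored search, like the Find() column of the tester Joe links."""
    return re.search(pattern, header_line) is not None


def evaluate(pattern: str) -> list:
    """Return [(line, matched, expected)] for every case."""
    return [(line, find(pattern, line), want) for line, want in CASES]


def false_accepts(pattern: str) -> list:
    """Lines the pattern matches although the Service should NOT claim them.

    This is the direction that matters for a Pound Service: a false accept
    sends a request with the wrong Host header to the backend instead of
    letting it fall through to the catch-all Redirect service below it.
    """
    return [line for line, got, want in evaluate(pattern) if got and not want]


def matches_empty(pattern: str) -> bool:
    """True if the pattern matches the empty string, i.e. matches everything."""
    return re.search(pattern, "") is not None


if __name__ == "__main__":
    for name, pat in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: matches empty string = {matches_empty(pat)}")
        for line, got, want in evaluate(pat):
            flag = "" if got == want else "   <-- wrong"
            print(f"  {'yes' if got else 'no':3} {line!r}{flag}")
```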
