Joe,

Thanks! That worked.

rob

On Mon, Aug 6, 2012 at 2:01 PM, Joe Gooch <[email protected]> wrote:

> That’s because this:
>
> "^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"
>
> Matches absolutely everything.
>
> | is or, it’s not in a group, and (:443)* will match an empty string. Or
> on :443.
>
> http://www.regexplanet.com/advanced/java/index.html
>
> If you go there and punch in your regex without the quotes, and then put
> in input strings of:
>
> Host: stage.example.com
> Host: stage.example.com:443
> Host:stage.example.com:443
> stage.example.com
> www.microsoft.com
>
> and hit test, the Find() column should show yes, yes, yes, no, no.
>
> With what you’ve supplied, it says yes, yes, yes, yes, yes
>
> And there are these that you don’t want it to match as well:
>
> Host: stage1example.com
> Host  stage.example.com
> Host: stage.example.com:443:443
>
> You want the regex:
>
> "^Host:[ \t]*stage\.example\.com(:443)?$"
>
> (notice the space before \t)
>
> Joe
>
> *From:* Rob Hicks [mailto:[email protected]]
> *Sent:* Monday, August 06, 2012 3:38 PM
> *To:* [email protected]
> *Subject:* Re: [Pound Mailing List] Config to Catch All Requests
>
> Joe,
>
> Thanks for your help! I fixed the redirect loops. But I still can't get
> pound to do the last redirect. Here's my updated config file.
>
> Any ideas what else I can try?
>
> Rob
>
> User "pound"
> Group "pound"
> Control "/tmp/pound.sock"
> LogLevel 2
> DynScale 1
> Alive 15
> Client 30
> TimeOut 181
>
> ListenHTTP
>     Address 0.0.0.0
>     Port 80
>     Service
>         HeadRequire "^Host[:\t|:\s]|[\t|\s]stageweb.example.com|(:80)*$"
>         BackEnd
>             Address 127.0.0.1
>             Port    8970
>         End
>     End
>     Service
>         Redirect "https://stage.example.com/login/GetConsole.do"
>     End
> End
>
> ListenHTTPS
>     Address 0.0.0.0
>     Port    443
>     Cert    "/etc/pound/example.com.pem"
>     Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
>     xHTTP 2
>     Service
>         Session
>             Type    Cookie
>             ID      "JSESSIONID"
>             TTL     900
>         End
>         HeadRequire "^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"
>         BackEnd
>             Address 127.0.0.1
>             Port    8970
>         End
>     End
>     Service
>         Redirect "https://stage.example.com/login/GetConsole.do"
>     End
> End
>
> On Mon, Aug 6, 2012 at 12:09 PM, Joe Gooch <[email protected]> wrote:
>
> Yep, top down.
>
> But that would also mean if the headrequire matches, and it’s sending to
> the backend on port 8970, and that backend is dead – you’ll get a 503.
> (i.e. not listening on 127.0.0.1, firewalled, port not open, etc)
>
> I’m not sure if you actually have the regexes in like this:
>
> HeadRequire "secure.contractpal.com <http://secure.contractpal.com>"
>
> Or if your email client is being too smart for its own good and trying to
> turn the web link into an email link.  If they actually are like this, they
> won’t work. :)
>
> Dave’s regex suggestion would be better.
>
> Or even something like:
>
> HeadRequire "^Host:[ \t]*secure\.contractpal\.com(:443)?$"   <to catch
> the possible explicit port in the host header case
>
> And you’ll probably want the secure.example.com to match
> secure.contractpal.com if it doesn’t already. (that’s what I was
> thinking… redirect loop because you’re redirecting to a different name than
> you’re trapping for)
>
> -G
>
> *From:* Rob Hicks [mailto:[email protected]]
> *Sent:* Monday, August 06, 2012 1:58 PM
> *To:* [email protected]
> *Subject:* Re: [Pound Mailing List] Config to Catch All Requests
>
> Joe,
>
> Good catch on the Host.
>
> Yes the SSL listener creates a redirect loop. But that is part of what I
> don't understand. According to what I have read, shouldn't the first
> service block service the request if the HeadRequire is met? If not, the
> request would fall through to the next service, which would create the
> redirect.
>
> What I need to do is this:
>
> 1) if a request comes in with the proper name in host, service the
> request through the associated backends.
>
> 2) if a request comes in without the proper name in host, redirect the
> user to the login page.
>
> How does service matching occur? Does it occur top down?
>
> Rob
>
> On Mon, Aug 6, 2012 at 11:39 AM, Joe Gooch <[email protected]> wrote:
>
> Wouldn’t your 443 listener cause a redirect loop?
>
> Also your 443 listener doesn’t have Host: in it…
>
> Joe
>
> *From:* Rob Hicks [mailto:[email protected]]
> *Sent:* Monday, August 06, 2012 1:29 PM
> *To:* [email protected]
> *Subject:* Re: [Pound Mailing List] Config to Catch All Requests
>
> Dave,
>
> Yes, I didn't put the full RegEx in the HeadRequires in the post.
>
> The last redirect never happens. Pound returns a 503 error.
>
> Rob
>
> On Mon, Aug 6, 2012 at 11:18 AM, Dave Steinberg <[email protected]>
> wrote:
>
> On 8/6/2012 12:58 PM, Rob Hicks wrote:
>
> Hi.
>
> I have a pound config that includes the following listeners. I have
> added two new services at the end of each of the listeners. The idea is
> to redirect the user to a proper url. This is necessary for a PCI
> security scan, which is now complaining that 500 errors are PCI failures.
>
> Shouldn't this work? If not, what is the right way to approach this
> problem?
>
> Rob
>
> ListenHTTP
>      Address 0.0.0.0
>      Port 80
>      Service
>          HeadRequire "(Host: www.example.com <http://www.example.com>)"
>          BackEnd
>              Address 127.0.0.1
>              Port    8970
>          End
>      End
>      Service
>          HeadRequire "(Host: secure.example.com <http://secure.example.com>)"
>          Redirect "https://secure.example.com";
>      End
>      Service
>          Redirect "https://secure.example.com";
>      End
> End
>
> ListenHTTPS
>      Address 0.0.0.0
>      Port    443
>      Cert    "/etc/pound/secure.example.com.pem"
>      Ciphers "-ALL +SSLv3 +TLSv1 HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
>      xHTTP 2
>      Service
>          HeadRequire "secure.contractpal.com <http://secure.contractpal.com>"
>          BackEnd
>              Address 127.0.0.1
>              Port    8970
>          End
>      End
>      Service
>          Redirect "https://secure.example.com";
>      End
> End
>
> This seems like it ought to work.  Where is it failing?
>
> PS: Your Host header regexps could be improved.  Try:
>
> HeadRequire "^Host:[ \t]*secure\.example\.com$"
>
> --
> Dave Steinberg
> http://www.geekisp.com/
> http://www.steinbergcomputing.com/
> http://www.redterror.net/
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
>
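
The regex diagnosis in the thread above, as an added example that is not part of the original messages: it splits the HTTPS listener's HeadRequire pattern into its top-level alternatives and runs both patterns over the header lines quoted in the thread. Python's `re` module stands in for the Java tester linked in the message (an assumption; Pound's own regex library is not exercised here), and the helper names are hypothetical.

```python
import re

BROKEN = r"^Host[:\t|:\s]|[\t|\s]stage.example.com|(:443)*$"   # from the HTTPS listener
FIXED = r"^Host:[ \t]*stage\.example\.com(:443)?$"             # replacement from the thread

# Header lines quoted in the thread: five test inputs, then three near misses.
SAMPLES = [
    "Host: stage.example.com", "Host: stage.example.com:443",
    "Host:stage.example.com:443", "stage.example.com", "www.microsoft.com",
    "Host: stage1example.com", "Host  stage.example.com",
    "Host: stage.example.com:443:443",
]

def top_level_alternatives(pattern):
    """Split on '|' that sits outside [...] classes and (...) groups."""
    parts, current, depth, in_class, i = [], "", 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                       # keep an escape and its operand together
            current += pattern[i:i + 2]
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "|" and depth == 0:       # a real alternation boundary
            parts.append(current)
            current, i = "", i + 1
            continue
        current += ch
        i += 1
    return parts + [current]

def find_results(pattern, lines):
    """Unanchored search per line, the question the tester's Find() column answers."""
    return [re.search(pattern, line) is not None for line in lines]

def matching_branches(pattern, line):
    """Top-level alternatives that match the line when tried on their own."""
    return [alt for alt in top_level_alternatives(pattern) if re.search(alt, line)]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:34} broken={bool(re.search(BROKEN, line))!s:5} "
              f"fixed={bool(re.search(FIXED, line))!s:5} "
              f"via={matching_branches(BROKEN, line)}")
```

The `via=` column shows that `www.microsoft.com` is accepted only through the `(:443)*$` branch, which matches the empty string at the end of any line, so the first Service never lets a request fall through to the Redirect.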
