I downgraded pound on the new server from 2.6 to 2.5 and, using the same configuration, everything works (with 2.5).

So, it appears that there is a problem with the ListenHTTPS handler, or perhaps with using AddHeader with ListenHTTPS, in version 2.6. I'm not exactly sure how to debug this further. Please let me know.

The redirect to pound for apache is working correctly; however, when the request has passed through the HTTPS handler, been decrypted and re-presented to apache, it has not had the necessary header added.

Cheers
Mark.

Further to last, I increased the log level (should have done that before, sorry), and it appears that the header is never being added by the HTTPSListener.

The relevant lines in the log are:

    redirect to https://flooting.com/login [REDIRECT/302]
    -> this *should* set IS_SSL to SSL
    strip per-dir prefix: /home/flooting/src/YMGN/trunk/www/flooting/login -> login
    applying pattern '^(login|register|payment.*|gopro)$' to uri 'login'
    RewriteCond: input='' pattern='!^SSL$' => matched

Input should at this stage be IS_SSL because the header should have been added.

Cheers
Mark.

Hi All

I've been using pound 2.5 for some time and it's been working nicely. I'm just in the process of building a new LB using pound 2.6 and I'm hitting a problem; I'm not certain it's related to the version.

Anyway, my current load balancer is handling SSL termination for me. I've created some rules so that people accessing the login or registration pages are redirected to https. That's been working fine.

On 2.6 the same configuration does not work. When I try and access login I end up in a redirect loop rather than being redirected to the page.

Here are the relevant files:

pound.cfg:

    ListenHTTP
        Address <IP address>
        Port 80
        #RewriteLocation 2 was required with 2.5 to make this work
        RewriteLocation 2
        #Normal service statements...

    ListenHTTPS
        Address <IP address>
        Port 443
        Cert "/etc/ssl/localcerts/site.pem"
        CAList "/etc/ssl/localcerts/gd_bundle.crt"
        #Add a header so we know the connection has passed via https.
        AddHeader "IS_SSL: SSL"
        RewriteLocation 2

Then, on the web servers the .htaccess file is as follows:

    Options +FollowSymLinks -MultiViews
    RewriteEngine On
    RewriteBase /

    # force https for /login and /register
    # first check that we DON'T have the IS_SSL header set to SSL (it would only be set when we pass through ListenHTTPS on the LB)
    RewriteCond %{HTTP:IS_SSL} !^SSL$
    # if it's not set, rewrite to HTTPS for these pages.
    RewriteRule ^(login|register|payment.*|gopro)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

    # don't do anything for images/css/js (leave protocol as is)
    RewriteRule \.(woff|gif|jpe?g|png|css|js)$ - [NC,L]

    # force http for all other URLs
    RewriteCond %{HTTP:IS_SSL} ^SSL$
    RewriteCond %{REQUEST_URI} !^/(login|register|payment.*|gopro)$
    RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

The log output (as you can see, it just loops):

    strip per-dir prefix: /home/flooting/src/YMGN/trunk/www/flooting/login -> login
    applying pattern '^(login|register|payment.*|gopro)$' to uri 'login'
    rewrite 'login' -> 'https://flooting.com/login'
    explicitly forcing redirect with https://flooting.com/login
    trying to replace prefix /home/flooting/src/YMGN/trunk/www/flooting/ with /
    escaping https://flooting.com/login for redirect
    redirect to https://flooting.com/login [REDIRECT/302]
    strip per-dir prefix: /home/flooting/src/YMGN/trunk/www/flooting/login -> login
    applying pattern '^(login|register|payment.*|gopro)$' to uri 'login'
    rewrite 'login' -> 'https://flooting.com/login'
    explicitly forcing redirect with https://flooting.com/login
    trying to replace prefix /home/flooting/src/YMGN/trunk/www/flooting/ with /
    escaping https://flooting.com/login for redirect
    redirect to https://flooting.com/login [REDIRECT/302]
    strip per-dir prefix: /home/flooting/src/YMGN/trunk/www/flooting/login -> login
    applying pattern '^(login|register|payment.*|gopro)$' to uri 'login'
    rewrite 'login' -> 'https://flooting.com/login'
    explicitly forcing redirect with https://flooting.com/login
    trying to replace prefix /home/flooting/src/YMGN/trunk/www/flooting/ with /

As I said, this has been working fine. The only change I'm aware of is the version change, but perhaps there is something else I've missed in the new machine.

Any thoughts greatly appreciated.

Mark.
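
The redirect loop described in this thread, modelled as an added example (not part of the original posts, and not Pound or Apache code): the three .htaccess rules are re-implemented in Python and run behind a stand-in load balancer whose HTTPS listener either adds `IS_SSL: SSL` or does not. The host name `example.test`, the function names, and the assumption that clients never send `IS_SSL` themselves are constructed for illustration.

```python
import re

# The three .htaccess rules from the post, modelled for per-directory context
# (the leading "/" is stripped before RewriteRule patterns are applied).
SECURE = re.compile(r"^(login|register|payment.*|gopro)$")
STATIC = re.compile(r"\.(woff|gif|jpe?g|png|css|js)$", re.I)
SECURE_URI = re.compile(r"^/(login|register|payment.*|gopro)$")
HOST = "example.test"  # constructed host name

def backend(path, headers):
    """Return a redirect URL, or None when Apache would serve the page."""
    is_ssl = headers.get("IS_SSL", "")
    rel = path.lstrip("/")
    # Rule 1: secure pages without the marker header are sent to https.
    if not re.search(r"^SSL$", is_ssl) and SECURE.search(rel):
        return f"https://{HOST}{path}"
    # Rule 2: static assets keep whatever scheme they arrived on.
    if STATIC.search(rel):
        return None
    # Rule 3: everything else that arrived via https goes back to http.
    if re.search(r"^SSL$", is_ssl) and not SECURE_URI.search(path):
        return f"http://{HOST}{path}"
    return None

def balancer(url, https_adds_header):
    """Stand-in LB: only the HTTPS listener adds IS_SSL (the AddHeader line).
    Assumption: a client-supplied IS_SSL header never reaches the backend."""
    scheme, rest = url.split("://", 1)
    path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    headers = {"IS_SSL": "SSL"} if scheme == "https" and https_adds_header else {}
    return path, headers

def follow(url, https_adds_header, limit=10):
    """Follow redirects; return (outcome, final_url, hops)."""
    seen = set()
    for hops in range(limit):
        if url in seen:
            return ("loop", url, hops)
        seen.add(url)
        target = backend(*balancer(url, https_adds_header))
        if target is None:
            return ("served", url, hops)
        url = target
    return ("limit", url, limit)

if __name__ == "__main__":
    for adds in (True, False):
        print("header added:", adds, follow(f"http://{HOST}/login", adds))
```

With the header present the login page is served after one redirect; with it missing, rule 1 keeps matching on the HTTPS hop and the same URL is returned, which is the `input=''` case in the log above.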
