Re: [Pound Mailing List] Pound & JBoss

2014-07-21 Thread Andreas Hilboll
We successfully run JBoss behind a Pound proxy. We only use Port 8080, and Pound does SSL termination, so www.example.com:443 gets directed to local_jboss_server:8080, and the web application runs just fine. However, we don't use the admin console, so I cannot comment on that. Cheers, Andreas.

[Pound Mailing List] URL pattern to negate a list

2014-02-03 Thread Andreas Hilboll
Hi, I'd like to set up a service with a URL pattern matching only if the path does *not* start with one of a list of words. The following doesn't work: Service HeadRequire "Host: .*www.mydomain.com.*" URL ! "^/project1|^/project2/|^/portal" RedirectAppend "https://www.mydom

Re: [Pound Mailing List] run pound on multiple interfaces including https

2013-08-30 Thread Andreas Hilboll
Yes, David, it is possible to have several ListenHTTPS blocks with their own Cert configs. Cheers, Andreas. On 30.08.2013 09:11, D. R. wrote: > Hi all, > > is it possible to let pound run on multiple interfaces with different > ssl certs? > > On http://www.apsis.ch/pound/index_html in the s

Re: [Pound Mailing List] Err503: Unknown directive?

2013-07-17 Thread Andreas Hilboll
On 17.07.2013 11:20, Bussi Andrea wrote: > On 07/17/2013 10:23 AM, Andreas Hilboll wrote: >> Hi, >> >> I want to configure an error page in my pound cfg. For that, I put the >> line >> >> Err503 "/etc/pound/e503.html" >> > > Is it insi

Re: [Pound Mailing List] Err503: Unknown directive?

2013-07-17 Thread Andreas Hilboll
On 17.07.2013 11:20, Bussi Andrea wrote: > On 07/17/2013 10:23 AM, Andreas Hilboll wrote: >> Hi, >> >> I want to configure an error page in my pound cfg. For that, I put the >> line >> >> Err503 "/etc/pound/e503.html" >> > > Is i

[Pound Mailing List] Err503: Unknown directive?

2013-07-17 Thread Andreas Hilboll
Hi, I want to configure an error page in my pound cfg. For that, I put the line Err503 "/etc/pound/e503.html" into my config, and the file /etc/pound/e503.html does exist. However, pound complains about an "unknown directive". I'm using a git checkout from end of April, from https://github.c

Re: [Pound Mailing List] Current development status

2013-06-18 Thread Andreas Hilboll
Hi, Joe stated the links to updated 2.6 and 2.7 branches in this thread: http://www.apsis.ch/pound/pound_list/archive/2013/2013-04/136765000/index_html Cheers, Andreas. On 18.06.2013 14:55, Scott McKeown wrote: > Hi Peter, > > Welcome to Pound. > > I'm sure that Joe will jump in at som

Re: [Pound Mailing List] send source IP of HTTP requests to web servers in the cluster

2013-05-21 Thread Andreas Hilboll
Hi Pat, if I'm not mistaken, the IP address you're looking for is being put into the X-Forwarded-For header by pound. So you just need to adapt your nginx logging directive. See, e.g., here: https://syslog.tv/2011/08/10/nginx-log-real-ip-from-pound/ Hope that helps, Andreas. On 21.05.2013 10

Re: [Pound Mailing List] PCI-DSS Compliance with Pound

2013-05-03 Thread Andreas Hilboll
> My suggestion to anyone who needs PCI-DSS compliance is to run my branch here: > https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b > > Zip here: > https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip > > This is based on 2.7b, and includes a bunch of patches that

Re: [Pound Mailing List] PCI-DSS Compliance with Pound

2013-04-29 Thread Andreas Hilboll
Hi Lubomir, thanks! > For 2011-3389, I need to disable ciphers deemed unsecure. The solution > for Apache would be this: > >SSLHonorCipherOrder On >SSLCipherSuite RC4-SHA:HIGH:!ADH > > > Pound 2.7a contains a fix, at GoodData we use the following configuration: > >

[Pound Mailing List] PCI-DSS Compliance with Pound

2013-04-29 Thread Andreas Hilboll
Hi, a recent PCI-DSS scan revealed the following vulnerabilities on our system: CVE-2011-3389: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability CVE-2012-4929: SSL/TLS Compression Algorithm Information Leakage Vulnerability For 2011-3389, I need to disable ciphers deemed unsecu

[Pound Mailing List] Defining multiple URL patterns in a Service

2013-01-30 Thread Andreas Hilboll
Hi, on my pound 2.6-2, I would like to define multiple URL patterns in a service. The manpage says it's possible: You may define multiple URL conditions per service. However, in a service like this, none of the three patterns seems to kick in: Service URL "^/services/ddEmissionService"

Re: [Pound Mailing List] HTTP Listen Address as variable?

2013-01-25 Thread Andreas Hilboll
>> we like to have a pound server on standby in case the live server fails. >> problem is, that we can't keep the pound.cfg centralized as the >> HTTP/HTTPS Listen -> Address line is server specific. >> >> is there a way to fill this variable with the `hostname` for instance? >> >> regards, >> >> P

Re: [Pound Mailing List] Multiple SSL Certs

2012-10-12 Thread Andreas Hilboll
Thanks for the clarification, Sander! > Yes just load all certificates: > Cert "cert1.pem" > Cert "cert1.pem" > Cert "certX.pem" > > Pound uses the domain in the CN field of the certificate to match the correct certificate to the request with SNI. Which certificate w

Re: [Pound Mailing List] Multiple SSL Certs

2012-10-12 Thread Andreas Hilboll
Hi Scott, > ... I'm guessing that you have a WildCard SSL Certificate or a UCC Certificate that will allow you to correctly encrypt the required traffic to your backend servers as you can only enable one SSL Certificate per real IP Address. Isn't that the whole point of SNI? https://en.wikip

Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-20 Thread Andreas Hilboll
Is it possible that your Perl application tries to enforce HTTPS? If so, HTTPS would go from user to Pound, HTTP from Pound to Perl, and Perl would then redirect to HTTPS, ending in an infinite loop. Cheers, A. > It is pretty much what I emailed earlier. /etc/pound/dev.pem is a > self-sign certi