I think your inbound to pound connection is working okay. It's your
pound-back_end that is failing. In the jail, you need to allow the pound
server to connect outbound to your inside network.
So you have:
USER - { jail [pound] }
|
|-- back_end
The USER - { jail
Hello,
Can you please add the client IP to the error log when any internal pound
errors, e.g. e500, are generated?
The current message looks something like:
Jan 23 09:11:31 pound: (9d6ec003) e500 response error read from (BE IP
ADDR)/POST /mypath HTTP/1.1: Connection timed out (59.992
To: pound@apsis.ch
Subject: Re: [Pound Mailing List] Request: add client IP to e500 error
log message
On Fri, 2009-01-23 at 10:25 -0800, Jacob Anderson wrote:
Hello,
Can you please add the client IP to the error log when any internal
pound
errors, e.g. e500, are generated
Hello,
When in doubt, you should always use tail -f on the log files:
1. tail -f /var/log/messages and watch the pound traffic
2. tail -f /var/log/httpd/blah.log and watch your back end traffic
If pound is the culprit, then you will see a quick connection in #1 and a slow
connection in #2.
Of
Jeff,
Do the cameras send video packets using UDP? Since the camera connection
from Lynx says that it needs Java, I am thinking that it delivers a java
applet, and then starts a UDP feed on the camera to send back to the java
applet, which then displays UDP video packets. That's a very common LAN
Hello,
I am trying to build pound 2.4.4 against PCRE and google-perftools.
(a) installed PCRE using yum install pcre-devel
(b) downloaded, extracted, and built the google-perftools from the google
code site. Using version 1.3. No problems here.
(c) added /usr/local/lib to the ld.so.conf just
San Diego, CA - had one failure, and then persistent success. Likely
intermittent DNS failure in the US.
-Original Message-
From: Albert [mailto:po...@alacra.com]
Sent: Monday, January 25, 2010 11:23 AM
To: pound@apsis.ch
Subject: Re: [Pound Mailing List] Pound website down?
I've been
Software Solutions
( \ / ___ \ | Insurance * Entertainment * Defense * Government
) ) | | || -
| __ (| | | || Jacob Anderson President
| |__) ) |___| || j...@beyond-ordinary.com | www.beyond-ordinary.com
Hello David,
First step - try direct routing with a static NAT rule to jump your users
directly to one back end. If they timeout, then it's a back end issue. If it
works great, then read on.
Next, check your routing. The back end may have a firewall running that is
not allowing the traffic on
Hello Anne,
You only need one SSL certificate for Pound with SSL. If you need to have
SSL on your back end servers, then you need certificates for every IP
ADDRESS that will be secured with SSL.
Pound is intended to be an SSL terminator, so you really only need SSL on
the pound server.
-- Jake
Hi,
You can only do this with a proxy rewrite, like mod_rewrite in Apache. Pound is
only a pass-through reverse proxy.
Either you do this on the front-end with Apache, or the back-end after Pound.
-- Jake
-Original Message-
From: p...@gmx.de [mailto:p...@gmx.de]
Sent: Wednesday, May
Hello,
You don't disable, you just authorize which ciphers you want to offer to the
client:
Ciphers TLSv1+SSLv3
-- Jake
-Original Message-
From: alexus [mailto:ale...@gmail.com]
Sent: Thursday, September 02, 2010 1:53 PM
To: pound@apsis.ch
Subject: [Pound Mailing List] SSL Weak
Try adding this to your ListenHTTPS config:
Ciphers TLSv1+SSLv3
This worked for our PCI DSS compliance scan. Is that what you are doing?
-- jake
-Original Message-
From: alexus [mailto:ale...@gmail.com]
Sent: Thursday, September 02, 2010 1:52 PM
To: pound@apsis.ch
Subject: [Pound
My $0.02 worth here. I had a similar problem recently when I switched our
network over to a routed network instead of drop-in. The DNS needed to
change, but I didn't change it, so pound redirected all https back to http,
no matter what. When I fixed the DNS (the pound machine had to resolve its
Hi,
Do you have a core file? If you build pound with debug symbols and have a
core file, then you can dbg the core file and see where it is segfaulting.
Once you get that information, post it and someone will be able to better
help you.
What other libraries are you using? (pcre, tmalloc, etc.)
If memory serves, the host header require is a regular expression. You need
to escape the '.'.
headrequire ^host:[\t ]*store\.compumedik\.com$
BackEnd
Address 192.168.3.32
Port 80
End
End
service
From: Adrian
Test #1:
telnet 192.168.1.5 80 (from the pound machine)
If this fails, then you have a firewall rule blocking port 80 outbound
traffic, or you have a port 80 inbound block on 192.168.1.5.
Pound often times must reside on both an external and internal network. The
next test is to see
Hall,
If you ONLY have an HTTPS directive in your config, and you are being
redirected back to http, then it sounds like you are (a) testing from your
LAN, and (b) your BE is sending a redirect that is LAN addressed instead of
pound addressed.
Make sure that your application always
BE Apache setup with usecanonicalname no, so it should
be using whatever is passed in the URL.
Unfortunately I don't have that much control over the application, it's a
big box ERP system. DNS appears to be sound.
On Mon, Jul 25, 2011 at 2:32 PM, Jacob Anderson j...@beyond-ordinary.com
wrote:
Hall
Hello Patrizio,
What about removing HAProxy from the mix? The log looks like pound is
telling you that it can not connect back to HAProxy:
[Sep 9 12:08:15 bil1] pound: (4332a940) connect_nb: error after getsockopt:
Connection refused
[Sep 9 12:08:15 bil1] pound: (4332a940) backend
Change the logging option to be verbose, then:
% grep pound /var/log/messages > pound.log
% webalizer pound.log
Set this up as a nightly logrotate post-processing step and voilà!
From: Tom S [mailto:tsz...@gmail.com]
Sent: Thursday, December 15, 2011 7:17 AM
To: pound@apsis.ch
Hello,
The FIN/ACK is a TCP stack related issue, not pound. Do you have the most
recent patches and such for your host server?
I’ve seen this same behavior for a variety of hosts, not just Windows clients.
Plus, I’ve seen this on CentOS 4 and CentOS 5, and so far no relief in the way
of
Sorry to chime in here on this topic, but this really isn’t a pound function.
If you are losing your session data because pound bounces your client to
another BE, then you need a shared session state machine for your back ends.
We do this in ASP.NET with the session state server and it works
+1 on the cluster/macro idea. Yeah, that's a really good 2.7 idea. I could
really use that and get rid of my m4 templates.
-- jake
-Original Message-
From: Todd Freeman [mailto:free...@andrews.edu]
Sent: Friday, December 30, 2011 8:35 AM
To: pound@apsis.ch
Subject: Re: [Pound
Joe's items #1, #3, and #5 would benefit me. +1 for each.
-- jake
-Original Message-
From: Joe Gooch [mailto:mrwiz...@k12system.com]
Sent: Friday, December 30, 2011 9:47 AM
To: 'pound@apsis.ch'
Subject: RE: [Pound Mailing List] Pound 2.7 (FR27: Misc new features)
I have a bunch
Hello,
For my take, and my experience only, I’ve had this occur when I did not have
the DNS setup properly. In my case, I was not setting the sd1.example.com and
sd2.example.com domains back to the local IP addresses. When this was the
case, pound would not redirect correctly and our login
I’ll bite. So Peter, can you just rebind your web application “/html” to the
root of your web server? That would get rid of “/html” and you won’t have to
change your pound configuration or add Varnish in there. You’re not really URL
rewriting per-se. You’re just rebinding the web application to
Wow, thanks Joe! Keeping 2.6 alive for us xenophobic IT administrators is very
helpful. :)
-- Jake
-Original Message-
From: Joe Gooch [mailto:mrwiz...@k12system.com]
Sent: Monday, April 29, 2013 7:40 AM
To: 'pound@apsis.ch'
Cc: 'Lubomir Rintel'
Subject: RE: [Pound Mailing List]
: jacob anderson [mailto:j...@beyond-ordinary.com]
Sent: Wednesday, August 28, 2013 2:44 PM
To: pound@apsis.ch
Subject: RE: [Pound Mailing List] Re: NULL: get_thr_arg spamming my syslog
I like to refer to IBM's docs on pthreads when looking up this stuff:
http://publib.boulder.ibm.com
Yeah, I have not updated the box - it's been very stable for 3 years. I opted
to just replace all of it, hardware to OS,
with current stuff. I wanted to upgrade to 2.6 b/c we had a webserver go down
and 2.5 did not recognize it as down, so
50% of users were being directed to the dead node.
Nick,
Can you just build with openssl 0.9.8zc:
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
The advisory recommends using this version for 0.9.8 users (which is what we
are too).
http://www.openssl.org/news/secadv_20141015.txt
-- jake
From: Nick Rogers
Hi
Most of the time when I see pound stutter during processing it is the result of
DNS access/latency. Maybe there are some problems on your network with routing
to the DNS servers?
-- Jake
From: Nino Fink, Contria GmbH [mailto:f...@contria.com]
Sent: Thursday, April 9, 2015 9:01
Hey Pounders,
I have an ASP.NET application that redirects http connections to https using
the old Response.Redirect(https://blah/foo) method.
In Pound 2.5, this works fine and the client is properly redirected from
http to https.
I upgraded to Pound 2.7 (and 2.8), now when I try the
Freja,
There's not much you can do here. SSL binds on the port explicitly and
handles all traffic, unless you use the SSL name protocol (SNI). It sounds
like you don't want that.
So the "Head Require" in an HTTPS rule set is just perfunctory. It really
has no control over connections. SSL
These are the client breaking the connection.
From: John Hayward [mailto:john.hayw...@wheaton.edu]
Sent: Wednesday, December 9, 2015 6:37 AM
To: pound@apsis.ch
Subject: [Pound Mailing List] syslog error messages
In syslog we are seeing the following types of errors:
1) Dec 9
Pound tells you the server is overloaded because your back end is telling
pound that it is overloaded.
10.5.4 503 Service Unavailable
The server is currently unable to handle the request due to a temporary
overloading or maintenance of the server. The implication is that this is a
temporary
It's sent to the back-end:
X-SSL-cipher= TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA
Enc=AESGCM(128) Mac=AEAD
-Original Message-
From: Karl Rossing [mailto:karl.ross...@barobinson.com]
Sent: Wednesday, June 15, 2016 2:28 PM
To: pound@apsis.ch
Subject: [Pound Mailing
You could just take the draconian route and block the bot's IP addresses
using ipfw or iptables. That way you don't even take up resources in pound.
Just dump them at the gate...
-Original Message-
From: Mike Slinn [mailto:msl...@micronauticsresearch.com]
Sent: Tuesday, March 1, 2016
Neither is blocking by user-agent. You can spoof a user-agent more easily
than you can jump to a new IP.
-Original Message-
From: Mike Slinn [mailto:msl...@micronauticsresearch.com]
Sent: Tuesday, March 1, 2016 11:24 AM
To: pound@apsis.ch
Subject: Re: [Pound Mailing List] Blocking
What if you add the macro back into config.h:
# define LHM_lh_new(type, name) \
((LHASH_OF(type) *)lh_new(LHASH_HASH_FN(name), LHASH_COMP_FN(name)))
Here's where it seems to have been removed:
https://mta.openssl.org/pipermail/openssl-commits/2016-January/002778.html
seems to be equivalent