So your Pound Setup and the Web Site are running on the same server, sorry
I have mine set up in a Proxy mode which is a slightly different setup.
I don't know perlbal but at a guess you should be able to change the port
that it's listening on in its config file to something like 8080 and then
with the pound redirect as above in place but to port 8080 for the BackEnd.


~Scott


On 20 September 2012 12:51, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> Just for testing, I stopped perlbal, added the ListenHTTP suggestion to
> pound, so now pound runs on ports 443 and 80.  The problem is worse.  I
> cannot go from http to https or from https to http.  So it's definitely
> something with pound!  Previously I reinstalled pound with just plain 2.6
> without any patches and it's the same problem!
>
> From: Scott McKeown <sc...@loadbalancer.org>
> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
> Date: Thursday, 20 September 2012 12:30
> To: "pound@apsis.ch" <pound@apsis.ch>
> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot
> get certificate
>
> Hi Francoise,
>
> OK think I've got it now. Try something like this:
>
>
> User    "nobody"
> Group   "nobody"
> LogLevel 1
>
> ListenHTTPS
>     Address xxx.xxx.xxx.xxx
>     Port    443
>     Cert    "/etc/pound/dev.pem"
>     Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>     AddHeader "X-Secure-Connection: true"
>     Service
>         BackEnd
>             # Send everything PSGI apps
>             Address 127.0.0.1
>             Port    5555
>         End
>     End
> End
> ListenHTTP
>     Address xxx.xxx.xxx.xxx
>     Port    80
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port    5555
>         End
>     End
> End
>
> This should stop the looping and catch anything that is HTTP and display
> as normal. If you want to FORCE HTTP traffic to HTTPS the Redirect option
> should work.
>
> ~Scott
>
>
> On 20 September 2012 12:08, Francoise Dehinbo <francoise.dehi...@foxtons.co.uk> wrote:
> Hi Scott,
>
> We use Perl 5.10, Catalyst and Plack/PSGI for the back end servers.  Pound
> is used for https and Perlbal for http front ends.
>
> So Pound config is something like:
>
> User    "nobody"
> Group   "nobody"
>
> LogLevel 1
>
> ListenHTTPS
>
>     Address xxx.xxx.xxx.xxx
>     Port    443
>     Cert    "/etc/pound/dev.pem"
>     Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>
>     AddHeader "X-Secure-Connection: true"
>
>     Service
>         BackEnd
>             # Send everything PSGI apps
>             Address 127.0.0.1
>             Port    5555
>         End
>     End
>
> End
>
> I haven't applied the DisableSSLv2 patch yet.  But going from an https to
> any non secure page ends up in an infinite loop.
>
> Using Firefox or even Safari returns something like:
>
> Firefox has detected that the server is redirecting the request for this
> address in a way that will never complete.
>
>
> From: Scott McKeown <sc...@loadbalancer.org>
> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
> Date: Thursday, 20 September 2012 10:54
> To: "pound@apsis.ch" <pound@apsis.ch>
> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot
> get certificate
>
> Hi Francoise,
>
> I'm going to take a guess here but your pound.cfg should look something
> like this for a basic redirection from HTTP to HTTPS (well this works well
> for me but I'm sure others may know of another/better way to do this)
>
>
> User    "nobody"
> Group    "nobody"
> LogLevel    1
> LogFacility    local3
> Client    30
> TimeOut    60
> ListenHTTPS
>     Address xxx.xxx.xxx.xxx
>     Port 443
>     xHTTP 3
>     Cert "/etc/pound/ucc01.pem"
>     ReWriteLocation 1
>     Ciphers "RC4:HIGH:!MD5:!aNULL"
>     SSLHonorCipherOrder 1
>     SSLAllowClientRenegotiation 0
>     DisableSSLv2
>     Service
>         HeadRequire "Host: *support.*"
>         BackEnd
>             Address 172.16.0.40
>             Port 80
>             TProxy 1
>         End
>     End
> End
> ListenHTTP
>         Address xxx.xxx.xxx.xxx
>         Port 80
>         xHTTP 3
>         ReWriteLocation 1
>         Service
>                 HeadRequire "Host: *support.*"
>                 Redirect "[https full address goes here]" #eg https://google.co.uk
>         End
> End
>
>
> ~Yours,
> Scott
>
>
> On 20 September 2012 10:36, Francoise Dehinbo <francoise.dehi...@foxtons.co.uk> wrote:
> Hi Scott,
>
> I hope you can help me again.  Since upgrading to pound 2.6 as discussed
> previously, we are having trouble re-directing a user from https to http.
> But if I downgrade pound back to 2.5 and refresh it works fine.  I am not
> at all familiar with how pound works.  Do you have any recommendations on
> where to look first?
>
> Many thanks.
>
> Francoise
>
> From: Scott McKeown <sc...@loadbalancer.org>
> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
> Date: Wednesday, 19 September 2012 12:01
> To: "pound@apsis.ch" <pound@apsis.ch>
> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot
> get certificate
>
> Hi Francoise,
>
> You're more than welcome.
> On a side note you may also like the DisableSSLv2 Patch which can be found
> here:
> http://www.apsis.ch/pound/pound_list/archive/2012/2012-01/1327928733000
>
> This will remove the need for the '!SSLv2' option in your Ciphers List
> line.
>
>
> ~Scott
>
>
> On 19 September 2012 11:51, Francoise Dehinbo <francoise.dehi...@foxtons.co.uk> wrote:
> Hi Scott,
>
> It worked fine once I switched it to the live certificate instead of the
> self-signed one used for testing.
>
> Much appreciated.
>
> Francoise
>
> From: Scott McKeown <sc...@loadbalancer.org>
> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
> Date: Wednesday, 19 September 2012 10:40
> To: "pound@apsis.ch" <pound@apsis.ch>
> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot
> get certificate
>
> Hi Francoise,
>
> This looks more like a Certificate issue than a Pound issue.
> What type of certificate have you created?
> I would have another go at creating the PEM file myself and if you have
> paid for a certificate from a CA you may need the intermediate and root
> chains.
> This site is a good reference on the creation of the PEM files.
> http://www.digicert.com/ssl-support/pem-ssl-creation.htm
> 9 times out of 10 I would use the full PEM file listed right at the bottom
> of the page.
>
> ~Yours,
> Scott
>
>
> On 19 September 2012 10:11, Francoise Dehinbo <francoise.dehi...@foxtons.co.uk> wrote:
> Hi All,
>
> My OS is Debian squeeze, which has Pound version 2.5 installed. I
> downloaded the latest stable version 2.6 from
> http://www.apsis.ch/pound/Pound-2.6.tgz and
> applied the BEAST attack patch from
>
> https://github.com/goochjj/pound/commit/2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch
>
> After installing 2.6 and starting up pound (as root), it fails with the
> following error:
>
> /etc/pound/pound.cfg line 15: ListenHTTPS: could not get certificate CN
>
> Line 15 is:
> Cert    "/etc/pound/dev.pem"
>
> But /etc/pound/dev.pem does exist so I don't understand why it cannot read
> it:
>
> >ls -la /etc/pound/dev.pem
> -rw-r--r-- 1 root root 1.9K May 22 15:29 /etc/pound/dev.pem
>
> Here is my config for pound:
>
> User    "web"
> Group   "web"
>
> # If the backend disappears check for it to come back every 'Alive' seconds.
> Alive 5
>
> # no logging of individual requests
> # start up etc errors are still logged to daemon.log
> LogLevel 2
>
> ListenHTTPS
>
>     Address 0.0.0.0
>     Port    443
>     Cert    "/etc/pound/dev.pem"
>     Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>
>     AddHeader "X-Secure-Connection: true"
>
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port    6000
>         End
>     End
>
> End
>
> Any help would be greatly appreciated.
>
> Many thanks
>
> Francoise
>
> Privacy and Confidentiality Notice:
>
> This is strictly confidential and intended solely for the person or
> organisation to whom it is addressed. It may contain privileged and
> confidential information and if you are not an intended recipient, you must
> not copy, distribute or take any action in reliance on it. If you have
> received this message in error, please notify us as soon as possible and
> delete it and any attached files from your system.
> The views and opinions expressed in this email message are the author's
> own and may not reflect the views and opinions of the author's employer.
>
> Foxtons Limited is registered in England and Wales (registered number
> 01680058).  Our registered office is at Building One, Chiswick Park, 566
> Chiswick High Road, London, W4 5BE.
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MessageLabs.
>
> --
> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
> Please contact ro...@apsis.ch for questions.
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
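
An added example (not part of the thread and not Pound's own code): a small Python parser for the `Block ... End` config syntax quoted above that reports, per listener, whether SSLv2 is switched off by `DisableSSLv2` or `!SSLv2`, whether `SSLHonorCipherOrder 1` is set, and whether the plain-HTTP listener redirects. The sample config is constructed, `parse_pound` and `audit` are hypothetical names, and the directives are assumed to be available as in the patched build Scott's config is written for.

```python
import shlex
BLOCKS = {"listenhttp", "listenhttps", "service", "backend"}

def parse_pound(text):
    """Parse Pound's nested 'Block ... End' syntax into a tree of dicts."""
    stack = [{"type": "root", "opts": {}, "kids": []}]
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles "quotes" and '#'
        if not tokens:
            continue
        key, value = tokens[0].lower(), " ".join(tokens[1:])
        if key in BLOCKS:
            stack.append({"type": key, "opts": {}, "kids": []})
            stack[-2]["kids"].append(stack[-1])
        elif key == "end":
            if len(stack) == 1:
                raise ValueError("End without an open block")
            stack.pop()
        else:
            stack[-1]["opts"][key] = value
    if len(stack) != 1:
        raise ValueError("block not closed with End")
    return stack[0]

def audit(text):
    report = {}  # 'listener:port' -> list of findings for that listener
    for lst in parse_pound(text)["kids"]:
        o, found = lst["opts"], []
        if lst["type"] == "listenhttps":
            if "disablesslv2" not in o and "!SSLv2" not in o.get("ciphers", "").split(":"):
                found.append("neither DisableSSLv2 nor !SSLv2 is set")
            if o.get("sslhonorcipherorder") != "1":
                found.append("Ciphers order not enforced (no SSLHonorCipherOrder 1)")
        elif lst["type"] == "listenhttp" and not any("redirect" in s["opts"] for s in lst["kids"]):
            found.append("plain HTTP is served, not redirected")
        report[f'{lst["type"]}:{o.get("port", "?")}'] = found
    return report

# Constructed sample, modelled on the listeners quoted in the thread.
SAMPLE = """
ListenHTTPS
    Port 443
    Ciphers "ALL:!aNULL:RC4+RSA:HIGH:MEDIUM:!LOW:!EXP"
    Service
        BackEnd
            Address 127.0.0.1
            Port 5555
        End
    End
End
ListenHTTP
    Port 80
    Service
        Redirect "https://www.example.com"
    End
End
"""

if __name__ == "__main__": print(audit(SAMPLE))
```

Without `SSLHonorCipherOrder 1` the position of `RC4+RSA` inside a long `Ciphers` string expresses no server-side preference, which is why the audit reports it separately from the SSLv2 check.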
