Re: [Pound Mailing List]

2013-09-18 Thread Alan McGinlay - SICS
I believe that pound enables compression of ssl by default but it can 
be disabled via a patched version and a recompile, see this thread:


http://www.apsis.ch/pound/pound_list/archive/2012/2012-10/1349447985000/index_html?fullMode=1

/A

On 2013-09-18 14:04, Corrigan, Coleman wrote:

Hello,
   a recent Ubuntu security fix to openssl for CVE-2012-4929,
which turns off zlib compression of tls/ssl by default. It requires
OPENSSL_DEFAULT_ZLIB to be set in the environment before loading
openssl, if you want to re-enable the feature.

I would like to know if pound has, or is planning to introduce, a
configuration option to enable zlib compression for ssl connections ?

Regards,
Coleman Corrigan.


--
To unsubscribe send an email with subject unsubscribe to 
pound@apsis.ch.

Please contact ro...@apsis.ch for questions.


--
Alan McGinlay

UNIX & Network
0707731527



Re: [Pound Mailing List] Err503: Unknown directive?

2013-07-17 Thread Alan McGinlay
Perhaps you could post a complete (sanitised) version of your pound.cfg 
and any imported files.


/A

On Wed 17 Jul 2013 11:51:07 CEST, Andreas Hilboll wrote:

On 17.07.2013 11:20, Bussi Andrea wrote:

On 07/17/2013 10:23 AM, Andreas Hilboll wrote:

Hi,

I want to configure an error page in my pound cfg. For that, I put the
line

 Err503 "/etc/pound/e503.html"



Is it inside a listener?


No, it's not. But the manpage lists the Err50x directives as "global
directives", so I assume it should *not* go inside a listener?! Do I
understand something wrong? Is the manpage wrong?

-- Andreas.




Re: [Pound Mailing List] How to publish one page in https, the others in http

2013-06-28 Thread Alan McGinlay
In that case, if you don't want users to be able to browse the rest of 
the site with SSL enabled (even by their own manual choice) you could 
redirect them back to the non SSL site (unless the url is the login 
one.)


On Fri 28 Jun 2013 15:39:52, PIEUX Emmanuel wrote:

Thank you very much for this solution. I will try it as soon as possible.
I agree with the fact that full ssl is better (and simpler) than this 
solution, but I have no choice...

-Original Message-
From: Alan McGinlay [mailto:al...@sics.se]
Sent: Friday, 28 June 2013 15:00
To: pound@apsis.ch
Subject: Re: [Pound Mailing List] How to publish one page in https, the others in http

Actually, just take out the URL check from the HTTPS listener and it will still 
work and your users will be able to browse the whole site with SSL if they so 
desire. Personally, I would just run the whole site behind SSL by default and 
redirect all non SSL requests to the ssl version. Overhead is minimal to say 
the least and you get a lot of benefits. It can solve issues of running say 
Varnish cache in front of drupal not working properly because of ssl as well.


On Fri 28 Jun 2013 14:51:59, Alan McGinlay wrote:

This should do the trick:

ListenHTTP
    Address IPADDR
    Port    80
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        # \? matches a literal question mark; a bare ? would make the n optional
        URL "/Login\?user.*"
        Redirect 301 "https://mywebsite.com"
    End
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        BackEnd
            Address yournormalbackend
            Port    80
        End
    End
End
ListenHTTPS
    Address IPADDR
    Port    443
    Cert    "/etc/ssl/certs/cert.pem"
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        URL "/Login\?user.*"
        BackEnd
            Address yournormalbackend
            Port    80
        End
    End
End


That won't cover users trying to browse the rest of your site with
https enabled, add another service for that.




On 2013-06-28 14:08, PIEUX Emmanuel wrote:

Good morning,

I have a website to publish with Pound in http (ie
http://mywebsite.com).

I’d like the authentication page
(http://mywebsite.com/authentication/Login?user) be published in
https, and only this page.

How could I do that with Pound (and is it possible…)?

Sincerely

Emmanuel Pieux

Emmanuel PIEUX – Information Systems Security Manager
Chambre de Commerce et d'Industrie de Grenoble
1, place André Malraux - BP 297
38016 GRENOBLE CEDEX 1
T. 04 76 70 64 06 – M. 06 22 96 19 63
www.grenoble.cci.fr





Re: [Pound Mailing List] How to publish one page in https, the others in http

2013-06-28 Thread Alan McGinlay
Actually, just take out the URL check from the HTTPS listener and it 
will still work and your users will be able to browse the whole site 
with SSL if they so desire. Personally, I would just run the whole site 
behind SSL by default and redirect all non SSL requests to the ssl 
version. Overhead is minimal to say the least and you get a lot of 
benefits. It can solve issues of running say Varnish cache in front of 
drupal not working properly because of ssl as well.



On Fri 28 Jun 2013 14:51:59, Alan McGinlay wrote:

This should do the trick:

ListenHTTP
    Address IPADDR
    Port    80
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        # \? matches a literal question mark; a bare ? would make the n optional
        URL "/Login\?user.*"
        Redirect 301 "https://mywebsite.com"
    End
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        BackEnd
            Address yournormalbackend
            Port    80
        End
    End
End
ListenHTTPS
    Address IPADDR
    Port    443
    Cert    "/etc/ssl/certs/cert.pem"
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        URL "/Login\?user.*"
        BackEnd
            Address yournormalbackend
            Port    80
        End
    End
End


That won't cover users trying to browse the rest of your site with
https enabled, add another service for that.




On 2013-06-28 14:08, PIEUX Emmanuel wrote:

Good morning,

I have a website to publish with Pound in http (ie
http://mywebsite.com).

I’d like the authentication page
(http://mywebsite.com/authentication/Login?user) be published in https,
and only this page.

How could I do that with Pound (and is it possible…)?

Sincerely

Emmanuel Pieux

Emmanuel PIEUX – Information Systems Security Manager
Chambre de Commerce et d'Industrie de Grenoble
1, place André Malraux - BP 297
38016 GRENOBLE CEDEX 1
T. 04 76 70 64 06 – M. 06 22 96 19 63
www.grenoble.cci.fr





Re: [Pound Mailing List] How to publish one page in https, the others in http

2013-06-28 Thread Alan McGinlay

This should do the trick:

ListenHTTP
    Address IPADDR
    Port    80
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        # \? matches a literal question mark; a bare ? would make the n optional
        URL "/Login\?user.*"
        Redirect 301 "https://mywebsite.com"
    End
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        BackEnd
            Address yournormalbackend
            Port    80
        End
    End
End
ListenHTTPS
    Address IPADDR
    Port    443
    Cert    "/etc/ssl/certs/cert.pem"
    Service
        HeadRequire "^Host:\s*mywebsite.com.*"
        URL "/Login\?user.*"
        BackEnd
            Address yournormalbackend
            Port    80
        End
    End
End


That won't cover users trying to browse the rest of your site with https 
enabled, add another service for that.





On 2013-06-28 14:08, PIEUX Emmanuel wrote:

Good morning,

I have a website to publish with Pound in http (ie http://mywebsite.com).

I’d like the authentication page
(http://mywebsite.com/authentication/Login?user) be published in https,
and only this page.

How could I do that with Pound (and is it possible…)?

Sincerely

Emmanuel Pieux

Emmanuel PIEUX – Information Systems Security Manager
Chambre de Commerce et d'Industrie de Grenoble
1, place André Malraux - BP 297
38016 GRENOBLE CEDEX 1
T. 04 76 70 64 06 – M. 06 22 96 19 63
www.grenoble.cci.fr





Re: [Pound Mailing List] Too many redirects

2013-06-19 Thread Alan McGinlay
Hmm, I'm not awesome at spotting that kind of issue (sounds like one of 
those things you stare at for hours before noticing something really 
obvious :) )


A good start would be to enable redirect logging in Apache as this will 
tell you exactly what is going on:


RewriteLog "/var/log/apache/rewrite.log"
# higher numbers give more info, 5 is a good start
RewriteLogLevel 5


Also, have you tried watching the headers during the requests? I use 
firefox extension "live http headers" really great for finding this kind 
of issue.


https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

Chrome has something similar but it's not as good.

My personal preference is to do those simple redirects in Pound, as you 
are now doing, as it saves a pointless request to the backend.


Unfortunately Pound doesn't support paths in the destination 
(url.com/path.html -> url.com/newpath.html) or I would use it for all my 
redirects.


/A

On 2013-06-19 10:03, Martijn de Dood wrote:

I've setup pound on my Debian Squeeze server (pound package from the
repository 2.5-1) with the following config:

## Minimal sample pound.cfg
##
## see pound(8) for details

##
## global options:

User      "www-data"
Group     "www-data"
#RootJail "/chroot/pound"

## Logging: (goes to syslog by default)
##  0  no logging
##  1  normal
##  2  extended
##  3  Apache-style (common log format)
LogLevel  0

## check backend every X secs:
Alive     30

## use hardware-acceleration card supported by openssl(1):
#SSLEngine ""

# poundctl control socket
Control "/var/run/pound/poundctl.socket"


##
## listen, redirect and ... to:

## redirect all requests on port 8080 ("ListenHTTP") to the local webserver (see "Service" below):
ListenHTTP
    Address 111.111.111.111 # My external IP
    Port    80

    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP   0

    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
    End
End


Apache is running on localhost port 80.
When I visit my site via mysite.com all goes well. However when visiting
my site via www.mysite.com the browser replies with too many redirects.

The website on Apache has a .htaccess file which does the redirect from
www.mysite.com to mysite.com

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]


If I setup nginx as a reverse proxy I don't get too many redirects when
requesting www, but I don't want nginx I like Pound more.
What could cause the problem of the loop?

I made a fix with this:

Service
    HeadRequire "^Host: www.mysite.com$"
    Redirect 301 "http://mysite.com"
End

But I would like to know why the loop occurs and if there is another
solution.







Re: [Pound Mailing List] Current development status

2013-06-19 Thread Alan McGinlay
I haven't posted much to the list so far but have tried to help out 
once or twice when I know the answer to a question, and have had 
questions of my own.. all of which have been answered. I also started a 
Puppet module a while back which I am using in production, it has more 
added to it than the one I announced before and needs a  bit of polish, 
I will try and get it in a nice enough state to show.


Overall, Pound *rocks* it's one of a few pieces of Free Software which 
truly shine, it does exactly what it's supposed to do and it does it 
exceptionally well.


+1 for github

On Tue 18 Jun 2013 17:35:00, Joe Gooch wrote:

Seems like I didn't have to chime in. :)

Robert Segall is the maintainer... I haven't heard from him in awhile; I know 
his life is very busy.  He has put out v2.7b which is the next beta branch.

I maintain a github project with the source code at 
http://github.com/goochjj/pound/  Branches of note would be what Andreas posted 
from the prior thread, reposted here:

My suggestion to anyone who needs PCI-DSS compliance is to run my branch here:
https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b

Zip here: https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip

This is based on 2.7b, and includes a bunch of patches that I usually include
in pound, to do things like SNI, CertDir includes, IncludeDir, PCRE redirects,
etc.


If you don't feel comfortable running a 2.7 branch, or don't want to include
those patches, I've rolled a new branch:
https://github.com/goochjj/pound/tree/pcidss/v2.6
Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip

Which includes only the XSRF, SSLv2, SSL compression and cipher enhancements
against a 2.6 baseline.




My overall goal for Pound is I feel it's a great product that does exactly what 
it's designed to do, no less, no more.  It's stable and I use it in multiple 
production environments for load balancing and SSL termination.  Any features 
it hasn't been able to do, I've added over the years.

It's also a product I'd like to see in continued use, and so I like to help out 
where I can, adding features, applying patches, keeping things secure (i.e. SSL 
fixes and such).  That's why I maintain my branches... Because I see the merit 
and I want to be sure people using pound are covered.

I'd love to see Pound gain more community support... perhaps moving to github 
as a primary distro, getting 2.7 polished and out the door and a bunch of 
things... Right now Robert's the only one we can make those sorts of 
decisions... and there are some bits that aren't available in releases that 
would need to be checked in. (things like the autoconf script source)   I am by 
no means the only contributor and it'd be great to wrap more people around the 
project.

As far as support, there are many people on this list who are active with 
config/production questions as well as code level support, so this project is 
very much alive. :)


Joe





-Original Message-
From: Andreas Hilboll [mailto:li...@hilboll.de]
Sent: Tuesday, June 18, 2013 9:09 AM
To: pound@apsis.ch
Cc: Scott McKeown
Subject: Re: [Pound Mailing List] Current development status

Hi,

Joe stated the links to updated  2.6 and 2.7 branches in this thread:


http://www.apsis.ch/pound/pound_list/archive/2013/2013-04/136765000/index_html

Cheers, Andreas.


On 18.06.2013 14:55, Scott McKeown wrote:

Hi Peter,

Welcome to Pound.

I'm sure that Joe will jump in at some stage with more details but we
use Pound ourselves and you can find that the community is quite
active and supportive.

Patches and fixes are normally found being posted to this list which
if you know some basic Unix commands and you don't mind building
Pound from source yourself you can have quite an efficient and productive
SSL Terminator at your disposal.

If memory serves me correctly Joe does keep a fork somewhere but I
don't know where it is.

However, once again welcome to the group.


~Scott



On 18 June 2013 13:45, Peter Shaw <unthough...@googlemail.com> wrote:

 Hi pound users and developers.
 I just want to know if there is an active development on the pound
 project. Or is the last Date in 2.6 (2010) the last and final commit?

 is this group active? and may i get help if i ran my production farm
 with pound.

 Thanks a lot,
 ps





--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org




Re: [Pound Mailing List] Re: restarting pound with new config and session affinity (dynamically add a backend server)

2013-06-17 Thread Alan McGinlay
This previous thread from 2007 touches on the subject with some good 
advice:


http://www.apsis.ch/pound/pound_list/archive/2007/2007-09/118968985

Kristine, you mean like in most init scripts? Poundctl doesn't have 
"reload" as an option so neither does the init script (afaik)


/a

On Mon 17 Jun 2013 16:50:25, Kristine N. Putnam wrote:

Have you tried using the "reload" command instead of "restart"? -Kristine


*From: *"Brad Allison" 
*To: *pound@apsis.ch
*Sent: *Monday, June 17, 2013 10:39:29 AM
*Subject: *[Pound Mailing List] Re: restarting pound with new config
and session affinity (dynamically add a backend server)

Hello?  Is this thing on?  Someone hijacked my thread... but didn't
answer my questions...


On Mon, Jun 10, 2013 at 12:53 PM, Brad Allison <brad.alli...@gmail.com> wrote:

We use session affinity that pound offers (Type=Header, ID=Host).

But if we restart pound everyone goes to a different backend
server than the one they had affinity for.

1- Now, we want to dynamically add a new pound server to the pound
configuration, but we don't want to restart pound because again,
everyone would be logged off our product if we did that.

So how do we dynamically add in a new backend server without
restarting pound?

2- Same question except this time removing a backend server.  How
do I remove a backend server from pound without restarting pound
and losing all the session affinity?

-brad







Re: [Pound Mailing List] Defining multiple URL patterns in a Service

2013-01-30 Thread Alan McGinlay - SICS

On 2013-01-30 18:40, Andreas Hilboll wrote:

Hi,

on my pound 2.6-2, I would like to define multiple URL patterns in a
service. The manpage says it's possible:

   You may define multiple URL conditions per service.

However, in a service like this, none of the three patterns seems to
kick in:

  Service
    URL "^/services/ddEmissionService"
    URL "^/services/bbEmissionService2"
    URL "^/services/ccEmissionService3"
    BackEnd


In order to redirect URL's to a specific backend I am using the 
following:


Service
  HeadRequire "^Host:\s*www.domain.com.*"
  URL "/~.*"
  BackEnd
    Add... etc

This will redirect any ~user directories (Apache UserDir's) to a 
specific backend.


For me this works very well, perhaps you have specified the URL 
matching after another service that also matches (so it never reaches 
your URL match).


/A



Re: [Pound Mailing List] HTTP Listen Address as variable?

2013-01-25 Thread Alan McGinlay

On 2013-01-25 13:19, Pat Erler wrote:

hi,

we like to have a pound server on standby in case the live server fails.
problem is, that we can't keep the pound.cfg centralized as the
HTTP/HTTPS Listen -> Address line is server specific.

is there a way to fill this variable with the `hostname` for instance?

regards,

PAT

--
*Pat Erler*
Gtalk/G+: per...@gmail.com 
Skype: pat_erler


I am not actually sure if pound supports exactly what you are looking 
for. One alternative would be to use a virtual IP address:


http://en.wikipedia.org/wiki/Virtual_IP_address

I have done this in my previous job and it worked very well (although it 
wasn't with pound). YMMV!


/A



[Pound Mailing List] HSTS implementation in Pound

2013-01-21 Thread Alan McGinlay

Hi,

I am just reading up on HSTS (HTTP Strict Transport Security) and notice 
that there is nothing (that I can find) that mentions using it with pound.


From what I have read, it is basically as difficult as setting a 
response header "Strict-Transport-Security", with max-age=desired-age as 
a value, inside an https listener.


Is this a correct assumption, is that really enough to implement HSTS 
when using a valid certificate or might it require changes on the 
backend servers as well?


I guess the pound config should include something like this line:

AddHeader "Strict-Transport-Security:max-age=31536000"


/A
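
A check for the header as the browser would see it, added here as an example and not part of the original post: pound(8) describes AddHeader as adding a header to the request passed to the back-end, so what matters is whether `Strict-Transport-Security` actually arrives on HTTPS responses. The parser follows RFC 6797; the function names and sample headers are constructed for illustration.

```python
import re

# Added example. Header samples further down are constructed, not captured traffic.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}. Raises ValueError
    for values a browser is told to ignore.
    Simplification: quoted values containing ';' are not handled.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, eq, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if not _TOKEN.fullmatch(name):
            raise ValueError("malformed directive: %r" % part)
        if name in directives:
            raise ValueError("directive repeated: " + name)
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]  # the quoted-string form is allowed
        directives[name] = arg if eq else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age missing or not a number")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
    }


def check_response(scheme, headers):
    """Classify one response; headers is a list of (name, value) in wire order.

    Returns (status, detail); status is one of "enforced", "cleared",
    "missing", "invalid", "ignored", "not-applicable".
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        if values:
            return ("ignored", "header on plain HTTP is disregarded by browsers")
        return ("not-applicable", "plain HTTP response")
    if not values:
        return ("missing", "no Strict-Transport-Security header on HTTPS response")
    try:
        policy = parse_sts(values[0])  # only the first header field is processed
    except ValueError as exc:
        return ("invalid", str(exc))
    if policy["max_age"] == 0:
        return ("cleared", "max-age=0 tells the browser to forget the policy")
    return ("enforced", "max-age=%d includeSubDomains=%s"
            % (policy["max_age"], policy["include_subdomains"]))


if __name__ == "__main__":
    # Constructed responses: (scheme, headers)
    samples = [
        ("https", [("Strict-Transport-Security", "max-age=31536000")]),
        ("https", [("Content-Type", "text/html")]),
        ("http", [("Strict-Transport-Security", "max-age=31536000")]),
        ("https", [("strict-transport-security", "includeSubDomains")]),
    ]
    for scheme, headers in samples:
        print(scheme, check_response(scheme, headers))
```

Feed it the response headers seen through the HTTPS listener and through the plain HTTP listener; only an "enforced" result on HTTPS means browsers will apply the policy.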



Re: [Pound Mailing List] Set backend for Apache "userdir"s

2013-01-09 Thread Alan McGinlay

On 2013-01-08 18:58, Robert Segall wrote:

On Mon, 2013-01-07 at 16:11 +0100, Alan McGinlay wrote:

Hi,

I am trying to find a good way to redirect example.com/~username to a
specific backend (which will run apache and nfs mounted home
directories) in order to keep users public_html and nfs mounts off of
our main webserver.

We also have multiple domains pointing at the same backend but I would
like the userdirs to only be available via one of them so that
example.com/~bob works but otherexample.com/~bob does not.

So far I have this:

Service
    HeadRequire "^Host:\s*www.example.se.*"
    URL "/~*"
    BackEnd
        Address userdirhost
        Port    80
    End
    Emergency
        Address localhost
        Port    9090
    End
End

Followed by:

Service
    HeadRequire "^Host:\s*www.example.se.*"
    BackEnd
        Address standardbackend
        Port    81
    End
    Emergency
        Address localhost
        Port    9090
    End
End

However, although this allows the userdir to work, it also completely
breaks the second entry..


Any advice?

Thanks,

Alan



Replace your URL with "/~.*" and in the header use " *" rather than
"\s".



Great! The fixed regex worked, thanks!

I didn't need to adjust the header though, what is the thought behind 
using " *" rather than "\s"?


/Alan
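
Why `/~*` broke the second service and `/~.*` fixed it, as an added example that is not part of the thread: a small model of service selection, assuming services are tried in file order and patterns are searched unanchored, with Python's `re` standing in for the POSIX regexes Pound uses. The probe URLs, their expected routing and the anchored `^/~` variant are constructed for illustration; the last lines show the related unescaped `?` pitfall in a pattern like `/Login?user.*`.

```python
import re

# Added example: a model of how a request is matched to a Service.
# Assumptions: first service whose HeadRequire and URL both match wins;
# patterns are unanchored searches; Python's re agrees with POSIX regexes
# for the simple patterns used here.

HOST_RE = r"^Host:\s*www.example.se.*"   # HeadRequire from the thread


def pick_service(services, host, url):
    """Return the name of the first service matching host and url, else None."""
    header = "Host: " + host
    for name, head_require, url_pattern in services:
        if head_require and not re.search(head_require, header, re.IGNORECASE):
            continue
        if url_pattern and not re.search(url_pattern, url):
            continue
        return name
    return None


def misroutes(services, probes):
    """Return probes that landed on the wrong service.

    probes: list of (host, url, expected_service).
    Result: list of (host, url, expected, actual).
    """
    bad = []
    for host, url, expected in probes:
        actual = pick_service(services, host, url)
        if actual != expected:
            bad.append((host, url, expected, actual))
    return bad


# As first posted: "/~*" is "/" followed by zero or more "~", so every URL
# matches and the second service is never reached.
AS_POSTED = [("userdir", HOST_RE, r"/~*"), ("standard", HOST_RE, None)]
# With the corrected pattern from the reply.
CORRECTED = [("userdir", HOST_RE, r"/~.*"), ("standard", HOST_RE, None)]
# Anchored variant (not from the thread): only URLs that begin with "/~".
ANCHORED = [("userdir", HOST_RE, r"^/~"), ("standard", HOST_RE, None)]

# Constructed probe requests with the routing the poster described wanting.
PROBES = [
    ("www.example.se", "/", "standard"),
    ("www.example.se", "/index.html", "standard"),
    ("www.example.se", "/~bob", "userdir"),
    ("www.example.se", "/~bob/notes.html", "userdir"),
    ("www.example.se", "/files/~backup", "standard"),
    ("www.otherexample.se", "/~bob", None),
]

# Related pitfall: an unescaped "?" is a quantifier, not a literal character.
LOGIN_URL = "/authentication/Login?user"
LOGIN_UNESCAPED = [("login", None, r"/Login?user.*")]
LOGIN_ESCAPED = [("login", None, r"/Login\?user.*")]

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED),
                       ("corrected", CORRECTED),
                       ("anchored", ANCHORED)):
        print(label)
        for row in misroutes(cfg, PROBES):
            print("  misrouted:", row)
    print("unescaped ?:", pick_service(LOGIN_UNESCAPED, "mywebsite.com", LOGIN_URL))
    print("escaped \\?:", pick_service(LOGIN_ESCAPED, "mywebsite.com", LOGIN_URL))
```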



Re: [Pound Mailing List] Proxy a request to new URL

2013-01-08 Thread Alan McGinlay

Hi,

This is not a feature supported by pound.

Assuming you are using Apache, you can use rewrites as follows:

RewriteRule ^old/(.*)/$ http://example.com/new/app/$1 [R=301,L]

/Alan

On Tue 8 Jan 2013 17:37:03, Derr, Alex wrote:

Hi,

I am attempting to proxy some image files from an old URL to the new
while redirecting the old URL to the new. See below:

Old URL: example.com/old/images/image.gif

New URL: example.com/*new/app/*images/image.gif

This configuration:

Service
    URL "^/old.*"
    Redirect "https://example.com/new/app"
End

Only redirects me to the home page of the new URL
(https://example.com/new/app), and the end of the URI
(/images/image.gif) is lost.

How can I get pound to redirect to the new URL and keep the end of the
URI string?

Thanks!

Alex





Re: [Pound Mailing List] Set backend for Apache "userdir"s

2013-01-08 Thread Alan McGinlay

On 2013-01-07 16:11, Alan McGinlay wrote:

Hi,

I am trying to find a good way to redirect example.com/~username to a
specific backend (which will run apache and nfs mounted home
directories) in order to keep users public_html and nfs mounts off of
our main webserver.

We also have multiple domains pointing at the same backend but I would
like the userdirs to only be available via one of them so that
example.com/~bob works but otherexample.com/~bob does not.

So far I have this:

Service
    HeadRequire "^Host:\s*www.example.se.*"
    URL "/~*"
    BackEnd
        Address userdirhost
        Port    80
    End
    Emergency
        Address localhost
        Port    9090
    End
End

Followed by:

Service
    HeadRequire "^Host:\s*www.example.se.*"
    BackEnd
        Address standardbackend
        Port    81
    End
    Emergency
        Address localhost
        Port    9090
    End
End

However, although this allows the userdir to work, it also completely
breaks the second entry..


Any advice?

Thanks,

Alan



I found the following similar question on the archives:

http://www.apsis.ch/pound/pound_list/archive/2009/2009-03/1236583386000

However it doesn't seem to work (ldd shows pound compiled against pcre 
libs).


with the original configuration i posted, browsing to site.com/ 
redirects to the userdir server and gives a 404. Browsing to 
site.com/~user does NOT redirect to the userdir server and gives a 404 
generated on the normal webserver but if i add a trailing slash to that 
url then it redirects to the userdir server correctly and shows the 
users content..


Not sure what the heck is going on here or how to debug it :(



[Pound Mailing List] Set backend for Apache "userdir"s

2013-01-07 Thread Alan McGinlay

Hi,

I am trying to find a good way to redirect example.com/~username to a 
specific backend (which will run apache and nfs mounted home 
directories) in order to keep users public_html and nfs mounts off of 
our main webserver.


We also have multiple domains pointing at the same backend but I would 
like the userdirs to only be available via one of them so that 
example.com/~bob works but otherexample.com/~bob does not.


So far I have this:

Service
    HeadRequire "^Host:\s*www.example.se.*"
    URL "/~*"
    BackEnd
        Address userdirhost
        Port    80
    End
    Emergency
        Address localhost
        Port    9090
    End
End

Followed by:

Service
    HeadRequire "^Host:\s*www.example.se.*"
    BackEnd
        Address standardbackend
        Port    81
    End
    Emergency
        Address localhost
        Port    9090
    End
End

However, although this allows the userdir to work, it also completely 
breaks the second entry..



Any advice?

Thanks,

Alan



Re: [Pound Mailing List] Puppet pound module

2012-09-27 Thread Alan McGinlay

Hi,

Now that I have been working with pound a little I have realised that my 
puppet module is overly focused on my own use case (and not very well at 
that).


I would like to make it usable for alternative scenarios and how I split 
up the module code depends on what sort of range of use cases there are 
out there. It would be really awesome if I could see some different 
config examples from real world sites using pound.


I think my own use case is one of the more common ones but it's still 
only using a tiny bit of the features of pound and the rest aren't 
currently covered by the module at all.


If you could send me some example configs I would really appreciate it. 
I will update the module to cover as many as possible and if your site 
is using puppet then it can only benefit you :)


/A

On 2012-09-25 13:15, Alan McGinlay wrote:

Hi,

I have created a Puppet module for the Pound service. It is both my
first attempt at a puppet module and also the first time I have
seriously used Pound.

https://github.com/mrintegrity/puppet-pound

It is pretty basic at the moment but covers the most basic usage
requirements. I would really love to get some feedback and suggestions
for new features.

Thanks,

Alan



Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane

2012-09-27 Thread Alan McGinlay

Fixed! thanks for the link, it put me on the right track.

All that was required was to concatenate the key, the crt and output a 
.pem file which i put in the ssl store and referenced it from pound.cfg.


I also ran "update-ca-certificates --verbose --fresh"

And restarted pound, success! This is just a test, the live site will 
use a "real" ssl cert.


Thanks,

Alan

On 2012-09-27 11:57, Scott McKeown wrote:

Hi Alan,
I'm sure that you will need to include the Private Key Chain in your PEM
file to resolve this error.

Have a look at http://www.digicert.com/ssl-support/pem-ssl-creation.htm
which shows the different ways of creating the PEM file.

Although now that I think about it, I don't remember if I had to include
this in mine the last time I created a Self Signed certificate so I
could be wrong on the self signed front. However, I would recommend the
full PEM file when you go live.


~Scott


On 27 September 2012 10:16, Alan McGinlay <al...@sics.se> wrote:

Hi All,

I have been getting this error now no matter what I do when trying
to set up an HTTPS listener with a self signed cert.

"/etc/pound/pound.cfg line 56: SSL_CTX_use_PrivateKey_file failed -
aborted"

I have generated the ssl cert in myriad different ways, always with
the same result. I have tried with pound 2.5 and 2.6 (from ubuntu
precise and quantal respectively) but there is no change! The
certificates test ok with the openssl command line so I am at a
complete loss!

Most of the info I have found on the net is from a few years back,
could this be a new bug?

pound.cfg listeners:

ListenHTTP
    Address 199.10.64.8
    Port    80
    #Cert   "/etc/ssl/certs/server.crt"
    Service
        HeadRequire "Host:.*redneck001-ext.example.se.*"
        BackEnd
            Address localhost
            Port    81
        End
    End

END

ListenHTTPS
    Address 193.10.64.8
    Port    443
    Cert    "/etc/ssl/certs/redneck001-ext.example.se.cert"
    Service
        HeadRequire "Host:.*redneck001-ext.example.se.*"
        BackEnd
            Address localhost
            Port    81
        End
    End
End

Please help!

/Alan





--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org





[Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane

2012-09-27 Thread Alan McGinlay

Hi All,

I have been getting this error now no matter what I do when trying to 
set up an HTTPS listener with a self signed cert.


"/etc/pound/pound.cfg line 56: SSL_CTX_use_PrivateKey_file failed - aborted"

I have generated the ssl cert in myriad different ways, always with the 
same result. I have tried with pound 2.5 and 2.6 (from ubuntu precise 
and quantal respectively) but there is no change! The certificates test 
ok with the openssl command line so I am at a complete loss!


Most of the info I have found on the net is from a few years back, could 
this be a new bug?


pound.cfg listeners:

ListenHTTP
    Address 199.10.64.8
    Port    80
    #Cert   "/etc/ssl/certs/server.crt"
    Service
        HeadRequire "Host:.*redneck001-ext.example.se.*"
        BackEnd
            Address localhost
            Port    81
        End
    End

END

ListenHTTPS
    Address 193.10.64.8
    Port    443
    Cert    "/etc/ssl/certs/redneck001-ext.example.se.cert"
    Service
        HeadRequire "Host:.*redneck001-ext.example.se.*"
        BackEnd
            Address localhost
            Port    81
        End
    End
End

Please help!

/Alan



Re: [Pound Mailing List] redirect to holding page?

2012-09-25 Thread Alan McGinlay

You are probably looking for the "Emergency Backend" feature:

Emergency
Directives enclosed between an Emergency and the following End 
directives define an emergency back-end server (see below for details). 
You may define only one emergency server per service, which Pound will 
attempt to use if all backends are down.


^ from the manpage.

/A

On 2012-09-25 14:25, mark hardwick wrote:

Hi all
I've had a look in the docs but can't see this.

Is it possible for pound to redirect to a holding page (on some "other" server) 
if all web servers in a service are down?

Cheers
Mark.




Re: [Pound Mailing List] Puppet pound module

2012-09-25 Thread Alan McGinlay
Thanks! I will put that in as a feature for the next version, it is 
definitely possible.


If you manage a reasonably sized environment, puppet is a godsend 
(albeit with quite a lot of up front work).


Should I top post to this list?

/A

On 2012-09-25 13:33, Scott McKeown wrote:

Hi Alan,
I've never used Puppet myself but from just a quick look at what you
have done this looks like a great start.
One thing I will say though and I don't know if it is possible or not is
the option to select where the pound.cfg file is located as on most of
my servers I have moved it from its normal '/etc/pound/pound.cfg' location

~Yours,
Scott


On 25 September 2012 12:15, Alan McGinlay <al...@sics.se> wrote:

Hi,

I have created a Puppet module for the Pound service. It is both my
first attempt at a puppet module and also the first time I have
seriously used Pound.

https://github.com/mrintegrity/puppet-pound

It is pretty basic at the moment but covers the most basic usage
requirements. I would really love to get some feedback and
suggestions for new features.

Thanks,

Alan





--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org





[Pound Mailing List] Puppet pound module

2012-09-25 Thread Alan McGinlay

Hi,

I have created a Puppet module for the Pound service. It is both my 
first attempt at a puppet module and also the first time I have 
seriously used Pound.


https://github.com/mrintegrity/puppet-pound

It is pretty basic at the moment but covers the most basic usage 
requirements. I would really love to get some feedback and suggestions 
for new features.


Thanks,

Alan
