Re: [Pound Mailing List] Correct use of Threads for Pound 2.7

2017-05-08 Thread Scott McKeown
 Perdue  wrote:
>>
>> All I get is Version 2.0
>>
>> Exiting…
>>
>>
>>
>> *From:* Aaron West [mailto:aa...@loadbalancer.org]
>> *Sent:* Wednesday, May 03, 2017 3:54 PM
>> *To:* wper...@valcom.com; pound@apsis.ch
>>
>>
>> *Subject:* Re: [Pound Mailing List] Correct use of Threads for Pound 2.7
>>
>>
>>
>> Can I also compare the output of "pound -V", mine shows:
>>
>>
>>
>> starting...
>>
>> detect_tproxy(): tproxy is is detected
>>
>> tproxy: available
>>
>> Version 2.7
>>
>>   Configuration switches:
>>
>> --enable-cert1l
>>
>> --with-ssl=/usr/src/binaries/OpenSSL_1_0_1q-no_march/usr/local/
>>
>> --with-maxbuf=4096
>>
>> --with-dh=2048
>>
>> Exiting...
>>
>>
>>
>> My config looks like this:
>>
>>
>>
>> User "nobody"
>> Group "nobody"
>> LogLevel 0
>> Client 30
>> Timeout 60
>> Threads 4000
>>
>> ListenHTTPS
>> # Label: TEST
>> Address 172.16.200.114
>> Port 443
>> Cert "/etc/loadbalancer.org/certs/server.pem"
>> ReWriteLocation 1
>> Ciphers "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256!RC4:!MD5:!aNULL:!EDH:!3DES"
>> SSLHonorCipherOrder 1
>> SSLAllowClientRenegotiation 0
>> Disable SSLv2
>> Disable SSLv3
>> Disable TLSv1
>> Service
>> BackEnd
>> Address 172.16.200.108
>> Port 80
>> End
>> End
>> End
>>
>>
>> Aaron West
>>
>>
>>
>> Loadbalancer.org Limited
>>
>> +44 (0)330 380 1064 <0330%20380%201064>
>> www.loadbalancer.org
>>
>>
>>
>> On 3 May 2017 at 20:19, Warren Perdue  wrote:
>>
>> Hey Aaron,
>>
>>
>>
>> Thank you for responding to my email. I am trying to limit the number of
>> threads to fewer than 10. I am working on a new protocol and Pound is my
>> encryption and decryption software. I have not touched “ulimit –n” yet.
>> My config file is the simple config file.
>>
>>
>>
>> Threads 8
>>
>> TimeOut 5
>>
>> Grace 5
>>
>>
>>
>> ListenHTTPS
>>     Address 192.168.1.5
>>     Port 443
>>     Cert "/etc/pound/sign.pem"
>>     Service
>>         BackEnd
>>             Address 192.168.1.80
>>             Port 80
>>         End
>>     End
>> End
>>
>>
>>
>> For whatever reason, I cannot get ulimit –n to run, just like my Pound
>> 2.7 doesn’t recognize Threads, Alive, Grace and several other commands.
>> Pound is compiled and runs, recognizes the encryption and controls the
>> backend perfectly, and also handles both HTTP and HTTPS transfers to the
>> backend. It also will handle Pound PEMs and transfer cert information to my
>> OpenSSL as a second layer of encryption and security. But for whatever
>> reason my config will not recognize any of the global commands in this
>> link. So I am not sure what is going on, and I am not sure where to go from
>> here.
>>
>>
>>
>> https://linux.die.net/man/8/pound
>>
>> *From:* Aaron West [mailto:aa...@loadbalancer.org]
>> *Sent:* Wednesday, May 03, 2017 2:02 PM
>> *To:* pound@apsis.ch; wper...@valcom.com
>> *Subject:* Re: [Pound Mailing List] Correct use of Threads for Pound 2.7
>>
>>
>>
>> Sorry I mean "ulimit -n" not "unlimit...".
>>
>>
>> Aaron West
>>
>>
>>
>> Loadbalancer.org Limited
>>
>> +44 (0)330 380 1064 <0330%20380%201064>
>> www.loadbalancer.org
>>
>>
>>
>> On 3 May 2017 at 18:57, Aaron West  wrote:
>>
>> Hi Warren,
>>
>>
>>
>> Yes, I've had threads at about 4000 or so. I don't have a config to hand,
>> but I'm fairly sure you need to increase the ulimit to about twice the
>> desired threads and then simply add the Threads directive with a number and
>> you're set.
>>
>>
>>
>> Can we see your config and the output of "unlimit -n" for the user running
>> pound? Out of interest, I believe the default for pound is 128 without the
>> Threads directive even set.
>>
>>
>> Aaron West
>>
>>
>>
>> Loadbalancer.org Limited
>>
>> +44 (0)330 380 1064 <0330%20380%201064>
>> www.loadbalancer.org
>>
>>
>>
>> On 3 May 2017 at 16:22, Warren Perdue  wrote:
>>
>> Hey guys,
>>
>>
>>
>> Does anyone have an example of a pound.cfg properly using Threads?
>>
>> I have been trying to get my Thread limitation to work and Pound 2.7 does
>> like Threads 100 or any thread implementation. Have any of you used Pound’s
>> Thread command and if so did it work and if you could include an example of
>> the .cfg file utilizing Threads?
>>
>>
>>
>> Warren
>>
>> --
>>
>> Load balancer distribution - Open Source Project
>> http://www.zenloadbalancer.com
>> Distribution list (subscribe): zenloadbalancer-support@lists.
>> sourceforge.net
>>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] Pound failing SSL Labs tests

2016-08-19 Thread Scott McKeown
Hi Stefan,
Thanks, I was looking for Joe's link but couldn't find it.

I'll build that now and see what I get.

Thanks again.

On 19 August 2016 at 13:00, qutic development 
wrote:

>
> > Am 19.08.2016 um 11:57 schrieb Scott McKeown :
> >
> > I have just found out that for some very strange reason our build of
> Pound is failing the SSL Labs tests for:
> > DROWN attack & OpenSSL Padding Oracle vulnerability (CVE-2016-2107)
> > this is happening even after we have taken the steps to resolve the
> issue.
>
> We are using Joes branch and get an A+
>
> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.8a.zip
>
> - Stefan
> --
> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
> Please contact ro...@apsis.ch for questions.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


[Pound Mailing List] Pound failing SSL Labs tests

2016-08-19 Thread Scott McKeown
Hi Guys,
I have just found out that for some very strange reason our build of Pound
is failing the SSL Labs tests for:
DROWN attack & OpenSSL Padding Oracle vulnerability (CVE-2016-2107)
This is happening even after we have taken the steps to resolve the issue.

# pound -V
starting...
detect_tproxy(): tproxy is is detected
tproxy: available
Version 2.7
  Configuration switches:
--enable-cert1l
--with-ssl=/usr/local/bin/openssl
--with-maxbuf=4096
--with-dh=2048
Exiting...


# more /etc/pound/pound.cfg
User "nobody"
Group "nobody"
LogLevel 0
Client 30
Timeout 60

ListenHTTPS
# Label: pound1
Address 192.168.63.70
Port 443
Cert "/etc/loadbalancer.org/certs/server.pem"
ReWriteLocation 1
Ciphers "ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!RC4:!MD5:!aNULL:!EDH"
SSLHonorCipherOrder 1
SSLAllowClientRenegotiation 0
Disable SSLv2
Disable SSLv3
Disable TLSv1
Disable TLSv1_1
Service
BackEnd
Address 10.0.0.20
Port 80
End
End
End

# /usr/local/bin/openssl version
OpenSSL 1.0.1t  3 May 2016

Does anyone have any ideas on what I can do to try and resolve either of these
issues?

As a side note, we also have both STunnel and HAProxy with SSL enabled on
different servers and they all pass with an A+ rating; it's just Pound.

~Ta
Scott

-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] SSL Backend not responding after upgrade from 2.6 to 2.7

2015-10-27 Thread Scott McKeown
Hi Maciej,

If your backends are using HTTPS or a cert you should set the 'HTTPS' flag
in the backend section of your pound configuration file.

*HTTPS* [ "cert" ]: The back-end is using HTTPS. If the optional parameter
*cert* is specified, *Pound* will present this certificate to the back-end.


On 27 October 2015 at 14:17, Maciej Szeliga  wrote:

> Hi
>
> I've just upgraded our pound from ver. 2.6 to ver. 2.7
> After this upgrade we are not able to connect to an older SSLv3 backend
> with https
>
> pound.cfg has Disable SSL2 and Disable SSL3 statements but afaik this only
> affected the frontend.
>
> Is this a new feature (and is there a way to disable it) ?
>
> The backend is running with a "fake" certificate, not a self signed but
> signed by a nonexisting CA, it has however been working on pound ver. 2.6
>
> NB. The backend can't be reconfigured to run http easily.
>
>
> /Maciej -- To unsubscribe send an email with subject unsubscribe to
> pound@apsis.ch. Please contact ro...@apsis.ch for questions.




-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] Connection reset on non-SSL sites instead of presenting first SSL mentioned in configuration

2015-10-23 Thread Scott McKeown
Hello Freja,

HeadRequire should be what you need for this, but can you send us over a
quick example? It may just be the make-up of your required match value.



On 23 October 2015 at 14:37, Freja Borginger 
wrote:

> Hello,
>
>
>
> We’re hosting a bunch of both SSL and non-SSL enabled sites and we’re
> using pound for SSL-termination.
>
>
>
> The issue appears when someone visits a non-SSL enabled site by prepending
> https:// to the address.
>
> I’m expecting a connection reset or similar because this site doesn’t have
> SSL to begin with.
>
> But instead of that I get “This is an untrusted connection” in the browser
> and I see that pound serves up the first certificate it specified in the
> configuration.
>
>
>
> I tried adding HeadRequire in the Service section of the HTTPS section
> with all the SSL-enabled sites only, but it didn’t work as expected.
>
> If I understand it correctly those headers are sent encrypted, so they’re
> only sent after the encrypted connection has been fully established, and
> then it’s too late.
>
>
>
> I suppose this could only be done during the SNI negotiation phase when
> the server name is sent by the browser. Then I’d guess pound would check if
> the sent server name has a certificate. If it doesn’t then a connection
> reset or similar should happen.
>
>
>
> How would I achieve this? Or am I missing something?
>
>
>
> Thanks
>
>
>
> Freja Borginger
>
> IT
>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] Pound 2.7 and TProxy

2015-10-21 Thread Scott McKeown
Hi Everyone,

Right, we finally got this working, so for anyone who also wants to use
TProxy with Pound v2.7 the patch file is attached.


patch -i pound_2.7_with_tproxy.patch --verbose --ignore-whitespace




On 20 October 2015 at 16:19, Scott McKeown  wrote:

> Hi Joe,
>
> Thanks for the reply.
>
> Yes, TPROXY=1 is set when running the make command:
>
> make TPROXY=1
>
> However, we 'think' we may have found the issue now. After some more
> digging around it looks like I'm missing a section from within the config.c
> file to allow the TProxy directive to be understood, but I'm going to have
> another look tomorrow now.
>
> Likewise I'll do a git pull on your branch and give the 'IPTransparent'
> option a go.
>
>
> ~Scott
>
> On 20 October 2015 at 16:04, Joe Gooch  wrote:
>
>> Did you change TPROXY=1 in the Makefile? Looks like unless you do that,
>> it's not included.
>>
>> The other option I see is to use my version of a similar thing:
>>
>> https://github.com/goochjj/pound/commit/65e14aa8b52f9170f513399bfe430a1c66a9e34b
>>
>> Your kernel headers need to include the IP options, and then transproxy
>> works for ipv6 listeners, freebind for ipv4 listeners.
>> --
>> Joe
>>
>> Confidentiality Notice: This e-mail transmission may contain confidential
>> and legally privileged information that is intended only for the individual
>> named in the e-mail address. If you are not the intended recipient, you are
>> hereby notified that any disclosure, copying, distribution, or reliance
>> upon the contents of this e-mail message is strictly prohibited. If you
>> have received this e-mail transmission in error, please reply to the
>> sender, so that proper delivery can be arranged, and please delete the
>> message from your mail box.
>>
>>
>>
>> Joseph Gooch
>>
>> www.sapphirek12.org | office: (866) 366-9540
>>
>>
>>
>> *CONFIDENTIALITY STATEMENT*
>>
>> *The documents and communication included in this email transmission may
>> contain confidential information.  All information is intended only for the
>> use of the above named recipient(s).  If you are not the named recipient,
>> you are NOT authorized to read, disclose, copy, distribute, or take any
>> action on the information and any action other than immediate delivery to
>> the named recipient is strictly prohibited. If you have received this email
>> in error, do NOT read the information and please immediately notify sender
>> by telephone and email and immediately delete this email.  If you are the
>> named recipient, you are NOT authorized to reveal any of this information
>> to any unauthorized person and are hereby instructed to delete this email
>> when no longer needed. *
>>
>> From: Scott McKeown 
>> Reply-To: "pound@apsis.ch" 
>> Date: Tuesday, October 20, 2015 at 5:25 AM
>> To: Pound Mailing List 
>> Subject: [Pound Mailing List] Pound 2.7 and TProxy
>>
>> Hello Everyone,
>>
>> I've finally got to admit defeat on getting this patch to work and I was
>> wondering if anyone out there could please give me a hand getting this to
>> work.
>>
>> I've attached the patch file for anyone to play with but what I'm trying
>> to do is get Unix TProxy to work with pound 2.7 again, the original version
>> of this patch has been working since pound v2.4.
>>
>> Anyhow, the patch compiles into the latest version but if you add "TProxy
>> 1" into the configuration you get an 'unknown directive' error.
>>
>>
>> *Config File:*
>> # cat /etc/pound/pound.cfg
>> # Pound configuration file generated by loadbalancer.org appliance
>> User "nobody"
>> Group "nobody"
>> LogLevel 0
>> Client 30
>> Timeout 60
>> Threads 250
>> TProxy 1
>>
>> ListenHTTPS
>> # Label: pound1
>> Address 192.168.63.59
>> Port 443
>> Cert "/etc/loadbalancer.org/certs/server.pem"
>> xHTTP 3
>> ReWriteLocation 1
>> Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
>> SSLHonorCipherOrder 1
>> SSLAllowClientRenegotiation 0
>> Disable SSLv2
>> Disable SSLv3
>> Service
>> BackEnd
>> Address 192.168.64.254

Re: [Pound Mailing List] Pound 2.7 and TProxy

2015-10-20 Thread Scott McKeown
Hi Joe,

Thanks for the reply.

Yes, TPROXY=1 is set when running the make command:

make TPROXY=1

However, we 'think' we may have found the issue now. After some more digging
around it looks like I'm missing a section from within the config.c file to
allow the TProxy directive to be understood, but I'm going to have another
look tomorrow now.

Likewise I'll do a git pull on your branch and give the 'IPTransparent'
option a go.


~Scott

On 20 October 2015 at 16:04, Joe Gooch  wrote:

> Did you change TPROXY=1 in the Makefile? Looks like unless you do that,
> it's not included.
>
> The other option I see is to use my version of a similar thing:
>
> https://github.com/goochjj/pound/commit/65e14aa8b52f9170f513399bfe430a1c66a9e34b
>
> Your kernel headers need to include the IP options, and then transproxy
> works for ipv6 listeners, freebind for ipv4 listeners.
> --
> Joe
>
>
> From: Scott McKeown 
> Reply-To: "pound@apsis.ch" 
> Date: Tuesday, October 20, 2015 at 5:25 AM
> To: Pound Mailing List 
> Subject: [Pound Mailing List] Pound 2.7 and TProxy
>
> Hello Everyone,
>
> I've finally got to admit defeat on getting this patch to work and I was
> wondering if anyone out there could please give me a hand getting this to
> work.
>
> I've attached the patch file for anyone to play with but what I'm trying
> to do is get Unix TProxy to work with pound 2.7 again, the original version
> of this patch has been working since pound v2.4.
>
> Anyhow, the patch compiles into the latest version but if you add "TProxy
> 1" into the configuration you get an 'unknown directive' error.
>
>
> *Config File:*
> # cat /etc/pound/pound.cfg
> # Pound configuration file generated by loadbalancer.org appliance
> User "nobody"
> Group "nobody"
> LogLevel 0
> Client 30
> Timeout 60
> Threads 250
> TProxy 1
>
> ListenHTTPS
> # Label: pound1
> Address 192.168.63.59
> Port 443
> Cert "/etc/loadbalancer.org/certs/server.pem"
> xHTTP 3
> ReWriteLocation 1
> Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
> SSLHonorCipherOrder 1
> SSLAllowClientRenegotiation 0
> Disable SSLv2
> Disable SSLv3
> Service
> BackEnd
> Address 192.168.64.254
> Port 80
> TProxy 1
> End
> End
> End
>
>
> *Start Up:*
> # /usr/local/sbin/pound
> starting...
> detect_tproxy(): tproxy is is detected
> tproxy: available
> /etc/pound/pound.cfg line 8: unknown directive - aborted
>
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


[Pound Mailing List] Pound 2.7 and TProxy

2015-10-20 Thread Scott McKeown
Hello Everyone,

I've finally got to admit defeat on getting this patch to work and I was
wondering if anyone out there could please give me a hand getting this to
work.

I've attached the patch file for anyone to play with but what I'm trying to
do is get Unix TProxy to work with pound 2.7 again, the original version of
this patch has been working since pound v2.4.

Anyhow, the patch compiles into the latest version but if you add "TProxy
1" into the configuration you get an 'unknown directive' error.


*Config File:*
# cat /etc/pound/pound.cfg
# Pound configuration file generated by loadbalancer.org appliance
User "nobody"
Group "nobody"
LogLevel 0
Client 30
Timeout 60
Threads 250
TProxy 1

ListenHTTPS
# Label: pound1
Address 192.168.63.59
Port 443
Cert "/etc/loadbalancer.org/certs/server.pem"
xHTTP 3
ReWriteLocation 1
Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
SSLHonorCipherOrder 1
SSLAllowClientRenegotiation 0
Disable SSLv2
Disable SSLv3
Service
BackEnd
Address 192.168.64.254
Port 80
TProxy 1
End
End
End


*Start Up:*
# /usr/local/sbin/pound
starting...
detect_tproxy(): tproxy is is detected
tproxy: available
/etc/pound/pound.cfg line 8: unknown directive - aborted




-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


pound_2.7_tproxy.patch
Description: Binary data


Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream

2015-07-10 Thread Scott McKeown
Hi Mirek,

What version of pound are you using for this? We have as yet not been
able to get FS with pound...

On 10 July 2015 at 08:31, Miroslav Danek  wrote:

> Hi Rick,
>
> i used this one:
>
> Disable SSLv3
> SSLAllowClientRenegotiation 0
> SSLHonorCipherOrder 1
> Ciphers "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW"
>
> Result A with FS.
>
> regards
> Mirek
>
> On 10. 7. 2015, at 9:07, Scott McKeown  wrote:
>
> Hi Rick,
>
> Your current cipher list is very open; if you can, give this one a go and
> let us know the report status (we get an A- with no FS):
>
> EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS
>
> If you could also post a sanitised copy of your pound config file we can
> see what we can do for you.
>
>
>
>
> On 9 July 2015 at 22:55, Rick Smith  wrote:
>
>> I am running Pound 2.7f from
>> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
>>
>> I am also running openssl version 1.01p from Jul 9, 2015.
>>
>> I am trying to achieve a better ranking for our SSL support.
>>
>> I have been able to move up to a C rating but for some reason here are my
>> results.
>>
>> I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES
>> I enabled the Disable SSLv3 directive and I have the following also
>> enabled for the listener:
>>
>> SSLAllowClientRenegotiation 0
>> SSLHonorCipherOrder 1
>>
>> This is after much trial and error.  I thought that this upstream version
>> disabled TLS compression but it appears to still be active.
>>
>> Questions:
>>
>> 1)  How can I disable TLS compression?
>> 2)  Can I enable TLS 1.1 and 1.2?
>> 3)  How can I disable support for weak DH key exchanges?
>> 4)  Why isn't PFS enabled?  I assume the ciphers need fixing?
>>
>> Thanks,
>>
>> Rick
>>
>>
>> This server supports weak Diffie-Hellman (DH) key exchange parameters.
>> Grade capped to B.   MORE INFO » <https://weakdh.org/>
>> This server does not mitigate the CRIME attack
>> <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>.
>> Grade capped to C.
>> The server supports only older protocols, but not the current best TLS
>> 1.2. Grade capped to C.  MORE INFO »
>> <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported>
>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>> MORE INFO »
>> <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
>> The server does not support Forward Secrecy with the reference browsers.
>> MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy>
>>
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] Crime vulnerability on 2.7f upstream

2015-07-10 Thread Scott McKeown
Hi Rick,

Your current cipher list is very open; if you can, give this one a go and let
us know the report status (we get an A- with no FS):

EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS

If you could also post a sanitised copy of your pound config file we can
see what we can do for you.




On 9 July 2015 at 22:55, Rick Smith  wrote:

> I am running Pound 2.7f from
> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7f.zip
>
> I am also running openssl version 1.01p from Jul 9, 2015.
>
> I am trying to achieve a better ranking for our SSL support.
>
> I have been able to move up to a C rating but for some reason here are my
> results.
>
> I am using the following ciphers: RC4-SHA:HIGH:!ADH:!SSLv2:!AES
> I enabled the Disable SSLv3 directive and I have the following also
> enabled for the listener:
>
> SSLAllowClientRenegotiation 0
> SSLHonorCipherOrder 1
>
> This is after much trial and error.  I thought that this upstream version
> disabled TLS compression but it appears to still be active.
>
> Questions:
>
> 1)  How can I disable TLS compression?
> 2)  Can I enable TLS 1.1 and 1.2?
> 3)  How can I disable support for weak DH key exchanges?
> 4)  Why isn't PFS enabled?  I assume the ciphers need fixing?
>
> Thanks,
>
> Rick
>
>
> This server supports weak Diffie-Hellman (DH) key exchange parameters.
> Grade capped to B.   MORE INFO » <https://weakdh.org/>
> This server does not mitigate the CRIME attack
> <https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls>.
> Grade capped to C.
> The server supports only older protocols, but not the current best TLS
> 1.2. Grade capped to C.  MORE INFO »
> <https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported>
> This server accepts the RC4 cipher, which is weak. Grade capped to B.
> MORE INFO »
> <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
> The server does not support Forward Secrecy with the reference browsers.
> MORE INFO » <https://en.wikipedia.org/wiki/Forward_secrecy>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
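Most of the SSL Labs findings Rick quotes are properties of the Ciphers string (RC4 accepted, no forward secrecy); CRIME is about TLS compression and the weak-DH cap about the DH parameter size, so a cipher-string review cannot see those two. The following is an added example, not Pound's or OpenSSL's code: a static check over a Ciphers value that flags the suite families penalised in the thread and reports whether ECDHE/DHE is requested, run over the strings quoted above. It reasons about the tokens of the string only; the alias expansions it assumes (HIGH may contain 3DES, MEDIUM may contain RC4) follow OpenSSL 1.0.x and are reported as "may be included".

```python
"""Static review of an OpenSSL cipher string as used in Pound's Ciphers
directive.  Flags the suite families penalised in the SSL Labs reports
quoted in this thread (RC4, 3DES, MD5 MACs, export and NULL suites,
anonymous DH, Kerberos) and reports whether forward-secret key exchange
(ECDHE/DHE) is requested.

Added example, not Pound's or OpenSSL's code.  It applies OpenSSL's token
rules ("!" deletes permanently, "-" deletes until re-added) to the string
itself and does not expand aliases against a real OpenSSL build; what HIGH,
MEDIUM, ALL and DEFAULT may pull in follows OpenSSL 1.0.x behaviour.
"""
import re

# Canonical weak component -> spellings that denote it inside a token.
WEAK = {
    "RC4":   {"RC4"},
    "3DES":  {"3DES", "CBC3"},
    "DES":   {"DES"},                    # single DES; DES-CBC3-* is 3DES
    "MD5":   {"MD5"},
    "KRB5":  {"KRB5"},
    "EXP":   {"EXP", "EXPORT", "EXP40", "EXP56", "EXPORT40", "EXPORT56"},
    "LOW":   {"LOW"},
    "eNULL": {"ENULL", "NULL"},
    "aNULL": {"ANULL", "ADH", "AECDH"},
}
# Ephemeral key exchange families when named explicitly.
FS = {
    "ECDHE": {"ECDHE", "EECDH", "KEECDH", "KECDHE"},
    "DHE":   {"DHE", "EDH", "KEDH", "KDHE"},
}
# Aliases that contain ephemeral suites among others (ECDH and DH cover the
# ephemeral variants too); FS then depends on the server's preference order.
FS_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "ECDH", "DH"}
# Aliases that can expand to weak suites unless a "!" rule removes them.
ALIAS_MAY_INCLUDE = {
    "ALL":     {"RC4", "3DES", "MD5", "EXP"},
    "DEFAULT": {"RC4", "3DES", "MD5"},
    "MEDIUM":  {"RC4"},
    "HIGH":    {"3DES"},
}

def _classify(body):
    """Return (weak components, FS families, name parts) of one token body."""
    parts = set(re.split(r"[-+]", body.upper()))
    if parts & {"CBC3", "3DES"}:
        parts.discard("DES")             # triple DES, not single DES
    weak = {name for name, spell in WEAK.items() if parts & spell}
    fs = {name for name, spell in FS.items() if parts & spell}
    return weak, fs, parts

def check_cipher_string(cipher_string):
    """Return {"weak": {component: origin}, "forward_secrecy": level}.

    level is "explicit" when an ECDHE/DHE family is named and not deleted,
    "alias-only" when ephemeral suites can only arrive through an alias (the
    server then needs SSLHonorCipherOrder 1 and an order that prefers them
    for clients to actually get FS) and "none" otherwise.
    """
    tokens = [t for t in re.split(r"[:,\s]+", cipher_string.strip()) if t]
    killed, killed_fs = set(), set()
    for tok in tokens:                   # pass 1: "!" is permanent
        if tok.startswith("!"):
            w, f, _ = _classify(tok[1:])
            killed |= w
            killed_fs |= f
    weak, explicit_fs, alias_fs = {}, set(), False
    for tok in tokens:                   # pass 2: positive and "-" tokens in order
        if tok[0] in "!@":
            continue
        if tok.startswith("-"):
            w, f, _ = _classify(tok[1:])
            for name in w:
                weak.pop(name, None)
            explicit_fs -= f
            continue
        w, f, parts = _classify(tok.lstrip("+"))
        for name in w - killed:
            weak.setdefault(name, "explicit")
        explicit_fs |= f - killed_fs
        for alias in parts:
            for name in ALIAS_MAY_INCLUDE.get(alias, set()) - killed:
                weak.setdefault(name, "may be included via " + alias)
            alias_fs = alias_fs or alias in FS_ALIASES
    level = "explicit" if explicit_fs else "alias-only" if alias_fs else "none"
    return {"weak": weak, "forward_secrecy": level}

# Cipher strings quoted in this thread, with the grades their authors reported.
FROM_THREAD = {
    "Rick, grade C":    "RC4-SHA:HIGH:!ADH:!SSLv2:!AES",
    "Mirek, A with FS": "HIGH:!aNULL:!SSLv2:!ADH:!EXP:!eNULL:!RC4:MEDIUM:!LOW",
    "Scott, A- no FS":  "EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
                        "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:"
                        "RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS",
}

if __name__ == "__main__":
    for who, cipher_string in FROM_THREAD.items():
        print(who, "->", check_cipher_string(cipher_string))
```

Note that the check counts EECDH+ECDSA suites as explicit forward secrecy even though they are only selectable with an ECDSA certificate, which is one reason a list like Scott's can still report no FS on an RSA-certificate deployment.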


Re: [Pound Mailing List] SSL Parameter

2015-05-21 Thread Scott McKeown
I'm guessing that the SSLNoFragment & SSLNoCompression options didn't make
it into the latest build or got a name change.
You should be alright to remove these two options, as they do what the name
suggests.

I've not built a 2.7 version yet but it is on my to-do list.

On 21 May 2015 at 12:48, Daniel  wrote:

> Hi,
>
> I just updated it to:
>
> Version 2.7f
>   Configuration switches:
> --enable-cert1l
> --with-dh=2048
>
>
> But when I use these options
>
> DisableSSLv2 DisableSSLv3 SSLNoFragment 0 SSLNoCompression 1
>
> it shows this error: unknown directive
>
> thanks
>
>
>
> 2015-05-21 13:17 GMT+02:00 Scott McKeown :
>
>> Hi Daniel,
>>
>> First off, what version of Pound are you running?
>>
>> There were a few patch files written a while back that should resolve
>> most of these issues and if I remember correctly are in the latest build:
>>
>> Try adding the following options into your configuration file:
>> SSLHonorCipherOrder 1 SSLAllowClientRenegotiation 0 DisableSSLv2
>> DisableSSLv3 SSLNoFragment 0 SSLNoCompression 1
>>
>> You may also need to change your Cipher List to something like:
>>
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH
>>
>>
>>
>> On 21 May 2015 at 11:54, Daniel  wrote:
>>
>>> Hello,
>>>
>>> I just made a test via ssllabs.com, and I got a grade F for my SSL
>>> connection.
>>>
>>> The issues are:
>>>
>>> This server supports insecure Diffie-Hellman (DH) key exchange
>>> parameters. Grade set to F.
>>> This server supports 512-bit export suites and might be vulnerable to
>>> the FREAK attack. Grade set to F.
>>> This server is vulnerable to the POODLE attack. If possible, disable SSL
>>> 3 to mitigate. Grade capped to C.
>>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>>>
>>> My pound.cfg is this in the https section:
>>>
>>> ListenHTTPS
>>> HeadRemove "X-Forwarded-Proto"
>>> AddHeader "X-Forwarded-Proto: https"
>>> Address 0.0.0.0
>>> Port 443
>>> Cert "/etc/ssl/mydomain.com/mydomain.com.pem"
>>> Ciphers "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
>>> Service
>>> HeadRequire "Host: mydomain.com"
>>> Redirect "https://www.mydomain.com"
>>> End
>>> Service
>>> BackEnd
>>> Address 127.0.0.1
>>> Port 6081
>>> End
>>> End
>>> End
>>>
>>> Can anyone advise what I need to change to get a better rating and make
>>> it more secure?
>>>
>>> thanks,
>>>
>>> Daniel
>>>
>>>
>>
>>
>> --
>> With Kind Regards.
>>
>> Scott McKeown
>> Loadbalancer.org
>> http://www.loadbalancer.org
>> Tel (UK) - +44 (0) 3303801064 (24x7)
>> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] SSL Parameter

2015-05-21 Thread Scott McKeown
Hi Daniel,

First off, what version of Pound are you running?

There were a few patch files written a while back that should resolve most
of these issues and if I remember correctly are in the latest build:

Try adding the following options into your configuration file:
SSLHonorCipherOrder 1 SSLAllowClientRenegotiation 0 DisableSSLv2
DisableSSLv3 SSLNoFragment 0 SSLNoCompression 1

You may also need to change your Cipher List to something like:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH



On 21 May 2015 at 11:54, Daniel  wrote:

> Hello,
>
> I just made a test via ssllabs.com, and I got a grade F for my SSL
> connection.
>
> The issues are:
>
> This server supports insecure Diffie-Hellman (DH) key exchange parameters.
> Grade set to F.
> This server supports 512-bit export suites and might be vulnerable to the
> FREAK attack. Grade set to F.
> This server is vulnerable to the POODLE attack. If possible, disable SSL 3
> to mitigate. Grade capped to C.
> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>
> My pound.cfg is this in the https section:
>
> ListenHTTPS
> HeadRemove "X-Forwarded-Proto"
> AddHeader "X-Forwarded-Proto: https"
> Address 0.0.0.0
> Port 443
> Cert "/etc/ssl/mydomain.com/mydomain.com.pem"
> Ciphers "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
> Service
> HeadRequire "Host: mydomain.com"
> Redirect "https://www.mydomain.com"
> End
> Service
> BackEnd
> Address 127.0.0.1
> Port 6081
> End
> End
> End
>
> Can anyone advise what I need to change to get a better rating and make it
> more secure?
>
> thanks,
>
> Daniel
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] disbaling ssl3 but not ssl3 ciphers

2015-03-04 Thread Scott McKeown
Hi Pat,

The same options should be included in the v2.7 branch.

I'm sure Joe would have included it - the option you would need to add to
your config is 'DisableSSLv3'.



On 4 March 2015 at 11:06, Pat Erler  wrote:

> Is there really no way to do this in 2.7? I would like to stay at 2.7, now
> that it is stable.
>
> On Tue, Mar 3, 2015 at 5:16 PM Scott McKeown 
> wrote:
>
>> Hi OAT,
>>
>> I've found the patch that I think you need for this which I've attached.
>>
>> this is for the v2.6 version though.
>>
>>
>> ~Scott
>>
>>
>> On 3 March 2015 at 15:32, Pat Erler  wrote:
>>
>>> hi,
>>>
>>> we think we stumbled over this problem:
>>> http://security.stackexchange.com/questions/70832/why-doesnt-the-tls-protocol-work-without-the-sslv3-ciphersuites
>>>
>>> is there a way in pound to disable the SSL3 protocol but not the SSL3
>>> cipher suite?
>>>
>>> best,
>>>
>>> OAT
>>>
>>
>>
>>
>> --
>> With Kind Regards.
>>
>> Scott McKeown
>> Loadbalancer.org
>> http://www.loadbalancer.org
>> Tel (UK) - +44 (0) 3303801064 (24x7)
>> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


Re: [Pound Mailing List] disabling ssl3 but not ssl3 ciphers

2015-03-03 Thread Scott McKeown
Hi OAT,

I've found the patch that I think you need for this which I've attached.

this is for the v2.6 version though.


~Scott


On 3 March 2015 at 15:32, Pat Erler  wrote:

> hi,
>
> we think we stumbled over this problem:
> http://security.stackexchange.com/questions/70832/why-doesnt-the-tls-protocol-work-without-the-sslv3-ciphersuites
>
> is there a way in pound to disable the SSL3 protocol but not the SSL3
> cipher suite?
>
> best,
>
> OAT
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)


pound-disable-ssl.patch
Description: Binary data


Re: [Pound Mailing List] problem with a ev-ssl certificate /key

2014-12-09 Thread Scott McKeown
Hi fatcharly,

From the error returned I would say that your SSL Certificate PEM file has
not been created in the correct order.

Have a read over the following link which I nearly always refer back to
when I'm doing a PEM file.

https://www.digicert.com/ssl-support/pem-ssl-creation.htm

Also did you do the:
cat keyfile.key >>domain.pem
cat certfile.crt >>domain.pem

onto the original PEM file or was this a new file?



On 9 December 2014 at 14:01,  wrote:

> Hi,
>
> we are using a pound cluster under CentOS 6.5 with the latest pci.2.6
> Version. When I try to change an older pem-File I get the following
> error-message when I restart the pound:
> /etc/pound.cfg line 77: SSL_CTX_use_PrivateKey_file failed - aborted
>
> pound.cfg line 77 is:
>  Cert "/etc/pki/tls/pound/domainname/domainname.pem"
>
> I just did a:
> cat keyfile.key >>domain.pem
> cat certfile.crt >>domain.pem
>
> Any suggestions are welcome !
>
> Kind regards
>
> fatcharly
>
>
> --
> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
> Please contact ro...@apsis.ch for questions.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
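An added example for the PEM question above, mine rather than anything from Pound or the thread: a layout check for a combined PEM file before it goes into the `Cert` directive. It assumes the layout the reply and the DigiCert guide describe (private key first, then the server certificate, then the intermediates) and that Pound cannot prompt for a passphrase, so an encrypted key is a problem too. The key and certificate bodies are constructed placeholders, not real DER, so this checks structure only; whether the key actually belongs to the certificate is left to openssl, see the note below.

```python
import re

# One PEM block: label plus base64 body (the backreference forces BEGIN/END labels to agree).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-ins for key/certificate material; bodies are placeholders, not valid DER.
OLD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEoldkeybody==\n-----END RSA PRIVATE KEY-----\n"
OLD_CERT = "-----BEGIN CERTIFICATE-----\nMIIDoldcertbody==\n-----END CERTIFICATE-----\n"
NEW_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEnewkeybody==\n-----END RSA PRIVATE KEY-----\n"
NEW_CERT = "-----BEGIN CERTIFICATE-----\nMIIDnewcertbody==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIDintermediatebody==\n-----END CERTIFICATE-----\n"

GOOD_PEM = NEW_KEY + NEW_CERT + INTERMEDIATE                    # key, server cert, chain
APPENDED_ONTO_OLD_PEM = OLD_KEY + OLD_CERT + NEW_KEY + NEW_CERT  # 'cat >>' onto the old file
CERT_FIRST_PEM = NEW_CERT + NEW_KEY                              # order reversed


def pem_blocks(text):
    """Return [(label, body), ...] in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_pem_layout(text):
    """Return a list of layout problems for a combined PEM file; an empty list means it looks usable."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems = []
    key_idx = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    cert_idx = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    if not blocks:
        problems.append("no PEM blocks found (wrong file, or DER/PKCS#12 instead of PEM)")
    if len(key_idx) != 1:
        problems.append("expected exactly one private key block, found %d" % len(key_idx))
    if not cert_idx:
        problems.append("no CERTIFICATE block")
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected; Pound cannot prompt for a passphrase")
    if key_idx and cert_idx and key_idx[0] > cert_idx[0]:
        problems.append("private key appears after the certificate; put the key first, "
                        "then the server certificate, then the intermediates")
    bodies = [body for _, body in blocks]
    if len(bodies) != len(set(bodies)):
        problems.append("duplicate blocks: the file was probably appended to rather than rewritten")
    return problems


if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("appended", APPENDED_ONTO_OLD_PEM), ("cert-first", CERT_FIRST_PEM)):
        print(name, check_pem_layout(pem) or ["no problems"])
```

Once the layout is clean, check that the key and certificate are a pair, since `SSL_CTX_use_PrivateKey_file` also fails with a key/certificate mismatch: `openssl rsa -noout -modulus -in domain.pem | openssl md5` and `openssl x509 -noout -modulus -in domain.pem | openssl md5` must print the same digest (each command reads the first block of its own type from the combined file).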



Re: [Pound Mailing List] HTTPS BackEnd certificate issues

2013-12-05 Thread Scott McKeown
Hi Karl,

I only noticed yesterday that CentOS now has OpenSSL 1.0.1e (I think it
was) in the repository, so you may be looking in the wrong place, as before it
was on 0.9.8 I think.

It might be worth just double checking the versions.




On 5 December 2013 21:48, Karl Rossing  wrote:

> I am running into the same issue below since upgrading from Centos 6.4 to
> 6.5.
>
> I was running Pound 2.7a. I also tried with Pound 2.7b and I'm still
> getting
>
>  BIO_do_handshake with :443 failed: error:1412F152:SSL
> routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy renegotiation disabled
>
> The  is a windows box. I tried disabling the cyphers using
> https://www.nartac.com/Products/IISCrypto/Default.aspx
> and selected "Best Practices" which is pretty much the screenshot on the
> page.
>
> I might have to restore Centos 6.4 but i would prefer not to.
>
> Any suggestions would be appreciated.
>
> Karl
>
>
> On 10/8/2012, 11:00 AM, Thomas M Steenholdt wrote:
>
>> On 10/08/2012 11:10 AM, Thomas M Steenholdt wrote:
>>
>>> Hi there,
>>>
>>> I have a pound 2.6 installation with a HTTPS listener and several HTTPS
>>> BackEnds.
>>>
>>> The HTTPS BackEnds are mostly using self-signed certificates, which
>>> should be fine for our needs, but one of them is failing with the error:
>>>
>>> pound: BIO_do_handshake with :443 failed:
>>> error:1412F152:SSL routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy
>>> renegotiation disabled
>>>
>>> Although I'm not sure, I guess this is an error with the certificate on
>>> the BackEnd HTTPS server. But is there some way to get more information on
>>> the error or perhaps just make pound ignore the error all together?
>>>
>>> Thanks in advance.
>>>
>>> /Thomas
>>>
>>
>> Turned out to be an unpatched Windows 2003 server. The problem was fixed
>> for Windows in September of 2010:
>>
>> http://technet.microsoft.com/en-us/security/bulletin/MS10-049
>>
>> Applying this fix solved the problem.
>>
>> /Thomas
>>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] HTTPS redirect on HTTP

2013-08-05 Thread Scott McKeown
Hi Peter,

I believe what you are trying to do can be achieved by adding a HeadRequire
and a Redirect to the ListenHTTP Service section with the details of your
HTTPS URL and adding just the HeadRequire to the ListenHTTPS section.

I normally do something along the same lines with HAProxy though so this is
a little bit of a guess.


~Scott



On 5 August 2013 08:48, Peter Shaw  wrote:

> Hi *,
>
> how would you configure pound when the apaches have an https-redirect on
> port 80?
> For example, I have two sections in my config: ListenHTTP, with a Backend
> Address to 192.168.n.n, Port 80, and a ListenHTTPS section to the same host
> and port. So internally I speak http only.
> The Apache will force-redirect all http connections to https… Ahhh, dead
> end!
> Is it possible to redirect on the Pound side? Or is it possible to send a
> special header that apache can look for? Any ideas how I can do this?
>
> Thanks in advance.
>
> ---
> ps
>
> B. unthoughted.wordpress.com
> T. @peter_shaw
> F. facebook.com/PeterDunstonShaw
> G. github.com/petershaw
>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] multiple URLs configured on Pound not working

2013-07-01 Thread Scott McKeown
Hi Q.Xie,

I'm guessing that you are using Pound to terminate your SSL front end and
your back end servers are listening on normal HTTP. If this is the case I
would have a look at still using Pound as your front end but passing the
decrypted traffic into HAProxy, which with its ACL rules should be able
to achieve what you want.


~Scott



On 1 July 2013 08:28, Leo  wrote:

>  Hello Q.Xie,
>
> we have had this discussion several times on the list. Robert Segall has
> already explained why multiple URLs are ANDed:
>
> "There is a reason for it: it is easy to write an OR regular expression,
> but AND expressions can be more difficult."
> (
> http://www.apsis.ch/pound/pound_list/archive/2013/2013-05/1367581651000/index_html#1367583174000
> )
>
> If you want a different behaviour take a look at Joe Gooch's Pound
> patches. As far as I know he has written a patch to use a "URLMatch"
> directive with "AND"/"OR" value ... (https://github.com/goochjj/pound/)
>
> Hope this helps!
>
> Leo
>
>
>  On 06/29/2013 12:32 AM, Qingshan Xie wrote:
>
> I realized it: the multiple URLs are ANDed, not ORed, in Pound.
> Not sure why multiple URLs are designed as an AND relation, not OR?  At least
> from my experience an OR relation should be available in Pound in order to
> split traffic.  For example, a group of applications has URLs /A, /B, /C,
> ..., and another group of apps has URLs /x, /y, /z, ..., but they
> share the same virtual.  It is very difficult to manage thousands of apps in
> a big company using a regex in one URL, especially as these URLs may change
> frequently. If Pound could handle multiple URLs in an OR relation, that would
> make this job much easier.
>
> Thanks, Q.Xie
>
>
>   --
>  *From:* Qingshan Xie  
> *To:* "pound@apsis.ch"   
> *Sent:* Friday, June 28, 2013 11:53 AM
> *Subject:* [Pound Mailing List] multiple URLs configured on Pound not
> working
>
>  Hello, expert,
>
> According to the manual, Pound should be able to configure multiple URLs.
> However, it failed when I tried to configure two URLs in a service as shown
> below, but it worked if I removed one URL.
> ..
>  Service
>      URL "/ccivm0"
>      URL "/ccivm4"
>      BackEnd
>          Address xxx.xx.x.xxx
>          Port    84
>      End
>  End
>  ..
>
>  Have I configured it wrongly?  What is the right way to configure it?
>
>  Thanks, Q.Xie
>
>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
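An added example for the URL discussion above (my code, not Pound's): a small emulation of how several `URL` lines in one Service combine, and the single-pattern alternative that gives the OR the poster wanted. It rests on two assumptions: that Pound compiles each `URL` value as a POSIX extended regex and requires every one in the Service to match (the AND behaviour described in the thread), and that the match is a search rather than anchored, which is why the emulation also shows `/ccivm0` catching `/other/ccivm0` and `/ccivm01/x`. The folded pattern sticks to syntax that both POSIX ERE and Python's `re` accept, so it can be pasted into pound.cfg as written.

```python
import re

# Constructed request paths to exercise the patterns.
SAMPLE_PATHS = ["/ccivm0/login", "/ccivm4", "/ccivm01/x", "/other/ccivm0", "/"]


def service_matches(url_patterns, path, combine="and"):
    """Emulate a Service with several URL lines.

    Assumption from the thread: Pound requires every URL regex to match the
    request path ('and'); 'or' shows the behaviour the poster expected.
    Patterns are searched anywhere in the path, not anchored."""
    results = [re.search(p, path) is not None for p in url_patterns]
    return all(results) if combine == "and" else any(results)


def or_regex(prefixes):
    """Fold several path prefixes into one anchored alternation, e.g. ^/(ccivm0|ccivm4)(/|$),
    using only syntax shared by POSIX ERE (Pound) and Python's re."""
    alts = "|".join(re.escape(p.strip("/")) for p in prefixes)
    return "^/(%s)(/|$)" % alts


def route(prefixes, paths):
    """Return the paths a single-URL Service built with or_regex() would accept."""
    pattern = re.compile(or_regex(prefixes))
    return [p for p in paths if pattern.search(p)]


if __name__ == "__main__":
    prefixes = ["/ccivm0", "/ccivm4"]
    for path in SAMPLE_PATHS:
        print("%-16s two URL lines (AND): %-5s  single OR regex: %s" % (
            path, service_matches(prefixes, path), bool(re.search(or_regex(prefixes), path))))
    print("pattern for pound.cfg:", or_regex(prefixes))
```

Putting the generated pattern into a single `URL "^/(ccivm0|ccivm4)(/|$)"` line keeps the two applications on one Service without changing Pound; the anchors matter, because an unanchored `/ccivm0` also matches paths that merely contain that string.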


Re: [Pound Mailing List] cpu load issues still a issue?

2013-06-21 Thread Scott McKeown
This is quite an old blog post and very lax on any real information.

It does not say what the server setup is, as in whether Pound is on its own
hardware with HAProxy directing traffic to different backend servers; it also
does not say what version of Pound is being used or even what the spec of the
hardware is.

I've got Pound built on about 5 personal production units and god knows how
many customers are using Pound for the SSL termination and HAProxy to
handle the load balancing at Layer 7 with no problems at all.

To be honest I would say that this post is out of date and as long as you
are running the latest build on a dedicated 'Load Balancer' you should be
fine.


~Scott


On 21 June 2013 00:27, Peter Shaw  wrote:

> Hi,
>
> we stumbled over this article from 2008:
> http://blog.emmettshear.com/post/2008/03/03/Dont-use-Pound-for-load-balancing
> It says that the CPU load of pound is a real problem. I never had those
> problems back in 200x; what I had were RAM issues.
> Can anyone tell me if this is real and how this was fixed?
>
> Thanx a lot,
> pm
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] How to unsubscribe?

2013-06-18 Thread Scott McKeown
Hi Roberto,

I'm sure it's just a case of sending an email to pound@apsis.ch with the
subject of 'unsubscribe'




On 18 June 2013 14:52, Roberto Geraldo Pimenta Ribeiro Junior <
rpime...@senado.gov.br> wrote:




-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Current development status

2013-06-18 Thread Scott McKeown
Thanks Andreas now bookmarked.

Don't know how I didn't see that before.


~Scott



On 18 June 2013 14:08, Andreas Hilboll  wrote:

> Hi,
>
> Joe stated the links to updated  2.6 and 2.7 branches in this thread:
>
>
>
> http://www.apsis.ch/pound/pound_list/archive/2013/2013-04/136765000/index_html
>
> Cheers, Andreas.
>
>
> On 18.06.2013 14:55, Scott McKeown wrote:
> > Hi Peter,
> >
> > Welcome to Pound.
> >
> > I'm sure that Joe will jump in at some stage with more details but we
> > use Pound ourselves and you can find that the community is quite active
> > and supportive.
> >
> > Patches and fixes are normally posted to this list, and if you know some
> > basic Unix commands and don't mind building Pound from source yourself you
> > can have quite an efficient and productive SSL terminator at your disposal.
> >
> > If memory serves me correctly Joe does keep a fork somewhere but I don't
> > know where it is.
> >
> > However, once again welcome to the group.
> >
> >
> > ~Scott
> >
> >
> >
> > On 18 June 2013 13:45, Peter Shaw  wrote:
> >
> > Hi pound users and developers.
> > I just want to know if there is active development on the pound
> > project. Or is the last date in 2.6 (2010) the last and final commit?
> > Is this group active? And may I get help if I run my production farm
> > with pound.
> >
> > Thanx al lot,
> > ps
> >
> >
> >
> >
> > --
> > With Kind Regards.
> >
> > Scott McKeown
> > Loadbalancer.org
> > http://www.loadbalancer.org
>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Current development status

2013-06-18 Thread Scott McKeown
Hi Peter,

Welcome to Pound.

I'm sure that Joe will jump in at some stage with more details but we use
Pound ourselves and you can find that the community is quite active and
supportive.

Patches and fixes are normally posted to this list, and if you know some
basic Unix commands and don't mind building Pound from source yourself you
can have quite an efficient and productive SSL terminator at your disposal.

If memory serves me correctly Joe does keep a fork somewhere but I don't
know where it is.

However, once again welcome to the group.


~Scott



On 18 June 2013 13:45, Peter Shaw  wrote:

> Hi pound users and developers.
> I just want to know if there is active development on the pound project.
> Or is the last date in 2.6 (2010) the last and final commit?
> Is this group active? And may I get help if I run my production farm with
> pound.
>
> Thanx al lot,
> ps
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] send source IP of HTTP requests to web servers in the cluster

2013-05-21 Thread Scott McKeown
Hi Pat,

You will need to rebuild your version of pound with the TProxy patch.

A slightly outdated how-to can be found at
http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/
however, the whole principle is still the same.

Also, depending on what OS you're running, you may need to modify your
kernel to allow TProxy use, but most modern/new kernels already have this
enabled; CentOS 6.x does, for example.


~Yours,
Scott


On 21 May 2013 09:38, Pat Erler  wrote:

> hi,
>
> we have some nginx servers clustered behind a pound server and wonder if
> it is possible to have the original source IP, as it is received by pound,
> relayed to the nginx server (so that it appears in the logs there)?
>
> regards,
>
> PAT
>
> --
> *Pat Erler*
> Gtalk/G+: per...@gmail.com
> Skype: pat_erler
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] "Too many open files" errors running pound 2.5-1.1 on Ubuntu 12.04

2013-02-25 Thread Scott McKeown
Hi Nigel,

OK thats fine.

Do you have 'Alive', 'TimeOut' and 'ConnTo' values set in your Global or
BackEnd sections?
By default the Alive value is 30 seconds and the TimeOut and ConnTo are 15
seconds; you may also find that increasing the 'Grace' setting helps.

Although if you are just terminating an SSL certificate and then trying to
load balance over multiple backend servers, you may want to have a look at
HAProxy and let that do the heavy work instead of Pound. You will also get
better debug logging (that's just my opinion though).


~Scott


On 25 February 2013 15:48, Nigel Pallett  wrote:

>  Scott,
>
> Pound is talking to backend apache webservers (on the 10.10.5.xxx
> addressess on the logs) configured with the rpaf module to talk back to
> pound.
>
> This has been working successfully for almost two years now.
>
> Is it possible that recent changes to the website application being served
> up by the backends could give rise to these errors ?
>
> Regards,
> Nigel.
>
>
> On 25/02/13 15:23, Scott McKeown wrote:
>
> Hi Nigel,
>
> I'm guessing that you are passing this to something like HAProxy, which is
> your backend server on '10.10.5.122'; it's this that is passing the error
> back to Pound, so I would have a look there.
>
> However, I could be wrong, but a copy of your pound.cfg would help (remove
> real-world IPs etc.)
>
>
> ~Scott
>
>
>
> On 25 February 2013 14:58, Nigel Pallett  wrote:
>
>> Hi,
>>
>> I'm running pound 2.5-1.1 on Ubuntu 12.04.2 LTS, and I'm getting lots
>> of "Too many open files" errors in syslog
>> (See example below)
>>
>>
>> --
>>
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3273bc4700) e503 backend 10.10.5.122:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f325330c700) e503 backend 10.10.5.122:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3273bc4700) e503 backend 10.10.5.123:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3270380700) e503 backend 10.10.5.123:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.122:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.121:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f32712bc700) e503 backend 10.10.5.124:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f32712bc700) e503 backend 10.10.5.122:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.124:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.124:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.122:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.122:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.124:80 socket create: Too many open files
>> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.123:80 socket create: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: (7f325a75e700) e503 backend 10.10.5.124:80 socket create: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: (7f325a75e700) e503 backend 10.10.5.121:80 socket create: Too many open files
>> Feb 25 14:53:33 gr-lb01 pound: HTTP

Re: [Pound Mailing List] "Too many open files" errors running pound 2.5-1.1 on Ubuntu 12.04

2013-02-25 Thread Scott McKeown
Hi Nigel,

I'm guessing that you are passing this to something like HAProxy, which is
your backend server on '10.10.5.122'; it's this that is passing the error
back to Pound, so I would have a look there.

However, I could be wrong, but a copy of your pound.cfg would help (remove
real-world IPs etc.)


~Scott



On 25 February 2013 14:58, Nigel Pallett  wrote:

> Hi,
>
> I'm running pound 2.5-1.1 on Ubuntu 12.04.2 LTS, and I'm getting lots of
> "Too many open files" errors in syslog
> (See example below)
>
> ----------------------------------------------------------------------
>
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3273bc4700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f325330c700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3273bc4700) e503 backend 10.10.5.123:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3270380700) e503 backend 10.10.5.123:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.121:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f32712bc700) e503 backend 10.10.5.124:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f32712bc700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.124:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.124:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.124:80 socket create: Too many open files
> Feb 25 14:53:30 gr-lb01 pound: (7f325b69a700) e503 backend 10.10.5.123:80 socket create: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: (7f325a75e700) e503 backend 10.10.5.124:80 socket create: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: (7f325a75e700) e503 backend 10.10.5.121:80 socket create: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: (7f3272293700) e503 backend 10.10.5.122:80 socket create: Too many open files
> Feb 25 14:53:33 gr-lb01 pound: (7f3271f46700) e503 backend 10.10.5.124:80 socket create: Too many open files
>
> ----------------------------------------------------------------------
>
> Any Ideas ?
>
> Regards,
>
> Nigel.
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
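An added example for the "Too many open files" thread, my code rather than Pound's or anything posted by the participants: a parser for the syslog lines quoted above that counts the failures per backend and on the listener, and turns the counts into a diagnosis. The useful fact the lines carry is that "Too many open files" is EMFILE raised by accept(2) and socket(2) on the Pound host itself, not a status relayed by a backend, so a listener that cannot accept and several backends that cannot get a socket in the same second point at the open-file limit of the pound process. The sample lines are constructed from the excerpt in the thread with the wrapped lines rejoined.

```python
import re
from collections import Counter

# Constructed from the syslog excerpt in this thread (line wraps rejoined).
SAMPLE_LOG = """\
Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
Feb 25 14:53:30 gr-lb01 pound: (7f3273bc4700) e503 backend 10.10.5.122:80 socket create: Too many open files
Feb 25 14:53:30 gr-lb01 pound: HTTP accept: Too many open files
Feb 25 14:53:30 gr-lb01 pound: (7f325330c700) e503 backend 10.10.5.122:80 socket create: Too many open files
Feb 25 14:53:30 gr-lb01 pound: (7f3273bc4700) e503 backend 10.10.5.123:80 socket create: Too many open files
Feb 25 14:53:30 gr-lb01 pound: (7f3271136700) e503 backend 10.10.5.121:80 socket create: Too many open files
Feb 25 14:53:33 gr-lb01 pound: (7f32712bc700) e503 backend 10.10.5.124:80 socket create: Too many open files
Feb 25 14:53:33 gr-lb01 pound: HTTP accept: Too many open files
"""

# Pound prefixes worker-thread messages with the thread id in parentheses; listener messages have none.
LINE_RE = re.compile(r"pound: (?:\((?P<thread>[0-9a-f]+)\) )?(?P<msg>.*)$")
BACKEND_RE = re.compile(r"e503 backend (?P<backend>\S+) socket create: Too many open files")
ACCEPT_MSG = "HTTP accept: Too many open files"


def summarize(lines):
    """Count EMFILE failures on the listener and per backend, and note which worker threads hit them."""
    accept_failures = 0
    backend_failures = Counter()
    worker_threads = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(ACCEPT_MSG):
            accept_failures += 1
            continue
        b = BACKEND_RE.search(msg)
        if b:
            backend_failures[b.group("backend")] += 1
            if m.group("thread"):
                worker_threads.add(m.group("thread"))
    return {"accept_failures": accept_failures,
            "backend_failures": backend_failures,
            "worker_threads": worker_threads}


def diagnose(summary):
    """EMFILE from accept(2) and socket(2) is raised on the Pound host itself, so the fix is local:
    the open-file limit the pound process inherits, plus how long idle sockets are held."""
    if not summary["accept_failures"] and not summary["backend_failures"]:
        return "no fd-exhaustion signature in this window"
    scope = "%d backends" % len(summary["backend_failures"])
    if summary["accept_failures"]:
        scope = "the listener and " + scope
    return ("process-wide fd exhaustion on the Pound host affecting %s: raise the open-file "
            "limit the pound process inherits (ulimit -n in its init script) and tighten "
            "Alive/TimeOut/ConnTo/Grace so idle sockets are released sooner" % scope)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(s["accept_failures"], dict(s["backend_failures"]), sorted(s["worker_threads"]))
    print(diagnose(s))
```

To confirm on the box, compare `cat /proc/$(pidof pound)/limits` (the "Max open files" row) with `ls /proc/$(pidof pound)/fd | wc -l` while the errors are being logged; if the two numbers meet, the limit is the cause regardless of what the backends are doing.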



Re: [Pound Mailing List] OpenSSL SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS patch

2013-02-20 Thread Scott McKeown
Hi Joe,

You're right, I've just finished running another test and changing the option
to a '0' (zero) instead of a '1' has fixed the issue.

Thank you for looking over this for me.

I'll give the name some thought and I'll post the updated patch once I've
had a good think.


~Scott


On 19 February 2013 23:23, Joe Gooch  wrote:

> Yeah, you have the option states reversed.
>
> ssl_op_enable starts with SSL_OP_ALL, which includes the
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option.  (Which turns off the
> countermeasure)
>
> To pass PCI you want pound to insert empty fragments, so you want to
> remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS from ssl_op_enable and add it to
> ssl_op_disable
>
> Seems to me your code is fine, you just need SSLNoFragment 0 in your
> config.  (Which means it **will** insert fragments, which is what you
> want)
>
> Or name it something like SSLBeastAvoid 1 and swap the flag states.
>
> Joe
>
> *From:* Scott McKeown [mailto:sc...@loadbalancer.org]
> *Sent:* Tuesday, February 19, 2013 11:26 AM
> *To:* pound@apsis.ch
> *Subject:* Re: [Pound Mailing List] OpenSSL
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS patch
>
> Hi Joe,
>
> Thanks for having a look at this for me.
>
> I've tested with SSL Labs and that all shows correct, although it does not
> show anything for the Empty Fragments but it could be labeled as something
> else that I'm missing.
>
I've come across http://www.mcafee.com/us/mcafeesecure/index.html which
offers a free scan (nice), but I've also used
https://www.hackerguardian.com and they both show the same thing. I'm
guessing it could be a false positive, but I was going for a second opinion
first.
>
>
> ~Scott
>
> On 19 February 2013 15:53, Joe Gooch  wrote:
>
> It looks to me like you’ve done the patch correctly.  Not sure why it
> wouldn’t be working for you.
>
> Are you using SSL labs to test?
>
> Joe
>
> *From:* Scott McKeown [mailto:sc...@loadbalancer.org]
> *Sent:* Monday, February 18, 2013 6:07 AM
> *To:* pound@apsis.ch
> *Subject:* [Pound Mailing List] OpenSSL
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS patch
>
> Hi Guys,
>
> I've been trying to add a new option to Pound that will allow you to set a
> 'SSLNoFragment' option in your pound.cfg file that when set to '1' will
> enable the OpenSSL 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option.
>
> A copy of my attempt is below. However, with this added to my pound.cfg
> file and all rebuilt using Pound 2.6 and my new option enabled like this:
>
> User        "nobody"
> Group       "nobody"
> LogLevel    0
> Client      30
> Timeout     60
>
> ListenHTTPS
>     # Label: pound_vip
>     Address 192.168.82.199
>     Port    443
>     Cert    "/etc/pound/certs/pound_vip.pem"
>     SSLHonorCipherOrder 1
>     SSLAllowClientRenegotiation 0
>     Disable SSLv2
>     ReWriteLocation 1
>     Ciphers "RC4:HIGH:!MD5:!DSS:!aNULL"
>     SSLNoCompression 1
>     SSLNoFragment 1
>     Service
>         BackEnd
>             Address 172.16.0.5
>             Port    80
>         End
>     End
> End
>
> It seems to accept the value. However, if I run a scan on the Real IP
> Address (the above addresses have been changed to protect the innocent) I
> still get a warning stating:
>
> A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information
> disclosure if an attacker intercepts encrypted traffic served from an
> affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use
> CBC mode are not affected. This script tries to establish an SSL/TLS remote
> connection using an affected SSL version and cipher suite, and then
> solicits return data. If returned application data is not fragmented with
> an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty
> fragments as a countermeasure unless the
> 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is
> initialized. Microsoft implemented one-byte fragments as a countermeasure,
> and the setting can be controlled via the registry key
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.
> Therefore, if multiple applic

Re: [Pound Mailing List] OpenSSL SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS patch

2013-02-19 Thread Scott McKeown
Hi Joe,

Thanks for having a look at this for me.

I've tested with SSL Labs and that all shows correct, although it does not
show anything for the Empty Fragments but it could be labeled as something
else that I'm missing.

I've come across http://www.mcafee.com/us/mcafeesecure/index.html which
offers a free scan (nice) but I've also used
https://www.hackerguardian.com and they both show the same thing. I'm
guessing it could be a false positive, but I was going for a second opinion
first.


~Scott


On 19 February 2013 15:53, Joe Gooch  wrote:

> It looks to me like you’ve done the patch correctly.  Not sure why it
> wouldn’t be working for you.
>
> Are you using SSL labs to test?
>
> Joe
>
> *From:* Scott McKeown [mailto:sc...@loadbalancer.org]
> *Sent:* Monday, February 18, 2013 6:07 AM
> *To:* pound@apsis.ch
> *Subject:* [Pound Mailing List] OpenSSL
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS patch
>
> Hi Guys,
>
> I've been trying to add a new option to Pound that will allow you to set a
> 'SSLNoFragment' option in your pound.cfg file that when set to '1' will
> enable the OpenSSL 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option.
>
> A copy of my attempt is below. However, with this added to my pound.cfg
> file and all rebuilt using Pound 2.6 and my new option enabled like this:
>
> User        "nobody"
> Group       "nobody"
> LogLevel    0
> Client      30
> Timeout     60
>
> ListenHTTPS
>     # Label: pound_vip
>     Address 192.168.82.199
>     Port    443
>     Cert    "/etc/pound/certs/pound_vip.pem"
>     SSLHonorCipherOrder 1
>     SSLAllowClientRenegotiation 0
>     Disable SSLv2
>     ReWriteLocation 1
>     Ciphers "RC4:HIGH:!MD5:!DSS:!aNULL"
>     SSLNoCompression 1
>     SSLNoFragment 1
>     Service
>         BackEnd
>             Address 172.16.0.5
>             Port    80
>         End
>     End
> End
>
> It seems to accept the value. However, if I run a scan on the Real IP
> Address (the above addresses have been changed to protect the innocent) I
> still get a warning stating:
>
> A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information
> disclosure if an attacker intercepts encrypted traffic served from an
> affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use
> CBC mode are not affected. This script tries to establish an SSL/TLS remote
> connection using an affected SSL version and cipher suite, and then
> solicits return data. If returned application data is not fragmented with
> an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty
> fragments as a countermeasure unless the
> 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is
> initialized. Microsoft implemented one-byte fragments as a countermeasure,
> and the setting can be controlled via the registry key
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.
> Therefore, if multiple applications use the same SSL/TLS implementation,
> some may be vulnerable while others may not, depending on whether or not a
> countermeasure has been enabled. Note that this script detects the
> vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It
> does not detect the BEAST attack where it exploits the vulnerability at
> HTTPS client-side (i.e., Internet browser). The detection at server-side
> does not necessarily means your server is vulnerable to the BEAST attack
> because the attack exploits the vulnerability at client-side, and both
> SSL/TLS clients and servers can independently employ the split record
> countermeasure.
>
>
> My Pound Version details:
>
> # pound -V
> starting...
> detect_tproxy(): tproxy is is detected
> tproxy: available
> Version 2.6
>   Configuration switches:
> --enable-cert1l
> --with-maxbuf=8192
> Exiting...
>
>
> My attempted patch:
>
> config.c | 12 +++-
>  1 file changed, 11 insertions(+), 1 deletions(-)
>
> diff --git a/config.c b/config.c
>
> --- a/config.c  2013-02-15 11:38:19.634450776 +
> +++ bconfig.c   2013-02-15 15:37:22.668452304 +
> @@ -76,7 +76,7 @@
>  static regex_t  Err414, Err500, Err501, Err503, MaxRequest, HeadRemove,
> RewriteLocation, RewriteDestination;
>  static regex_t  Service, ServiceName, URL, HeadRequire, HeadDeny,
> BackEnd, Emergency, Priority, HAport, HAportAddr;
>  static regex_t  Redirect
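Review bot: this declaration hunk is cut off in the quoted copy before its changed line, so the one thing it has to do cannot be checked: the later `regcomp(&SSLNoFragment, …)` and `regfree(&SSLNoFragment)` lines require `SSLNoFragment` to be added to one of these `static regex_t` lists, and the `@@ -76,7 +76,7 @@` header (same line count before and after) is consistent with a one-line replacement doing exactly that. Please repost the complete hunk so the declaration can be confirmed.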

[Pound Mailing List] OpenSSL SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS patch

2013-02-18 Thread Scott McKeown
LNoCompression, "^[ \t]*SSLNoCompression[ \t]+([01])[
\t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+|| regcomp(&SSLNoFragment, "^[ \t]*SSLNoFragment[ \t]+([01])[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE
| REG_NEWLINE | REG_EXTENDED)
 || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE |
REG_NEWLINE | REG_EXTENDED)
 || regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
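Review bot: the new `regcomp(&SSLNoFragment, "^[ \t]*SSLNoFragment[ \t]+([01])[ \t]*$", …)` entry is consistent with the SSLNoCompression entry beside it, so the parsing side is fine; the logic problem is the polarity of what the captured `([01])` later does, and that code is not in the quoted hunks. As the first reply on this page points out, `SSLNoFragment 1` sets `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which switches the empty-fragment countermeasure off, so the scan quoted above is expected to fail with the posted config; to pass it the option must end up in `ssl_op_disable` (cleared with `SSL_CTX_clear_options`), which is what `SSLNoFragment 0` should produce.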
@@ -1541,6 +1550,7 @@
 regfree(&DisableSSLv2);
     regfree(&SSLHonorCipherOrder);
 regfree(&SSLNoCompression);
+regfree(&SSLNoFragment);
 regfree(&Ciphers);
 regfree(&CAlist);
 regfree(&VerifyList);
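Review bot: `regfree(&SSLNoFragment)` sits directly after `regfree(&SSLNoCompression)`, mirroring the regcomp order, which is the convention the file follows, so this hunk is fine as it stands. What cannot be reviewed is the rest of the change: the diffstat reports 11 insertions and the header `@@ -1541,6 +1550,7 @@` puts the new file nine lines ahead of the old one by this point, yet only one `+` line precedes this hunk in the quoted excerpt, so the code that reads the directive and moves the flag between `ssl_op_enable` and `ssl_op_disable` is missing from the mail and should be posted to confirm the polarity.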


Any help or advice would be most welcome.


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
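The option-mask logic behind this thread (the reply at the top of the page that the flag has to move from ssl_op_enable to ssl_op_disable, and the SSLNoFragment / SSLNoCompression directives in the config posted above), as an added example in C. It is not Pound's code: the regex shape follows the patch, but the default masks are an assumption modelled on config.c, and the SSL_OP_* bit values are copied from OpenSSL 1.0.x headers only so it builds without them.

```c
#include <sys/types.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Option bits as defined in OpenSSL 1.0.x <openssl/ssl.h>, redefined here only
 * so the example builds without the OpenSSL headers; real code includes that
 * header and uses the SSL_OP_* names. SSL_OP_ALL contains the
 * DONT_INSERT_EMPTY_FRAGMENTS bit, so it alone switches the countermeasure off. */
#define OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L
#define OP_NO_COMPRESSION              0x00020000L
#define OP_ALL                         0x80000BFFL

/* The two masks the thread refers to: ssl_op_enable is passed to
 * SSL_CTX_set_options(), ssl_op_disable to SSL_CTX_clear_options(). */
typedef struct { long enable; long disable; } ssl_opts;

/* A flag lives in exactly one of the two masks. */
static void set_flag(ssl_opts *o, long flag, int on)
{
    if (on) { o->enable |= flag;  o->disable &= ~flag; }
    else    { o->enable &= ~flag; o->disable |= flag;  }
}

/* Match "Name 0|1" with the same POSIX regex shape and flags the patch uses
 * for SSLNoFragment; returns 1 and stores the value on a match. */
static int match_bool_directive(const char *name, const char *line, int *value)
{
    char pattern[128];
    regex_t re; regmatch_t m[2];
    int rc;

    snprintf(pattern, sizeof pattern, "^[ \t]*%s[ \t]+([01])[ \t]*$", name);
    if (regcomp(&re, pattern, REG_ICASE | REG_NEWLINE | REG_EXTENDED) != 0)
        return 0;
    rc = regexec(&re, line, 2, m, 0);
    regfree(&re);
    if (rc != 0)
        return 0;
    *value = line[m[1].rm_so] - '0';
    return 1;
}

/* Apply one pound.cfg line. Polarity as settled in the thread: SSLNoFragment 1
 * sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (countermeasure off); SSLNoFragment 0
 * moves the bit into the clear mask so OpenSSL sends the empty fragment again.
 * SSLNoCompression works the same way. Returns 1 if the line was handled. */
int apply_line(ssl_opts *o, const char *line)
{
    int v;

    if (match_bool_directive("SSLNoFragment", line, &v)) {
        set_flag(o, OP_DONT_INSERT_EMPTY_FRAGMENTS, v);
        return 1;
    }
    if (match_bool_directive("SSLNoCompression", line, &v)) {
        set_flag(o, OP_NO_COMPRESSION, v);
        return 1;
    }
    return 0;
}

/* What SSL_CTX_get_options() reports after set_options(enable) followed by
 * clear_options(disable) on a fresh context. */
long effective_options(const ssl_opts *o)
{
    return o->enable & ~o->disable;
}

/* The property the quoted scanner checks for, read off the option word:
 * empty fragments are inserted only while the bit is clear. */
int inserts_empty_fragments(long opts)
{
    return (opts & OP_DONT_INSERT_EMPTY_FRAGMENTS) == 0;
}

/* Run a newline-separated config fragment through the parser, starting from
 * assumed defaults modelled on Pound's config.c (not copied from it):
 * everything in SSL_OP_ALL enabled, nothing cleared. */
long options_for_config(const char *cfg)
{
    char buf[1024];
    char *line;
    ssl_opts o = { OP_ALL, 0 };

    snprintf(buf, sizeof buf, "%s", cfg);
    for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n"))
        apply_line(&o, line);
    return effective_options(&o);
}

int main(void)
{
    /* Constructed listener fragments, not the configs posted in the thread. */
    long posted = options_for_config("SSLNoCompression 1\nSSLNoFragment 1");
    long fixed = options_for_config("SSLNoCompression 1\nSSLNoFragment 0");
    printf("SSLNoFragment 1: inserts empty fragments = %d\n", inserts_empty_fragments(posted));
    printf("SSLNoFragment 0: inserts empty fragments = %d\n", inserts_empty_fragments(fixed));
    return 0;
}
```

Builds with any C compiler on a POSIX system and needs no OpenSSL; the "posted" fragment yields no empty fragments, matching the scan result above, and `SSLNoFragment 0` flips it.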


Re: [Pound Mailing List] Send login and register to https - redirect loop

2013-01-16 Thread Scott McKeown
;
> >>>   BackEnd
> >>>   Address 192.168.0.2
> >>>   Port 80
> >>>   End
> >>>   BackEnd
> >>>   Address 192.168.0.3
> >>>   Port 80
> >>>   End
> >>>   End
> >>> End
> >>>
> >>>
> >>> I have configured apache ReWrite rules as follows:
> >>>
> >>>RewriteEngine On
> >>>RewriteBase /
> >>>
> >>># force https for /login and /register etc
> >>>RewriteCond %{HTTPS} =off
> >>>    RewriteRule ^(login|register)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> >>>
> >>># don't do anything for images/css/js (leave protocol as is)
> >>>RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
> >>>
> >>># force http for all other URLs
> >>>RewriteCond %{HTTPS} =on
> >>>    RewriteCond %{REQUEST_URI} !^/(login|register|payment\/status|gopro)$
> >>>RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> >>>
> >>>
> >>> However the configuration does not work.
> >>> It leads to a redirect loop error, which *appears* to be in pound.
> >>> I say that because if I browse to flooting.com/login, pound attempts
> to send the request to /login about 10 times and then gives up.
> >>> At this point the browser responds with a "this webpage has a redirect
> loop" error.  there are no errors in the apache logs.
> >>>
> >>> I've tried get this working with just one backend webserver configured
> in pound, however I still get a mail loop.
> >>> So, what am I doing wrong?  Is this even remotely the correct approach
> to this problem or is there a better way?
> >>>
> >>> Thanks for your help
> >>> Mark.
> >>>
> >>>
> >>> --
> >>> To unsubscribe send an email with subject unsubscribe to
> pound@apsis.ch.
> >>> Please contact ro...@apsis.ch for questions.
> >>
> >>
> >>
> >
> >
> >
>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Send login and register to https - redirect loop

2013-01-15 Thread Scott McKeown
Hi Mark,

Not a problem.

What you would need then is a mix of both my HTTP Listener and yours. I've
not actually tried to do this myself but I would think it should look
something like this:

ListenHTTP
    Address 91.187.69.155
    Port    80

    Service
        Url "/login*"
        HeadRequire "*.flooting.com*"
        Redirect "https://flooting.com"
    End

    Service
        HeadRequire "*.flooting.com*"
        BackEnd
            Address 192.168.0.2
            Port    80
        End
        BackEnd
            Address 192.168.0.3
            Port    80
        End
    End
End


~Scott


On 15 January 2013 10:43, mark hardwick  wrote:

> Hi Scott
> Thanks for your help.
> That seems to redirect every page to https?
> I only want to direct login and register to https if possible.
>
> Cheers
> Mark.
>
> On Jan 15, 2013, at 11:22 AM, Scott McKeown wrote:
>
> Hi Mark,
>
> Personally I would be tempted to use the 'Redirect' directive in your
> pound configuration file under the HTTP listener but keep the HTTPS
> listener as it is.
>
> So replace your HTTP Listener with something like this:
>
> ListenHTTP
>     Address 91.187.69.155
>     Port    80
>
>     Service
>         HeadRequire "*.flooting.com*"
>         Redirect "https://flooting.com"
>     End
> End
>
> Also you can simplify the HeadRequire directive to something like what I
> have put above.
>
> Let us know how this works for you.
>
>
> ~Scott
>
>
> On 15 January 2013 09:58, mark hardwick  wrote:
>
>> Hi All,
>> I'm fairly new to both pound and apache configuration.  I think the issue
>> I'm having is with pound configuration, but please excuse me if it's
>> actually apache.
>>
>> Ok, I want to configure my site so that if people head to
>> http://site.com/login they are redirected to https://site.com/login but,
>> if they try to browse to https://site.com/somewhere_else then they are
>> redirected to http://site.com/somewhere_else.
>>
>> I have installed my security certificate which is working.  I can browse
>> http and https.
>> I have configured pound to deal with the http and https as follows:
>>
>> ListenHTTP
>>     Address 91.187.69.155
>>     Port    80
>>
>>     Service
>>         HeadRequire   "(Host: flooting.com|Host: www.flooting.com)"
>>         BackEnd
>>             Address 192.168.0.2
>>             Port    80
>>         End
>>         BackEnd
>>             Address 192.168.0.3
>>             Port    80
>>         End
>>     End
>> End
>>
>> ListenHTTPS
>>     Address 91.187.69.155
>>     Port    443
>>     Cert    "/etc/ssl/flooting.com.pem"
>>
>>     Service
>>         HeadRequire   "(Host: flooting.com|Host: www.flooting.com)"
>>         BackEnd
>>             Address 192.168.0.2
>>             Port    80
>>         End
>>         BackEnd
>>             Address 192.168.0.3
>>             Port    80
>>         End
>>     End
>> End
>>
>>
>> I have configured apache ReWrite rules as follows:
>>
>> RewriteEngine On
>> RewriteBase /
>>
>> # force https for /login and /register etc
>> RewriteCond %{HTTPS} =off
>> RewriteRule ^(login|register)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>>
>> # don't do anything for images/css/js (leave protocol as is)
>> RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
>>
>> # force http for all other URLs
>> RewriteCond %{HTTPS} =on
>> RewriteCond %{REQUEST_URI} !^/(login|register|payment\/status|gopro)$
>> RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>>
>>
>> However the configuration does not work.
>> It leads to a redirect loop error, which *appears* to be in pound.
>> I say that because if I browse to flooting.com/login, pound attempts to
>> send the request to /login about 10 times and then gives up.
>> At this point the browser responds with a "this webpage has a redirect
>> loop" error.  there are no errors in the apache logs.
>>
>> I've tried get this working with just one backend webserver configured in
>> pound, however I still get a mail loop.
>> So, what am I doing wrong?  Is this even remotely the correct approach to
>> this problem or is there a better way?
>>
>> Thanks for your help
>> Mark.
>>
>>
>>
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Send login and register to https - redirect loop

2013-01-15 Thread Scott McKeown
Hi Mark,

Personally I would be tempted to use the 'Redirect' directive in your pound
configuration file under the HTTP listener but keep the HTTPS listener as
it is.

So replace your HTTP Listener with something like this:

ListenHTTP
    Address 91.187.69.155
    Port    80

    Service
        HeadRequire "*.flooting.com*"
        Redirect "https://flooting.com"
    End
End

Also you can simplify the HeadRequire directive to something like what I
have put above.

Let us know how this works for you.


~Scott


On 15 January 2013 09:58, mark hardwick  wrote:

> Hi All,
> I'm fairly new to both pound and apache configuration.  I think the issue
> I'm having is with pound configuration, but please excuse me if it's
> actually apache.
>
> Ok, I want to configure my site so that if people head to
> http://site.com/login they are redirected to https://site.com/login but,
> if they try to browse to https://site.com/somewhere_else then they are
> redirected to http://site.com/somewhere_else.
>
> I have installed my security certificate which is working.  I can browse
> http and https.
> I have configured pound to deal with the http and https as follows:
>
> ListenHTTP
>     Address 91.187.69.155
>     Port    80
>
>     Service
>         HeadRequire   "(Host: flooting.com|Host: www.flooting.com)"
>         BackEnd
>             Address 192.168.0.2
>             Port    80
>         End
>         BackEnd
>             Address 192.168.0.3
>             Port    80
>         End
>     End
> End
>
> ListenHTTPS
>     Address 91.187.69.155
>     Port    443
>     Cert    "/etc/ssl/flooting.com.pem"
>
>     Service
>         HeadRequire   "(Host: flooting.com|Host: www.flooting.com)"
>         BackEnd
>             Address 192.168.0.2
>             Port    80
>         End
>         BackEnd
>             Address 192.168.0.3
>             Port    80
>         End
>     End
> End
>
>
> I have configured apache ReWrite rules as follows:
>
> RewriteEngine On
> RewriteBase /
>
> # force https for /login and /register etc
> RewriteCond %{HTTPS} =off
> RewriteRule ^(login|register)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>
> # don't do anything for images/css/js (leave protocol as is)
> RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
>
> # force http for all other URLs
> RewriteCond %{HTTPS} =on
> RewriteCond %{REQUEST_URI} !^/(login|register|payment\/status|gopro)$
> RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>
>
> However the configuration does not work.
> It leads to a redirect loop error, which *appears* to be in pound.
> I say that because if I browse to flooting.com/login, pound attempts to
> send the request to /login about 10 times and then gives up.
> At this point the browser responds with a "this webpage has a redirect
> loop" error.  there are no errors in the apache logs.
>
> I've tried get this working with just one backend webserver configured in
> pound, however I still get a mail loop.
> So, what am I doing wrong?  Is this even remotely the correct approach to
> this problem or is there a better way?
>
> Thanks for your help
> Mark.
>
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Multiple SSL Certs

2012-10-12 Thread Scott McKeown
Hi Sander,

OK, that kind of makes sense. However, I guess I'm missing something. Can you
just send over a quick and dirty basic config file so that I can see this
in its full glory?
I'm not saying that you're incorrect or anything; I just don't seem to be able
to get my head around how each service will work out what certificate it
should be using.
If I have three certificates and four backend services, for example, with two
backends using 'domain1.co.uk', one backend using 'domain2.co.uk' and
finally one backend using 'domain1.net'.

~Scott



> Yes just load all certificates:
> Cert "cert1.pem"
> Cert "cert2.pem"
> Cert "certX.pem"
>
> Pound uses the domain in the CN field of the certificate to match the
> correct certificate to the request with SNI.
>
>
>
>


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Multiple SSL Certs

2012-10-12 Thread Scott McKeown
Hi James,

First of all welcome to Pound...

... I'm guessing that you have a wildcard SSL certificate or a UCC
certificate that will allow you to correctly encrypt the required traffic
to your backend servers, as you can only enable one SSL certificate per real
IP address.
Myself, I have a UCC certificate from GoDaddy which I've set up to cover
three different top-level domains (domain1.co.uk, domain2.co.uk, domain1.net)
and this works perfectly. The only downside is that if you need to add
another domain to the certificate you need to rekey the whole certificate.
Whereas a wildcard certificate will allow any subdomain of one top-level
domain only (a.domain1.co.uk, b.domain1.co.uk, c.domain1.co.uk, etc.).
Sorry if I'm teaching you to suck eggs but I just wanted to check first.

Second, here is a basic pound.cfg file that will do what you require with a
UCC certificate. This config file also forces HTTP back to HTTPS, which you
can remove if not needed:

User        "nobody"
Group       "nobody"
LogLevel    1
LogFacility local3
Client      30
TimeOut     60
ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port 443
    xHTTP 3
    Cert "/etc/pound/ucc01.pem"
    ReWriteLocation 1
    Ciphers "RC4:HIGH:!MD5:!aNULL"
    Service
        HeadRequire "Host: *domain1.co.uk*"
        BackEnd
            Address 172.16.0.10
            Port 80
        End
    End

    Service
        HeadRequire "Host: *domain2.co.uk*"
        BackEnd
            Address 172.16.0.20
            Port 80
        End
    End

    Service
        HeadRequire "Host: *domain1.net*"
        BackEnd
            Address 172.16.0.30
            Port 80
        End
    End
End

ListenHTTP
    Address xxx.xxx.xxx.xxx
    Port 80
    xHTTP 3
    ReWriteLocation 1
    Service
        HeadRequire "Host: *domain1.co.uk*"
        Redirect "https://domain1.co.uk"
    End
    Service
        HeadRequire "Host: *domain2.co.uk*"
        Redirect "https://domain2.co.uk"
    End
    Service
        HeadRequire "Host: *domain1.net*"
        Redirect "https://domain1.net"
    End
End



~Yours,
Scott

On 11 October 2012 18:53, James Bensley  wrote:

> Hi all,
>
> First post to the list, Pounder newcomer here!
>
> I have a Pound proxy providing SSL off-load for HAProxy (they are
> installed on the same server, Pound passes request onto HAproxy over
> the 127.0.0.1 loop-back address). I have some HTTP servers all hosting
> the same sites behind this load-balancer. I would like for a couple of
> them to use SSL. The only way I could see to have more than one SSL
> site behind this Pound box was to assign multiple IPs to the box and
> set up a different HTTPS listening on each IP, but this isn't very
> scalable or IP conservative.
>
> Then. I saw the following text on the Pound website:
>
> Update June 2010: starting with with the 2.6 series, Pound has SNI
> support, if your OpenSSL version supports it. Basically you supply
> Pound with several certificates, one for each virtual host (wild card
> certificates - as described above - are allowed). On connecting the
> client signals to which server it wants to talk, and Pound searches
> among its certificates which would fit. Not all versions of OpenSSL
> and not all clients support this mode, but if available it allows for
> virtual hosts over HTTPS.
>
> Can anyone provide me with a configuration example of how I can
> achieve this, or the correct direction to be looking in?
>
> Many thanks,
> James.
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Direct Routing or DSR with pound

2012-10-09 Thread Scott McKeown
Hi Budiwijaya,
OK so you are just after a simple HTTP Loadbalancer with no SSL Termination.
Pound is primarily an SSL Terminator with the option to do some basic
loadbalancing.
If you are after an HTTP load balancer and are happy to do this yourself, have
a look at HAProxy http://haproxy.1wt.eu/
This blog posting
http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
will give you a good start.

Yours,
Scott


On 8 October 2012 03:22, Budiwijaya  wrote:

> Hello Scott,
>
> I want to do a loadbalancing not a SSL Termination.
> What  I want to do is just like this [1]. I did a test in a virtualbox
> environment. But the webserver is returning the answer to pound. I Already
> did the loopback things on webserver. But no luck.
>
> On Fri, Oct 5, 2012 at 3:40 PM, Scott McKeown wrote:
>
>> Hi Budiwijaya,
>>
>> If I understand the question correctly you want Pound SSL termination ->
>> LVS DSR -> backend servers
>> Unfortunately the basic answer is NO, LVS can only work in local mode
>> when using NAT.
>> Although I'm assuming that you want Pound and LVS on the same box? I
>> guess it would work fine if the LVS box was separate.
>>
>>
>
> [1]http://loadbalancer.org/load_balancing_methods.php#dr
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Disabling SSL Compression (one line patch)

2012-10-05 Thread Scott McKeown
Hi Coops,

It's a great option to enable as I'm sure we all know; browser updates can
be a little on the slow side and even then some company IT policies don't
allow patches/updates to be put into place until they have been tested and
checked 20 times.

However, my understanding is that this is more of a browser issue than a
server issue. Don't get me wrong, if we can stop it from happening on our
servers, great, but the problem still lies with the browser developers and
they need to address the problem at that end. (Just my 2 pence worth, and I
don't mean any offense.)

Saying that, I'll have a play with your patch and give it a good testing as,
like I said, it's a good option to have at our disposal.


~Yours,
Scott


On 5 October 2012 15:39, Hereward Cooper  wrote:

> Hi pound folks,
>
> I've successfully disabled SSL compression in pound (a requirement for
> a platform which needs to be hardened against the CRIME attack).
>
> I'd not seen any mention of this on the mailing lists so far, so I
> thought I'd mention how I did it (and ask for any comments for
> improvements on my method).
>
> This site[1] described the SSL_OP_NO_COMPRESSION option, which I've
> added to my pound's config.c file.
>
> Just for the record this is built against "OpenSSL 1.0.1c-fips" which
> I described putting into place on CentOS 6 here[2].
>
> Any comments on my first pound patch?
>
> --- config.c.orig   2012-10-05 14:57:53.652702376 +0100
> +++ config.c2012-10-05 15:12:36.516952267 +0100
> @@ -1136,6 +1136,7 @@
>  SSL_CTX_set_app_data(pc->ctx, res);
>  SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
>  SSL_CTX_set_options(pc->ctx, ssl_op_enable);
> +SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);
>  SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
>  sprintf(lin, "%d-Pound-%ld", getpid(), random());
>  SSL_CTX_set_session_id_context(pc->ctx, (unsigned
> char *)lin, strlen(lin));
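Review bot: the extra `SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION)` call works, but it sits beside the `SSL_CTX_set_options(pc->ctx, ssl_op_enable)` / `SSL_CTX_clear_options(pc->ctx, ssl_op_disable)` pair that already exists to carry option bits; OR-ing `SSL_OP_NO_COMPRESSION` into `ssl_op_enable` where that mask is defined (or driving it from a config directive, as the `SSLNoCompression 1` lines in the configs earlier on this page do) keeps one place where the mask is built. The line also needs an `#ifdef SSL_OP_NO_COMPRESSION` guard: the macro only exists from OpenSSL 1.0.0 onwards, so while the 1.0.1c build described here is fine, a build against older headers would fail to compile.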
>
>
>  [1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
>  [2] http://tech.fawk.eu/233/
>
> --
> Coops
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Direct Routing or DSR with pound

2012-10-05 Thread Scott McKeown
Hi Budiwijaya,

If I understand the question correctly you want Pound SSL termination ->
LVS DSR -> backend servers
Unfortunately the basic answer is NO, LVS can only work in local mode when
using NAT.
Although I'm assuming that you want Pound and LVS on the same box? I guess
it would work fine if the LVS box was separate.



On 5 October 2012 03:57, Budiwijaya  wrote:

> Hello,
>
> I've searched the mailing list archive and found this[1]. That's a 2007
> post.
> So is there maybe anyone who can achieve DSR/DR with pound nowadays?
>
> Thank you.
>
> [1]
> http://www.apsis.ch/pound/pound_list/archive/2007/2007-03/1175075319000#1175104217000
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] How to deny attacker?

2012-09-27 Thread Scott McKeown
iptables would be the best option if you're on a Unix platform, as this is at
the kernel level and not the software level, which would save some processor
overhead. Otherwise, if you have an upstream firewall, I would look at
blocking the addresses or the whole subnet there.
Other than that I'm not sure you can do what you want with pound itself.

~Scott
 On Sep 27, 2012 5:38 PM, "Jaroslav Lukesh"  wrote:

> Dear Sirs,
>
> I want to block some DoS attacker at the pound side (pound 1.8, does not have
> other possibilities - tiny HW), but none of this works:
>
> UrlGroup.
> HeadRequire
> HeadDeny REMOTE_ADDR "ipaddress"
> HeadDeny HTTP_X_FORWARDED_FOR "ipaddress1, ipaddress2"
> EndGroup
>
> How to do it successfully, please?
>
> Regards, J. Lukesh
>
>


Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane

2012-09-27 Thread Scott McKeown
Hi Alan,
You're more than welcome.
Some of the messages from Pound can be a little confusing until you've been
playing with it for a while.

Any further issues just drop us a line and I'm sure someone will be able to
help.


~Scott


On 27 September 2012 11:14, Alan McGinlay  wrote:

> Fixed! Thanks for the link, it put me on the right track.
>
> All that was required was to concatenate the key and the crt and output a
> .pem file, which I put in the ssl store and referenced from pound.cfg.
>
> I also ran "update-ca-certificates --verbose --fresh"
>
> And restarted pound, success! This is just a test, the live site will use
> a "real" ssl cert.
>
> Thanks,
>
> Alan
>
> 2012-09-27 11:57, Scott McKeown skrev:
>
>> Hi Alan,
>> I'm sure that you will need to include the Private Key Chain in your PEM
>> file to resolve this error.
>>
>> Have a look at 
>> http://www.digicert.com/ssl-support/pem-ssl-creation.htm
>> which shows the different ways of creating the PEM file.
>>
>> Although now that I think about it, I don't remember if I had to include
>> this in mine the last time I created a Self Signed certificate so I
>> could be wrong on the self signed front. However, I would recommend the
>> full PEM file when you go live.
>>
>>
>> ~Scott
>>
>>
>> On 27 September 2012 10:16, Alan McGinlay > <mailto:al...@sics.se>> wrote:
>>
>> Hi All,
>>
>> I have been getting this error now no matter what I do when trying
>> to setup and HTTPS listener with a self signed cert.
>>
>> "/etc/pound/pound.cfg line 56: SSL_CTX_use_PrivateKey_file failed -
>> aborted"
>>
>> I have generated the ssl cert in myriad different ways, always with
>> the same result. I have tried with pound 2.5 and 2.6 (from ubuntu
>> precise and quantal respectively) but there is no change! The
>> certificates test ok with the openssl command line so I am at a
>> complete loss!
>>
>> Most of the info I have found on the net is from a few years back,
>> could this be a new bug?
>>
>> pound.cfg listeners:
>>
>> ListenHTTP
>>  Address 199.10.64.8
>>  Port80
>>  #Cert"/etc/ssl/certs/server.crt"
>>  Service
>>  HeadRequire "Host:.*redneck001-ext.__**example.se.*"
>>
>>  BackEnd
>>  Address localhost
>>  Port81
>>  End
>>  End
>>
>> END
>>
>> ListenHTTPS
>>  Address 193.10.64.8
>>  Port443
>>  Cert"/etc/ssl/certs/redneck001-__**ext.example.se.cert"
>>  Service
>>          HeadRequire "Host:.*redneck001-ext.__**example.se.*"
>>
>>  BackEnd
>>  Address localhost
>>  Port81
>>  End
>>      End
>> End
>>
>> Please help!
>>
>> /Alan
>>
>> --
>> To unsubscribe send an email with subject unsubscribe to
>> pound@apsis.ch <mailto:pound@apsis.ch>.
>> Please contact ro...@apsis.ch <mailto:ro...@apsis.ch> for questions.
>>
>>
>>
>>
>>
>> --
>> With Kind Regards.
>>
>> Scott McKeown
>> Loadbalancer.org
>> http://www.loadbalancer.org
>>
>>
> --
> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
> Please contact ro...@apsis.ch for questions.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] SSL_CTX_use_PrivateKey_file Driving me insane

2012-09-27 Thread Scott McKeown
Hi Alan,
I'm sure that you will need to include the Private Key Chain in your PEM
file to resolve this error.

Have a look at http://www.digicert.com/ssl-support/pem-ssl-creation.htm which
shows the different ways of creating the PEM file.

Although now that I think about it, I don't remember if I had to include
this in mine the last time I created a Self Signed certificate so I could
be wrong on the self signed front. However, I would recommend the full PEM
file when you go live.


~Scott


On 27 September 2012 10:16, Alan McGinlay  wrote:

> Hi All,
>
> I have been getting this error now no matter what I do when trying to
> set up an HTTPS listener with a self signed cert.
>
> "/etc/pound/pound.cfg line 56: SSL_CTX_use_PrivateKey_file failed -
> aborted"
>
> I have generated the ssl cert in myriad different ways, always with the
> same result. I have tried with pound 2.5 and 2.6 (from ubuntu precise and
> quantal respectively) but there is no change! The certificates test ok with
> the openssl command line so I am at a complete loss!
>
> Most of the info I have found on the net is from a few years back, could
> this be a new bug?
>
> pound.cfg listeners:
>
> ListenHTTP
>     Address 199.10.64.8
>     Port 80
>     #Cert "/etc/ssl/certs/server.crt"
>     Service
>         HeadRequire "Host:.*redneck001-ext.example.se.*"
>         BackEnd
>             Address localhost
>             Port 81
>         End
>     End
>
> END
>
> ListenHTTPS
>     Address 193.10.64.8
>     Port 443
>     Cert "/etc/ssl/certs/redneck001-ext.example.se.cert"
>     Service
>         HeadRequire "Host:.*redneck001-ext.example.se.*"
>         BackEnd
>             Address localhost
>             Port 81
>         End
>     End
> End
>
> Please help!
>
> /Alan
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] redirect to holding page?

2012-09-25 Thread Scott McKeown
Hi Mark,

You can use the Emergency section in the same way that you would a BackEnd
section, which is something like this.

ListenHTTPS
    Address 192.168.1.50
    Port 80
    Cert "/etc/pound/server0.pem"
    Service
        BackEnd
            Address 10.10.10.5
            Port 80
        End
        Emergency
            Address 127.0.0.1
            Port 8090
        End
    End
End


Hope this helps.

~Yours,
Scott

On 25 September 2012 13:25, mark hardwick  wrote:

> Hi all
> I've had a look in the docs but can't see this.
>
> Is it possible for pound to redirect to a holding page (on some "other"
> server) if all web servers in a service are down?
>
> Cheers
> Mark.
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
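
Losing an End keyword is easy when hand-editing nested blocks like the Emergency example above, and Pound only tells you at restart. As an added example (not Pound's code and not from this list), here is a small Python checker for pound.cfg block nesting; the block keywords and which block may contain which are taken from Pound 2.x's configuration syntax, an assumption where your version differs.

```python
"""Check block nesting in a pound.cfg before restarting the service.

Added example; not part of Pound. Block keywords and nesting rules are
assumed from Pound 2.x's config syntax: ListenHTTP/ListenHTTPS and Service
open at top level (Service also inside a listener), BackEnd, Emergency and
Session open inside Service, and End closes the innermost open block.
"""

# Which block may directly contain which (None = top level of the file).
ALLOWED_PARENT = {
    "listenhttp": {None},
    "listenhttps": {None},
    "service": {None, "listenhttp", "listenhttps"},
    "backend": {"service"},
    "emergency": {"service"},
    "session": {"service"},
}


def check_nesting(cfg_text):
    """Return [(line_no, message)] for nesting problems; [] means well-formed."""
    stack = []      # entries: (lower-cased keyword, original token, line number)
    errors = []
    for n, raw in enumerate(cfg_text.splitlines(), 1):
        # Drop comments. Simplification: a '#' inside a quoted value is not
        # distinguished, which is fine for the configs seen on this list.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()[0]
        word = tok.lower()
        if word in ALLOWED_PARENT:
            parent = stack[-1][0] if stack else None
            if parent not in ALLOWED_PARENT[word]:
                where = stack[-1][1] if stack else "the top level"
                errors.append((n, f"{tok} is not allowed directly inside {where}"))
            stack.append((word, tok, n))
        elif word == "end":
            if stack:
                stack.pop()
            else:
                errors.append((n, "End without an open block"))
    for _word, tok, n in stack:
        errors.append((n, f"{tok} opened on line {n} is never closed"))
    return errors


# Constructed from the Emergency example in this thread (port changed to 443).
EMERGENCY_CFG = """\
ListenHTTPS
    Address 192.168.1.50
    Port 443
    Cert "/etc/pound/server0.pem"
    Service
        BackEnd
            Address 10.10.10.5
            Port 80
        End
        Emergency
            Address 127.0.0.1
            Port 8090
        End
    End
End
"""

if __name__ == "__main__":
    print(check_nesting(EMERGENCY_CFG) or "ok")
    # Same config with the final End dropped, the usual hand-editing slip.
    print(check_nesting(EMERGENCY_CFG.rsplit("End\n", 1)[0]))
```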


Re: [Pound Mailing List] Puppet pound module

2012-09-25 Thread Scott McKeown
Hi Alan,
I've never used Puppet myself but from just a quick look at what you have
done this looks like a great start.
One thing I will say though, and I don't know if it is possible or not, is
the option to select where the pound.cfg file is located, as on most of my
servers I have moved it from its normal '/etc/pound/pound.cfg' location.

~Yours,
Scott


On 25 September 2012 12:15, Alan McGinlay  wrote:

> Hi,
>
> I have created a Puppet module for the Pound service. It is both my first
> attempt at a puppet module and also the first time I have seriously used
> Pound.
>
> https://github.com/mrintegrity/puppet-pound
>
> It is pretty basic at the moment but covers the most basic usage
> requirements. I would really love to get some feedback and suggestions for
> new features.
>
> Thanks,
>
> Alan
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-20 Thread Scott McKeown
Hi Francoise,
Can you show me your current pound.cfg file please (replace anything with
X's)

~Scott


On 20 September 2012 15:49, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> I tried your suggestion below so pound runs on 443 and 80.  All http goes
> from pound to the new perlbal port 8080.  And all https goes through pound
> as usual.  I still have the same problem.  Cannot redirect from http to
> https and vise versa (now that pound is running both ports).
>
> Privacy and Confidentiality Notice:
>
> This is strictly confidential and intended solely for the person or
> organisation to whom it is addressed. It may contain privileged and
> confidential information and if you are not an intended recipient, you must
> not copy, distribute or take any action in reliance on it. If you have
> received this message in error, please notify us as soon as possible and
> delete it and any attached files from your system.
> The views and opinions expressed in this email message are the author's
> own and may not reflect the views and opinions of the author's employer.
>
> Foxtons Limited is registered in England and Wales (registered number
> 01680058).  Our registered office is at Building One, Chiswick Park, 566
> Chiswick High Road, London, W4 5BE.
>
> _
> This e-mail has been scanned for viruses by MessageLabs.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-20 Thread Scott McKeown
So your Pound Setup and the Web Site are running on the same server, sorry,
I have mine set up in a Proxy mode which is a slightly different setup.
I don't know perlbal but at a guess you should be able to change the port
that it's listening on in its config file to something like 8080 and then
with the pound redirect as above in place but to port 8080 for the BackEnd.


~Scott


On 20 September 2012 12:51, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> Just for testing, I stopped perlbal, added the ListenHTTP suggestion to
> pound, so now pound runs on ports 443 and 80.  The problem is worse.  I
> cannot go from http to https or from https to http.  So it's definitely
> something with pound!  Previously I reinstalled pound with just plain 2.6
> without any patches and it's the same problem!

Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-20 Thread Scott McKeown
Hi Francoise,

OK think I've got it now. Try something like this:


User "nobody"
Group "nobody"
LogLevel 1

ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port 443
    Cert "/etc/pound/dev.pem"
    Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
    AddHeader "X-Secure-Connection: true"
    Service
        BackEnd
            # Send everything to PSGI apps
            Address 127.0.0.1
            Port
        End
    End
End
ListenHTTP
    Address xxx.xxx.xxx.xxx
    Port 80
    Service
        BackEnd
            Address 127.0.0.1
            Port
        End
    End
End

This should stop the looping and catch anything that is HTTP and display as
normal. If you want to FORCE HTTP traffic to HTTPS the Redirect option
should work.

~Scott


On 20 September 2012 12:08, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> Hi Scott,
>
> We use Perl 5.10, Catalyst and Plack/PSGI for the back end servers.  Pound
> is used for https and Perlbal for http front ends.
>
> So Pound config is something like:
>
> User "nobody"
> Group "nobody"
>
> LogLevel 1
>
> ListenHTTPS
>     Address xxx.xxx.xxx.xxx
>     Port 443
>     Cert "/etc/pound/dev.pem"
>     Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>     AddHeader "X-Secure-Connection: true"
>     Service
>         BackEnd
>             # Send everything to PSGI apps
>             Address 127.0.0.1
>             Port
>         End
>     End
> End
>
> I haven't applied the DisableSSLv2 patch yet.  But going from an https to
> any non secure page ends up in an infinite loop.
>
> Using Firefox or even Safari returns something like:
>
> Firefox has detected that the server is redirecting the request for this
> address in a way that will never complete.
>

Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-20 Thread Scott McKeown
Hi Francoise,

I'm going to take a guess here but your pound.cfg should look something
like this for a basic redirection from HTTP to HTTPS (well this works well
for me but I'm sure others may know of another/better way to do this)


User "nobody"
Group "nobody"
LogLevel 1
LogFacility local3
Client 30
TimeOut 60
ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port 443
    xHTTP 3
    Cert "/etc/pound/ucc01.pem"
    ReWriteLocation 1
    Ciphers "RC4:HIGH:!MD5:!aNULL"
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    DisableSSLv2
    Service
        HeadRequire "Host: *support.*"
        BackEnd
            Address 172.16.0.40
            Port 80
            TProxy 1
        End
    End
End
ListenHTTP
    Address xxx.xxx.xxx.xxx
    Port 80
    xHTTP 3
    ReWriteLocation 1
    Service
        HeadRequire "Host: *support.*"
        Redirect "[https full address goes here]"   # eg https://google.co.uk
    End
End


~Yours,
Scott


On 20 September 2012 10:36, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> Hi Scott,
>
> I hope you can help me again.  Since upgrading to pound 2.6 as discussed
> previously, we are having trouble re-directing a user from https to http.
> But if I downgrade pound back to 2.5 and refresh it works fine.  I am not
> at all familiar with how pound works.  Do you have any recommendations on
> where to look first?
>
> Many thanks.
>
> Francoise

Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-19 Thread Scott McKeown
Hi Francoise,

You're more than welcome.
On a side note you may also like the DisableSSLv2 Patch which can be found
here:
http://www.apsis.ch/pound/pound_list/archive/2012/2012-01/1327928733000

This will remove the need for the '!SSLv2' option in your Ciphers List line.


~Scott


On 19 September 2012 11:51, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> Hi Scott,
>
> It worked fine once I switched it to the live certificate instead of the
> self-signed one used for testing.
>
> Much appreciated.
>
> Francoise

Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

2012-09-19 Thread Scott McKeown
Hi Francoise,

This looks more like a Certificate issue than a Pound issue.
What type of certificate have you created?
I would have another go at creating the PEM file myself and if you have
paid for a certificate from a CA you may need the intermediate and root
chains.
This site is a good reference on the creation of the PEM files.
http://www.digicert.com/ssl-support/pem-ssl-creation.htm
9 time out of 10 I would use the full PEM file listed right at the bottom
of the page.

~Yours,
Scott


On 19 September 2012 10:11, Francoise Dehinbo <
francoise.dehi...@foxtons.co.uk> wrote:

> Hi All,
>
> My OS is debian squeeze which has Pound version 2.5 installed. I
> downloaded the latest stable version 2.6 from
> http://www.apsis.ch/pound/Pound-2.6.tgz and
> applied the BEAST attack patch from
>
> https://github.com/goochjj/pound/commit/2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch
>
> After installing 2.6 and starting up pound (as root), it fails with the
> following error:
>
> /etc/pound/pound.cfg line 15: ListenHTTPS: could not get certificate CN
>
> Line 15 is:
> Cert"/etc/pound/dev.pem"
>
> But /etc/pound/dev.pem does exist so I don't understand why it cannot read
> it:
>
> >ls -la /etc/pound/dev.pem
> -rw-r--r-- 1 root root 1.9K May 22 15:29 /etc/pound/dev.pem
>
> Here is my config for pound:
>
> User "web"
> Group "web"
>
> # If the backend disappears check for it to come back every 'Alive'
> # seconds.
> Alive 5
>
> # no logging of individual requests
> # start up etc errors are still logged to daemon.log
> LogLevel 2
>
> ListenHTTPS
>
>     Address 0.0.0.0
>     Port 443
>     Cert "/etc/pound/dev.pem"
>     Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>
>     AddHeader "X-Secure-Connection: true"
>
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port 6000
>         End
>     End
>
> End
>
> Any help would be greatly appreciated.
>
> Many thanks
>
> Francoise
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
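
In both the SSL_CTX_use_PrivateKey_file thread further up and the "could not get certificate CN" thread above, the first thing to check is what the file handed to Cert actually contains. As an added example, not Pound's or OpenSSL's code, here is a Python structural check of a combined PEM file; it assumes Pound 2.x loads the file with OpenSSL's SSL_CTX_use_certificate_chain_file (first CERTIFICATE block is the server certificate, later ones the chain) and SSL_CTX_use_PrivateKey_file (first key block), and the sample blocks are constructed filler, not real keys.

```python
"""Inspect a combined PEM file before pointing Pound's Cert directive at it.

Added example, not Pound's or OpenSSL's code. Assumes Pound 2.x behaviour:
the file goes to SSL_CTX_use_certificate_chain_file(), which takes the
first CERTIFICATE block as the server certificate and later ones as the
chain, and to SSL_CTX_use_PrivateKey_file(), which takes the first private
key block. A file with no key block (a bare .crt) is the usual cause of
"SSL_CTX_use_PrivateKey_file failed".
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY"}
ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"


def pem_blocks(text):
    """Return [(label, der_bytes_or_None)] for each block, in file order.

    der is None when the body is not valid base64 (truncated paste, a stray
    character from a copy through a mail client, and so on).
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys carry "Proc-Type:"/"DEK-Info:" header lines
        # before the base64 body; base64 itself never contains ':'.
        lines = [ln for ln in body.splitlines() if ln and ":" not in ln]
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except binascii.Error:
            der = None
        blocks.append((label, der))
    return blocks


def check_pound_pem(text):
    """Return a list of problems; an empty list means Pound should load it."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (is this a DER/.crt binary file?)"]
    problems = []
    legacy_encrypted = "Proc-Type: 4,ENCRYPTED" in text
    for i, (label, der) in enumerate(blocks, 1):
        if der is None:
            problems.append(f"block {i} ({label}) is not valid base64; truncated copy?")
        elif not der.startswith(b"\x30") and not legacy_encrypted:
            # Every certificate and unencrypted key is a DER SEQUENCE (0x30).
            problems.append(f"block {i} ({label}) does not decode to a DER SEQUENCE")
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: Cert needs the server certificate")
    keys = [label for label in labels if label in KEY_LABELS or label == ENCRYPTED_LABEL]
    if not keys:
        problems.append("no private key block: expect 'SSL_CTX_use_PrivateKey_file failed'")
    elif ENCRYPTED_LABEL in keys or legacy_encrypted:
        problems.append("private key is passphrase-protected; a daemon cannot load it unattended")
    return problems


def chain_summary(text):
    """Describe how OpenSSL will interpret the certificate blocks."""
    certs = [label for label, _ in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        return "no certificates"
    if len(certs) == 1:
        return "server certificate only (fine for self-signed; CA-issued certs usually need intermediates appended)"
    return f"server certificate followed by {len(certs) - 1} chain certificate(s)"


def _block(label, payload):
    """Build a PEM block from raw bytes (constructed test data, not a real key)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins: a DER SEQUENCE header followed by filler bytes.
FAKE_DER = b"\x30\x82\x00\x40" + bytes(range(64))
CERT_ONLY = _block("CERTIFICATE", FAKE_DER)                      # a bare .crt
CERT_AND_KEY = CERT_ONLY + _block("RSA PRIVATE KEY", FAKE_DER)   # cat server.crt server.key
CORRUPT = CERT_AND_KEY.replace("\n-----END CERTIFICATE", "!!\n-----END CERTIFICATE")

if __name__ == "__main__":
    for name, pem in [("cert only", CERT_ONLY), ("cert+key", CERT_AND_KEY), ("corrupt", CORRUPT)]:
        print(name, "->", check_pound_pem(pem) or ["ok"], "|", chain_summary(pem))
```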


Re: [Pound Mailing List] re-writing requests so i get the original IP address

2012-09-14 Thread Scott McKeown
Hi KFCI,
Depending on the OS that you have your Pound service running on this maybe
of some help to you:
http://blog.loadbalancer.org/ssl-termination-the-beast/

This post will allow you to add an option into your Pound configuration
file that allows for Transparent Proxy to be enabled. Simply enter 'TProxy
1' after the 'Timeout 60' section and you should then see the source IP
recorded into your Apache logs.


~Yours,
Scott


On 14 September 2012 10:56, KFCI Webmaster  wrote:

> Hi all,
>
> I have a working and “reasonably” well configured pound installation. It's
> load balancing and controlling many websites on the backend rather well.
>
> My backend servers are running apache. I have changed my logs on my
> backend servers to find the originating IP address for requests and log
> them in my apache logs. This certainly helps to identify where my requests
> are coming from without having to view my pound logs.
>
> My problem is that any IP address checks using PHP or other scripts on my
> apache servers identify the request as the pound server IP address. This is
> a pain as I have “out of the box” stats software and tracking software for
> specific websites that relies on the original requester IP address, yet I
> am getting the pound server IP address.
>
> Is there any way I can get pound/apache to send/receive (respectively) the
> originator's IP address so all scripts also see the originator's IP address?
>
> Any help much appreciated.
>
> Many thanks,
>
> KFCI
>
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
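
Scott's answer above is TProxy; the other route, which the original poster is already using for Apache logging, is the X-Forwarded-For header Pound adds to each request. As an added example (not from this list and not Pound's or Apache's code), here is a Python helper for the backend that takes the client address from that header only when the request really arrived from a Pound host; an application that trusts the header unconditionally lets any direct client choose the address it is logged or rate-limited under. It assumes Pound adds an X-Forwarded-For header carrying the client address on every request it proxies, and that the backend presents multiple entries as one comma-separated list with Pound's entry last.

```python
"""Resolve the original client address behind Pound on the backend.

Added example; not Pound's or Apache's code. Assumptions: Pound adds an
X-Forwarded-For header with the client address on every proxied request,
the backend sees multiple entries as one comma-separated value with Pound's
entry last, and the backend knows the addresses its Pound hosts use. The
header is honoured only when the TCP peer is one of those hosts, so a
client that reaches the backend directly, or sends its own X-Forwarded-For
through Pound, cannot pick the address the application records.
"""
import ipaddress

# Constructed for this example: the Pound hosts in front of this backend.
POUND_HOSTS = ["10.0.0.0/24"]


def _is_trusted(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def client_ip(remote_addr, x_forwarded_for, trusted_proxies=POUND_HOSTS):
    """Return the address to treat as the client.

    remote_addr:      the TCP peer the backend accepted (REMOTE_ADDR).
    x_forwarded_for:  the header value as received, or None.
    trusted_proxies:  CIDR strings for the hosts allowed to set the header.

    The header is walked from the right (the entry Pound added). Trusted
    hops are skipped; the first untrusted address is the client. Anything
    further left was supplied by the client itself and is ignored.
    """
    networks = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not _is_trusted(remote_addr, networks):
        # Direct connection, not via Pound: the header is client-controlled.
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: stop at the last good hop
        candidate = hop
        if not _is_trusted(hop, networks):
            break
    return candidate


if __name__ == "__main__":
    # Constructed requests as the backend would see them.
    print(client_ip("10.0.0.5", "203.0.113.9"))                       # via Pound
    print(client_ip("203.0.113.9", "198.51.100.1"))                   # direct hit, header ignored
    print(client_ip("10.0.0.5", "198.51.100.1, 203.0.113.9, 10.0.0.6"))  # forged left-most entry ignored
```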


Re: [Pound Mailing List] Editing Information:

2012-09-14 Thread Scott McKeown
Hi Garrett,
The pound.cfg file is only read the once when you start/restart the service,
so the only way that I know of that you can get the new settings to take
effect is to restart the pound service.

There is a script that you can place in the 'init.d' folder which allows
you to stop/start/restart the pound service. If you don't already have this
on your server I would recommend it, as stopping pound and then restarting
it means you typing the commands manually, whereas '/etc/init.d/pound
restart' does both in one go.

As for any apps that you can use to edit Pound I'm not sure of but I'm sure
that some may exist. We actually use Pound in our Product for our SSL
Terminations which we have written a simple web front end for which allows
the configuration of the most common options and some of the extra ones
that we have included from the patches that have been included.

~Yours,
Scott


On 13 September 2012 17:28, Garrett Hampton
wrote:

> Hello Everyone,
>
> I am using Pound in a virtual server to route traffic to various web
> servers we have.  Anytime I want to make a change to IP, port, or add a new
> application I log into the virtual server, VIM my pound.cfg file, and then
> restart the pound service.  When I do that, for a brief moment, access to
> our sites is lost.
>
> My questions are:
>
> 1. Do I have to reboot the Pound service every time I edit the .cfg file?
>
>    a. Is there any way to limit downtime when making a new entry in
>       the .cfg file?
>
> 2. Is there another way to add/edit/manage the Pound.cfg file?
>    Are there any web apps I can use that tie into Pound?
>
> Thanks for the help!
>
> Garrett H.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org


Re: [Pound Mailing List] Subdomains SSL and one IP address

2012-09-06 Thread Scott McKeown
Hi ?,

I use something along the same sort of lines, all on one IP address to
different backend servers, by doing the following:

User        "nobody"
#Group      "nobody"
LogLevel    2
Client      30
TimeOut     60
ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port 443
    xHTTP 3
    Cert "/usr/local/etc/server.pem"
    ReWriteLocation 1
    Ciphers "RC4:HIGH:!MD5:!aNULL"
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    Disable SSLv2
    Service
        HeadRequire "Host: *support.*"
        BackEnd
            Address 172.16.0.40
            Port 80
        End
    End

    Service
        HeadRequire "Host: *customers.*"
        BackEnd
            Address 172.16.0.20
            Port 80
        End
    End

    Service
        HeadRequire "Host: *userpanel.*"
        BackEnd
            Address 172.16.0.30
            Port 80
        End
    End

    Service
        HeadRequire "Host: *support.dev.*"
        BackEnd
            Address 172.16.0.10
            Port 80
        End
    End
End

And this works like a charm.

Yours,
Scott



On 6 September 2012 15:34, KFCI Webmaster  wrote:

> Hi,
>
> Is it possible to use Pound to listen on one IP address for several
> subdomains using SSL?
>
> e.g.
>
> ListenHTTPS
>     Address xxx.xxx.xxx.xxx
>     Port 443
>     Cert "/etc/ssl/xxx.pem"
>     Service
>         HeadRequire "Host: .*www.domain.com.*"
>         BackEnd
>             Address xxx.xxx.xxx.xxx
>             Port 80
>             TimeOut 60
>         End
>     End
>     Service
>         HeadRequire "Host: .*subdomain1.domain.com.*"
>         BackEnd
>             Address xxx.xxx.xxx.xxx
>             Port 80
>             TimeOut 60
>         End
>     End
> End
>
> Or something like this?
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
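As an added example, not code from the thread, the Python below mimics how Pound chooses a Service from HeadRequire patterns (each pattern is an extended, case-insensitive regex searched, unanchored, against every request header line, and the first Service in config order that matches wins). The patterns and backends are constructed; the loose ones follow the `.*www.domain.com.*` shape from the question, and the anchored set shows how to keep a pattern from also matching any Host value that merely contains that string.

```python
import re

# Constructed Service table: (HeadRequire pattern, backend) in config order.
# Loose patterns in the shape used in the question, with the dots escaped.
LOOSE_SERVICES = [
    (r"Host: .*www\.domain\.com.*", "172.16.0.40:80"),
    (r"Host: .*support\.domain\.com.*", "172.16.0.20:80"),
]
# The same routing with the Host value anchored; an optional :port is allowed.
ANCHORED_SERVICES = [
    (r"^Host: www\.domain\.com(:[0-9]+)?$", "172.16.0.40:80"),
    (r"^Host: support\.domain\.com(:[0-9]+)?$", "172.16.0.20:80"),
]


def select_backend(services, headers):
    """Return the backend of the first Service whose HeadRequire matches.

    headers is the list of request header lines ("Name: value").
    The pattern is compiled case-insensitively and searched, not
    anchored, against each line, as Pound does; None means no Service
    matched and Pound would answer with an error instead of routing.
    """
    for pattern, backend in services:
        rx = re.compile(pattern, re.IGNORECASE)
        if any(rx.search(line) for line in headers):
            return backend
    return None


def route_all(services, hosts):
    """Map each Host value to the backend a request for it would reach."""
    return {h: select_backend(services, ["Host: " + h]) for h in hosts}
```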


Re: [Pound Mailing List] Session Tracking Issue

2012-09-06 Thread Scott McKeown
Hi Peter,

I think that the problem lies in that your Pound configuration file is not
nested correctly.
You're listening on '192.168.10.41:80' but the services are outside of the
scope of the ListenHTTP.
Give this change a go and let us know what you get:

##
## listen, redirect and ... to:
ListenHTTP
    Address 192.168.10.41
    Port 80
    Service
        BackEnd
            Address 192.168.10.41
            Port 8088
        End
        BackEnd
            Address 192.168.10.41
            Port 8099
        End
        Session
            Type COOKIE
            ID "VinClientSession"
            TTL 300
        End
    End
End



On 5 September 2012 17:15, P. Broennimann wrote:

> Hi there
>
> I have Pound 2.6 installed. Two instances of my back-end application are
> running on different ports and I am trying to load-balance (using a
> sessionID stored in a cookie).
>
> I noticed in the Pound log that requests (from a same client) are not all
> directed toward a same application/port, and I am now trying to
> trace/figure out why.
>
> In the Pound config file I have "LogLevel = 2". Is there some more
> detailed logging where I can trace my issue (example trace how the
> session/cookie is handled in Pound)?
>
> An extract of my Pound log:
>
> ...
> Sep  5 17:58:40 VINCLIENTPROD pound: 192.168.10.12 POST
> /json?1346860699038 HTTP/1.1 - HTTP/1.1 200 OK (192.168.10.41/- ->
> 192.168.10.41:8099) 0.019 sec
> Sep  5 17:58:40 VINCLIENTPROD pound: 192.168.10.12 GET
> /html/dashboard.html HTTP/1.1 - HTTP/1.1 200 OK (192.168.10.41/- ->
> 192.168.10.41:8088) 0.001 sec
> ...
>
>
> An HTTP header looks like:
>
> GET /html/dashboard.html HTTP/1.1
> Host: 192.168.10.41
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101
> Firefox/15.0 FirePHP/0.7.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Referer: http://192.168.10.41/html/index.html
> Cookie: VinClientSession=c497289a-7b58-4f2b-bff2-1334445370fd
> x-insight: activate
>
>
> And my pound config looks like:
>
> ##
> ## global options:
> User "www-data"
> Group "www-data"
> #RootJail "/chroot/pound"
> ## Logging: (goes to syslog by default)
> ## 0 no logging
> ## 1 normal
> ## 2 extended
> ## 3 Apache-style (common log format)
> LogLevel 2
> ## check backend every X secs:
> Alive 30
> ## use hardware-accelleration card supported by openssl(1):
> #SSLEngine ""
> # poundctl control socket
> Control "/var/run/pound/poundctl.socket"
>
> ##
> ## listen, redirect and ... to:
> ListenHTTP
>   Address 192.168.10.41
>   Port 80
> End
> Service
>   BackEnd
> Address 192.168.10.41
> Port 8088
>   End
>   BackEnd
> Address 192.168.10.41
> Port 8099
>   End
>   Session
> Type COOKIE
> ID "VinClientSession"
> TTL 300
>   End
> End
>
>
> Thanks & cheers,
> Peter
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
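As an added example, not code from the thread, the Python below parses the block structure of a Pound config and reports the scope each Service sits in, so the nesting Scott points at can be checked mechanically rather than by eye. It runs on a constructed config laid out like Peter's (listener closed before the Service starts). A Service outside any listener is one Pound applies to all listeners; the checker only makes that scope visible.

```python
# Constructed Pound config in the layout from the thread: the Service
# block comes after the listener's 'End', so it is at global scope
# rather than inside ListenHTTP. Addresses follow the thread.
BROKEN_CFG = """\
ListenHTTP
  Address 192.168.10.41
  Port 80
End
Service
  BackEnd
    Address 192.168.10.41
    Port 8088
  End
  Session
    Type COOKIE
    ID "VinClientSession"
    TTL 300
  End
End
"""

# Pound keywords that open a block closed by a matching 'End'.
OPENERS = {"ListenHTTP", "ListenHTTPS", "Service", "BackEnd", "Session"}


def parse_blocks(text):
    """Return [(block, parent)] pairs in the order blocks are opened.

    Comments after '#' are stripped (this simple check does not handle a
    '#' inside a quoted value); each opener pushes a block, 'End' pops
    one, and an unbalanced config raises ValueError.
    """
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        word = line.split()[0]
        if word in OPENERS:
            found.append((word, stack[-1] if stack else None))
            stack.append(word)
        elif word == "End":
            if not stack:
                raise ValueError("unmatched End")
            stack.pop()
    if stack:
        raise ValueError("unclosed block: " + stack[-1])
    return found


def service_scopes(text):
    """Scope of every Service block: the enclosing listener or 'global'."""
    return [p or "global" for b, p in parse_blocks(text) if b == "Service"]
```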