Re: [pound] Issues with Pound 3.0d
Hey Robert,

Thanks for looking into this.
Maybe there's something wrong with the procedure I am doing?

I've just tested on a Fedora 31.
Here is how it was tested (with the same certificate sent in the last email):

- Backend with container to speed up the configuration:
  # podman run -d -p 8080:80 --name apache8080 -v /var/www/html:/var/www/html php:7.2-apache
  # echo '' >/var/www/html/index.php

- Pound configuration:
  # chmod +r /etc/ssl/self-signed/cert.pem
  # mkdir /etc/pound/
  # vim /etc/pound/pound.yaml:

  Backends:
    - &be
      Address: 127.0.0.1
      Port: 8080

  HTTPListeners:
    - Address: 0.0.0.0
      Port: 80
      Services:
        - Backends:
            - *be

  HTTPSListeners:
    - Address: 0.0.0.0
      Port: 443
      Services:
        - Backends:
            - *be
      Certificates:
        - "/etc/ssl/self-signed/cert.pem"

- Installing dependencies
  # dnf install -y cmake gcc libyaml-devel nanomsg-devel mbedtls-devel pcre-devel openssl-devel openssl systemd-units automake autoconf gperftools-devel

- Compiling
  # mkdir tmp; cd tmp; wget https://www.apsis.ch/pound/Pound-3.0d.tgz; tar xzvf Pound-3.0d.tgz; cd Pound-3.0d/build
  # cmake .. && make

- Running
  # ./pound -c && ./pound -d 1000

- last 5 lines from the debug:
  7FB0DBB58700 peer address 127.0.0.1 /root/tmp/Pound/Pound-3.0d/src/http.c:525
  7FB0DC359700 peer address 127.0.0.1 /root/tmp/Pound/Pound-3.0d/src/http.c:525
  7FB0DBB58700 start sni /root/tmp/Pound/Pound-3.0d/src/util.c:157
  7FB0DBB58700 sni for testing.mytest.com /root/tmp/Pound/Pound-3.0d/src/util.c:165
  Segmentation fault (core dumped)

- Breno

On Tue, 6 Oct 2020 at 08:46, Robert Segall wrote:
> Hallo Breno
>
> We tested with your certificate and it runs fine, thus: CANNOT
> REPRODUCE (temporarily). I suggest you have a look at other things,
> such as your environment and compilation.
>
> If somebody is running the same OS version (CentOS 8.2.2004) please try
> to have a look and let us know.
>
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-32-512 30 19

--
pound mailing list
pound@apsis.ch
https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
Re: [pound] Issues with Pound 3.0d
Hallo Breno

We tested with your certificate and it runs fine, thus: CANNOT
REPRODUCE (temporarily). I suggest you have a look at other things,
such as your environment and compilation.

If somebody is running the same OS version (CentOS 8.2.2004) please try
to have a look and let us know.

On Mon, 2020-10-05 at 17:09 -0400, Breno Brand Fernandes wrote:
> Hi Robert,
>
> Sure, you're welcome.
>
> To be frank, in my tests I was using a *real* certificate, used by the
> local environment we have running here and because of that, I can't
> share it.
> So this time I self-generated the certificate. I used a fictitious
> domain.
> And generated it with:
>
> 1 openssl req -x509 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt
> 2 openssl x509 -inform PEM -in cert.crt >> cert.pem
>
> It was tested both Pound and Pound3 with the exact configuration
> mentioned in the previous email.
> I've got the same error. The pem certificate file is here [1].
>
> The output of running pound with debugging is here [2].
>
> 1 https://pastebin.com/aMdxtd1P
> 2 https://pastebin.com/DGAFHDLE
>
> Please, let me know if there's anything else I could help you with.
>
> - Breno

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
Re: [pound] Issues with Pound 3.0d
Hi Robert,

Sure, you're welcome.

To be frank, in my tests I was using a *real* certificate, used by the
local environment we have running here and because of that, I can't share
it.
So this time I self-generated the certificate. I used a fictitious domain.
And generated it with:

1 openssl req -x509 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt
2 openssl x509 -inform PEM -in cert.crt >> cert.pem

It was tested both Pound and Pound3 with the exact configuration mentioned
in the previous email.
I've got the same error. The pem certificate file is here [1].

The output of running pound with debugging is here [2].

1 https://pastebin.com/aMdxtd1P
2 https://pastebin.com/DGAFHDLE

Please, let me know if there's anything else I could help you with.

- Breno

On Mon, 21 Sep 2020 at 04:36, Robert Segall wrote:
> Hallo Beno
>
> Many thanks for the report. I would need two additional things in order
> to understand this:
>
> 1. Your certificate (human-readable dump if possible).
> 2. Running Pound with high debug level, to see exactly what it does.
>
> Please post these and we'll take it from there.
>
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-32-512 30 19
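The two openssl commands in the 5 October message write the private key to cert.key and append only the certificate to cert.pem. As an added example (not part of the thread and not Pound code), this Python script lists which PEM blocks a file holds, so the contents can be checked before the file is named in a Cert or Certificates setting; pem_blocks, bundle_summary and the sample data are names and values constructed for this illustration.

```python
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----\s*$")

def pem_blocks(text):
    """Return [(label, decoded_length)] for each PEM block, in file order.
    Raises ValueError on a nested BEGIN, a mismatched END, an unterminated
    block, or a body that is not valid base64."""
    blocks, label, body = [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            if label is not None:
                raise ValueError(f"line {n}: BEGIN inside {label} block")
            label, body = begin.group(1), []
        elif end:
            if end.group(1) != label:
                raise ValueError(f"line {n}: END {end.group(1)} has no matching BEGIN")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"line {n}: bad base64 in {label}: {exc}") from None
            blocks.append((label, len(der)))
            label = None
        elif label is not None and ":" not in line:
            body.append(line.strip())  # skips RFC 1421 "Name: value" header lines
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks

def bundle_summary(text):
    """Count the certificates and private keys found in a PEM file's text."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    return {"certificates": labels.count("CERTIFICATE"), "private_keys": len(keys)}

def _pem(label, payload):
    # Constructed sample data: the payloads are placeholders, not real DER.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

CERT_ONLY = _pem("CERTIFICATE", b"constructed certificate bytes")
CERT_AND_KEY = CERT_ONLY + _pem("PRIVATE KEY", b"constructed key bytes")

if __name__ == "__main__":
    print(bundle_summary(CERT_ONLY))
    print(bundle_summary(CERT_AND_KEY))
```

To inspect a real file, pass its text: bundle_summary(open("cert.pem").read()).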
Re: [pound] Issues with Pound 3.0d
Hallo Beno

Many thanks for the report. I would need two additional things in order
to understand this:

1. Your certificate (human-readable dump if possible).
2. Running Pound with high debug level, to see exactly what it does.

Please post these and we'll take it from there.

On Thu, 2020-09-17 at 14:20 -0400, Breno Brand Fernandes wrote:
> Hi all,
>
> I've been testing Pound 3.0d and I found some issues.
> Would you mind helping me out? Maybe I'm missing something.
>
> I list below the environment and tests that were produced.
>
> - The environment:
> OS: CentOS Linux release 8.2.2004 (Core)
> Kernel version: 4.18.0-193.14.2.el8_2.x86_64
>
> Pound 2.8
> /etc/pound.cfg:
> User "pound"
> Group "pound"
> Control "/var/lib/pound/pound.cfg"
>
> ListenHTTP
>     Address 0.0.0.0
>     Port 80
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port 8080
>         End
>     End
> End
>
> ListenHTTPS
>     Address 0.0.0.0
>     Port 443
>     Cert "/etc/ssl/cert.pem"
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port 8080
>         End
>     End
> End
>
> Pound 3.0d
> /etc/pound/pound.yaml:
> Backends:
>   - &be
>     Address: 127.0.0.1
>     Port: 8080
>
> HTTPListeners:
>   - Address: 0.0.0.0
>     Port: 80
>     Services:
>       - Backends:
>           - *be
>
> HTTPSListeners:
>   - Address: 0.0.0.0
>     Port: 443
>     Services:
>       - Backends:
>           - *be
>     Certificates:
>       - "/etc/ssl/cert.pem"
>
> Nginx 1.14.1: Default configuration listening in the port 8080 only with
> the module php-fpm enabled. No ssl configuration.
> Apache 2.4.37: Default configuration listening in the port 8080 only with
> the module php-fpm enabled. No ssl configuration.
>
> - The tests & results:
> 1 Pound 2.8 and Nginx or Apache with PHP configured.
>   HTTP/HTTPS:
>   - Html pages work through.
>   - PHP pages work through.
>
> 2 Pound 3.0d and Nginx or Apache with PHP configured.
>   HTTP:
>   - Html pages work through.
>   - PHP pages partially load. Using curl -v, it is possible to see errors
>     related to encoding: Malformed encoding found in chunked-encoding.
>   HTTPS:
>   Either HTML or PHP pages throw a core dump in the function do_sni.
>
> You can see the backtrace here [1].
>
> Another thing I noted is that some options from Pound 2 seem to be missing
> on Pound 3 or I couldn't find them in the man file. E.g. Alive, xHTTP
> values, HeadRemove, RewriteLocation, AddHeader vs HeadAdd,
> SSLHonorCipherOrder, SSLAllowClientRenegotiation, XSSLHeaders, Disable (for
> SSL/TLS protocols), among others (see man pound vs man pound3).
>
> Are we planning on having those options on Pound 3 as well?
>
> PS: I built an RPM for Pound 3 on el8 here [2].
> It is just a draft and might require improvement.
>
> 1 https://copr.fedorainfracloud.org/coprs/brandfbb/Pound3-Experimental/
> 2 https://pastebin.com/WfuB8a9F
>
> Thanks in advance.
>
> - Breno

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19