Hi Scott/Joe/Andreas,

Thanks for all your help. I just wanted to update you with the progress that was made with regards to not being able to redirect from https to http.

For testing purposes, I simplified the backend code to only print 'Hello world' for http requests. All https requests were simply redirected back to http. In the live environment, this scenario would occur when a logged in user goes from a secure to an unsecured page by clicking a link. I was able to replicate the endless redirect with the code below. This was fixed by adding 'RewriteLocation 0' to the pound.cfg, which was not required for version 2.5 but is required for 2.6.

Here is the Plack/PSGI app for the backend which runs on port 80:

    use strict;
    use warnings;
    use Plack::Builder;

    # Run this app on port 80
    my $app = sub {
        my $env = shift;
        # Pound adds "X-Secure-Connection: true" to requests it received over HTTPS
        if ( $env->{HTTP_X_SECURE_CONNECTION} ) {
            # redirect https://www.frankydev.co.uk to http://www.frankydev.co.uk
            return redirect('http://www.frankydev.co.uk');
        }
        else {
            # just print text to confirm success
            return [ 200, [ 'Content-Type', 'text/plain' ], ['Hello World!'] ];
        }
    };

    # the value of this last expression is the PSGI app the server runs
    builder {
        $app;
    };

    # Method to redirect to the supplied url
    sub redirect {
        my $url = shift;
        return [ 302, [ 'Location', $url ], [] ];
    }

Here is my pound.cfg:

    User "nobody"
    Group "nobody"

    Alive 5
    LogLevel 2

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/pound/dev.pem"
        Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
        AddHeader "X-Secure-Connection: true"

        Service
            BackEnd
                Address 127.0.0.1
                Port 80
            End
        End
    End

I used curl for testing:

    curl https://www.frankydev.co.uk -v --insecure -b session_dev=2a6b6346fc9772a597ba083d063d3618e8d7dyyh

This is the result before the fix (Location still points to https):

    > GET / HTTP/1.1
    > User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
    > Host: www.frankydev.co.uk
    > Accept: */*
    > Cookie: session_dev=2a6b6346fc9772a597ba083d063d3618e8d7dyyh
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 302 Found
    < Date: Mon, 24 Sep 2012 15:25:01 GMT
    < Server: HTTP::Server::PSGI
    < Location: https://www.frankydev.co.uk/
    < Content-Length: 0
    <
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

This is the result after adding 'RewriteLocation 0':

    > GET / HTTP/1.1
    > User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
    > Host: www.frankydev.co.uk
    > Accept: */*
    > Cookie: session_dev=2a6b6346fc9772a597ba083d063d3618e8d7dyyh
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 302 Found
    < Date: Mon, 24 Sep 2012 15:26:53 GMT
    < Server: HTTP::Server::PSGI
    < Location: http://www.frankydev.co.uk
    < Content-Length: 0
    <
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

Location now points to http.

On 20/09/2012 20:58, "Joe Gooch" <mrwiz...@k12system.com> wrote:

> Do not include the csr in the pem for pound. Key, then crt.
>
> I'll admit, I've only partly been paying attention... But from what I've been reading I'm having a hard time figuring out what you're trying to accomplish. Are you trying to use Pound for SSL termination, and as such you just want it to pass everything through to a backend? Is the backend doing SSL? Is the backend smart enough to read the header coming from pound and not redirect? Is something else listening on port 80 to pick up the traffic? If so, is it redirecting properly? (And if it's redirecting to a backend, why isn't that doing SSL termination?)
>
> If I were a user, what would a diagram of a normal request look like? In my situation it's:
>
> Port 80 = pound -> redirect to https://pound.hostname.domain/
> Port 443 = pound -> HTTP to one of several backends on ports 81, 82, 83, etc. Backends redirect if the HTTPS header isn't set, and RewriteDestination 2 is on the pound config.
>
> Joe
>
>> -----Original Message-----
>> From: Andreas Hilboll [mailto:li...@hilboll.de]
>> Sent: Thursday, September 20, 2012 3:11 PM
>> To: pound@apsis.ch
>> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
>>
>> Is it possible that your Perl application tries to enforce HTTPS? If so, HTTPS would go from user to Pound, HTTP from Pound to Perl, and Perl would then redirect to HTTPS, ending in an infinite loop.
>>
>> Cheers, A.
>>
>>> It is pretty much what I emailed earlier. /etc/pound/dev.pem is a self-signed certificate for testing. This is how I created the certificate:
>>>
>>>     openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr
>>>     openssl x509 -req -days 3650 -in dev.csr -signkey dev.key -out dev.crt
>>>     cat dev.key dev.csr dev.crt > dev.pem
>>>
>>> And here is the pound config:
>>>
>>>     User "nobody"
>>>     Group "nobody"
>>>
>>>     Alive 5
>>>     LogLevel 0
>>>
>>>     ListenHTTPS
>>>         Address x.x.x.x
>>>         Port 443
>>>         Cert "/etc/pound/dev.pem"
>>>         Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>>>         AddHeader "X-Secure-Connection: true"
>>>
>>>         Service
>>>             BackEnd
>>>                 Address x.x.x.x
>>>                 Port xxxx
>>>             End
>>>         End
>>>     End
>>>
>>> From: Scott McKeown <sc...@loadbalancer.org>
>>> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
>>> Date: Thursday, 20 September 2012 16:30
>>> To: "pound@apsis.ch" <pound@apsis.ch>
>>> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
>>>
>>> Hi Francoise,
>>> Can you show me your current pound.cfg file please (replace anything with X's)
>>>
>>> ~Scott
>>>
>>> On 20 September 2012 15:49, Francoise Dehinbo <francoise.dehi...@foxtons.co.uk> wrote:
>>>
>>> I tried your suggestion below so pound runs on 443 and 80. All http goes from pound to the new perlbal port 8080. And all https goes through pound as usual. I still have the same problem. Cannot redirect from http to https and vice versa (now that pound is running both ports).
>>>
>>> From: Scott McKeown <sc...@loadbalancer.org>
>>> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
>>> Date: Thursday, 20 September 2012 13:40
>>> To: "pound@apsis.ch" <pound@apsis.ch>
>>> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
>>>
>>> So your Pound setup and the web site are running on the same server; sorry, I have mine set up in a proxy mode, which is a slightly different setup. I don't know perlbal, but at a guess you should be able to change the port that it's listening on in its config file to something like 8080 and then, with the pound redirect as above in place but to port 8080 for the BackEnd
>>>
>>> ~Scott
>>>
>>> On 20 September 2012 12:51, Francoise Dehinbo <francoise.dehi...@foxtons.co.uk> wrote:
>>>
>>> Just for testing, I stopped perlbal, added the ListenHTTP suggestion to pound, so now pound runs on ports 443 and 80.
>>> The problem is worse. I cannot go from http to https or from https to http. So it's definitely something with pound! Previously I reinstalled pound with just plain 2.6 without any patches and it's the same problem!
>>>
>>> From: Scott McKeown <sc...@loadbalancer.org>
>>> Reply-To: "pound@apsis.ch" <pound@apsis.ch>
>>> Date: Thursday, 20 September 2012 12:30
>>> To: "pound@apsis.ch" <pound@apsis.ch>
>>> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
>>>
>>> Hi Francoise,
>>>
>>> OK, think I've got it now.
>>> Try something like this:
>>>
>>>     User "nobody"
>>>     Group "nobody"
>>>     LogLevel 1
>>>
>>>     ListenHTTPS
>>>         Address xxx.xxx.xxx.xxx
>>>         Port 443
>>>         Cert "/etc/pound/dev.pem"
>>>         Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>>>         AddHeader "X-Secure-Connection: true"
>>>         Service
>>>             BackEnd
>>>                 # Send everything to the PSGI apps
>>>                 Address 127.0.0.1
>>>                 Port 5555
>>>             End
>>>         End
>>>     End
>>>
>>>     ListenHTTP
>>>         Address xxx.xxx.xxx.xxx
>>>         Port 80
>>>         Service
>>>             BackEnd
>>>                 Address 127.0.0.1
>>>                 Port 5555
>>>             End
>>>         End
>>>     End
>>>
>>> This should stop the looping and catch anything that is HTTP and display as normal. If you want to FORCE HTTP traffic to HTTPS, the Redirect option should work.
>>>
>>> ~Scott
>>>
>>> Privacy and Confidentiality Notice:
>>>
>>> This is strictly confidential and intended solely for the person or organisation to whom it is addressed. It may contain privileged and confidential information and if you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this message in error, please notify us as soon as possible and delete it and any attached files from your system. The views and opinions expressed in this email message are the author's own and may not reflect the views and opinions of the author's employer.
>>>
>>> Foxtons Limited is registered in England and Wales (registered number 01680058). Our registered office is at Building One, Chiswick Park, 566 Chiswick High Road, London, W4 5BE.
>>>
>>> _____________________________________________________________________
>>> This e-mail has been scanned for viruses by MessageLabs.
>>>
>>> --
>>> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
>>> Please contact ro...@apsis.ch for questions.
>>>
>>> --
>>> With Kind Regards.
>>>
>>> Scott McKeown
>>> Loadbalancer.org
>>> http://www.loadbalancer.org
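As an added example (my own, not code from the thread or from Pound itself), a small Python model of the redirect loop reported at the top of this message: the PSGI app's https-to-http redirect, Pound's RewriteLocation rewrite of the Location header, and a short redirect follower that detects the loop. The host name is taken from the curl traces above; the modelled rewrite rule (a Location naming the listener host with the other scheme is rewritten to the listener's scheme when RewriteLocation is 1) is an assumption drawn from those traces.

```python
from urllib.parse import urlsplit, urlunsplit

HOST = "www.frankydev.co.uk"  # host name used in the thread

def backend(secure):
    """The Plack app above: a request Pound marked as HTTPS is sent back
    to http://, everything else gets the plain 'Hello World!' page."""
    if secure:
        return 302, {"Location": f"http://{HOST}"}
    return 200, {"Content-Type": "text/plain"}

def pound_https(url, rewrite_location):
    """Pound's HTTPS listener (assumed behaviour): TLS ends here and the
    backend is called over plain HTTP with X-Secure-Connection set. With
    RewriteLocation 1 a Location that names the listener host but the other
    scheme is rewritten to the listener's scheme, which reproduces the
    'Location: https://.../' seen in the trace before the fix."""
    req = urlsplit(url)
    status, headers = backend(secure=True)
    loc = headers.get("Location")
    if rewrite_location and loc:
        lp = urlsplit(loc)
        if lp.hostname == HOST and lp.scheme != req.scheme:
            headers["Location"] = urlunsplit(
                (req.scheme, HOST, lp.path or "/", lp.query, ""))
    return status, headers

def fetch(url, rewrite_location):
    """Only port 443 sits behind Pound in the thread; port 80 is the app."""
    if urlsplit(url).scheme == "https":
        return pound_https(url, rewrite_location)
    return backend(secure=False)

def follow(url, rewrite_location, max_hops=5):
    """Walk the redirect chain as a browser or 'curl -L' would, stopping at
    the first URL seen twice. Returns (last_status, chain, looped)."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(url, rewrite_location)
        if status not in (301, 302, 303, 307, 308):
            return status, chain, False
        url = headers["Location"]
        chain.append(url)
        if chain.count(url) > 1:
            return status, chain, True
    return status, chain, True
```

Running follow("https://www.frankydev.co.uk", 1) returns the looping chain, while the same call with RewriteLocation 0 ends at the http page with status 200.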