Posted to users@tapestry.apache.org by Barry Books <bf...@mac.com> on 2005/04/09 02:24:09 UTC
Pound SSL Solved
Well perhaps not solved but a possible workaround.
The problem seems to be if you run pound behind a firewall then the
host pound thinks it's running on does not match the host in a
redirect. Pound will only rewrite the location if the hosts match so
what happens on an SSL redirect is the location ends up being
http://host:443/path
instead of https://host/path
I fixed this by making pound always rewrite the Location. Under some
circumstances this may not be what you want.
If you want to try this out, change svc.c line 679 from return 0 to
return 1. (Pound-1.8.2)
WARNING: I have done very little testing on this patch.
Barry
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
Re: Pound SSL Solved
Posted by Barry Books <bf...@mac.com>.
I run OSX and Solaris so I don't have a binary that would work, however after thinking about the problem a bit more I may have a solution that works with the standard binary.
My problem was I have a firewall with an IP 64.217.80.79 named home.trsvax.com. Pound runs on a machine with an IP 192.168.1.10 so my pound config is
ListenHTTP 192.168.1.10,80
ListenHTTPS 192.168.1.10,443 /usr/local/etc/pound/test.pem
RewriteRedirect 1
LogLevel 3
UrlGroup ".*"
BackEnd 127.0.0.1,8001,1
EndGroup
The problem is when a 302 redirect happens Pound does a DNS lookup of the host in the Location header. In this case that's home.trsvax.com. It then compares its IP with the IP of the host in Location. If they match it rewrites it. If they don't it just lets it pass through. So on the machine pound is running I added an entry to /etc/hosts of
192.168.1.10 home.trsvax.com
Again I have not done much testing but if this way works I think it's the correct solution. Let me know if that works for you.
Barry
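
Added example, not part of the original posts and not Pound's source: a simplified C model of the check described above, in which the Location host is resolved and the header is rewritten only when the address equals the listener's. The resolver tables, function names and default-port handling are assumptions made for illustration; the two constructed tables stand for name resolution before and after the /etc/hosts entry. The third case in the test shows why the comparison matters: a redirect to another host is left untouched, which is the guard that forcing the check to always succeed would remove.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed name -> address tables standing in for the resolver. */
struct host_entry { const char *name, *addr; };
static const struct host_entry PUBLIC_DNS[] = {{"home.trsvax.com", "64.217.80.79"}};
static const struct host_entry WITH_HOSTS[] = {{"home.trsvax.com", "192.168.1.10"}};

static const char *resolve(const struct host_entry *tbl, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].name, name) == 0)
            return tbl[i].addr;
    return NULL;
}

/* Copies loc to out and returns 0 unless the Location host resolves to
 * listen_addr; on a match writes the rewritten URL to out and returns 1. */
int rewrite_location(const char *loc, const char *listen_addr, int is_https,
                     const struct host_entry *tbl, size_t n, char *out, size_t outlen)
{
    char host[256], portbuf[16] = "", *end;
    const char *p, *addr;
    long dflt = is_https ? 443 : 80, port = dflt;
    size_t hl;
    snprintf(out, outlen, "%s", loc);
    if (strncmp(loc, "http://", 7) != 0) return 0;   /* model covers only http:// */
    p = loc + 7;
    hl = strcspn(p, ":/");
    if (hl == 0 || hl >= sizeof host) return 0;
    snprintf(host, sizeof host, "%.*s", (int)hl, p);
    p += hl;
    if (*p == ':') { port = strtol(p + 1, &end, 10); p = end; }
    addr = resolve(tbl, n, host);
    if (addr == NULL || strcmp(addr, listen_addr) != 0) return 0;  /* not this listener */
    if (port != dflt) snprintf(portbuf, sizeof portbuf, ":%ld", port);
    snprintf(out, outlen, "%s://%s%s%s", is_https ? "https" : "http", host, portbuf, *p ? p : "/");
    return 1;
}

int main(void)
{
    char a[512], b[512];
    rewrite_location("http://home.trsvax.com:443/path", "192.168.1.10", 1, PUBLIC_DNS, 1, a, sizeof a);
    rewrite_location("http://home.trsvax.com:443/path", "192.168.1.10", 1, WITH_HOSTS, 1, b, sizeof b);
    printf("%s\n%s\n", a, b);
    return 0;
}
```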
Re: Pound SSL Solved
Posted by Theo vN <th...@gmail.com>.
Hi Barry
Well done - I would like to test this. Be so kind and send me a copy
of your pound binary. I'm running Debian and have installed pound from
a deb package - I hope your binary will work on my box (or did you
compile it under OS X?). My application for pound is quite simple: I
forward requests on ports 80 and 443 to specific tomcat apps all on
the same box.
Thanks in advance
On Apr 9, 2005 2:24 AM, Barry Books <bf...@mac.com> wrote:
> Well perhaps not solved but a possible workaround.
>
> The problem seems to be if you run pound behind a firewall then the
> host pound thinks it's running on does not match the host in a
> redirect. Pound will only rewrite the location if the hosts match so
> what happens on an SSL redirect is the location ends up being
>
> http://host:443/path
>
> instead of https://host/path
>
> I fixed this by making pound always rewrite the Location. Under some
> circumstances this may not be what you want.
>
> If you want to try this out, change svc.c line 679 from return 0 to
> return 1. (Pound-1.8.2)
>
> WARNING: I have done very little testing on this patch.
>
> Barry
--
Cheers
Theo