Posted to users@tapestry.apache.org by Barry Books <bf...@mac.com> on 2005/04/09 02:24:09 UTC

Pound SSL Solved

Well perhaps not solved but a possible workaround.

The problem seems to be if you run pound behind a firewall then the 
host pound thinks it's running on does not match the host in a 
redirect. Pound will only rewrite the location if the hosts match so 
what happens on an SSL redirect is the location ends up being

http://host:443/path

instead of https://host/path

I fixed this by making pound always rewrite the Location. Under some 
circumstances this may not be what you want.

If you want to try this out, change svc.c line 679 from return 0 to 
return 1.  (Pound-1.8.2)

WARNING: I have done very little testing on this patch.

Barry


---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org


Re: Pound SSL Solved

Posted by Barry Books <bf...@mac.com>.
I run OSX and Solaris so I don't have a binary that would work; however, after thinking about the problem a bit more, I may have a solution that works with the standard binary.

My problem was I have a firewall with an IP 64.217.80.79 named home.trsvax.com. Pound runs on a machine with an IP 192.168.1.10 so my pound config is

ListenHTTP 192.168.1.10,80
ListenHTTPS 192.168.1.10,443 /usr/local/etc/pound/test.pem


RewriteRedirect 1
LogLevel 3


UrlGroup ".*"
BackEnd 127.0.0.1,8001,1
EndGroup


The problem is when a 302 redirect happens Pound does a DNS lookup of the host in the Location header. In this case that's home.trsvax.com. It then compares its IP with the IP of the host in Location. If they match it rewrites it. If they don't it just lets it pass thru. So on the machine pound is running on I added an entry to /etc/hosts of

192.168.1.10   home.trsvax.com


Again I have not done much testing but if this way works I think it's the correct solution. Let me know if that works for you.

Barry
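
Added example (not part of the original thread and not Pound's own code): a small Python model of the rewrite decision described in the message above, comparing stock behaviour with public DNS, stock behaviour with the /etc/hosts entry, and the "return 1" always-rewrite change. The name tables are constructed, and the rewrite form (client-facing scheme, port dropped, host kept), the function names and other.example are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed name tables for the Pound host (no real DNS is queried).
PUBLIC_DNS = {"home.trsvax.com": "64.217.80.79"}   # firewall's address
WITH_HOSTS = {"home.trsvax.com": "192.168.1.10"}   # after the /etc/hosts entry

LISTEN_IP = "192.168.1.10"  # ListenHTTPS address from the config above


def rewrite_location(location, resolver, client_scheme="https", always=False):
    """Return the Location value the client would receive.

    always=False models the stock comparison described in the post;
    always=True models the 'return 1' change in svc.c.
    """
    parts = urlsplit(location)
    host_ip = resolver.get(parts.hostname)  # None if the name is unknown
    if not always and host_ip != LISTEN_IP:
        return location  # passed through untouched
    # Assumed rewrite: client-facing scheme, default port, same host and path.
    return urlunsplit((client_scheme, parts.hostname, parts.path,
                       parts.query, parts.fragment))


def is_plaintext_on_tls_port(location):
    """Check for the broken form from the thread: http:// on port 443."""
    parts = urlsplit(location)
    return parts.scheme == "http" and parts.port == 443


if __name__ == "__main__":
    backend = "http://home.trsvax.com:443/path"   # what the backend emits
    offsite = "http://other.example:443/login"    # constructed off-site redirect
    for label, resolver, always in [
        ("stock, public DNS", PUBLIC_DNS, False),
        ("stock, /etc/hosts entry", WITH_HOSTS, False),
        ("always rewrite", PUBLIC_DNS, True),
    ]:
        for loc in (backend, offsite):
            out = rewrite_location(loc, resolver, always=always)
            print(f"{label:24} {loc} -> {out}")
```

In this model only the always-rewrite case alters the off-site redirect, which is the situation the first message flags as possibly unwanted.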



Re: Pound SSL Solved

Posted by Theo vN <th...@gmail.com>.
Hi Barry

Well done - I would like to test this. Be so kind and send me a copy
of your pound binary. I'm running Debian and have installed pound from
a deb package - I hope your binary will work on my box (or did you
compile it under OS X?). My application for pound is quite simple: I
forward requests on ports 80 and 443 to specific tomcat apps all on
the same box.

Thanks in advance

On Apr 9, 2005 2:24 AM, Barry Books <bf...@mac.com> wrote:
> Well perhaps not solved but a possible workaround.
> 
> The problem seems to be if you run pound behind a firewall then the
> host pound thinks it's running on does not match the host in a
> redirect. Pound will only rewrite the location if the hosts match so
> what happens on an SSL redirect is the location ends up being
> 
> http://host:443/path
> 
> instead of https://host/path
> 
> I fixed this by making pound always rewrite the Location. Under some
> circumstances this may not be what you want.
> 
> if you want to try this out change svc.c line 679 from return 0 to
> return 1.  (Pound-1.8.2)
> 
> WARNING: I have done very little testing on this patch.
> 
> Barry
> 
> 
> 


-- 
Cheers
Theo
