pound's People

Contributors

goochjj


pound's Issues

2.6 pci dss does not find crypto lib with --with-ssl config parameter

I can build 2.7c with --with-ssl=../foo but the 2.6 pcidss branch will not find the crypto library during the configuration build:

./configure --with-ssl=../openssl-0.9.8zc
checking for socket in -lsocket... no
checking for hstrerror in -lresolv... no
checking for BIO_new in -lcrypto... no
Missing OpenSSL (-lcrypto) - aborted

It also does it with the latest openssl-1.0.1j (same error).

SSL session id affinity

I am using pound in an SSL-offloading proxy capacity and have been wondering if it is possible to have access to the client-side connections' SSL session-ID either as a header like the other X-SSL-* headers, for use in pound's Session config, or both?

From what I have read[1], it should be possible to uniquely identify client connections with the SSL session ID or from TLS tickets (even behind NAT devices, unlike IP), and it would be nice to have that information exposed for load-balancer backend pinning and perhaps to backend services (for added session security in combination with client IP and other info).

HAProxy seems to have such an option (SSLID) according to this blog post.
In Apache mod_ssl, this is available as the SSL_SESSION_ID and SSL_SESSION_RESUMED env variables.

[1] Related information:
http://discourse.haproxy.org/t/ssl-load-balancing-with-session-affinity/86/3
https://security.stackexchange.com/q/48856
https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/

Redirect not appending path in version 2.7a

Hi,

We are trialling version 2.7a of Pound with a view of pushing it to our production environment to benefit from the fixes to poundctl.

I've noticed during our testing that 'Redirect' is no longer appending the path to the end of the URL.

This is our configuration, as an example:

Service
    HeadRequire "Host: stable.thinkleicestershire.co.uk"
    Redirect "https://stable.thinkleicestershire.co.uk"
End

With v2.6, if we visit http://stable.thinkleicestershire.co.uk/potato, we are redirected to https://stable.thinkleicestershire.co.uk/potato successfully.

In 2.7a, if we visit http://stable.thinkleicestershire.co.uk/potato, we are redirected to https://stable.thinkleicestershire.co.uk

Is this a known issue, is it resolved in 2.7b, or 2.7c?

From your documentation, it seems to suggest this is a bug:

Redirect [code] "url"
The address the client is redirected to is determined by the actual
url you specify: if it is a "pure" host (i.e. with no path) then the client will be redirected to the host you specified, with the original request path appended. If your url does contain a path then the request path is ignored.
Examples: if you specified
Redirect "http://abc.example"

and the client requested http://xyz/a/b/c then it will be redirected to http://abc.example/a/b/c, but if you specified

Redirect "http://abc.example/index.html"

it will be sent to http://abc.example/index.html.

RewriteLocation creates trouble even when disabled

I am using Pound in this configuration for a dedicated server:

Pound (IP_EXT, Ports 80, 443) =>
Varnish (LOCALHOST, Port 8090) =>
Apache (LOCALHOST, Port 8080)

Pound is dealing with SSL offloading and Apache has the SSL module disabled. Our website is using Magento CE 1.9.2.2, which allows the frontend to be secured in part or in full. We decided to use SSL in the frontend only for secured pages like customer accounts and checkout. All the other pages in the frontend are using the http protocol, unsecured.

Magento can handle sessions using cookies or strings in the URL. I have an issue where I sometimes get the string ___SID=U (where U means unsecured) when visiting some links or switching from secured to unsecured parts of Magento. I tried finding a solution and finally discovered the problem in Pound. By default RewriteLocation is set to 1. After changing RewriteLocation to 0 in ListenHTTP and ListenHTTPS I see positive results, but only for a small period of time. URLs having the string ___SID=U are coming back.

Pound is installed from the Debian repository, version 2.6. I searched the Internet for solutions and someone said I have to build pound myself from source, commenting out two lines in svn.c:

 /*|| strcasecmp(proto, (lstn->ctx == NULL)? "http": "https" */

Do you think this will work in my case, or do I have to give up and use Nginx to deal with SSL in front of Varnish? It is clear to me that pound creates confusion for Magento, which has to insert sessions in URLs.

pound 2.7d - wrong URL encoding with RedirectAppend

Hi guys,

I'm running:
Version 2.7d+github on Debian Wheezy
Configuration switches:
--with-ssl=yes
--with-maxbuf=8192
--with-owner=pound
--with-group=pound

(Makefile slightly changed to create a 4096 dh.pem).

I just tried to redirect all traffic to https and, like in issue #3, the URL encoding isn't working properly.

This is my pound config:

Service "my.url.com"
    HeadRequire "^Host:[\t ].*my\.url\.com"
    RedirectAppend  "https://my.url.com/"
End

And if it is active, the redirect in my lighttpd log looks like this:
my.url.com - [10/Nov/2014:14:41:21 +0100] "GET /this%2dis%2dan%2dexample%2dlink/ HTTP/1.1" 404 20023 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

My blog displays an internal 404 error (not the webserver!), saying that there was a mistake and the site could not be found, although the link in the URL bar looks fine: "https://my.url.com/this-is-an-example-link/". If I press F5, the page reloads with the same error. But if I click into the URL bar and press enter, the site loads fine with https.

Looks like "-" is translated to "%2d".

Any idea? :)

Cheers iro

Regex too strict in config.c

Thanks for the great work and sorry for posting here - I am too lazy to sign up for the mailing list.

Using one of the newer options (Disable SSLv3) made me wonder why it didn't work...
My Config File had everything lined up nicely - in this case using two tab-stops.

-    || regcomp(&DisableProto, "^[ \t]*Disable[ \t](SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+    || regcomp(&DisableProto, "^[ \t]*Disable[ \t]+(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
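Review bot: the change to `[ \t]+` on the `+` line is the right fix for the tab-aligned config described above, since the leading `^[ \t]*` and trailing `[ \t]*$` were already unbounded and only the single `[ \t]` between `Disable` and the protocol name rejected a second tab; suggest checking the neighbouring regcomp() calls in config.c for the same single-character separator so that every keyword accepts the same alignment, and adding a config-file test case with two tabs so the regression is caught next time.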

Disable TLS v1.0

Hello,

Please can you tell me if it is possible to disable the TLS v1.0 protocol, like you can with DisableSSLv2 and v3?

Thanks!

Matt

Build fails with the SCSV patch

I'm building with openssl-1.0.1j. The error is:

http.c: In function ‘do_http’:
http.c:920: error: ‘con’ undeclared (first use in this function)
http.c:920: error: (Each undeclared identifier is reported only once
http.c:920: error: for each function it appears in.)

As far as I understand the code base, the first argument should be "be_ssl" (or "ssl", but I guess this variable is not relevant in the backend context).

RedirectAppend changing URL encoding

I've noticed a slight issue whilst using 'RedirectAppend'.

For example, if we have a registration verification link sent via e-mail, using the http protocol, our pound is configured to 'RedirectAppend' from http to https.

ListenHTTP
    Service
        HeadRequire "Host: www.example.com"
        RedirectAppend "https://www.example.com"
    End
End

The link sent via e-mail is, for example:

http://www.example.com/Account/Welcome?e=test123@example.com&v=003c3086-e5e3-4ddb-b44d-b1d8c29ba76a

However, when pound RedirectAppends this URL to HTTPS, the URL encoding is changed:

https://www.example.com/Account/Welcome?e%3dtest123%40example.com&v%3d003c3086-e5e3-4ddb-b44d-b1d8c29ba76a

Is this by design? It didn't behave like this in v2.6 when using 'Redirect' (which automatically appended the URL)

Thanks,

Kieran
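As an added example (not pound's code and not from any of the posters), this implements the Redirect rule quoted in the 2.7a issue above (append the request path only when the redirect URL is a "pure" host) while copying the appended request target verbatim, so that '-' and '=' are never rewritten to %2d and %3d as the two RedirectAppend reports describe. The names is_pure_host, copy_verbatim and build_location are hypothetical and the sample URLs are constructed; the request target is assumed to arrive already percent-encoded, as HTTP request lines are.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if the redirect target is "scheme://host[:port]" with no path, the
 * "pure" host of the Redirect documentation (a lone trailing "/" counts as no path). */
static int is_pure_host(const char *url)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;
    p = strchr(p + 3, '/');
    return p == NULL || p[1] == '\0';
}

/* RFC 3986 unreserved and reserved characters, plus the '%' of an existing escape,
 * are copied as-is: re-encoding '=' as %3d or '-' as %2d changes what the backend parses. */
static int copy_verbatim(unsigned char c)
{
    return isalnum(c) || strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL;
}

/* Build the Location value: the target as given, plus the request target only
 * when the target is a pure host. Returns NULL if the result does not fit. */
const char *build_location(const char *target, const char *request)
{
    static char out[1024];
    size_t n = strlen(target);

    if (n >= sizeof out) return NULL;
    memcpy(out, target, n + 1);
    if (!is_pure_host(target)) return out;   /* target has a path: request path ignored */
    if (n > 0 && out[n - 1] == '/') n--;     /* request starts with '/', avoid "//" */
    for (; *request != '\0'; request++) {
        unsigned char c = (unsigned char)*request;
        if (n + 3 >= sizeof out) return NULL;
        if (copy_verbatim(c))
            out[n++] = (char)c;
        else    /* only a raw space, control or non-ASCII byte is escaped */
            n += (size_t)snprintf(out + n, sizeof out - n, "%%%02X", c);
    }
    out[n] = '\0';
    return out;
}

int main(void)
{
    puts(build_location("https://www.example.com", "/Account/Welcome?e=test123@example.com&v=1"));
    puts(build_location("https://my.url.com/", "/this-is-an-example-link/"));
    puts(build_location("http://abc.example/index.html", "/a/b/c"));
    return 0;
}
```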

Cancel SSL/HTTPS handshake if no suited cert is found

Hi goochjj,

Currently, if no suitable certificate is found in a Service declaration, the first certificate is issued to the client. If the domain does not suit the certificate, the client gets a certificate error in his browser.
Is there a way to disable this behavior, i.e. just cancel the SSL/HTTPS handshake?

THX, Georg
