goochjj / pound
Pound Load Balancer
Home Page: http://www.apsis.ch/pound/
I can build 2.7c with --with-ssl=../foo but the 2.6 pcidss branch will not find the crypto library during the configuration build:
./configure --with-ssl=../openssl-0.9.8zc
checking for socket in -lsocket... no
checking for hstrerror in -lresolv... no
checking for BIO_new in -lcrypto... no
Missing OpenSSL (-lcrypto) - aborted
It also does it with the latest openssl-1.0.1j (same error)
I am using pound in an SSL-offloading proxy capacity and have been wondering if it is possible to have access to the client-side connections' SSL session-ID, either as a header like the other X-SSL-* headers, or for use in pound's Session config, or both?
From what I have read[1], it should be possible to uniquely identify client connections with the SSL session ID or from TLS tickets (even behind NAT devices, unlike IP), and it would be nice to have that information exposed for load-balancer backend pinning and perhaps to backend services (for added session security in combination with client IP and other info).
HAproxy seems to have such an option (SSLID) according to this blog post.
In Apache mod_ssl, this is available as the SSL_SESSION_ID and SSL_SESSION_RESUMED env variables.
[1] Related information:
http://discourse.haproxy.org/t/ssl-load-balancing-with-session-affinity/86/3
https://security.stackexchange.com/q/48856
https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
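The session ID and ticket discussed in the request above are carried in the ClientHello, so a proxy that wants to key backend affinity on them has to read that message before (or while) it terminates TLS. What follows is an added example, not pound's code and not part of the original issue: a builder that produces a minimal TLS 1.2 ClientHello as constructed test input, a parser that extracts session_id, the SNI host name and the session_ticket extension (type 0x0023), and an affinity_key helper that prefers the session ID and falls back to a digest of the ticket. The helper names and the key format are assumptions for illustration only.

```python
import hashlib
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_SESSION_TICKET = 0x0023


def build_client_hello(session_id: bytes, sni: str, ticket: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    host = sni.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host          # one host_name entry
    sni_data = struct.pack("!H", len(name_list)) + name_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if ticket is not None:
        exts += struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(range(32))                            # client random (fixed for reproducibility)
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"  # two cipher suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract session_id, SNI and the session_ticket extension from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"session_id": b"", "sni": None, "ticket": None}
    try:
        pos = 34                                      # skip client_version (2) + random (32)
        sid_len = body[pos]
        pos += 1
        info["session_id"] = body[pos:pos + sid_len]
        pos += sid_len
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites vector
        pos += 1 + body[pos]                                  # compression_methods vector
        if pos + 2 <= len(body):                              # extensions are optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                data = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == EXT_SERVER_NAME and len(data) >= 5:
                    # ServerNameList: list length (2), name_type (1), name length (2), name
                    name_len = struct.unpack("!H", data[3:5])[0]
                    info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
                elif etype == EXT_SESSION_TICKET:
                    info["ticket"] = data             # empty data = "I support tickets", no ticket yet
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return info


def affinity_key(info: dict) -> Optional[str]:
    """Hypothetical pinning key: the session ID if the client sent one, else a ticket digest."""
    if info["session_id"]:
        return "sid:" + info["session_id"].hex()
    if info["ticket"]:
        # The ticket is an opaque server-encrypted blob; hash it rather than store it.
        return "ticket:" + hashlib.sha256(info["ticket"]).hexdigest()[:32]
    return None


if __name__ == "__main__":
    hello = build_client_hello(b"\x11" * 32, "my.url.com")
    print(affinity_key(parse_client_hello(hello)))
```

Two caveats matter for using this as a pinning key: a brand-new client sends an empty session_id (and no ticket), so nothing in its first ClientHello identifies it and the server-chosen ID only appears in the ServerHello; and tickets are re-issued by the server, so a ticket-derived key changes whenever a new ticket is handed out. Keying on the client IP as well, as the request suggests, covers the first-contact gap.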
Hi,
We are trialling version 2.7a of Pound with a view to pushing it to our production environment to benefit from the fixes to poundctl.
I've noticed during our testing that 'Redirect' is no longer appending the path to the end of the URL.
This is our configuration, as an example:
Service
HeadRequire "Host: stable.thinkleicestershire.co.uk"
Redirect "https://stable.thinkleicestershire.co.uk"
End
With v2.6, if we visit http://stable.thinkleicestershire.co.uk/potato, we are redirected to https://stable.thinkleicestershire.co.uk/potato successfully.
In 2.7a, if we visit http://stable.thinkleicestershire.co.uk/potato, we are redirected to https://stable.thinkleicestershire.co.uk
Is this a known issue, is it resolved in 2.7b, or 2.7c?
From your documentation, it seems to suggest this is a bug:
Redirect [code] "url"
The address the client is redirected to is determined by the actual
url you specify: if it is a "pure" host (i.e. with no path) then the client will be redirected to the host you specified, with the original request path appended. If your url does contain a path then the request path is ignored.
Examples: if you specified
Redirect "http://abc.example"
and the client requested http://xyz/a/b/c then it will be redirected to http://abc.example/a/b/c, but if you specified
Redirect "http://abc.example/index.html"
it will be sent to http://abc.example/index.html.
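The documented rule quoted above is simple enough to state as a function, which makes the 2.6 versus 2.7a behaviour easy to check against concrete inputs. The following is an added example written for this page, not pound's code: it implements the "pure host gets the request path appended, a URL with a path is used verbatim" rule, and refuses a request target that is not origin-form, because appending something like "@evil.example/" to a bare "http://abc.example" would place the attacker's host after a userinfo "@" and turn the redirect into an open one. The function name is an assumption.

```python
from urllib.parse import urlsplit


def redirect_location(redirect_url: str, request_path: str) -> str:
    """Model of the documented Redirect rule (added example, not pound's code).

    A "pure" host (no path, query or fragment) gets the original request
    target appended; a URL that already carries a path is used as-is.
    """
    if not request_path.startswith("/"):
        # Only origin-form targets may be appended. "http://abc.example" +
        # "@evil.example/" would parse as userinfo "abc.example" at host
        # evil.example, i.e. an open redirect.
        raise ValueError("request path must be origin-form (start with '/')")
    parts = urlsplit(redirect_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("Redirect target must be an absolute URL")
    pure_host = parts.path == "" and not parts.query and not parts.fragment
    if pure_host:
        # Append the request target unchanged (path plus any query string).
        return f"{parts.scheme}://{parts.netloc}{request_path}"
    return redirect_url


if __name__ == "__main__":
    print(redirect_location("http://abc.example", "/a/b/c"))             # path appended
    print(redirect_location("http://abc.example/index.html", "/a/b/c"))  # path ignored
```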
I am using Pound in this configuration for a dedicated server:
Pound (IP_EXT, Ports 80, 443) =>
Varnish (LOCALHOST, Port 8090) =>
Apache (LOCALHOST, Port 8080)
Pound is dealing with SSL offloading and Apache has the SSL module disabled. Our website is using Magento CE 1.9.2.2, which allows the frontend to be secured in part or in full. We decided to use SSL in the frontend only for secured pages like customer accounts and checkout. All the other pages in the frontend are using the http protocol, unsecured.
Magento can handle sessions using cookies or strings in the URL. I sometimes have an issue getting this string ___SID=U, where U means unsecured, when visiting some links or switching from secured to unsecured parts of Magento. I tried finding a solution and finally discovered the problem in Pound. By default RewriteLocation is set to 1. Changing RewriteLocation to 0 in ListenHTTP and ListenHTTPS I see positive results, but only for a small period of time. URLs having the string ___SID=U are coming back.
Pound is installed from the Debian repository, version 2.6. I searched the Internet for solutions and someone said I have to build pound myself from source, commenting out two lines in svn.c:
/*|| strcasecmp(proto, (lstn->ctx == NULL)? "http": "https" */
Do you think this will work in my case, or do I have to give up and use Nginx to deal with SSL in front of Varnish? It is clear to me that pound creates confusion for Magento, which has to insert sessions in URLs.
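The fragment quoted in the post compares the scheme of a Location header against the listener's scheme, so it is worth seeing what RewriteLocation does to the Magento redirects in question. Below is an added example, not pound's code and not from the original post: a simplified model of the rewrite rule, in which a Location that points at the backend itself, or at the virtual host with a scheme different from the listener's, is rewritten to the listener's scheme and the virtual host. The compare_proto flag mimics commenting out the protocol comparison; the function name, the virtual host and the backend address are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location: str, listener_scheme: str, virtual_host: str,
                     backend_netloc: str, compare_proto: bool = True) -> str:
    """Simplified model of RewriteLocation (added example, not pound's code).

    Rewrite when the Location names the backend itself, or names the virtual
    host with a scheme other than the listener's. compare_proto=False
    disables the second test, as commenting out the quoted line would.
    """
    p = urlsplit(location)
    if not p.scheme or not p.netloc:
        return location                      # relative Location: nothing to rewrite
    host = p.netloc.lower()
    points_at_backend = host == backend_netloc.lower()
    wrong_proto = (compare_proto
                   and host == virtual_host.lower()
                   and p.scheme.lower() != listener_scheme.lower())
    if points_at_backend or wrong_proto:
        return urlunsplit((listener_scheme, virtual_host, p.path, p.query, p.fragment))
    return location


if __name__ == "__main__":
    # Constructed sample: HTTPS listener for shop.example, Varnish on 127.0.0.1:8090.
    loc = "http://shop.example/customer/account/?___SID=U"
    print(rewrite_location(loc, "https", "shop.example", "127.0.0.1:8090"))
    print(rewrite_location(loc, "https", "shop.example", "127.0.0.1:8090", compare_proto=False))
```

With the comparison enabled, the application's deliberate downgrade to an http:// URL carrying ___SID=U is turned into an https:// redirect, so the scheme switch the application intended never happens. With it disabled, pound passes http:// Locations through untouched, which also means it will no longer upgrade an http:// Location that the backend emits by mistake for a page that should be secured; that responsibility moves entirely to the application's base-URL configuration.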
Hi guys,
I'm running:
Version 2.7d+github on Debian Wheezy
Configuration switches:
--with-ssl=yes
--with-maxbuf=8192
--with-owner=pound
--with-group=pound
(Makefile slightly changed to create a 4096 dh.pem).
I just tried to redirect all traffic to https and like in issue #3 the url encoding isn't working properly.
This is my pound config:
Service "my.url.com"
HeadRequire "^Host:[\t ].*my\.url\.com"
RedirectAppend "https://my.url.com/"
End
And if it is active, the redirect in my lighttpd log looks like this:
my.url.com - [10/Nov/2014:14:41:21 +0100] "GET /this%2dis%2dan%2dexample%2dlink/ HTTP/1.1" 404 20023 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
My blog displays an internal error 404 (not the webserver!), that there was a mistake and the site could not be found, although the link in the url bar looks fine: "https://my.url.com/this-is-an-example-link/". If I press F5, the page reloads with the same error. But if I click into the url bar and press enter, the site loads fine with https.
Looks like "-" is translated to "%2d".
Any idea? :)
Cheers iro
Thanks for the great work and sorry for posting here - I am too lazy to sign up for the mailing list.
Using one of the newer options (Disable SSLv3) made me wonder why it didn't work...
My Config File had everything lined up nicely - in this case using two tab-stops.
- || regcomp(&DisableProto, "^[ \t]*Disable[ \t](SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableProto, "^[ \t]*Disable[ \t]+(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
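Review bot: the `+` in `Disable[ \t]+` fixes the two-tab case shown, but the same single-blank assumption is likely to exist in the sibling directive regexes compiled alongside this one, so check those for the same `[ \t]` and apply the `+` consistently rather than to this one directive only; note that the trailing `[ \t]*$` already tolerated any amount of trailing whitespace, so the separator between the keyword and the protocol name was the only strict spot. Since the expression is compiled with REG_ICASE, the protocol names also match case-insensitively, which is worth stating in the documentation for the directive.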
Hello,
Please can you tell me if it is possible to disable the TLS v1.0 protocol, like you can with DisableSSLv2 and v3?
Thanks!
Matt
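The regular expression in the patch quoted above lists TLSv1, TLSv1_1 and TLSv1_2 alongside SSLv2 and SSLv3, so in that branch the same Disable directive covers TLS 1.0. As an added example, not taken from the original issue, here is a ListenHTTPS block that turns off SSLv2, SSLv3 and TLS 1.0 while leaving TLS 1.1 and 1.2 enabled; the address, port, certificate path and backend are placeholders.

```text
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/site.pem"
    Disable SSLv2
    Disable SSLv3
    Disable TLSv1
    Service
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End
```

After a restart, `openssl s_client -connect host:443 -tls1` should fail the handshake while `-tls1_2` succeeds; a build that predates the directive will refuse the configuration at startup, which is itself a useful check that the running binary is the one you think it is.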
I'm building with openssl-1.0.1j. The error is:
http.c: In function ‘do_http’:
http.c:920: error: ‘con’ undeclared (first use in this function)
http.c:920: error: (Each undeclared identifier is reported only once
http.c:920: error: for each function it appears in.)
As far as I understand the code base, the first argument should be "be_ssl" (or "ssl", but I guess this variable is not relevant in the backend context).
The configuration script outputs version 2.7b for the 2.7c upstream staging branch.
I've noticed a slight issue whilst using 'RedirectAppend'.
For example, if we have a registration verification link sent via e-mail, using the http protocol, our pound is configured to 'RedirectAppend' from http to https.
ListenHTTP
Service
HeadRequire "Host: www.example.com"
RedirectAppend "https://www.example.com"
End
End
The link sent via e-mail is, for example:
http://www.example.com/Account/[email protected]&v=003c3086-e5e3-4ddb-b44d-b1d8c29ba76a
However, when pound redirectappends this url to HTTPS, the URL encoding is changed:
Is this by design? It didn't behave like this in v2.6 when using 'Redirect' (which automatically appended the URL)
Thanks,
Kieran
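Both this report and iro's earlier one describe the same symptom: the redirect path comes back with unreserved characters such as "-" turned into "%2d". Per RFC 3986 an unreserved character and its percent-encoded form are equivalent, so a backend that treats "%2d" and "-" differently is also a bug, but the proxy should not be introducing the encoding in the first place. The following is an added example, not pound's code and not from either post: naive_encode reproduces the over-encoding, and normalize_encoding applies RFC 3986 normalization, decoding only percent-escapes of unreserved characters, upper-casing the rest, and encoding only what cannot appear raw. It deliberately never decodes reserved characters, because "%2F" and "/" (or "%26" and "&") mean different things to the backend; the sample URLs are constructed.

```python
import re
from urllib.parse import quote

# RFC 3986 unreserved characters: safe to carry raw and safe to decode back.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# Reserved characters that legitimately appear raw in a path or query.
ALLOWED_RAW = frozenset("/?:@!$&'()*+,;=")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def naive_encode(target: str) -> str:
    """Over-encoding that reproduces the symptom from the posts above: every
    character that is not alphanumeric or '/' becomes %xx, including '-'."""
    return "".join(c if c.isalnum() or c == "/" else "%%%02x" % ord(c) for c in target)


def normalize_encoding(target: str) -> str:
    """RFC 3986 percent-encoding normalization (added example, not pound's code).

    - %XX of an unreserved character is decoded back to the character.
    - Any other %XX is kept, with upper-case hex digits.
    - A character that may not appear raw is percent-encoded (UTF-8 for non-ASCII).
    """
    out = []
    i = 0
    while i < len(target):
        m = PCT.match(target, i)
        if m:
            ch = chr(int(m.group(1), 16))
            out.append(ch if ch in UNRESERVED else "%" + m.group(1).upper())
            i = m.end()
            continue
        c = target[i]
        if c in UNRESERVED or c in ALLOWED_RAW:
            out.append(c)
        else:
            out.append(quote(c, safe=""))   # ' ' -> %20, stray '%' -> %25, 'é' -> %C3%A9
        i += 1
    return "".join(out)


if __name__ == "__main__":
    broken = naive_encode("/this-is-an-example-link/")
    print(broken)                        # the %2d form seen in the log
    print(normalize_encoding(broken))    # dashes restored
```

Note what normalization cannot undo: once a proxy has encoded "?" or "=" as "%3F" and "%3D", the query string has become part of the path and no safe normalization will turn it back, so the fix for the verification-link case has to be in the encoder, i.e. the redirect must copy the request target through without re-encoding it.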
Hi goochjj,
we are currently using your PCIDSS compliant pound:
Thanks a lot for your great work!
Cheers, Georg
Hi goochjj,
currently, if no suitable certificate is found in a Service declaration, the first certificate is issued to the client. If the domain does not suit the certificate, the client gets a certificate error in his browser.
Is there a way to disable this behavior, i.e. just cancel the SSL/HTTPS handshake?
THX, Georg