Is anyone using Pound as part of a load-balancing setup? We're experiencing a strange problem that happens during the logon sequence.
For HTTP requests, we have a load balancer running HAProxy that passes client requests to one of our Apache/PHP servers.
For HTTPS requests, we have Pound listening on port 443, which translates requests to plain HTTP, passes them to HAProxy and thence to the application servers.
We have "loginhttps" set to true, so all login requests are secured. But after users log in, they are redirected to an HTTPS address. Because Moodle has absolute URLs referencing CSS and images (using $CFG->wwwroot), the user receives a partially-encrypted page. On IE8, especially, this generates a confusing dialog:
The "correct" answer is "No". Clicking "Yes" breaks CSS and images.
It doesn't seem like Moodle is the cause. When a user requests a resource on the Moodle server that requires a login, they are redirected to /login/index.php over TLS. The address of the original request is stored in a session variable called "wantsurl".
Once a user is authenticated, their browser is redirected with a "303 See Other" header, followed by a "Location:" header containing the value of "wantsurl". I've logged this value on the application server, and it is always plain HTTP.
However, when I check the headers received by the browser, the Location field has been rewritten:
HTTP/1.1 303 See Other
Date: Fri, 11 Sep 2009 12:11:54 GMT
Server: Apache
X-Powered-By: PHP
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://moodle.lse.ac.uk/course/view.php?id=305
Content-Length: 220
Connection: close
Content-Type: text/html
Has anyone else encountered this, and has anyone discovered a solution?
