Is anyone using Pound as part of a load-balancing setup? We're experiencing a strange problem that happens during the logon sequence.
For HTTP requests, we have a load balancer running HAProxy that passes client requests to one of our Apache/PHP servers.
For HTTPS requests, we have Pound listening on port 443, which translates requests to plain HTTP, passes them to HAProxy and thence to the application servers.
We have "loginhttps" set to true, so all login requests are secured. But after users log in, they are redirected to an HTTPS address. Because Moodle has absolute URLs referencing CSS and images (using $CFG->wwwroot), the user receives a partially-encrypted page. On IE8, especially, this generates a confusing dialog:
The "correct" answer is "No". Clicking "Yes" breaks CSS and images.
It doesn't seem like Moodle is the cause. When a user requests a resource on the Moodle server that requires a login, they are redirected to /login/index.php over TLS. The address of the original request is stored in a session variable called "wantsurl".
Once a user is authenticated, their browser is redirected with a "303 See Other" header, followed by a "Location:" header containing the value of "wantsurl". I've logged this value on the application server, and it is always plain HTTP.
However, when I check the headers received by the browser, the Location field has been rewritten:
HTTP/1.1 303 See Other
Date: Fri, 11 Sep 2009 12:11:54 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Has anyone else encountered this, and has anyone discovered a solution?
- RewriteLocation 0|1|2
- If 1 force Pound to change the Location: and Content-location: headers in responses. If they point to the back-end itself or to the listener (but with the wrong protocol) the response will be changed to show the virtual host in the request. Default: 1 (active). If the value is set to 2 only the back-end address is compared; this is useful for redirecting a request to an HTTPS listener on the same server as the HTTP listener.
I am having the same or similar problem.
But it has nothing to do with Pound.
I am using loginhttps, which means that only the login page begins with https, but my theme contains references to two images that start with
which starts with http. Hence the students' browsers give a message that says "do you want to download the unsecure contents"; the correct answer is yes. It does not really matter if they click no. But it is going to confuse a lot of students.
- Get rid of images from my theme? I will do this for the time being.
- The theme serves special content for the homepage using
Is there a function "if ($loginpage)"?
It might be nice if there were one.
- Otherwise I can use (using other people's hacks)
if (stristr($_SERVER['SCRIPT_FILENAME']."X", "login/index.phpX"))
to find out if I am on the login page.
- However, even then I will have to (preg)replace the "http" in $CFG->wwwroot with
"https" and create a temporary variable $tempwwwroot
Or is there an easier way?
Should be in your HTTPS Listener, not the HTTP Listener.
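A simplified model of the RewriteLocation modes described in the Pound documentation quoted above, applied to a post-login redirect; this is an added example, not part of the original thread and not Pound's own code. The addresses, hostname, topology and the `rewrite_location` and `resolve` helpers are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed topology (assumption, not from the thread): Pound terminates TLS
# on 192.0.2.10:443 and forwards plain HTTP to HAProxy on 10.0.0.5:80.
LISTENER = ("https", "192.0.2.10", 443)
BACKEND = ("10.0.0.5", 80)
DNS = {"moodle.example.org": "192.0.2.10"}  # constructed name resolution


def resolve(host):
    """Stand-in for DNS: known names map to an IP, literals map to themselves."""
    return DNS.get(host, host)


def rewrite_location(location, mode, request_host,
                     listener=LISTENER, backend=BACKEND):
    """Return the Location value the client sees for RewriteLocation 0, 1 or 2."""
    if mode == 0:
        return location  # header passed through untouched
    parts = urlsplit(location)
    if parts.scheme not in DEFAULT_PORT or not parts.hostname:
        return location  # relative or non-HTTP target: nothing to compare
    ip = resolve(parts.hostname)
    port = parts.port or DEFAULT_PORT[parts.scheme]
    l_scheme, l_ip, _ = listener
    at_backend = (ip, port) == backend
    # Mode 1 also matches the listener's own address under the wrong protocol.
    at_listener_wrong_proto = ip == l_ip and parts.scheme != l_scheme
    if at_backend or (mode == 1 and at_listener_wrong_proto):
        # Rewritten to the listener's protocol and the Host the client asked for.
        return urlunsplit((l_scheme, request_host, parts.path,
                           parts.query, parts.fragment))
    return location


if __name__ == "__main__":
    wantsurl = "http://moodle.example.org/course/view.php?id=5"  # constructed
    for mode in (0, 1, 2):
        print(mode, rewrite_location(wantsurl, mode, "moodle.example.org"))
```

In this constructed topology only mode 1 turns the plain-HTTP redirect target into an HTTPS one; modes 0 and 2 leave it as the application server sent it.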