I've been posting a lot to the mail list recently, mainly because I've
noticed quite a number of ways to improve pen (but haven't got the time
to submit patches), and I thought I'd post these notes for reference.
* Using pen and SSL in chroot requires that it have access to a PRNG.
This is fixed by putting a devfs into the chroot. In FreeBSD, this is as
simple as adding "devfs /home/pen/dev devfs ro 0 0" in /etc/fstab,
assuming that we are chrooting to /home/pen. Problem
solved.
* It seems easier for us to rewrite the X-Client-IP header as opposed to
the X-Forwarding-For header (considering that we're mainly concerned
with the client IP for logging, not proxying), so we run a patched
version of the pen source code, except that all references to
X-Forwarding-For are replaced with X-Client-IP. It's easier for our java
web apps to use that header to determine where the client is really
connecting from. Would be nice if pen gave us a choice of which HTTP
header to rewrite (something like "-H X-Client-IP" on the command line
would work ok).
* If we could set server weights from the command line, rather than
being forced to set up a configuration file, it would be good. I think
someone has already mentioned this.
* It would be nice if the pen configuration file was read in BEFORE
chrooting. It only needs to be read once, and if it was read before
chrooting I wouldn't have to store the config file in the chroot
directory. It's only a minor niggle, but anyway....
* When using penctl with the write command to create a config file, the
resulting config file has a problem with the penctl "log" command. Say
if I set "-l 192.168.0.3:10000" on the command line and then used
"penctl write" to produce a config file, the resulting config file shows
only "log 192.168.0.3" with no port number. However the penctl "log"
command only seems to understand files and not penlogd daemons... so
re-reading the conf file in produces the non-intended effect of writing
the log to a file named 192.168.0.3.
* This one is a bit weird (or perhaps my mistake due to coffee overdose):
Penlogd under chroot seems to die with no debug info if the logfile it
writes to inside its chroot jail is not owned by the non-root "pen"
user, even though it has pen group write permission. This is easily
worked around, but it seems strange to me anyway. Pen doesn't die the
same way, and in fact, keeps working ok to a log file with root
ownership and pen user group write.
Cheers,
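The first and last points above (the PRNG inside the chroot, and penlogd's log file ownership) are the kind of thing a preflight script can catch before starting the daemons. This is an added example, not code from the post or from pen itself; the chroot directory, user name and log path are passed in as arguments and are assumptions, not values fixed by pen.

```shell
#!/bin/sh
# Added example (not part of the original post): preflight checks for a
# chrooted pen/penlogd setup, covering two failure modes the post describes.
# Assumptions: chroot directory, pen user and log file are given as arguments;
# paths such as /home/pen are the poster's own layout, not fixed by pen.

# 1. The PRNG must be reachable inside the jail (the post mounts devfs there).
#    Returns 0 when both device nodes exist as character devices, 1 otherwise.
check_chroot_prng() {
    jail="$1"
    for node in random urandom; do
        if [ ! -c "$jail/dev/$node" ]; then
            echo "missing PRNG device: $jail/dev/$node" >&2
            return 1
        fi
    done
    return 0
}

# 2. penlogd's log file should be owned by the unprivileged pen user; the post
#    reports that group write permission alone was not enough. Returns 0 when
#    the file exists and is owned by $2, 1 otherwise.
check_log_owner() {
    logfile="$1"; owner="$2"
    [ -f "$logfile" ] || { echo "no such log file: $logfile" >&2; return 1; }
    # POSIX find: prints the path only when the owner matches
    if [ -n "$(find "$logfile" -prune -user "$owner" 2>/dev/null)" ]; then
        return 0
    fi
    echo "$logfile is not owned by $owner" >&2
    return 1
}

# Run both checks; non-zero means at least one of them failed.
# Usage: preflight /home/pen pen /home/pen/var/log/pen.log
preflight() {
    rc=0
    check_chroot_prng "$1" || rc=1
    check_log_owner "$3" "$2" || rc=1
    return $rc
}
```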
Received on Mon Dec 04 2006 - 09:03:15 CET
This archive was generated by hypermail 2.2.0 : Mon Dec 04 2006 - 09:03:18 CET