Hello all,

I have Pound set up to listen on a single IP address for HTTPS connections
and then based on the Service's HeadRequire section I redirect the
connection to a port on localhost, then I have Stunnel re-encrypt it and
send it to the appropriate backend server (either a WebDAV server or an
OpenVPN server).

The WebDAV works like a champ and the OpenVPN AS lets me log on to their user
page and download the pre-configured client, but I think the OpenVPN client
communications are getting dumped because they are not HTTP RFC compliant.

1)  Is there any way to tell Pound to NOT sanitize inbound communications
(preferably at the Service level)?  I would like to tell pound to pass
anything with a hostheader containing "vpn" back to my OpenVPN box.
2)  How can I confirm that Pound is doing what I'm guessing above?  (I've
turned the logging up to 5 and don't see it denying connections or otherwise
complaining in /var/log/daemon like I would expect)

... and yes, I know I can run OpenVPN on a different port and not need to do
most of this, but I want it running over tcp 443 for my own selfish reasons
:)

My setup is as follows:
(Pound/Stunnel) - OpenBSD 4.6 - PoundProxy 2.4.4, Stunnel 4.2.7
(Webdav) - OpenBSD 4.6, default chrooted Apache 1.3 installation
(OpenVPN) - Ubuntu 9.10 desktop, OpenVPN Access Server 1.3.5


pound.cfg
User "_pound"
Group "_pound"
RootJail "/var/empty"

# 0=none, 1=normal, 2=extended, 3=CLF, etc.
LogLevel 5

ListenHTTPS
        Address 0.0.0.0
        Port    443
        # 0=GET/POST/HEAD, 1+=PUT/DELETE, 2+=WebDAV, 3+=MS WebDAV, 4+=MS RPC
        xHTTP 4
        Cert    "/etc/ssl/local.server.pem"
End

Service
        HeadRequire "Host:.*dav.*"
        BackEnd
                Address 127.0.0.1
                Port 8080
        End
End

Service
        HeadRequire "Host:.*vpn.*"
        BackEnd
                Address 127.0.0.1
                Port 8081
        End
End


stunnel.conf
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/local.server.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/stunnel/
setuid = _stunnel
setgid = _stunnel
pid = /var/run/stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Service-level configuration

client = yes

;this is for dav
[http]
accept = 8080
connect = 192.168.1.12:443

;this is for openvpn
[http]
accept = 8081
connect = 192.168.1.10:443


Thanks!
Matt Van Mater
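Added here to illustrate question 2 (example code, not Pound's own source): a small Python model of the decision an HTTP-parsing proxy makes on the first bytes of a client stream, using the HeadRequire patterns, backend ports and xHTTP setting from the pound.cfg above. The sample requests and the non-HTTP byte string are constructed, the per-level method sets are an approximation of the levels named in the config comment, and the function models a generic HTTP parser rather than Pound's exact behaviour.

```python
import re

# Constructed sample inputs (not captured traffic): two requests as the proxy
# would see them after TLS termination, plus a stand-in for a non-HTTP stream.
DAV_REQUEST = b"PROPFIND / HTTP/1.1\r\nHost: dav.example.com\r\nDepth: 1\r\n\r\n"
VPN_REQUEST = b"GET /admin/ HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n"
NON_HTTP = b"\x00\x0e\x38\x12\x34\x56\x78\x9a\xbc\xde\xf0\x00\x00\x00\x00\x00"

# Approximation of the xHTTP levels from the config comment (levels 3 and 4
# add further MS WebDAV / MS RPC methods that are not enumerated here).
XHTTP_LEVELS = {
    0: {"GET", "POST", "HEAD"},
    1: {"PUT", "DELETE"},
    2: {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"},
}

# Services from the posted pound.cfg: HeadRequire regex -> backend port.
SERVICES = [
    (re.compile(r"Host:.*dav.*"), 8080),
    (re.compile(r"Host:.*vpn.*"), 8081),
]


def allowed_methods(xhttp):
    """Union of every method set whose level is <= the configured xHTTP."""
    return set().union(*(m for lvl, m in XHTTP_LEVELS.items() if lvl <= xhttp))


def route(raw, xhttp=4):
    """Return ("forward", port) or ("reject", reason) for a stream's first bytes."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        # Binary protocol data (e.g. a VPN handshake) never decodes as a header block.
        return ("reject", "not an HTTP request line")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("reject", "not an HTTP request line")
    if parts[0] not in allowed_methods(xhttp):
        return ("reject", f"method {parts[0]} above xHTTP {xhttp}")
    for pattern, port in SERVICES:
        if any(pattern.match(h) for h in lines[1:]):
            return ("forward", port)
    return ("reject", "no Service matched")
```

Feeding a real OpenVPN client stream through such a parser fails at the request-line check, which is why a Service-level "don't parse" switch would be needed for the vpn backend.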
