Hello all, I have Pound set up to listen on a single IP address for HTTPS connections and then based on the Service's HeadRequire section I redirect the connection to a port on localhost, then I have Stunnel re-encrypt it and send it to the appropriate backend server (either a WebDAV server or an OpenVPN server).
The WebDAV works like a champ and the OpenVPN AS lets me log on to their user page and download the pre-configured client, but I think the OpenVPN client communications are getting dumped because it is not HTTP RFC compliant.

1) Is there any way to tell Pound to NOT sanitize inbound communications (preferably at the Service level)? I would like to tell pound to pass anything with a hostheader containing "vpn" back to my OpenVPN box.

2) How can I confirm that Pound is doing what I'm guessing above? (I've turned the logging up to 5 and don't see it denying connections or otherwise complaining in /var/log/daemon like I would expect)

.... and yes I know I can run OpenVPN on a different port and not need to do most of this, but I want it running over tcp 443 for my own selfish reasons :)

My setup is as such:

(Pound/Stunnel) - OpenBSD 4.6 - PoundProxy 2.4.4, Stunnel 4.2.7
(Webdav) - OpenBSD 4.6, default chrooted Apache 1.3 installation
(OpenVPN) - Ubuntu 9.10 desktop, OpenVPN Access Server 1.3.5

pound.cfg

    User "_pound"
    Group "_pound"
    RootJail "/var/empty"

    # 0=none, 1=normal, 2=extended, 3=CLF, etc.
    LogLevel 5

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        # 0=GET/POST/HEAD, 1+=PUT/DELETE, 2+=WebDAV, 3+=MS WebDAV, 4+=MS RPC
        xHTTP 4
        Cert "/etc/ssl/local.server.pem"
    End

    Service
        HeadRequire "Host:.*dav.*"
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End

    Service
        HeadRequire "Host:.*vpn.*"
        BackEnd
            Address 127.0.0.1
            Port 8081
        End
    End

stunnel.conf

    ; Certificate/key is needed in server mode and optional in client mode
    cert = /etc/ssl/local.server.pem

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3

    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/stunnel/
    setuid = _stunnel
    setgid = _stunnel
    pid = /var/run/stunnel.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    ; Some debugging stuff useful for troubleshooting
    debug = 7
    output = stunnel.log

    ; Service-level configuration
    client = yes

    ;this is for dav
    [http]
    accept = 8080
    connect = 192.168.1.12:443

    ;this is for openvpn
    [http]
    accept = 8081
    connect = 192.168.1.10:443

Thanks!
Matt Van Mater
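An added diagnostic example, not from the original post and not code from the Pound or stunnel projects: before an HTTP-aware proxy such as Pound can evaluate a rule like HeadRequire "Host:.*vpn.*", it has to parse an HTTP request line and header block out of the decrypted client stream. The small parser below does the same kind of check on the first bytes of a connection, so you can see why a Host-header rule can only ever match traffic that is actually HTTP. The three byte strings are constructed samples (the OpenVPN one only imitates the shape of OpenVPN's TCP framing, a 2-byte length prefix followed by the opcode byte, and is not a capture); the host names are placeholders, and the assumption that Pound applies its HeadRequire regex case-insensitively to the whole "Host: value" header line is mine, not stated in the post.

```python
import re

# Request line: METHOD SP request-target SP HTTP/major.minor (RFC 2616 syntax).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_http_request_head(data: bytes) -> dict:
    """Classify the opening bytes of a client stream as an HTTP request head or not.

    Returns a dict with 'is_http' (bool), 'reason' (str), 'method' and 'host'
    (str or None). Anything that is not a well-formed head gets is_http=False,
    which is the point where a strict HTTP proxy stops without ever reaching
    its header-based routing rules.
    """
    result = {"is_http": False, "reason": "", "method": None, "host": None}
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        result["reason"] = "no CRLFCRLF header terminator in the data"
        return result
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        result["reason"] = "first line is not an HTTP request line"
        return result
    result["method"] = m.group(1).decode()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            result["reason"] = "malformed header line"
            return result
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host")
    if (m.group(3), m.group(4)) == (b"1", b"1") and host is None:
        result["reason"] = "HTTP/1.1 request without Host header"
        return result
    result["is_http"] = True
    result["host"] = host.decode("latin-1") if host is not None else None
    result["reason"] = "well-formed request head"
    return result


def head_require_host_matches(data: bytes, pattern: str) -> bool:
    """Emulate a Pound 'HeadRequire "Host:<regex>"' decision on one stream.

    Assumption (not from the post): the regex is searched case-insensitively
    against the reconstructed 'Host: value' header line. Non-HTTP data and
    requests without a Host header can never match.
    """
    parsed = parse_http_request_head(data)
    if not parsed["is_http"] or parsed["host"] is None:
        return False
    return re.search(pattern, "Host: " + parsed["host"], re.IGNORECASE) is not None


# Constructed samples; host names are placeholders, nothing here is captured traffic.
WEBDAV_REQUEST = (
    b"PROPFIND /share/ HTTP/1.1\r\nHost: dav.example.test\r\nDepth: 1\r\n\r\n"
)
BROWSER_TO_AS = b"GET /?src=connect HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"
# Shape-only imitation of an OpenVPN TCP frame: 2-byte big-endian length (14),
# then an opcode byte, then padding. It carries no request line and no headers.
OPENVPN_TCP_FRAME = bytes([0x00, 0x0E, 0x38]) + b"\x00" * 14

SAMPLES = {
    "webdav": WEBDAV_REQUEST,
    "browser_to_as": BROWSER_TO_AS,
    "openvpn_frame": OPENVPN_TCP_FRAME,
}


def route_report(pattern_dav: str = r"Host:.*dav.*", pattern_vpn: str = r"Host:.*vpn.*") -> dict:
    """For each sample, report the parser verdict and which Service rule would match."""
    report = {}
    for name, data in SAMPLES.items():
        parsed = parse_http_request_head(data)
        report[name] = {
            "is_http": parsed["is_http"],
            "reason": parsed["reason"],
            "dav_rule": head_require_host_matches(data, pattern_dav),
            "vpn_rule": head_require_host_matches(data, pattern_vpn),
        }
    return report


if __name__ == "__main__":
    for name, verdict in route_report().items():
        print(f"{name:14s} {verdict}")
```

To apply this to the real setup, feed it the first bytes of a connection as seen after TLS termination (for example the plaintext stunnel sends on to the backend on the 8081 side); a verdict of "no CRLFCRLF header terminator" or "first line is not an HTTP request line" means no HeadRequire rule was ever consulted for that stream, which is consistent with a silent drop rather than an explicit denial in the log.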