Youngblood, Luke wrote:
> Hello all, I'm looking into using Pound as a reverse proxy for my
> SSL-enabled webservers, and I have a couple questions for you:
>
> I know Pound can function very well as a reverse proxy in front of
> several back-end webservers. Pound can also manage the encryption
> certificates itself. What if I want to manage the certificates on the
> webservers themselves instead? We already have a group of webservers
> running HTTPS and the webserver team handles certificate management on
> their own servers, so I merely want to pass the SSL requests intact,
> without modification, to the servers inside, who will handle all
> encryption/decryption themselves. Is this possible?

Not with pound. Pound expects to do the SSL work and pass vanilla HTTP
to your backends.

> The second question is about virtual hosting. The pound documentation
> indicates that you can't virtual host SSL websites.

It's not just pound, it's a function of the SSL protocol.

> If I use IP based
> virtual hosts and have a single IP address for each internal server, is
> it possible to virtual host multiple SSL websites on a single Pound
> server? I assume this would eliminate the problem of having to decrypt
> the HTTP GET request and parse the URL. You could simply redirect all
> traffic to a particular IP address to its corresponding internal
> server.

What you're talking about is a simple 1-1 NAT, and your router/firewall
can most likely do that for you. What people typically want to do is
host multiple SSL *name based* vhosts on a single IP, which the SSL
protocol does not support.
That said, I've found it very convenient to offload SSL at the pound
box, with each site getting its own IP. Then *since pound speaks plain
http to the backend*, you can direct all requests to a single backend IP
and do name-based vhosting there. This makes SSL a configuration
setting in pound, a DNS change, but the backend doesn't need to be touched.
Bottom line, whatever your SSL endpoint is must use an ip-based vhosting
scheme.
Good luck,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
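
The layout described in the reply above (one listener IP and certificate per SSL site, plain HTTP to a single backend that does name-based vhosting), sketched as an added example that is not part of the original message. It assumes Pound 2.x configuration syntax; the addresses (documentation ranges), certificate paths and site names are hypothetical.

```conf
# Added example, assumes Pound 2.x syntax. All addresses, paths and
# site names below are placeholders, not values from the thread.

# Site A: its own public IP and its own certificate.
ListenHTTPS
    Address 192.0.2.10
    Port    443
    Cert    "/etc/pound/certs/site-a.example.pem"   # key + cert chain in one PEM
    # Tell the backend the client connection was encrypted, since it
    # only ever sees plain HTTP from Pound.
    AddHeader "X-Forwarded-Proto: https"

    Service
        BackEnd
            Address 10.0.0.5    # shared backend, plain HTTP
            Port    80
        End
    End
End

# Site B: a second public IP and certificate, same backend.
ListenHTTPS
    Address 192.0.2.11
    Port    443
    Cert    "/etc/pound/certs/site-b.example.pem"
    AddHeader "X-Forwarded-Proto: https"

    Service
        BackEnd
            Address 10.0.0.5    # backend selects the vhost from the Host header
            Port    80
        End
    End
End
```

With this layout the link between Pound and 10.0.0.5 carries decrypted traffic, so it belongs on a trusted network segment, and port 80 on the backend should accept connections only from the Pound host.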