Thanks for the information, and apologies in advance for the top-posting. It sounds like Pound might not be the best solution for what I am trying to do. I will investigate Squid as a possible reverse proxy solution. It's not that I'm opposed to handling the SSL certs on the reverse proxy, as it does make logical sense to do so. It's just that we are talking about 30-40 different servers all with unique certs and different expiration times... managing the certs is a full-time job in and of itself, and one that I'm not prepared to take on at this point.

Thanks again for the information. I also plan on doing IP based virtual hosting for this very reason. 1-1 NAT for internal and external means I don't have to decrypt the HTTP GET requests (which would be impossible anyway) to determine what back-end server they go to.

Regards,
Luke

-----Original Message-----
From: Dave Steinberg [mailto:[email protected]]
Sent: Friday, May 01, 2009 2:05 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Quick SSL questions

Youngblood, Luke wrote:
> Hello all, I'm looking into using Pound as a reverse proxy for my
> SSL-enabled webservers, and I have a couple questions for you:
>
> I know Pound can function very well as a reverse proxy in front of
> several back-end webservers. Pound can also manage the encryption
> certificates itself. What if I want to manage the certificates on the
> webservers themselves instead? We already have a group of webservers
> running HTTPS and the webserver team handles certificate management on
> their own servers, so I merely want to pass the SSL requests intact,
> without modification, to the servers inside, who will handle all
> encryption/decryption themselves. Is this possible?

Not with pound. Pound expects to do the SSL work and pass vanilla HTTP to your backends.

> The second question is about virtual hosting. The pound documentation
> indicates that you can't virtual host SSL websites.

It's not just pound, it's a function of the SSL protocol.

> If I use IP based
> virtual hosts and have a single IP address for each internal server, is
> it possible to virtual host multiple SSL websites on a single Pound
> server? I assume this would eliminate the problem of having to decrypt
> the HTTP GET request and parse the URL. You could simply redirect all
> traffic to a particular IP address to its corresponding internal
> server.

What you're talking about is a simple 1-1 NAT, and your router/firewall can most likely do that for you.

What people typically want to do is host multiple SSL *name based* vhosts on a single IP, which the SSL protocol does not support. That said, I've found it very convenient to offload SSL at the pound box, with each site getting its own IP. Then *since pound speaks plain http to the backend*, you can direct all requests to a single backend IP and do name-based vhosting there. This makes SSL a configuration setting in pound, a DNS change, but the backend doesn't need to be touched. Bottom line, whatever your SSL endpoint is must use an ip-based vhosting scheme.

Good luck,
-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

-- 
To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
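The layout Dave describes, written out as an added Pound configuration example that is not part of the thread: one public IP and one certificate per HTTPS site, SSL terminated at Pound, and every site forwarded as plain HTTP to a single backend that does name-based vhosting on the Host header Pound passes through. The addresses, hostnames and certificate paths are constructed placeholders, and `AddHeader` is assumed to be available as a Pound 2.x listener directive.

```text
# Added example configuration (not the thread's own). Each site gets its own
# public IP and PEM file; the backend only ever sees plain HTTP on 10.0.0.5:80
# and selects the vhost from the Host header, so adding a site is a Pound
# listener block plus a DNS record, with no change on the backend.
User     "pound"
Group    "pound"
LogLevel 1
Alive    30

# site1.example -> 192.0.2.10 in DNS; this IP presents only site1's certificate
ListenHTTPS
    Address 192.0.2.10
    Port    443
    # private key and certificate chain concatenated into one PEM file
    Cert    "/etc/pound/site1.example.pem"
    # tell the backend the client connection was TLS, since it only sees HTTP
    AddHeader "X-Forwarded-Proto: https"
    Service
        BackEnd
            Address 10.0.0.5
            Port    80
        End
    End
End

# site2.example -> 192.0.2.11 in DNS; separate certificate, same backend
ListenHTTPS
    Address 192.0.2.11
    Port    443
    Cert    "/etc/pound/site2.example.pem"
    AddHeader "X-Forwarded-Proto: https"
    Service
        BackEnd
            Address 10.0.0.5
            Port    80
        End
    End
End
```

Because the backend receives unencrypted traffic, the 10.0.0.0/8 hop between Pound and 10.0.0.5 has to be a trusted network segment, and the backend should treat `X-Forwarded-Proto` as authoritative only when the request arrives from the Pound host.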
