Hello,
Michael Weinbergs <[email protected]> (Tue 01 Jun 2010 07:30:36 CEST):
> I'm new to this package (so please be gentle ;)
And I'm not sure if I understood the problem well ;-)
(…)
> ListenHTTPS
>     Address <ETH3 Static Address>
>     Port    443
>     Cert    "/usr/local/etc/local.server.pem"
>     Service
>         HeadRequire "Host: securesite.mydomain.com.au"
>         Backend
>             Address securesite.mydomain.com.au
>             Port    443
>             HTTPS
>         End
>     End
> End
To decode your request pound needs access to the session contents. To do
this it needs to present the client a valid certificate, which is not
possible without the accompanying key.
If it were to present the backend server's cert, it would need the backend
server's key. If you install this on your pound, you'll be done.
> The only way that I can see this to work would be to put the
> "production" ssl cert on each of Listener interfaces.
Yes.
> Doesn't the 2.5c HTTPS directive care of this (essentially tunnelling
> the ssl session) and thus not require me to publish all the production
> certs on the pound server?
To have a real tunnel you do not need pound. Without access to the session
contents pound can't redirect your request properly, as it does not have
access to the request headers.
Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
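Heiko's answer comes down to installing the backend's certificate together with its private key on the pound host. As an added example (not code from this thread or from the Pound project), the script below assembles the single PEM file that Pound's `Cert` directive reads and refuses to build it unless certificate and key actually belong together; the paths are assumptions and the self-signed pair is constructed on the fly only so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: assemble the single PEM file that
# Pound's "Cert" directive reads (certificate, optional chain, then the private
# key) and check first that the certificate and key really belong together.
# Paths are assumptions; the self-signed pair is constructed here only so the
# script runs offline. In production, copy the backend's real cert and key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway key pair standing in for the "securesite" certificate.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=securesite.example.invalid" \
        -keyout "$WORK/site.key" -out "$WORK/site.crt" 2>/dev/null
}

# Compare the SubjectPublicKeyInfo embedded in the certificate with the public
# half derived from the private key; works for RSA and EC alike.
# Prints "match" or "mismatch" so the caller can refuse to install a bad pair.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Build the file in the order Pound expects and lock it down: it now holds a
# private key, so the pound host becomes a place where that key can be stolen.
build_pound_pem() {
    if [ "$(cert_key_match "$1" "$2")" != match ]; then
        echo "refusing: certificate and key do not match" >&2
        return 1
    fi
    cat "$1" "$2" > "$3"
    chmod 600 "$3"
}

# Demo run: build local.server.pem under $WORK. On the real host you would
# then point "Cert" at it and let pound validate the config (pound -c -f <file>).
make_test_pair
build_pound_pem "$WORK/site.crt" "$WORK/site.key" "$WORK/local.server.pem"
echo "built $WORK/local.server.pem ($(cert_key_match "$WORK/site.crt" "$WORK/site.key"))"
```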