Thanks Dave,

I found my problem (not pound ;-) and things are _partly_ working now -
https is working for the first server (let's ignore the second server =)
__but__ it doesn't care if I use a private key or not - so anyone can see the
self-signed cert, accept it, and visit the site behind it.
I'm not sure how to configure pound to check for a private key in the user's
browser.
Before I created the single pem file (from .crt and .key) to use on pound, the 
machine with the self-signed cert was only visible to client browsers with a 
private key.
This access restriction was created in the apache httpd.conf file with the 
following:

<Directory />
...normal stuff...
<IfDefine SSL>
    SSLRequireSSL
    # multi-line directive: continuation backslash; the comparison operator is "eq"
    SSLRequire %{SSL_CLIENT_S_DN_O}  eq "CompanyName" and \
               %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
</IfDefine>
</Directory>

and:

SSLEngine On
SSL Cert dirs... 
---->   SSLVerifyClient require
etc

The only way I can imagine doing the same now would be to run apache on the same
server as pound, but I don't want that, and I doubt this would stick for backend
servers I want pound to redirect to.
Perhaps I should still enable ssl, e.g. 'SSLVerifyClient require' etc., on apache on
the first backend, 141? This is the server that did this before I tried pound.
The only other option I see is to create the PEM on 141 and move it to the pound
server, but again, where does pound require the private key to access the
self-signed cert and backends?
My goal in using pound is to have one pem file on it, and direct a few
restricted users, each with a private key, to backend servers, all viewed in
https.

Please keep the suggestions coming, I'm slowly learning here! :D

________________________________
From: Dave Steinberg <[email protected]>
To: [email protected]
Sent: Sun, March 13, 2011 4:01:46 AM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound

On 3/12/2011 4:18 AM, Pound Rproxy wrote:
> I currently have a server that has a self-signed SSL cert and viewing it is
> restricted by using a private key that's been exported to Firefox.
> I want to put Pound in front of this and 1 other server, so that both are using
> the same https listener in pound.cfg and the same private key on the client end
> for restricting access.
>
> My confusion is mostly around where to generate the server.pem for Pound.
> Do I generate the server.pem and private browser key on the pound server or
> import the server.pem from a backend server?

It doesn't matter where they are generated.  A PEM file is just a 
private key + certificate, you can make it anywhere.

> If the second option, does this mean I can only have one SSL backend per Pound
> instance?

You can have many ListenHTTPS directives per pound instance, it has 
nothing to do with the certificates used.

> I'm just at point of testing now (creating keys takes me a while) and have
> created a new CA, self-signed cert, pem file, and private key on the Pound
> server.
> I have commented out all SSL stuff in the Apache httpd.conf files on both
> backend servers so now they should just pass http requests back to Pound.
> I've tested that each backend resolves with http and without need for a private
> key, as I want Pound to handle this.
> But I can't get Pound to resolve the backends. Am I doing something wrong or
> that isn't possible?
>
> Here's my pound.cfg so far:
>
> ListenHTTPS
>          Address  192.168.1.140
>                  Port    443
>                  Cert "/usr/etc/server.pem"
>                  LogLevel 2
>
>      Service
>          BackEnd
>                  Address 192.168.1.141
>                  Port 8080
>          End
>      End
>
>      Service
>          BackEnd
>                  Address 192.168.1.142
>                  Port 8083
>          End
>      End
>
> End

Your config looks fine.  What happens when you hit it, specifically?

Regards,
-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
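As an added, worked example (mine, not the poster's, Dave's or Pound's own code), here is a setup script that does the whole job this thread is circling around: it creates a private CA, the single server PEM that Pound's Cert directive loads (key and certificate concatenated, as Dave says), a CA-signed client certificate exported to PKCS#12 for Firefox, and a pound.cfg whose ListenHTTPS block asks for and verifies the client certificate with Pound's ClientCert, CAlist and VerifyList directives. Everything not in the thread is assumed: the CA name, lifetimes, the PKCS#12 password, the user name alice, the output directory, and the app1/app2 host names used to pick a backend (the posted config had two Services with no selector, so only the first would ever match).

```shell
#!/bin/sh
# Added example, not code from the thread, Pound or Apache: build a private CA,
# the single server PEM Pound's Cert directive wants, and a CA-signed client
# certificate, then write a pound.cfg that rejects clients without one.
# Assumptions (mine): names, lifetimes, the PKCS#12 password, the app1/app2
# host names used for routing, and the output directory.
set -u

ORG="CompanyName"          # the O / OU the old SSLRequire line checked for
OU="CompanyDept"
POUND_IP="192.168.1.140"   # ListenHTTPS address from the posted pound.cfg

# Private CA. Its key signs every client certificate and nothing else.
make_ca() {            # args: dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=$ORG/CN=Private Pound CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Server key + CA-signed cert, concatenated into the one PEM Pound loads.
make_server_pem() {    # args: dir
    openssl req -newkey rsa:2048 -nodes -subj "/O=$ORG/CN=$POUND_IP" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null &&
    cat "$1/server.key" "$1/server.crt" > "$1/server.pem" &&
    chmod 600 "$1/server.key" "$1/server.pem"
}

# One client cert per restricted user, signed by the same CA. The .p12 is
# what the user imports into Firefox; the CA cert rides along inside it.
make_client_cert() {   # args: dir user p12-password
    openssl req -newkey rsa:2048 -nodes -subj "/O=$ORG/OU=$OU/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -certfile "$1/ca.crt" -passout "pass:$3" -out "$1/$2.p12" &&
    chmod 600 "$1/$2.key" "$1/$2.p12"
}

# Same check Pound makes on the handshake: does the cert chain to our CA?
client_cert_ok() {     # args: dir cert-file
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# pound.cfg: client-certificate enforcement lives on the ListenHTTPS block.
write_pound_cfg() {    # args: dir
    cat > "$1/pound.cfg" <<EOF
ListenHTTPS
    Address $POUND_IP
    Port    443
    Cert    "$1/server.pem"
    # 2 = ask for a client certificate and fail the handshake if none is
    # offered; depth 1 = it must be signed directly by a CA in VerifyList.
    ClientCert 2 1
    CAlist     "$1/ca.crt"
    VerifyList "$1/ca.crt"
    # Drop any X-SSL-* headers the client sends so backends can trust the
    # ones Pound adds after verification (X-SSL-Subject, X-SSL-Issuer, ...).
    HeadRemove "X-SSL-.*"
    LogLevel 2

    # With no selector the first Service matches everything; route on the
    # Host header so both backends are reachable through this one listener.
    Service
        HeadRequire "Host:[ ]*app1\\..*"
        BackEnd
            Address 192.168.1.141
            Port    8080
        End
    End

    Service
        HeadRequire "Host:[ ]*app2\\..*"
        BackEnd
            Address 192.168.1.142
            Port    8083
        End
    End
End
EOF
}

main() {               # args: out-dir
    mkdir -p "$1" && make_ca "$1" && make_server_pem "$1" &&
    make_client_cert "$1" alice changeit && write_pound_cfg "$1"
}

# Usage: sh mkpound.sh /usr/etc/pound-certs
if [ $# -gt 0 ]; then main "$1"; else echo "usage: $0 <out-dir>" >&2; fi
```

Run it as `sh mkpound.sh /usr/etc/pound-certs`, point pound at the generated pound.cfg, import alice.p12 into Firefox, and check from a shell: `curl --cacert ca.crt --cert alice.crt --key alice.key https://192.168.1.140/` should reach a backend, while the same request without --cert/--key must fail in the TLS handshake rather than show the site. Pound has no equivalent of Apache's SSLRequire, so if you still need the O/OU check, do it on the backend against the X-SSL-Subject header Pound adds once the certificate has verified; that is why the listener strips any client-supplied X-SSL-* headers first.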