3) As of Pound 2.6a, you can use SNI:
    Please note that multiple Cert directives are allowed if your
    OpenSSL version supports SNI. In such cases, the first directive
    is the default certificate, with additional certificates used if
    the client requests them.

If you do specify multiple Cert directives, the subject of the certificate
will be compared against the hostname the browser is requesting.  If you have a
cert for www.domain.org, it will use that if the client asks for
www.domain.org.  (Or if you have a cert for *.domain.org, that would match as
well.)


Joe
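A ListenHTTPS block that puts the SNI behaviour described above to work, added here as an illustration rather than taken from the thread or from the Pound documentation; the certificate paths and domain names are assumptions modelled on the sanitized config quoted further down:

```text
# Added example, not from the thread: one HTTPS listener, two hostnames,
# one certificate each. Paths and domain names are assumed.
ListenHTTPS
    Address 0.0.0.0
    Port 443
    # The first Cert is the default: Pound serves it to clients that send
    # no SNI hostname (or a hostname matching none of the certs), so those
    # clients will see a name mismatch for the second site.
    Cert "/opt/pound/ssl/domain1.pem"
    # Further Certs are chosen when the client's SNI hostname matches the
    # certificate subject, e.g. www.domain2.com or a *.domain2.com wildcard.
    Cert "/opt/pound/ssl/domain2.pem"
    Client 15
    RewriteLocation 0

    Service
        # Pattern kept from the original config; note it is unanchored and
        # so also matches any Host value that merely contains "domain1.com".
        HeadRequire "Host:.*domain1.com.*"
        BackEnd
            Address 192.168.99.196
            Port 80
            Timeout 15
        End
    End

    Service
        HeadRequire "Host:.*domain2.com.*"
        BackEnd
            Address 192.168.99.198
            Port 80
            Timeout 15
        End
    End
End
```

Which certificate a given name receives can be checked from a client with `openssl s_client -connect host:443 -servername www.domain2.com`; running the same command without `-servername` shows what non-SNI clients get, which is the first Cert.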

> -----Original Message-----
> From: Dave Steinberg [mailto:[email protected]]
> Sent: Tuesday, April 05, 2011 3:13 PM
> To: [email protected]
> Subject: Re: [Pound Mailing List] SSL for Multiple Hosts
> 
> On 4/5/2011 1:42 PM, W. Jeffrey Brown wrote:
> > I've looked all over and can't find this answer
> >
> > We have pound running and passing traffic off for two hosts. Each host
> > has its own set of servers.
> >
> > What I need to know is what the proper configuration would be for each
> > host to have its own SSL cert.
> >
> > Here is a sanitized version of the pound config that we are using.
> >
> >
> > # Replace "localhost" by your IP or host name
> > ListenHTTPS
> >      Address 0.0.0.0
> >      Port 443
> >      Cert "/opt/pound/ssl/server.pem"
> >      Client 15
> >      RewriteLocation 0
> >
> >      Service
> >          BackEnd
> >              Address WWW.XXX.YYY.ZZZ
> >              Port 80
> >              Timeout 15
> >          End
> >      End
> > End
> >
> > ListenHTTP
> >      Address 0.0.0.0
> >      Port 80
> >      Client 15
> >      RewriteLocation 0
> >
> >      Service
> >          HeadRequire "Host:.*domain1.com.*"
> >
> >          BackEnd
> >              Address 192.168.99.196
> >                        Port 80
> >                        Timeout 15
> >          End
> >          BackEnd
> >              Address 192.168.99.197
> >                        Port 80
> >                        Timeout 15
> >          End
> >      End
> >
> >      Service
> >          HeadRequire "Host:.*domain2.com.*"
> >
> >          BackEnd
> >              Address 192.168.99.198
> >                        Port 80
> >                        Timeout 15
> >          End
> >          BackEnd
> >              Address 192.168.99.199
> >                        Port 80
> >                        Timeout 15
> >          End
> >          BackEnd
> >              Address 192.168.99.200
> >                        Port 80
> >                        Timeout 15
> >          End
> >      End
> > End
> 
> There are 2 easy choices:
> 
> 1) Get 1 cert with both CN fields on it.  Most SSL providers offer these
> for not much more (I have one that allows 5 names on 1 cert from Godaddy
> - it wasn't expensive).
> 
> 2) Move them to different IPs and then update your ListenHTTP/HTTPS
> blocks, specifying the different certs for each IP.
> 
> Regards,
> --
> Dave Steinberg
> http://www.geekisp.com/
> http://www.steinbergcomputing.com/
> http://www.redterror.net/
> 
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
