It is pretty much what I emailed earlier. /etc/pound/dev.pem is a self-signed
certificate for testing. This is how I created the certificate:

    openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr
    openssl x509 -req -days 3650 -in dev.csr -signkey dev.key -out dev.crt
    cat dev.key dev.csr dev.crt > dev.pem
And here is the pound config:

    User "nobody"
    Group "nobody"
    Alive 5
    LogLevel 0

    ListenHTTPS
        Address x.x.x.x
        Port 443
        Cert "/etc/pound/dev.pem"
        Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
        AddHeader "X-Secure-Connection: true"
        Service
            BackEnd
                Address x.x.x.x
                Port xxxx
            End
        End
    End
From: Scott McKeown <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, 20 September 2012 16:30
To: "[email protected]" <[email protected]>
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
Hi Francoise,
Can you show me your current pound.cfg file please (replace anything with X's)
~Scott
On 20 September 2012 15:49, Francoise Dehinbo <[email protected]> wrote:
I tried your suggestion below so pound runs on 443 and 80. All http goes from
pound to the new perlbal port 8080. And all https goes through pound as usual.
I still have the same problem. Cannot redirect from http to https and vice
versa (now that pound is running both ports).
From: Scott McKeown <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, 20 September 2012 13:40
To: "[email protected]" <[email protected]>
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
So your Pound Setup and the Web Site are running on the same server, sorry I
have mine set up in a Proxy mode which is a slightly different setup.
I don't know perlbal but at a guess you should be able to change the port that
it's listening on in its config file to something like 8080 and then with the
pound redirect as above in place but to port 8080 for the BackEnd
~Scott
On 20 September 2012 12:51, Francoise Dehinbo <[email protected]> wrote:
Just for testing, I stopped perlbal, added the ListenHTTP suggestion to pound,
so now pound runs on ports 443 and 80. The problem is worse. I cannot go from
http to https or from https to http. So it's definitely something with pound!
Previously I reinstalled pound with just plain 2.6 without any patches and it's
the same problem!
From: Scott McKeown <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, 20 September 2012 12:30
To: "[email protected]" <[email protected]>
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
Hi Francoise,
OK think I've got it now. Try something like this:

    User "nobody"
    Group "nobody"
    LogLevel 1

    ListenHTTPS
        Address xxx.xxx.xxx.xxx
        Port 443
        Cert "/etc/pound/dev.pem"
        Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
        AddHeader "X-Secure-Connection: true"
        Service
            BackEnd
                # Send everything PSGI apps
                Address 127.0.0.1
                Port 5555
            End
        End
    End

    ListenHTTP
        Address xxx.xxx.xxx.xxx
        Port 80
        Service
            BackEnd
                Address 127.0.0.1
                Port 5555
            End
        End
    End

This should stop the looping and catch anything that is HTTP and display as
normal. If you want to FORCE HTTP traffic to HTTPS the Redirect option should
work
~Scott
Privacy and Confidentiality Notice:
This is strictly confidential and intended solely for the person or
organisation to whom it is addressed. It may contain privileged and
confidential information and if you are not an intended recipient, you must not
copy, distribute or take any action in reliance on it. If you have received
this message in error, please notify us as soon as possible and delete it and
any attached files from your system.
The views and opinions expressed in this email message are the author's own and
may not reflect the views and opinions of the author's employer.
Foxtons Limited is registered in England and Wales (registered number
01680058). Our registered office is at Building One, Chiswick Park, 566
Chiswick High Road, London, W4 5BE.
_____________________________________________________________________
This e-mail has been scanned for viruses by MessageLabs.
--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
--
With Kind Regards.
Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
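
The dev.pem bundle built by the three openssl commands at the top of this thread can be inspected before the Cert directive points at it. The script below is an added example, not part of the original messages: it lists the PEM blocks in the bundle and checks that the private key and the certificate carry the same public key. It assumes an openssl binary on PATH; the helper names, the -subj value and the temporary directory are constructed for illustration.

```sh
#!/bin/sh
# Added example: inspect a combined PEM bundle such as dev.pem.
# Helper names, the -subj value and the temp directory are constructed.

# Print the label of every PEM block in FILE, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Print the first PEM block in FILE whose BEGIN line matches regex RE.
pem_block() {
    awk -v re="$2" '
        /^-----BEGIN / && $0 ~ re && !done { on = 1 }
        on { print }
        on && /^-----END / { on = 0; done = 1 }' "$1"
}

# Succeed only if the private key and the certificate in FILE carry the
# same public key. Returns 2 when either block is missing or unreadable.
key_matches_cert() {
    k=$(pem_block "$1" 'PRIVATE KEY-----$' | openssl pkey -pubout 2>/dev/null) || return 2
    c=$(pem_block "$1" 'BEGIN CERTIFICATE-----$' | openssl x509 -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Rebuild the bundle in DIR with the commands from the message; -subj is
# added (assumption) so that openssl req does not prompt.
make_demo_bundle() {
    ( cd "$1" &&
      openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
          -subj "/CN=dev.example.test" 2>/dev/null &&
      openssl x509 -req -days 3650 -in dev.csr -signkey dev.key \
          -out dev.crt 2>/dev/null &&
      cat dev.key dev.csr dev.crt > dev.pem )
}

demo=$(mktemp -d) && make_demo_bundle "$demo" && {
    pem_labels "$demo/dev.pem"      # one label per line, in bundle order
    if key_matches_cert "$demo/dev.pem"; then
        echo "private key matches certificate"
    else
        echo "private key and certificate do NOT match"
    fi
}
rm -rf "$demo"
```

The CERTIFICATE REQUEST block that shows up in the listing is only the request used to obtain the certificate; a TLS listener needs the private key and the certificate, so `cat dev.key dev.crt > dev.pem` gives the same key pair without it.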