Hi James,

First of all, welcome to Pound...

... I'm guessing that you have a WildCard SSL Certificate or a UCC
Certificate that will allow you to correctly encrypt the required traffic
to your backend servers as you can only enable one SSL Certificate per real
IP Address.
Myself, I have a UCC Certificate from GoDaddy which I've set up to cover
three different top level domains (domain1.co.uk, domain2.co.uk, domain1.net)
and this works perfectly. The only downside is that if you need to add
another domain to the Certificate you need to rekey the whole certificate.
Whereas a wildcard certificate will allow any subdomain of one top
level domain only (a.domain1.co.uk, b.domain1.co.uk, c.domain1.co.uk, etc.).
Sorry if I'm teaching you to suck eggs but I just wanted to check first.

Second, here is a basic pound.cfg file that will do what you require with a
UCC certificate. This config file also forces HTTP back to HTTPS, which you
can remove if not needed:

User    "nobody"
Group   "nobody"
LogLevel        1
LogFacility     local3
Client  30
TimeOut 60
ListenHTTPS
        Address xxx.xxx.xxx.xxx
        Port 443
        xHTTP 3
        Cert "/etc/pound/ucc01.pem"
        ReWriteLocation 1
        Ciphers "RC4:HIGH:!MD5:!aNULL"
        Service
                HeadRequire "Host: *domain1.co.uk*"
                BackEnd
                        Address 172.16.0.10
                        Port 80
                End
        End

        Service
                HeadRequire "Host: *domain2.co.uk*"
                BackEnd
                        Address 172.16.0.20
                        Port 80
                End
        End

        Service
                HeadRequire "Host: *domain1.net*"
                BackEnd
                        Address 172.16.0.30
                        Port 80
                End
        End
End

ListenHTTP
        Address xxx.xxx.xxx.xxx
        Port 80
        xHTTP 3
        ReWriteLocation 1
        Service
                HeadRequire "Host: *domain1.co.uk*"
                Redirect "https://domain1.co.uk"
        End
        Service
                HeadRequire "Host: *domain2.co.uk*"
                Redirect "https://domain2.co.uk"
        End
        Service
                HeadRequire "Host: *domain1.net*"
                Redirect "https://domain1.net"
        End
End



~Yours,
Scott

On 11 October 2012 18:53, James Bensley <[email protected]> wrote:

> Hi all,
>
> First post to the list, Pounder newcomer here!
>
> I have a Pound proxy providing SSL off-load for HAProxy (they are
> installed on the same server, Pound passes request onto HAproxy over
> the 127.0.0.1 loop-back address). I have some HTTP servers all hosting
> the same sites behind this load-balancer. I would like for a couple of
> them to use SSL. The only way I could see to have more than one SSL
> site behind this Pound box was to assign multiple IPs to the box and
> set up a different HTTPS listening on each IP, but this isn't very
> scalable or IP conservative.
>
> Then I saw the following text on the Pound website:
>
> Update June 2010: starting with the 2.6 series, Pound has SNI
> support, if your OpenSSL version supports it. Basically you supply
> Pound with several certificates, one for each virtual host (wild card
> certificates - as described above - are allowed). On connecting the
> client signals to which server it wants to talk, and Pound searches
> among its certificates which would fit. Not all versions of OpenSSL
> and not all clients support this mode, but if available it allows for
> virtual hosts over HTTPS.
>
> Can anyone provide me with a configuration example of how I can
> achieve this, or the correct direction to be looking in?
>
> Many thanks,
> James.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
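
Added example (not part of the original thread or of Pound itself): a Python check that the certificate on a ListenHTTPS block covers every hostname it routes, contrasting the UCC and wildcard cases described in the reply. The config excerpt and SAN lists are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: the ListenHTTPS block from the reply, trimmed to routing lines.
POUND_CFG = '''
ListenHTTPS
        Cert "/etc/pound/ucc01.pem"
        Service
                HeadRequire "Host: *domain1.co.uk*"
        End
        Service
                HeadRequire "Host: *domain2.co.uk*"
        End
        Service
                HeadRequire "Host: *domain1.net*"
        End
End
'''

# Constructed SAN lists (on a real cert: openssl x509 -noout -text -in cert.pem).
UCC_SANS = ["domain1.co.uk", "domain2.co.uk", "domain1.net"]
WILDCARD_SANS = ["*.domain1.co.uk"]

def routed_hosts(cfg):
    """Extract the hostname from each HeadRequire "Host: ..." pattern."""
    pat = re.compile(r'HeadRequire\s+"Host:\s*\**([A-Za-z0-9.-]+)\**"')
    return [m.group(1).lower() for m in pat.finditer(cfg)]

def san_covers(san, host):
    """Exact match, or '*.' standing for exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host

def uncovered(hosts, sans):
    """Hostnames a client would get a certificate name mismatch for."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]

if __name__ == "__main__":
    hosts = routed_hosts(POUND_CFG)
    print("routed:", hosts)
    print("UCC cert misses:", uncovered(hosts, UCC_SANS))
    print("wildcard cert misses:", uncovered(hosts, WILDCARD_SANS))
```

The wildcard list fails even for domain1.co.uk itself, because `*.domain1.co.uk` stands for exactly one extra label and does not match the bare domain.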
