With a correction to my pound.cfg at the end - forgot to name the
From: Cory Sanders [mailto:[email protected]]
Sent: Saturday, November 02, 2013 4:32 PM
To: [email protected]
Subject: [Pound Mailing List] Pound with https:https -- issue with .pem cert in /etc/pound
I have a server running ProxMox (Debian).
Server is running a public IP on eth0.
Here is /etc/network/interfaces:
iface lo inet loopback
auto eth0
iface eth0 inet static
address <my.public.i.p>
netmask 255.255.255.248
gateway <my.public.gate.way>
post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
auto vmbr0
iface vmbr0 inet static
address 10.10.12.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.12.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.12.0/24' -o eth0 -j MASQUERADE
I have several VMs built running on bridge vmbr0
Here is one of their /etc/network/interfaces
auto eth0
iface eth0 inet static
address 10.10.12.100
netmask 255.255.255.0
gateway 10.10.12.1
dns-nameservers 8.8.8.8
If I use iptables and this:
iptables -t nat -A PREROUTING -p tcp --dport 22100 -j DNAT --to 10.10.12.100:100
I can ssh to the VM from the outside. I am going to be using CSF with Webmin,
so I won't be using iptables, just csfpre.sh and csfpost.sh for NAT rules.
I have the Apsis open source reverse proxy Pound installed on the server for
accessing the Web gui of each VM. Each VM is running https already with
/etc/apache2/sites-available/default having this:
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !^.*Aastra.*0
RewriteCond %{SERVER_PORT} ^80$
# $1 carries the original request path over to the https URL
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>
I will use another proxy, Kamailio, for the SIP traffic. But Kamailio is not
the subject of this post.
Regarding Pound and the HTTPS to HTTPS connection to the back end servers, I am
having trouble understanding and implementing the key portion of the
directions, specifically relating to the .pem cert.
My /etc/pound/pound.cfg has this:
# cat /etc/pound/pound.cfg
# My Pound Config
##
## see pound(8) for details
######################################################################
## global options:
User "pounduser"
Group "poundgroup"
#RootJail "/chroot/pound"
## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 1
## check backend every X secs:
Alive 30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine "<hw>"
# poundctl control socket
Control "/var/run/pound/poundctl.socket"
######################################################################
## listen, redirect and ... to:
## redirect all http requests based on url to port 80 of VM
ListenHTTP
Address my.public.i.p
Port 80
End
ListenHTTPS
Address my.public.i.p
Port 443
Cert "/etc/pound/pound.pem"
End
# Server 1 vmservername.mydomain.com
# HeadRequire and BackEnd are only valid inside a Service block, and the
# final End below closes it, so Service must not be commented out.
Service
HeadRequire "Host: vmservername.mydomain.com"
BackEnd
Address 10.10.12.100
Port 80
End
End
My question is about the .pem cert that pound.cfg is calling to. I have certs
for the machine already. ProxMox gui runs on port 8006 and is https. So I
have things like
/etc/pve/pve-root-ca.pem
/etc/pve/nodes/vproxy/pve-ssl.pem
and a whole host of other .pem files such as
/etc/ssl/certs/ca.pem
/etc/ssl/certs/cacert.org.pem
/etc/ssl/certs/certSIGN_ROOT_CA.pem
/etc/ssl/certs/ePKI_Root_Certification_Authority.pem
/etc/ssl/certs/spi-ca-2003.pem
/etc/ssl/certs/spi-cacert-2008.pem
Question is, can I go to /etc/pound and generate a new cert for Pound? How
should I do this? I don't want to mess up the https connection with Proxmox at
https://my.public.i.p:8006
Pound would not work when I called to my pve .pem files. And trying to cat
from other .pem and .key and write into a /etc/pound/pound.pem does not work.
I get this when I try to restart Pound:
# service pound start
Starting reverse proxy and load balancer: poundstarting...
/etc/pound/pound.cfg line 43: SSL_CTX_use_PrivateKey_file failed - aborted
failed!
Thanks.
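The following is an added example, not part of Cory's message and not a file shipped by the Pound project: a POSIX shell script that generates the key-plus-certificate PEM that Pound's Cert directive expects, checks that the private key in the file actually belongs to the certificate (a certificate-only file, such as pve-ssl.pem copied without its pve-ssl.key, is exactly the condition that makes SSL_CTX_use_PrivateKey_file fail at startup), and writes a pound.cfg fragment that forwards to the VM over HTTPS using the HTTPS keyword in the BackEnd block. The output directory, the listen address 203.0.113.10, the hostname and the backend 10.10.12.100 are assumptions; nothing under /etc/pve is touched, so the Proxmox GUI on port 8006 keeps its own certificate.

```shell
#!/bin/sh
# Added example (not from the original post or the Pound project): build the
# single PEM file that Pound's "Cert" directive wants (certificate + unencrypted
# private key in one file), check it, and write a matching https->https config.
# Paths, the listen address and the backend address are assumptions.
set -eu

# Generate an unencrypted 2048-bit RSA key and a self-signed certificate for
# the CN in $2, then concatenate them into $1/pound.pem. "-nodes" matters:
# Pound cannot prompt for a passphrase. Prints the path of the combined PEM.
make_pound_pem() {
    dir=$1
    cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" \
        -keyout "$dir/pound.key" -out "$dir/pound.crt" >/dev/null 2>&1
    # Certificate first, key second; Pound reads both from the same file.
    cat "$dir/pound.crt" "$dir/pound.key" > "$dir/pound.pem"
    chmod 600 "$dir/pound.key" "$dir/pound.pem"
    printf '%s\n' "$dir/pound.pem"
}

# Return 0 only if the PEM contains a certificate AND a private key, and the
# two belong together. A certificate-only file (pve-ssl.pem copied without
# pve-ssl.key) or a key taken from a different certificate fails here, which
# is what "SSL_CTX_use_PrivateKey_file failed" reports at startup.
check_pound_pem() {
    pem=$1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$pem" || return 1
    cert_pub=$(awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$pem" \
        | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(awk '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/' "$pem" \
        | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write a pound.cfg fragment: terminate TLS on $3:443 with the PEM in $2 and
# re-encrypt to the VM's own HTTPS listener (the HTTPS keyword in BackEnd),
# selecting the backend on the Host header given in $4.
write_pound_cfg() {
    cfg=$1
    pem=$2
    listen_ip=$3
    host=$4
    backend=$5
    cat > "$cfg" <<EOF
ListenHTTPS
    Address $listen_ip
    Port 443
    Cert "$pem"

    Service
        HeadRequire "Host: $host"
        BackEnd
            Address $backend
            Port 443
            HTTPS
        End
    End
End
EOF
}

# Usage (assumed addresses; run as root to write under /etc/pound):
#   pem=$(make_pound_pem /etc/pound vmservername.mydomain.com)
#   check_pound_pem "$pem" && write_pound_cfg /etc/pound/pound.cfg "$pem" \
#       203.0.113.10 vmservername.mydomain.com 10.10.12.100
```

After writing the file, `pound -c -f /etc/pound/pound.cfg` parses the configuration without starting the daemon, so a bad PEM shows up before `service pound start`. A self-signed certificate will make browsers warn; a CA-issued certificate goes into the same single file as certificate, chain, and key, and check_pound_pem applies unchanged.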