HTTP redirects happen inside the HTTPS stream, so there's nothing Pound could do, other than reject the connection, which would show in the browser as a "connection has been reset"... Which IMHO is never desirable.
You can do whatever you'd like in the config, just use HeadRequire directives to match against the hosts you want to return content for, and create a service entry to handle any other host. Redirect to a backend with a nice error, redirect to a backend that can redirect to http, whatever you'd like. Users will get a "cert doesn't match, continue?" warning in the browser and then be redirected based on what you've created.

If you really want a connection reset message, or no listening port at all, I suggest you create two separate IP addresses... On IP A have a ListenHTTP defined, and on IP B have ListenHTTPS and ListenHTTP both defined... And in DNS, assign the hosts you support SSL for to IP B and others to IP A. If a host changes to SSL support, switch their DNS to IP B and add the SNI cert. Once DNS propagates all will be well. (And you can set low TTLs to help that.)

Joe

On 8/15/14, 12:55 PM, Filidor Wiese wrote:
> Hello pound mailing list,
>
> Quick question to which I can't seem to find an answer on the mailing list.
>
> In my pound config, I have multiple SSL certificates defined in a
> ListenHTTPS block making use of SNI support. Next to that there is also
> a ListenHTTP block for non-SSL traffic - both listening on the same IP.
>
> The problem I face is that https requests for a domain for which there
> is no certificate are still getting served by pound - it defaults to the
> first certificate defined.
>
> For me, this is undesirable for multiple reasons:
>
> - The wrong common name is shown in the browser
> - Google might now try to crawl and index https:// URLs for domains for
>   which I don't offer https
> - The website itself is not shown properly (css, images, js not loaded)
>   because of insecure content warnings
>
> My question is, is there a way to configure pound so that it rejects or
> redirects these SSL requests for non-matching hostnames? Or is the only
> viable solution to run pound on two separate IPs, having SSL domains
> pointing at one and non-SSL domains pointing at the other?
>
> Thanks in advance,
> Filidor Wiese
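A configuration sketch of the two approaches Joe describes (per-host HeadRequire services with a catch-all, and separate IPs for SSL and non-SSL hosts), added here as an example; it is not taken from the thread or from the Pound project's own documentation. The listener addresses (192.0.2.10 as "IP A", 192.0.2.11 as "IP B"), backend addresses, certificate paths and host names are assumptions for illustration.

```conf
## Added example, not from the original thread. All addresses, paths and
## host names below are assumed.

## IP A (192.0.2.10): plain HTTP only. Hosts without a certificate point
## here in DNS, so nothing listens on 443 and there is no cert warning
## to click through.
ListenHTTP
    Address 192.0.2.10
    Port    80
    Service
        BackEnd
            Address 10.0.0.5
            Port    8080
        End
    End
End

## IP B (192.0.2.11): HTTP and HTTPS. Hosts that have a certificate point
## here; move a host's DNS to this IP when its SNI cert is added.
ListenHTTP
    Address 192.0.2.11
    Port    80
    Service
        BackEnd
            Address 10.0.0.5
            Port    8080
        End
    End
End

ListenHTTPS
    Address 192.0.2.11
    Port    443
    ## The first Cert is what Pound presents when the SNI name matches none
    ## of the certificates; the rest are selected by SNI host name.
    Cert "/etc/pound/certs/www.example.com.pem"
    Cert "/etc/pound/certs/shop.example.org.pem"

    ## One Service per host we actually hold a certificate for. HeadRequire
    ## is a regular expression matched against the request header lines, so
    ## anchor the Host value to avoid matching sub-strings of other hosts.
    Service
        HeadRequire "Host: www\.example\.com$"
        BackEnd
            Address 10.0.0.5
            Port    8080
        End
    End
    Service
        HeadRequire "Host: shop\.example\.org$"
        BackEnd
            Address 10.0.0.6
            Port    8080
        End
    End

    ## Catch-all for any other Host that reached us over TLS (the user has
    ## already accepted the mismatched cert). Services are tried in the order
    ## defined, so this must come last. 10.0.0.7 is an assumed small backend
    ## that either shows an error page or 301s to http://<Host>/<path>,
    ## instead of silently serving the default cert's site.
    Service
        BackEnd
            Address 10.0.0.7
            Port    8080
        End
    End
End
```

To check which certificate a given SNI name actually receives, connect with `openssl s_client -connect 192.0.2.11:443 -servername unknown.example.net` and inspect the subject printed for the server certificate: a name without its own Cert line gets the first one listed, which is exactly the behaviour Filidor observed. Hosts whose DNS points at 192.0.2.10 never reach a TLS listener at all, so that check fails to connect for them, which is the "connection reset / no listening port" outcome Joe describes.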
