Thank you very much for your help. To me it still seems that it's not
correct behaviour to spit out some random certificate if none matches,
but I can indeed route SSL domains over a separate IP to circumvent it.
Keep up the good work, pound is awesome!
Filidor
On 15-08-14 19:13, Joe Gooch wrote:
HTTP redirects happen inside the HTTPS stream, so there's nothing Pound
could do, other than reject the connection, which would show in the
browser as a "connection has been reset"... Which IMHO is never desirable.
You can do whatever you'd like in the config, just use HeadRequire
directives to match against the hosts you want to return content for,
and create a service entry to handle any other host. Redirect to a
backend with a nice error, redirect to a backend that can redirect to
http, whatever you'd like. Users will get a "cert doesn't match,
continue?" warning on the browser and then be redirected based on what
you've created.
If you really want a connection reset message, or no listening port at
all, I suggest you create two separate IP addresses... On IP A have a
ListenHTTP defined, and on IP B have ListenHTTPS and ListenHTTP both
defined... And in DNS, assign the hosts you support SSL for to IP B and
others to IP A.
If a host changes to ssl support, switch their DNS to IP B and add the
SNI cert. Once DNS propagates all will be well. (And you can set low
TTLs to help that)
Joe
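The layout Joe describes, written out as a Pound configuration. This is an added example, not a config posted in the thread: a single ListenHTTPS block carrying two SNI certificates, one Service per supported host selected with HeadRequire, and a final catch-all Service that uses Pound's Redirect back-end to send every other Host name back to plain HTTP. The IP address, hostnames, certificate paths, backend ports and redirect target are placeholders. As Joe points out, Pound has already completed the TLS handshake with the first (fallback) certificate by the time the Host header is inspected, so the browser shows its name-mismatch warning before the redirect takes effect; the catch-all only prevents content for an unsupported host from being served under the wrong certificate.

```conf
# Added example, not from the Pound mailing list. All addresses, names,
# paths and ports are placeholders.
ListenHTTPS
    Address 192.0.2.10
    Port    443
    # Pound presents the first Cert when the SNI name matches none of them.
    Cert    "/etc/pound/site-a.example.pem"
    Cert    "/etc/pound/site-b.example.pem"

    Service "site-a"
        # Regex against the full "Host:" header line; allow an explicit :443.
        HeadRequire "Host: site-a\.example(:443)?$"
        BackEnd
            Address 127.0.0.1
            Port    8081
        End
    End

    Service "site-b"
        HeadRequire "Host: site-b\.example(:443)?$"
        BackEnd
            Address 127.0.0.1
            Port    8082
        End
    End

    # Catch-all: any Host that matched none of the Services above.
    # No BackEnd here; Pound answers with an HTTP redirect instead of
    # serving the site under a certificate issued for a different name.
    Service "unsupported-https-host"
        Redirect 301 "http://placeholder.example/"
    End
End
```

Services are matched in order, so the catch-all must be last, and the ListenHTTP block for non-SSL traffic on the same address is unaffected. The redirect target is one fixed placeholder URL; if the plain-HTTP site should receive the original path, that target would need to be adjusted per host (for example, one catch-all Service per unsupported host) rather than a single static URL.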
On 8/15/14, 12:55 PM, Filidor Wiese wrote:
Hello pound mailing list,
Quick question to which I can't seem to find an answer on the mailing list.
In my pound config, I have multiple SSL certificates defined in a
ListenHTTPS block making use of SNI support. Next to that there is also
a ListenHTTP block for non-ssl traffic - both listening on the same ip.
The problem I face is that https requests for a domain for which there
is no certificate are still getting served by pound - it defaults to the
first certificate defined.
For me, this is undesirable for multiple reasons:
- The wrong common name is shown in the browser
- Google might now try to crawl and index https:// URLs for domains for
which I don't offer https
- The website itself is not shown properly (CSS, images, JS not loaded)
because of insecure content warnings
My question is, is there a way to configure pound so that it rejects or
redirects these SSL requests for non-matching hostnames? Or is the only
viable solution to run pound on two separate IPs, having SSL domains
pointing at one and non-SSL domains pointing at the other?
Thanks in advance,
Filidor Wiese
--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.